Declaration of Personal Data Processing

Privacy statement pursuant to Regulation (EC) 2016/679 of the European Parliament and of the Council on the Protection of Individuals with regard to the General Data Protection Regulation (GDPR):

I. Personal Data Managers

BUY and REPAIR Ltd., 272 Bath Street, G2 4JR Glasgow, The United Kingdom, Scotland Company No. SC564756 and GREENWICH MERIDIAN s.r.o., Slevacska 752/36, 198 00 Prague, Company ID: 02853281, VAT Number: CZ02853281 registered in the Commercial Register kept at the Municipal Court in Prague, Section C, Insert 224540 ("Administrator") from 2.4.2014 Article 12 GDPR inform you about the processing of your personal data and your rights.

II. Scope of Personal Data Processing

Personal data is processed to the extent that the relevant data subject has provided the controller in connection with the conclusion of a contractual or other legal relationship with the trustee or which the controller has collected otherwise and processes them in accordance with applicable law or the statutory duties of the trustee.

III. Sources of personal data

• directly from data subjects (registration and purchases through e-shop, e-mail, phone, chat, web site, contact form on the web, social networks, business cards, etc.)

• distributor

• publicly accessible registers (e.g. business register, trade register, real estate register, public telephone directory, etc.)

IV. Categories of personal data being processed

• address and identification data used to uniquely and unambiguously identify the data subject (e.g. name, surname, title, permanent address, ID, VAT number) and contact data (contact details, telephone number, e-mail address and other similar information)

• descriptive data (e.g. bank account)

• other data necessary for the performance of the contract

• data provided in excess of the relevant laws processed within the framework of the consent granted by the entity

V. Categories of data subjects

• administrator’s customer (only for e-shop registered entities)

• administrator’s employee

• carrier

• service provider

• other person who is in a contractual relationship with the manager

• jobseeker

VI. Categories of recipients of personal data

• wholesalers

• financial institutions

• public institutions

• processors

• state and other authorities in fulfillment of legal obligations established by the relevant legislation

• other beneficiaries (e.g. transfer of personal data abroad - EU countries)

VII. Purpose of processing of personal data

• purposes contained within the data subject's consent

• negotiation of a contractual relationship

• fulfillment of the contract

• protection of the rights of the trustee, beneficiary or other persons concerned (e.g. recovery of receivables of the trustee)

• archiving under the law

• vacancies for vacancies

• fulfillment of statutory obligations by the controller

• protection of the vital interests of the data subject

VIII. Method of processing and protection of personal data

The processing of personal data is carried out by the administrator. Processing is carried out at its premises, branches and headquarters by individual authorized servants of the trustee, processor. The processing takes place via computer technology, and manually to personal data in paper form, with all the security policies for managing and processing your personal information. For this purpose, the administrator has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, alteration, destruction or loss, unauthorized transmission, unauthorized processing, and other misuse of personal data. All entities to which personal data may be made available respect the privacy rights of data protection entities and are required to comply with applicable privacy laws.

IX. Time of Processing of Personal Data

In accordance with the deadlines specified in the relevant contracts, the administrator's record and retention order, or the relevant legislation, it is the time necessary to secure the rights and obligations flowing from both the obligation relationship and the relevant legal regulations. The maximum period for these cases is set at 10 years.

X. The controller processes the data with the consent of the data subject, except in cases where the processing of personal data does not require the consent of the data subject. In accordance with Article 6 (1) of the GDPR, the controller may, without the consent of the data subject, process the following data:

• The data subject has given consent for one or more specific purposes,

• processing is necessary to fulfill the contract to which the data subject is or measures taken prior to the conclusion of a contract at the request of that data subject,

• processing is necessary to fulfill a legal obligation to the controller,

• processing is necessary to protect the vital interests of the data subject or other natural person,

• processing is necessary to fulfill the task or

• the processing is necessary for the purposes of the legitimate interests of the relevant trustee or third party, except where the interests or fundamental rights protection of personal data.

XI. Rights of Data Entities

1) In accordance with Article 12 of the GDPR, the Administrator shall, at the request of the data subject, inform the data subject of the right of access to personal data and the following information:

• the purpose of the processing,

• the category of personal data concerned,

• the recipient or categories of recipients to whom personal data has been or will be made available,

• the planned time for personal data to be stored,

• all available information about the source of personal data,

• if not obtained from the data subject, whether automated decision making, including profiling, occurs.

2) Any data subject who discovers or considers that the controller or processor is processing his or her personal data contrary to the privacy of the data subject, in particular if the personal data are inaccurate with respect to the purpose of their processing, may:

• ask the administrator for explanation.

• ask the administrator to remove the resulting condition. In particular, it may be blocking, repairing, adding or deleting personal information.

• if the data subject's request under paragraph 1 is found to be justified, the controller shall immediately remove the defective condition.

• If the controller does not satisfy the data subject's request under paragraph 1, the data subject has the right to contact the Supervisory Authority, the Personal Data Protection Authority.

• the procedure under paragraph 1 does not exclude the data subject from contacting the supervisory authority directly.

• the Administrator has the right to request reasonable compensation for the provision of the information, not exceeding the costs necessary to provide the information.


This statement is publicly accessible on the administrator's website.

