Privacy Policy

PERSONAL DATA PROCESSING POLICY OF THE E-SHOP OPERATOR

  1. Basic Information
  • This Personal Data Processing Policy (hereinafter referred to as the "Policy") describes the processing of personal data of customers of the GUFEX e-shop, an online store available at the website https://gufex.cz/ (hereinafter referred to as the "E-shop" and the "Customer"), with the data controller being the operator of the E-shop, GUFEX s.r.o., located at Kateřinice 180, 756 21 Kateřinice, Czech Republic, Company ID: 26829371, registered with the Regional Court in Ostrava, file number: C 40002 (hereinafter referred to as the "Operator").
  • This Policy is issued in accordance with the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended (hereinafter referred to as the "GDPR Regulation"), especially for the purpose of ensuring the information obligation of the Operator under the GDPR Regulation.
  • The Operator is responsible for the lawful processing of personal data. The supervisory authority for personal data processing in the Czech Republic is the Office for Personal Data Protection.
  • The terms used in this Policy have the meanings set out in the GDPR, this Policy, the agreement between the data subject and the Operator, or the general terms and conditions of the Operator, available on the E-shop website.
  • For the purposes of this Policy, the "Customer" refers to natural persons who purchase goods in the E-shop, and natural persons who represent legal entities that purchase goods in the E-shop, regardless of whether the Customer is registered in the E-shop.
  1. Scope and Purpose of Personal Data Processing
  • The Operator processes personal data of Customers that the Customer voluntarily provides. When making a purchase on the E-shop, it is necessary for the Operator to collect the following personal data in order to fulfill the contract:
  1. First and last name;
  2. Email address;
  3. Phone number.

Providing the personal data listed in points a) – c) above is a contractual requirement of the Operator, and failure to provide them may result in the inability to conclude a contract with the Customer through the E-shop.

  • The Operator allows the Customer to register on the E-shop under their user account, which is secured with a password, even without making a purchase. In such cases, by registering and creating their user account, the Customer gives consent to the processing of their personal data necessary for the purpose of sending electronic commercial communications related to the products and services of the Operator (hereinafter referred to as the "Newsletter") to their email address. Granting this consent is voluntary, and the provision of personal data does not impose any legal obligation on the Customer. The Customer has the right to withdraw their consent to the processing of personal data at any time by sending an email to eshop@gufex.cz or by unsubscribing from the Newsletter through the link provided in each Newsletter.
  1. Method of Personal Data Processing
  • The Operator processes the personal data of Customers only in a lawful and transparent manner. If it is determined that the personal data of Customers has been processed without a lawful reason, the Operator will immediately stop processing the personal data of the Customers.
  • In order to comply with legal obligations, the Operator processes only adequate, relevant, and limited data necessary to achieve a specific purpose, ensuring the minimization of processed personal data. The Operator processes only the essential amount of personal data about Customers in relation to the purpose of processing.
  • If the Operator identifies any inaccuracies in the processed personal data, the Operator will promptly correct this data.
  1. If the Customer informs the Operator of a change in their personal data, the Operator will immediately update the processed personal data.
  2. If the Operator learns of a change in personal data for any other reason, the Operator will also promptly update the processed personal data.
  • The Operator processes the data in a way that ensures adequate protection.
  1. The Operator will not allow personal data to be made available to an unlimited group of people.
  2. The Operator makes the processed personal data available only to those persons with whom such access is in accordance with legal regulations.
  • The Operator also informs that the E-shop uses cookies and similar technologies, which are used to anonymously evaluate the Customer's movement within the E-shop, remember when the Customer is logged into their user account on the E-shop, add items to their shopping cart, collect voluntary feedback from Customers, and personalize the display of advertisements on the E-shop. More information about cookies can be found HERE.

 

  1. Retention Period of Personal Data
  • The Operator processes the personal data of Customers only for the period necessary to fulfill the specific purpose of processing. Beyond that, the Operator will process personal data only for the period necessary to fulfill the Operator's archival obligations under legal regulations and for legitimate interests of the Operator, such as the protection of the Operator's claims, for the necessary period, but no longer than 10 years.
  • The processing of personal data based on the Customer's consent is carried out by the Operator for the duration of the respective consent. The Customer has the right to withdraw consent to the processing of personal data at any time by sending an email to eshop@gufex.cz.
  • The Operator regularly reviews the processed data and assesses whether the processing of the data is still necessary and whether a legal basis for their processing continues to exist.
  • After the retention period for the respective personal data has expired, the Operator will proceed to delete the data unless there is another legal basis for processing it. The Operator will also delete personal data without undue delay if it determines that the processing is no longer necessary or lacks a legal basis.
  1. Rights of Customers as Data Subjects
  • Throughout the processing of the Customers' personal data, the Customer has the following rights under the GDPR Regulation:
  1. The right to transparent, understandable, and easily accessible information about the processing of personal data. The identity of the person requesting information about personal data processing will be verified – in order to protect the Customers and their personal data to the maximum, the Operator may request additional information from such requesters to verify their identity. All information is provided free of charge upon a legitimate request, unless the requests are evidently unjustified, excessive, or repetitive.
  2. The right to correct inaccurate personal data or to complete incomplete personal data.
  3. The right to erasure of personal data when it is no longer necessary for the purposes for which it was collected, when there is no legal basis for its processing, when consent given for its processing has been withdrawn, when objections to its processing have been raised, or when the data has been processed unlawfully.
  4. The right to request restriction of the processing of personal data in the event of the exercise of any of the above rights, and if there is no reason for erasure of the personal data. The request for restriction and/or erasure of personal data is communicated by the Operator to other recipients to whom the personal data has been provided in accordance with legal regulations, unless it is impossible or requires disproportionate effort on the part of the Operator.
  5. The right to obtain the provided personal data from the Operator in a commonly used, machine-readable format and to transmit it to another data controller.
  6. The right to object to the processing of personal data or to certain processing methods, as well as to the sending of the Newsletter, including profiling.
  7. The right to file a complaint with the Office for Personal Data Protection if the Customer believes that the processing of their personal data violates the GDPR Regulation.
  1. Processing of Personal Data by Other Recipients
  • The personal data of Customers is processed by the Operator as the data controller. The personal data of Customers may be processed for the stated purposes and made available to the following third parties:
  1. Employees of the Operator and persons performing work for the Operator outside of an employment relationship;
  2. Persons providing services to the Operator based on a special contractual agreement, such as persons providing website creation and management services for the Operator;
  3. Persons ensuring accounting services and related matters for the Operator;
  4. Persons providing tax advisory services and handling related matters for the Operator;
  5. Persons providing legal services to the Operator.
  • Personal data will not be provided to third parties from countries outside the European Economic Area.
  • In cases where personal data processing by other processors is required, the Operator ensures necessary guarantees that the data will be handled in accordance with the same standards as outlined in these Policies and applicable legal regulations.
  1. Final Information
  • The Operator processes personal data both manually and automatically using computing technology in both paper and electronic forms, depending on the specific processing of personal data.
  • The specific types and scope of personal data that the Operator processes in relation to a particular Customer depend on the Customer’s identity and the nature of the relationship between the Customer and the Operator. The Operator processes all personal data with the appropriate level of security corresponding to the nature of the data being processed and makes the data available only to authorized persons.
  • Any inquiries or requests regarding rights or claims may be addressed to the Operator electronically at the email address eshop@gufex.cz or in writing to the address of the Operator’s registered office.
  • This Policy is effective as of December 4, 2025. The Operator reserves the right to modify the content of this Policy at any time, with the new version taking effect from the date it is published on the E-shop website.