GDPR
Information on the processing of customers’ personal data
pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
This document sets out the principles and procedures for the processing of personal data and rights, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “the Regulation”), and Act No. 480/2004 Coll., on certain information society services, as amended.
I. Concepts
Personal information: All information about an identified or identifiable customer; an identifiable customer is a natural person who can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification number, location data, network identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
Administrator: U Con Gusto s.r.o. (hereinafter referred to as the “Administrator”), the entity that determines the purpose and means of the processing of personal data, performs the processing and is responsible for it. The Administrator may authorise a processor to process the personal data unless a special law provides otherwise;
Processor: Any entity which, based on a special law or under authorisation by the Administrator, processes personal data under the Act and the Regulation on the basis of a contract on the processing of personal data;
Data subject (hereinafter referred to as “Customer”): A natural person (including self-employed persons) to whom the personal data relate (e.g., a potential, current or lost customer);
II. The principle of processing personal data
The Administrator processes personal data in accordance with the following principles arising from the Regulation:
- legality, correctness and transparency of the processing;
- purpose limitation – collection only for specified, explicit and legitimate purposes;
- minimization of data – adequacy, relevance and limitation of processing to the extent necessary in relation to the purpose;
- accuracy and timeliness – the Administrator takes all reasonable measures to ensure that personal data which are inaccurate, taking into account the purposes for which they are processed, are deleted or corrected without delay;
- limited storage – personal data are stored in a form that allows data subjects to be identified for no longer than is necessary for the purposes for which the data are processed, provided the appropriate technical and organizational measures required by existing legislation are in place to guarantee the rights and freedoms of the data subject;
- integrity and confidentiality – personal data are processed in a manner that ensures their proper security, including their protection by means of appropriate technical or organizational measures against unauthorized or unlawful processing and against accidental loss, destruction or damage.
III. Customer’s rights
The Customer is entitled to the following information:
- information on processing purposes
- information on processed personal data
- information on processors
- information on the planned time period for which the personal data will be stored, or if it is not possible to determine it, the criteria used to determine that time
- specification of the legitimate interest of the Administrator or a third party in case the processing is based on this reason
- information on the source from which the personal data originated
The Customer is entitled to:
- access, correct, delete or limit the processing of processed personal data;
- object to such processing;
- lodge a complaint with the Supervisory Authority;
- withdraw their consent to the processing of personal data at any time with effect to the future;
- obtain confirmation from the Administrator as to whether their personal data are being processed;
- have the Administrator correct inaccurate personal data relating to them without undue delay. Taking into account the purposes of processing, the data subject has the right to have incomplete personal data completed;
- have the Administrator delete the data subject's personal data (including the right to be forgotten); the Administrator is obliged to delete the personal data without undue delay for the exhaustive reasons stated in the Regulation: (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the Customer withdraws consent to the processing of personal data and there is no further legal title to processing; (c) the Customer objects to processing and there are no overriding reasons for further processing; (d) the personal data have been processed unlawfully; (e) the personal data must be erased in order to comply with a legal obligation laid down by the EU or national legislation applicable to the Administrator; (f) the personal data have been gathered in connection with the provision of information society services. Details and exceptions to this right are governed by the Regulation;
- have the Administrator limit the processing in any of the following cases: (a) the data subject denies the accuracy of the personal data, for the time necessary for the Administrator to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject refuses the deletion of personal data and instead requests limitation of its use; (c) the Administrator no longer needs personal data for processing but the data subject requires them to identify, exercise or defend legal claims; (d) the data subject has objected to processing, until it is verified whether the legitimate reasons of the Administrator outweigh the legitimate reasons of the data subject;
- the portability of personal data, i.e., to obtain the personal data concerning them which they have provided to the Administrator in a structured, commonly used and machine-readable format and to pass these data to another administrator without hindrance from the Administrator to whom the personal data were provided, in case that: (a) the processing is based on consent or a contract, and (b) the processing is done automatically;
- object to the processing of personal data at any time. The Administrator will no longer process the personal data unless it can prove that there are serious legitimate reasons for the processing that outweigh the interests or rights and freedoms of the data subject, or reasons for the determination, exercise or defense of legal claims;
- not be the subject of any decision based exclusively on automated processing, including profiling, which has legal effects on them or similarly affects them. Exceptions and details are set out in the Regulation.
IV. Exercising the Customer’s rights with the Administrator
List of communication channels through which a customer request can be received and responded to:
- by e-mail: info@congusto.cz
- by post to: Con Gusto s.r.o., Údolní 532/76, 602 00 Brno
V. Sources of personal data
The Administrator acquires personal data of its customers especially from the customers themselves as part of the purchase, request for services, sending of the newsletter or reservations on https://www.tackarna.cz/.
Additionally, the Administrator obtains personal data on the basis of consent to the processing of personal data.
VI. Scope of processing
The Administrator and its contractual processors, following the relevant legal title and the purpose of processing, process the following personal data or categories of personal data:
- name, surname, business address, company ID, bank account number
- electronic contact details: telephone number, mobile phone number, e-mail address
- other electronic data: IP address, cookies, authentication certificates, social networking and communication platform identifiers (e.g., Skype).
VII. Processing of personal data
The Administrator processes the Customer’s personal data for the following legal reasons (titles):
- legitimate interest of the Administrator,
- performance of the contract,
- valid consent to the processing of personal data.
1. Administrator’s legitimate interest
The personal data will be processed in order to identify the parties and to perform the contract and for the purpose of recording contracts and possible future application and defense of the rights and obligations of the contracting parties. Such processing is permitted by Article 6 (1) (b) and (f) of the Regulation.
The personal data will be processed for the duration of the contractual relationship and further to the necessary extent for a period of 10 years from termination of the contractual relationship, unless it is required by another regulation to retain the contractual documentation for a longer period.
The processing of personal data is carried out by the Administrator, but the personal data can also be processed by these processors:
- Con Gusto s.r.o., Údolní 532/76, 602 00 Brno, Company ID: 04702557,
- the e-mail client provider,
- the relevant banking institution,
- possibly other providers of processing software, services and applications, which are not currently used by the Administrator.
Pursuant to the Regulation, the Customer is entitled to:
- ask the Administrator for information about what personal data it is processing,
- request access to these data and update or correct these data, or request limitation of the processing,
- request the deletion of such personal data,
- object to the processing where it is carried out on the basis of a legitimate interest,
- the portability of data and the right to request a copy of the processed personal data,
- file a complaint with the Office for Personal Data Protection and exercise the right to effective judicial protection if they believe that their rights under the Regulation have been breached as a result of the processing of their personal data in breach of the Regulation.
2. Performance of the contract
The Administrator processes the personal data of the data subjects for the purposes of the concluded Purchase Contract with the Customer. Usually, these are: name, surname, e-mail address, phone number.
The processing time is defined by the duration of the Customer’s contractual relationship with the Administrator.
3. Valid consent to the processing of personal data
In case the Administrator processes the Customer’s personal data for other purposes that cannot be subordinated to the legitimate interest or performance of the contract, it can only do so on the basis of valid consent to the processing of personal data by the Customer, which is an expression of the free will of the Customer and creates a specific title for such personal data handling.
The Customer grants their consent to the processing of personal data – processing of the e-mail address – by completing the form on https://www.tackarna.cz/.
The e-mail address will be processed for the purpose of its inclusion in the business messaging database.
The personal data will be processed for 3 years from the date of granting consent, unless you extend this period.
You can withdraw your consent at any time, for example, by sending a letter, an e-mail or by clicking on the link in the business message. Withdrawal of consent will result in the suspension of commercial communications.
The processing of personal data is carried out by the Administrator, but the personal data can also be processed by these processors:
- Con Gusto s.r.o., Údolní 532/76, 602 00 Brno, Company ID: 04702557,
- the e-mail client provider,
- possibly other providers of processing software, services and applications, which are not currently used by the Administrator.
Pursuant to the Regulation, the Customer is entitled to:
- ask the Administrator for information about what personal data it is processing,
- request access to these data and update or correct these data, or request limitation of the processing,
- request the deletion of such personal data,
- object to the processing where it is carried out on the basis of a legitimate interest,
- the portability of data and the right to request a copy of the processed personal data,
- file a complaint with the Office for Personal Data Protection and exercise the right to effective judicial protection if they believe that their rights under the Regulation have been breached as a result of the processing of their personal data in breach of the Regulation.
VIII. Processing method
Personal data are processed automatically and manually and may be made available to the Administrator’s employees if this is necessary for the fulfillment of their job responsibilities, to the processors with whom the Administrator has a contract on personal data processing and, if applicable, to another person in accordance with the Act and the Regulation.
IX. Personal data processors
The processing of personal data may be done by the processors for the Administrator solely on the basis of a contract on the processing of personal data, i.e., with guarantees of the organizational and technical security of these data and with the definition of the purpose of the processing, and the processors must not use the data for other purposes.
X. Data Protection
The Administrator works with the Customer’s data in other processing systems, and the data are protected by unique user names and passwords. The user names and passwords are stored on a personal computer of the Administrator, access to which requires a username and password.
The processing of personal data may be done by the processors for the Administrator solely on the basis of a contract on the processing of personal data, with guarantees of the organizational and technical security of these data and with the definition of the purpose of the processing, and the processors must not use the data for other purposes.
XI. Termination of handling
The Administrator terminates the handling of Customer data after termination of the contractual relationship, after expiry of the period specified in the consent to the processing of personal data or after forfeiture of the legitimate reasons for the archiving of personal data.
XII. Security breaches
In the event of a breach of security of data handling or data leakage, the Administrator shall promptly inform the Customer and the Office for Personal Data Protection within 24 hours.
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
This document outlines the principles and procedures for processing personal data, as well as related rights, in accordance with the above Regulation and Act No. 480/2004 Coll., on certain information society services, as amended.
I. Definitions
Personal Data: Any information relating to an identified or identifiable customer; an identifiable customer is a natural person who can be directly or indirectly identified, especially by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Controller: Con Gusto s.r.o. (hereinafter referred to as the “Controller”), the entity that determines the purposes and means of the processing of personal data, performs the processing, and is responsible for it. The Controller may authorize or assign a Processor to process personal data, unless otherwise provided by special law.
Processor: Any entity that processes personal data on behalf of the Controller, either based on a special law or under contract, according to the Regulation.
Data Subject (hereinafter “Customer”): A natural person (including self-employed individuals) to whom the personal data relate (e.g., potential, current or former customer).
II. Principles of Personal Data Processing
The Controller processes personal data in line with the following principles arising from the Regulation:
- Lawfulness, fairness, and transparency
- Purpose limitation – collected only for specific, explicit, and legitimate purposes
- Data minimization – adequate, relevant, and limited to what is necessary in relation to the purpose
- Accuracy – reasonable steps are taken to ensure that inaccurate data are corrected or deleted promptly
- Storage limitation – data are stored no longer than necessary, subject to technical and organizational safeguards
- Integrity and confidentiality – secured against unauthorized or unlawful processing and accidental loss, destruction, or damage
III. Customer Rights
The Customer has the right to:
- Know the purposes of data processing
- Know which personal data are being processed
- Know the identities of processors
- Know the planned storage period or criteria for determining it
- Know the legitimate interests of the Controller or third parties (if applicable)
- Know the source of the personal data
The Customer also has the right to:
- Access, correct, delete, or restrict the processing of their data
- Object to processing
- Lodge a complaint with a supervisory authority
- Withdraw consent at any time (effective only for the future)
- Obtain confirmation whether their data are being processed
- Have inaccurate personal data corrected or completed
- Request erasure (“right to be forgotten”) under specific legal grounds
- Request restriction of processing under certain conditions
- Data portability – receive their personal data in a structured, commonly used, machine-readable format
- Not be subject to decisions based solely on automated processing, including profiling
IV. Exercising Customer Rights
The Customer may contact the Controller via the following channels:
- Email: info@congusto.cz
- Postal address: Con Gusto s.r.o., Údolní 532/76, 602 00 Brno
V. Sources of Personal Data
The Controller collects personal data mainly from the Customer during purchases, service inquiries, newsletter subscriptions or reservations on www.tackarna.cz.
It may also be collected based on the Customer’s explicit consent.
VI. Scope of Processing
The Controller and authorized processors may process the following categories of personal data:
- Name, surname, business address, ID number, bank account number
- Contact data: phone number, mobile number, email address
- Other data: IP address, cookies, authentication certificates, social media or communication platform identifiers (e.g. Skype)
VII. Legal Basis for Processing
1. Legitimate Interest of the Controller
Data are processed for purposes of identifying contractual parties, contract performance, documentation, and defense of legal claims. The processing is based on Article 6(1)(b) and (f) of the Regulation.
Retention: for the duration of the contractual relationship and 10 years after its end (unless longer storage is required by law).
Processors may include:
- Con Gusto s.r.o.
- Email client providers
- Relevant banking institutions
- Other service/software providers (if used)
2. Contract Fulfillment
Data are processed to fulfill obligations from purchase contracts with Customers (typically: name, surname, email, phone number).
Duration: for the entire contractual period.
3. Valid Consent
When data are processed for other purposes (e.g., marketing), it is based on voluntary and informed Customer consent.
Example: email addresses submitted via www.tackarna.cz for receiving marketing communications.
Duration: 3 years from consent (can be extended or revoked at any time via email, mail, or unsubscribe link).
Processors are the same as above.
VIII. Processing Method
Data are processed both automatically and manually, and may be accessed by the Controller’s staff and authorized processors only if necessary.
IX. Processors
Processors act solely based on a contract with the Controller, with guarantees for technical and organizational protection and clear definition of processing purposes. They may not use data for other purposes.
X. Data Protection
The Controller protects data within processing systems using unique usernames and passwords, stored securely on the Controller’s computer.
Processors are contractually bound to data protection obligations.
XI. Termination of Processing
Data processing ends upon termination of the contractual relationship, expiration of consent, or absence of legal grounds for data retention.
XII. Data Breach Notification
In the event of a security breach or data leak, the Controller will notify the Customer and the Office for Personal Data Protection within 24 hours.