II. Information for E-shop Customers – Consumers (B2C)

Order Form

Purpose of personal data processing: Processing of personal data of consumers through the order form on the e-shop for the purpose of sending a binding order for goods, concluding a distance purchase contract, and sending a confirmation of receipt of the order. The purpose also includes the processing of technical data necessary for the proper functioning of the ordering system (e.g., IP address, time, session identifier) and for proving the submission of the order as a legally binding proposal for the conclusion of a purchase contract.

Data subjects or category of data subjects: Natural persons – consumers who send a binding order for goods through the order form on the e-shop, on the basis of which a distance purchase contract is concluded.

Category of personal data: Ordinary personal data.

List or scope of personal data: First name, last name, email address, telephone number, delivery address (street, number, city, postal code, state), billing address (if different), order content (goods, quantity, price), payment method (without processing payment card data), delivery method, order note, internal order identifier, date and time of order creation, IP address of the device from which the order was sent.

Legal basis for personal data processing: Lawfulness of personal data processing: The processing of personal data is necessary for the implementation of pre-contractual measures and for the fulfillment of the contractual relationship arising in connection with the creation and submission of a binding order through the order form on the e-shop. The processing of personal data is performed based on the following legal bases:

Art. 6 (1) (b) of the GDPR Regulation – implementation of pre-contractual measures at the request of the data subject and fulfillment of a distance purchase contract, in particular in connection with the receipt of an order, conclusion of a contract, its confirmation, and subsequent fulfillment,
Art. 6 (1) (f) of the GDPR Regulation – legitimate interest of the Controller consisting in ensuring the proper functioning of the ordering system, protecting the legal claims of the Controller and the data subject, preventing system misuse, and proving the submission of the order as a legally binding proposal for the conclusion of a purchase contract (processing of technical data such as IP address, time and system records).

Statutory obligation of personal data processing: Processing of personal data based on a specific legal regulation is not performed.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

Speedweb s. r. o., ID No. (IČO): 46 845 682 – web hosting, domain, and infrastructure services, technical support, and service of the e-shop
WIX.COM (UK) LIMITED, CN: 12576807 – email services
Anna Žákovičová ŽAAN, ID No. (IČO): 30 347 424 – accounting and economic services

Independent controllers:

Tatra banka, a.s., ID No. (IČO): 00 686 930 – banking services (non-cash payments)

Other authorized entities: Personal data may be provided to public authorities acting within their legal authorizations (e.g., control authorities, courts, law enforcement agencies).

Transfer to third countries: Personal data are not provided to third countries.

Transfer to international organizations: Personal data are not provided to international organizations.

Disclosure of personal data: The Controller does not disclose personal data.

Retention period of personal data / criterion for its determination: Personal data obtained through the order form are retained for the period necessary to fulfill the purpose for which they were obtained, and subsequently during the periods determined by specific legal regulations and the legitimate needs of the controller, as follows:

data necessary for processing the order – during the duration of the contractual relationship and for the period necessary to prove its fulfillment,
technical logs (IP address, time records) – 6 months, for the purposes of ensuring the proper functioning of the system and protecting legal claims,
data related to the order which subsequently become part of the accounting and tax documentation – according to the rules for personal data retention within the economic and accounting agenda of the Controller,
data related to legal claims – for the duration of the limitation periods according to general legal regulations. After the expiry of the stated periods, personal data are securely disposed of or anonymized.

Instruction on the form of the requirement for the provision of personal data: The provision of personal data through the order form is necessary for sending the order and concluding a distance purchase contract. Without their provision, it is not possible to create, send, or process the order.

Source of personal data: Personal data are provided directly by the data subject through the order form.

Information on the existence of automated individual decision-making including profiling: The Controller declares that based on the provided personal data, no automated individual decision-making or profiling within the meaning of Article 22 of the GDPR Regulation occurs.

Purchase of Goods Through the E-shop

Purpose of personal data processing:

Ordering, sale, and delivery of goods to the customer through the electronic store.
Fulfillment of contractual obligations in connection with ordering, sale, and delivery of purchased goods through the electronic store.
Ordering, sale, and delivery of goods through the electronic store in favor of another person designated by the customer.
Realization of payment for goods purchased through the electronic store based on a contract with the customer and sending a payment confirmation.
Sending a confirmation of receipt of the order and automatic information of the customer about the progress of its processing via e-mail (e.g., confirmation, change of status, expedition, delivery).
Providing data to the carrier for the purpose of product delivery; the customer does not choose the carrier.
Providing telephone and e-mail support to customers in connection with the order. Processing is necessary to ensure communication, resolving questions, and requests of the customer regarding the goods or delivery.

Data subjects or category of data subjects:

Customer – consumer (natural person) who made a purchase through the electronic store or placed an order.
Customer – consumer (natural person) whose data are processed for the purpose of fulfilling legal and contractual obligations.
Recipient of the shipment – a natural person who is not a party to the contract, but in whose favor the goods were ordered.
Customer – consumer (natural person) who made an order and realized payment.
Customer – consumer (natural person) to whom notifications about the status of the order are sent.
Customer – consumer (natural person) whose data are provided to the carrier.
Customer – consumer (natural person) who contacts the controller for the purpose of obtaining information or resolving a request related to the order.

Category of personal data: Ordinary personal data.

List or scope of personal data:

Ordering, sale, and delivery of goods to the customer: name, surname, delivery address, information about the ordered goods, telephone number, e-mail address.
Fulfillment of contractual and legal obligations: name, surname, delivery address, information about the ordered goods, telephone number, e-mail address.
Ordering, sale, and delivery of goods in favor of another person: name, surname, delivery address, information about the ordered goods, telephone number, e-mail address of the person to whom the shipment is to be delivered.
Realization of payment and sending of payment confirmation: name and surname (if required for payment purposes), payment amount, date and time of payment, e-mail address (only for the purpose of sending payment confirmation).
Sending confirmation of receipt of the order and automatic information about its processing: e-mail address.
Providing data to the carrier for the purpose of delivery of goods: name, surname, delivery address, telephone number, e-mail address.
Providing telephone and e-mail support in connection with the order: name, surname, telephone number, e-mail address, information about the ordered goods, order history (to the extent necessary to process the inquiry).

Legal basis for personal data processing: Lawfulness of personal data processing: Purposes a), b), d), e), f), g): The legal basis for processing is the performance of a contract according to Art. 6 (1) (b) of the GDPR. Processing is necessary for the conclusion and fulfillment of a distance purchase contract concluded through the electronic store. Purpose c): The legal basis is the legitimate interest of the controller according to Art. 6 (1) (f) of the GDPR, as the delivery of goods to a third person is determined by the customer.

Statutory obligation of personal data processing: For the purposes stated in this document, a specific statutory obligation according to Art. 6 (1) (c) of the GDPR does not apply.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

Speedweb s. r. o., ID No. (IČO): 46 845 682 – web hosting, domain, and infrastructure services, technical support, and service of the e-shop
WIX.COM (UK) LIMITED, CN: 12576807 – email services
Anna Žákovičová ŽAAN, ID No. (IČO): 30 347 424 – accounting and economic services

Independent controllers:

Tatra banka, a.s., ID No. (IČO): 00 686 930 – banking services (non-cash payments)

Other authorized entity based on Art. 6 (1) (c) of Regulation (EU) 2016/679 (GDPR): Personal data may also be made available to public authorities and other authorized entities that are entitled to process them based on specific legal regulations, in particular the Financial Administration of the Slovak Republic (e.g., Tax Office), the Customs Office, the Slovak Trade Inspection (SOI), law enforcement agencies, courts, the Supreme Audit Office of the Slovak Republic, administrators of local taxes and fees (municipalities and cities), as well as an auditor or tax advisor, if they process personal data to the extent determined by the relevant legal regulations.

Transfer to third countries: Personal data are not provided to third countries.

Transfer to international organizations: Personal data are not provided to international organizations.

Disclosure of personal data: The Controller does not disclose personal data.

Retention period of personal data / criterion for its determination: Personal data will be retained only for the period necessary to fulfill individual purposes of processing:

Order and delivery of goods: For the duration of the contractual relationship and fulfillment of all obligations, including the statutory period for withdrawal from the contract.
Fulfillment of legal obligations: For the period determined by the relevant legal regulations.
Delivery of goods to a third person: For the period necessary to deliver the order.
Payment and confirmation of payment: For the period necessary for the realization of the payment and archiving of the confirmation.
Order status and notifications: For the duration of the contractual relationship.
Data for the carrier: For the period necessary to ensure the delivery of the shipment to the carrier and processing of any delivery complaints.
Customer support: For the duration of the contractual relationship or until the resolution of the request. After the fulfillment of individual purposes, personal data will be deleted, anonymized, or archived in accordance with legal regulations (e.g., Act No. 395/2002 Coll.), if necessary.

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is necessary in individual cases as follows:

Purposes a), b), d), e), f), g): Contractual requirement The provision of personal data is required for the purposes of concluding and fulfilling a distance purchase-sale contract, including its delivery, payment processing, sending of notifications, and providing customer support. Failure to provide data will make it impossible to realize the order and deliver the goods.
Purposes c): Legitimate interest of the controller The provision of data of the person in whose favor the order is placed is not a statutory or contractual requirement, but it is necessary to ensure the delivery of goods to the correct recipient. Failure to provide recipient data may lead to the shipment not being delivered to the correct person.

Source of personal data: Personal data are provided directly by the data subject through the order form on the e-shop or within communication with customer support. In the event that the order is created in favor of a third person (e.g., delivery as a gift), the personal data of the recipient may be provided by the orderer. In such a case, the orderer is responsible for being authorized to provide these data and for informing the recipient about the processing of their personal data.

Information on the existence of automated individual decision-making including profiling: The Controller declares that based on the provided personal data, no automated individual decision-making including profiling within the meaning of Art. 22 of the GDPR occurs.

Price and Product Inquiries

Purpose of personal data processing: The purpose of personal data processing is the receipt, recording, and processing of a price or product inquiry of the data subject, which is directed towards assessing interest in the goods offered by the Controller and the preparation of an offer or a response before the conclusion of a contract. The processing of personal data serves in particular for:

providing information about the price, availability, and parameters of the goods (e.g., type of metal, purity, weight, size, variant of execution),
preparation of an individual or indicative price offer,
communication with a potential customer in the pre-contractual phase,
continuity of communication in the case of further questions. The inquiry may be exercised through:
the contact form on the website,
e-mail communication,
telephone contact,
messages through the Messenger service on the Facebook and Instagram platforms.

Data subjects or category of data subjects:

potential customers (natural persons),
natural persons who, in the pre-contractual phase, showed interest in the goods or price offer of the Controller.

Category of personal data: Ordinary personal data.

List or scope of personal data:

name and surname (if provided),
e-mail address,
telephone number,
content of the inquiry (e.g., requested product, dimension, quantity, question about price),
technical data of communication (date and time of contact).

Legal basis for personal data processing: Lawfulness of personal data processing: Art. 6 (1) (b) of the GDPR Regulation – implementation of measures before the conclusion of a contract at the request of the data subject. The processing of personal data is necessary so that the Controller can respond to the inquiry of the data subject and prepare documents for the possible conclusion of a contract.

Statutory obligation of personal data processing: Processing of personal data based on a specific legal regulation is not performed.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

Speedweb s. r. o., ID No. (IČO): 46 845 682 – web hosting, domain, and infrastructure services, technical support, and service of the e-shop
WIX.COM (UK) LIMITED, CN: 12576807 – email services

Independent controllers (when communicating via social network): Meta Platforms Ireland Ltd. – operation of the social network Facebook and Instagram and the Messenger service.

Other authorized entity based on Art. 6 (1) (c) of Regulation (EU) 2016/679 (GDPR): Personal data may also be provided to public authorities that have legal authorization for their processing, e.g., control and supervisory authorities, courts, or law enforcement agencies. Supervisory authority for personal data protection: Office for Personal Data Protection of the Slovak Republic.

Transfer to third countries: When communicating through the Messenger service, transfer of personal data to third countries (e.g., USA) may occur, based on the European Commission's adequacy decision – EU–US Data Privacy Framework (DPF).

Transfer to international organizations: Personal data are not provided to international organizations.

Disclosure of personal data: The Controller does not disclose personal data.

Retention period of personal data / criterion for its determination:

for the period of processing the inquiry,
for a maximum of 6 months from the last communication if a contract is not concluded,
in the case of establishing a contractual relationship, personal data are further processed according to the relevant purpose (order / purchase of goods).

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is voluntary, however, necessary for processing the price or product inquiry. Without providing contact data, it is not possible to respond to the inquiry.

Source of personal data: Personal data are obtained directly from the data subject through the chosen communication channel.

Information on the existence of automated individual decision-making including profiling: During the processing of personal data, no automated individual decision-making or profiling within the meaning of Art. 22 of the GDPR Regulation occurs.

Economic and Accounting Agenda (Tax and Accounting Documents)

Purpose of personal data processing:

Issuance and processing of invoices for purchased goods or services.
Processing of other tax documents and bank statements (e.g., orders, documents on receipt of payment, credit notes, pro-forma invoices, confirmations of delivery).
Receipt, processing, and recording of payments for ordered goods/services.
Electronic delivery of invoices to the customer's e-mail.
Recording of orders and their processing.
Tax and accounting records in accordance with the relevant laws.

Data subjects or category of data subjects: Customer (consumer) – a natural person who:

placed an order,
is the recipient of goods or services,
realizes or realized payment.

Category of personal data: Ordinary personal data.

List or scope of personal data: The Controller processes only those personal data that are necessary for the fulfillment of individual purposes, in particular: Basic identification and contact data:

name, surname, title,
billing address (residence),
delivery address (if different from the billing address),
e-mail address,
telephone number. Payment data (only if necessary):
bank account number,
amount, date, time of payment, variable symbol,
payment method (e.g., payment gateway, bank transfer, cash on delivery – cash or payment card). Data in accounting documents:
invoice number, description and quantity of goods/services, maturity, order content.

Legal basis for personal data processing: Lawfulness of personal data processing:

Art. 6 (1) (b) of the GDPR – fulfillment of a contract to which the data subject is a party, or to implement a measure before the conclusion of a contract based on the request of the data subject (order, payment, delivery, invoicing).
Art. 6 (1) (c) of the GDPR – according to a specific regulation or international treaty by which the Slovak Republic is bound (statutory obligation of the Controller).

Statutory obligation of personal data processing:

Act No. 431/2002 Coll. on Accounting as amended.
Act No. 222/2004 Coll. on Value Added Tax as amended.
Act No. 513/1991 Coll. Commercial Code as amended.
Act No. 595/2003 Coll. on Income Tax.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

Anna Žákovičová ŽAAN, ID No. (IČO): 30 347 424 – accounting and economic services Independent controllers:
Tatra banka, a.s., ID No. (IČO): 00 686 930 – banking services (non-cash payments)

Other authorized entity based on Art. 6 (1) (c) of Regulation (EU) 2016/679 (GDPR): Personal data may also be made available to public authorities and other authorized entities entitled to process them based on specific legal regulations, in particular the Financial Administration of the Slovak Republic (e.g., Tax Office), the Customs Office, the Slovak Trade Inspection (SOI), law enforcement agencies, courts, the Supreme Audit Office of the Slovak Republic, administrators of local taxes and fees (municipalities and cities), as well as an auditor or tax advisor, if they process personal data to the extent determined by the relevant legal regulations.

Transfer to third countries / international organizations: Personal data are not provided.

Disclosure of personal data: The Controller does not disclose personal data.

Legitimate interest of the controller (according to Art. 6 (1) (f) of the GDPR): The Controller does not perform the processing of personal data based on legitimate interests.

Retention period of personal data / criterion for its determination: Personal data are retained for at least 10 years after the end of the accounting period to which they relate, in accordance with Act No. 431/2002 Coll. on Accounting and Act No. 222/2004 Coll. on VAT. After the expiry of the period, the data will be disposed of or anonymized according to Act No. 395/2002 Coll. on Archives and Registries and the internal registry rules of the controller.

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is a necessary condition for the conclusion and fulfillment of the contractual relationship with the consumer, as well as for the fulfillment of the legal obligations of the Controller resulting from accounting and tax regulations. Failure to provide the required data will make it impossible to conclude the contract, process the order, and properly fulfill the legal obligations of the Controller.

Source of personal data: Personal data are obtained in particular:

directly from the customer through the order form of the e-shop, which serves as the primary source of data for issuing an invoice and related accounting documents,
from subsequent communication with the customer (e.g., supplementing data or changing data on the invoice),
from bank statements (data on the received payment),
from the payment gateway (information on a successful/failed transaction),
from the carrier (e.g., confirmation of shipment delivery, which may be an accounting document),
from the accounting system, within the processing of accounting documents according to the law.

Information on the existence of automated individual decision-making including profiling: The Controller declares that based on the provided personal data, no automated individual decision-making including profiling within the meaning of Article 22 of the GDPR occurs.

Reporting a Defect in Goods or Services (Consumer)

Purpose of personal data processing:

Processing of personal data in connection with reporting a defect in goods or services.
Recording and processing of the buyer's claims resulting from reporting a defect according to the Civil Code, including communication and informing the buyer about the progress of their processing.
Ensuring fulfillment of the legal obligations of the controller in connection with reported defects.
Proving fulfillment of the legal obligations of the controller when resolving reported defects, including potential proving of claims and resolution of related legal disputes.

Data subjects or category of data subjects:

Buyer (consumer) who reports a defect.
Persons involved in the process of processing claims from reported defects.

Category of personal data: Ordinary personal data necessary for the fulfillment of legal obligations.

List or scope of personal data:

Name and surname, address, telephone, e-mail. Data about defective goods/service (order number, invoice, description of the defect). Communication records.
Name and surname, connection with the process of processing reported defects, data stated in the communication.

Legal basis for personal data processing: Lawfulness of personal data processing:

Art. 6 (1) (b) of the GDPR – fulfillment of a contract to which the data subject is a party, or to implement a measure before the conclusion of a contract based on the request of the data subject – according to Section 13 (1) (b) of the PDPA.
Art. 6 (1) (c) of the GDPR – according to a specific regulation or international treaty by which the Slovak Republic is bound (statutory obligation of the Controller).

Statutory obligation of personal data processing: Act No. 40/1964 Coll. Civil Code.

Recipients or categories of recipients of personal data when reporting a defect: Personal data may be provided or made available to the following recipients in accordance with applicable legal regulations: Processors according to Art. 28 of the GDPR:

DaisyGroupes s.r.o., ID No. (IČO): 45 366 543 – accounting and economic services. Independent controllers – payment and banking services:
Trust Pay, a.s., ID No. (IČO): 36 865 800 – payment gateway,
Slovenská sporiteľňa, a.s., ID No. (IČO): 00 151 653 – banking services.
Advocate or legal representative when resolving legal disputes related to defects in goods.
Entities involved in the process of processing reported defects (e.g., suppliers, manufacturers, experts, carriers).

Other authorized entity: An authorized entity according to Section 13 (1) (c) of Act No. 18/2018 Coll. on Personal Data Protection and GDPR, includes:

Control and supervisory authorities: Authorities, including the Office for Personal Data Protection, which may require access to personal data for control and supervisory tasks.
Courts and law enforcement agencies: Have access to personal data to the extent necessary for investigations, court proceedings, and legal processes.
Slovak Trade Inspection: Authority for supervision over consumer legislation, authorized to perform control of personal data.
Other legally authorized entities: State and public institutions with the power to process personal data based on law, such as tax offices and social security.

Transfer to third countries / international organizations: Personal data are not provided.

Disclosure of personal data: The Controller does not disclose personal data.

Legitimate interest of the controller (according to Art. 6 (1) (f) of the GDPR): The Controller does not perform the processing of personal data based on legitimate interests.

Retention period / criterion for its determination:

Personal data related to reported defects are retained for 5 years for potential disputes.
Documents related to reporting a defect (e.g., refund) are retained for 10 years according to the Act on Accounting (Act No. 431/2002 Coll.).

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is necessary for processing claims resulting from contractual relationships and related legal regulations. Failure to provide personal data may result in the impossibility of properly processing the exercised claim.

Obtaining personal data from sources other than the data subject: The main source of personal data is the data subject. In some cases, however, personal data may also be obtained from other sources, in particular third parties involved in the assessment or processing of the reported defect.

Information on the existence of automated individual decision-making including profiling: The Controller declares that based on the obtained personal data, no automated individual decision-making including profiling occurs.

Withdrawal from the Purchase Contract by the Consumer

Purpose of personal data processing: The purpose of personal data processing is:

receipt and recording of the notice of withdrawal from the purchase contract by the consumer,
identification of the consumer and the order to which the withdrawal relates,
processing of the withdrawal from the contract within the statutory period,
ensuring the return of the purchase price to the consumer,
fulfillment of the obligations of the Controller resulting from legal regulations on consumer protection. The processing of personal data takes place in connection with the exercise of the consumer's right to withdraw from a contract concluded at a distance within 14 days of taking over the goods.

Data subjects or category of data subjects: Consumers who withdrew from a purchase contract concluded through the e-shop of the Controller.

Category of personal data: Ordinary personal data.

List or scope of personal data:

name and surname,
address of permanent or correspondence residence,
telephone number,
e-mail address,
order number,
date of taking over the goods,
identification of the returned goods (product code, name, number of pieces),
bank connection (IBAN, possibly SWIFT code) for the purpose of returning funds,
signature of the consumer (in case of written withdrawal),
date of exercising the withdrawal.

Legal basis for personal data processing: Lawfulness of personal data processing:

Art. 6 (1) (b) of the GDPR Regulation – performance of a contract and implementation of measures before its termination,
Art. 6 (1) (c) of the GDPR Regulation – fulfillment of a statutory obligation of the Controller.

Statutory obligation of personal data processing:

Act No. 108/2024 Coll. on Consumer Protection,
Act No. 40/1964 Coll. Civil Code,
Regulation (EU) 2016/679 (GDPR).

Recipients or categories of recipients of personal data: Personal data may be provided to:

banking institutions ensuring the return of funds (non-cash transfer),
accounting processor of the Controller to the extent necessary for accounting and tax purposes. Personal data are not provided to any other third persons for their own purposes.

Other authorized entity: An authorized entity according to Section 13 (1) (c) of Act No. 18/2018 Coll. on Personal Data Protection and GDPR, includes:

Control and supervisory authorities: Authorities, including the Office for Personal Data Protection, which may require access to personal data for control and supervisory tasks.
Courts and law enforcement agencies: Have access to personal data to the extent necessary for investigations, court proceedings, and legal processes.
Slovak Trade Inspection: Authority for supervision over consumer legislation, authorized to perform control of personal data.
Other legally authorized entities: State and public institutions with the power to process personal data based on law, such as tax offices and social security.

Transfer to third countries / international organizations: Personal data are not provided.

Disclosure of personal data: The Controller does not disclose personal data.

Legitimate interest of the controller (according to Art. 6 (1) (f) of the GDPR): The Controller does not perform the processing of personal data based on legitimate interests.

Retention period / criterion for its determination: Personal data are retained:

for the period of processing the withdrawal from the contract,
subsequently for the period required by specific legal regulations, in particular the Act on Accounting and tax regulations (minimum 10 years after the year to which the documents relate).

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is a statutory and contractual requirement. Without providing the necessary data, it is not possible to properly process the withdrawal from the purchase contract or return the funds to the consumer.

Source of personal data: Personal data are obtained:

directly from the consumer through the withdrawal form,
from the internal order system of the Controller.

Information on the existence of automated individual decision-making including profiling: The Controller declares that during the processing of personal data for the purposes of withdrawal from the purchase contract, no automated individual decision-making or profiling according to Art. 22 of the GDPR occurs.