
III. Information for E-shop Customers – Business Entities (B2B)

Order Form

Purpose of personal data processing: Processing of personal data of customers – business entities through the order form on the e-shop for the purpose of sending a binding order for goods, concluding a distance purchase contract, and sending a confirmation of receipt of the order. The purpose also includes the processing of technical data necessary for the proper functioning of the ordering system (e.g., IP address, time, session identifier) and for proving the submission of the order as a legally binding proposal for the conclusion of a contract between business entities.

Data subjects or category of data subjects: Natural persons – entrepreneurs and natural persons acting on behalf of business entities who send a binding order for goods through the order form on the e-shop with the aim of concluding a distance purchase contract.

Category of personal data: Ordinary personal data.

List or scope of personal data: Personal data of a natural person – entrepreneur or a person acting on behalf of an entrepreneur: First name and last name, e-mail address, telephone number, registered office address (if a natural person – entrepreneur), delivery address (if different), IP address of the device from which the order was sent. Data concerning the business entity: Business name, ID No. (IČO), Tax ID / VAT ID (DIČ/IČ DPH), billing data, registered office or business premises address, delivery address (if different). Order data: Ordered goods, quantity, price, payment method, delivery method, order note, internal order identifier, date and time of order creation.

Legal basis for personal data processing: Lawfulness of personal data processing: The processing of personal data is necessary for the implementation of pre-contractual measures and for the fulfillment of the contractual relationship arising in connection with the creation and submission of a binding order through the order form. The processing is performed based on:

  • Art. 6 (1) (b) of the GDPR – implementation of pre-contractual measures and fulfillment of a purchase contract,

  • Art. 6 (1) (f) of the GDPR – legitimate interest of the controller in protecting legal claims, preventing fraud, and ensuring the proper functioning of the ordering system (IP address, technical logs, time records).

Statutory obligation of personal data processing: Processing of personal data based on a specific legal regulation is not performed.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

  • Speedweb s. r. o., ID No. (IČO): 46 845 682 – web hosting, domain, and infrastructure services, technical support, and service of the e-shop.

  • WIX.COM (UK) LIMITED, CN: 12576807 – email services.

Other authorized entities: Personal data may be provided to public authorities acting within their legal authorizations (e.g., control authorities, courts, law enforcement agencies).

Transfer to third countries: Personal data are not provided to third countries.

Transfer to international organizations: Personal data are not provided to international organizations.

Disclosure of personal data: The Controller does not disclose personal data.

Retention period of personal data / criterion for its determination: Personal data obtained through the order form are retained for the period necessary to fulfill the purpose for which they were obtained, and subsequently during the periods determined by specific legal regulations and the legitimate needs of the controller, as follows:

  • data necessary for processing the order – during the duration of the contractual relationship and for the period necessary to prove its fulfillment,

  • technical logs (IP address, time records) – 6 months, for the purposes of ensuring the proper functioning of the system and protecting legal claims,

  • data related to the order which subsequently become part of the accounting and tax documentation – according to the rules for personal data retention within the economic and accounting agenda of the Controller,

  • data related to legal claims – for the duration of the limitation periods according to general legal regulations.

After the expiry of the stated periods, personal data are securely disposed of or anonymized.

Instruction on the form of the requirement for the provision of personal data: The provision of personal data through the order form is necessary for sending the order and concluding a distance purchase contract. Without their provision, it is not possible to create, send, or process the order.

Source of personal data: Personal data are provided directly by the data subject through the order form on the e-shop.

Information on the existence of automated individual decision-making including profiling: The Controller declares that based on the provided personal data, no automated individual decision-making or profiling within the meaning of Article 22 of the GDPR Regulation occurs.

Purchase of Goods Through the E-shop

Purpose of personal data processing:

  1. Ordering, sale, and delivery of goods to the customer through the electronic store.

  2. Fulfillment of contractual obligations in connection with ordering, sale, and delivery of purchased goods through the electronic store.

  3. Realization of payment for goods purchased through the electronic store based on a contract with the customer and sending a payment confirmation.

  4. Sending a confirmation of receipt of the order and automatic information of the customer about the progress of its processing via e-mail (e.g., confirmation, change of status, expedition, delivery).

  5. Providing data to the carrier for the purpose of product delivery; the customer does not choose the carrier.

  6. Providing telephone and e-mail support to customers in connection with the order. Processing is necessary to ensure communication, resolving questions, and requests of the customer regarding the goods or delivery.

Data subjects or category of data subjects: Buyer, as a representative of a business entity (e.g., managing director, employee, contact person, person authorized to act on behalf of the company).

Category of personal data: Ordinary personal data.

List or scope of personal data: Personal data are processed exclusively to the extent of identification and contact data of natural persons acting on behalf of the business entity.

  • a) first name, last name, name and registered office of the business entity, workplace e-mail address, telephone number, delivery address (if different from the billing address), information about the ordered goods.

  • b) data as in point a) + data about the distribution progress and impossibility to deliver the shipment.

  • c) first name and last name (if necessary for payment), payment amount, date and time of payment, e-mail address (only for payment confirmation).

  • d) e-mail address, first name and last name of the representative.

  • e) first name, last name, delivery address, telephone number, e-mail address.

  • f) first name, last name, e-mail, telephone, order data, order history (if necessary to process the inquiry).

Legal basis for personal data processing: Lawfulness of personal data processing: The legal basis for processing is the performance of a contract according to Art. 6 (1) (b) of the GDPR. Processing is necessary for the conclusion and fulfillment of a distance purchase contract concluded through the electronic store.

Statutory obligation of personal data processing: For the purposes stated in this document, a specific statutory obligation according to Art. 6 (1) (c) of the GDPR does not apply.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

  • Speedweb s. r. o., ID No. (IČO): 46 845 682 – web hosting, domain, and infrastructure services, technical support, and service of the e-shop.

  • WIX.COM (UK) LIMITED, CN: 12576807 – email services.

  • Anna Žákovičová ŽAAN, ID No. (IČO): 30 347 424 – accounting and economic services.

Independent controllers:

  • Tatra banka, a.s., ID No. (IČO): 00 686 930 – banking services (non-cash payments).

Other authorized entity based on Art. 6 (1) (c) of Regulation (EU) 2016/679 (GDPR): Personal data may also be made available to public authorities and other authorized entities entitled to process them based on specific legal regulations, in particular the Financial Administration of the Slovak Republic (e.g., Tax Office), the Customs Office, the Slovak Trade Inspection (SOI), law enforcement agencies, courts, the Supreme Audit Office of the Slovak Republic, administrators of local taxes and fees (municipalities and cities), as well as an auditor or tax advisor, if they process personal data to the extent determined by the relevant legal regulations.

Transfer to third countries / international organizations: Personal data are not provided.

Disclosure of personal data: The Controller does not disclose personal data.

Retention period of personal data / criterion for its determination: Personal data will be retained for the duration of the contractual relationship and subsequently until the fulfillment of all contractual obligations resulting from the purchase-sale contract concluded at a distance, including:

  • processing of the order, delivery of goods, and provision of customer support,

  • expiry of the period for withdrawal from the contract,

  • processing of related communication.

After the fulfillment of individual purposes, personal data will be deleted, anonymized, or archived in accordance with legal regulations (e.g., Act No. 395/2002 Coll.), if necessary.

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is necessary for the conclusion and fulfillment of the distance purchase-sale contract between the customer and the e-shop operator.

Source of personal data: Personal data are obtained:

  • directly from the customer, i.e., from a natural person – entrepreneur or from a natural person acting on behalf of a business entity (e.g., managing director, employee, or other contact person) when creating an order through the electronic store or within subsequent communication with customer support,

  • from the orderer, if they provide personal data of another person, for example, the recipient of a shipment or a contact person authorized to take over the goods. In such a case, the orderer is responsible for being authorized to provide these data and for adequately informing the data subject about the processing of their personal data.

Information on the existence of automated individual decision-making including profiling: The Controller declares that based on the provided personal data, no automated individual decision-making including profiling within the meaning of Art. 22 of the GDPR occurs.

Price and Product Inquiries

Purpose of personal data processing: The purpose of personal data processing is the receipt, recording, and processing of a price or product inquiry of the data subject, which is directed towards assessing interest in the goods offered by the Controller and the preparation of an offer or a response before the conclusion of a contract. The processing of personal data serves in particular for:

  • providing information about the price, availability, and parameters of the goods (e.g., type of metal, purity, weight, size, variant of execution),

  • preparation of an individual or indicative price offer,

  • communication with a potential customer in the pre-contractual phase,

  • continuity of communication in the case of further questions.

The inquiry may be submitted through:

  • the contact form on the website,

  • e-mail communication,

  • telephone contact,

  • messages through the Messenger service on the Facebook and Instagram platforms.

Data subjects or category of data subjects: natural persons acting on behalf of a business entity (e.g., managing director, employee, contact person).

Category of personal data: Ordinary personal data.

List or scope of personal data:

  • name and surname (if provided),

  • e-mail address,

  • telephone number,

  • content of the inquiry (e.g., requested product, dimension, quantity, question about price),

  • technical data of communication (date and time of contact).

Legal basis for personal data processing: Lawfulness of personal data processing: Art. 6 (1) (b) of the GDPR Regulation – implementation of measures before the conclusion of a contract at the request of the data subject. The processing of personal data is necessary so that the Controller can respond to the inquiry of the data subject and prepare documents for the possible conclusion of a contract.

Statutory obligation of personal data processing: Processing of personal data based on a specific legal regulation is not performed.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

  • Speedweb s. r. o., ID No. (IČO): 46 845 682 – web hosting, domain, and infrastructure services, technical support, and service of the e-shop.

  • WIX.COM (UK) LIMITED, CN: 12576807 – email services.

Independent controllers (when communicating via social network): Meta Platforms Ireland Ltd. – operation of the social network Facebook and Instagram and the Messenger service.

Other authorized entity based on Art. 6 (1) (c) of Regulation (EU) 2016/679 (GDPR): Personal data may also be provided to public authorities that have legal authorization for their processing, e.g., control and supervisory authorities, courts, or law enforcement agencies. Supervisory authority for personal data protection: Office for Personal Data Protection of the Slovak Republic.

Transfer to third countries: When communicating through the Messenger service, transfer of personal data to third countries (e.g., USA) may occur, based on the European Commission's adequacy decision – EU–US Data Privacy Framework (DPF).

Transfer to international organizations: Personal data are not provided to international organizations.

Disclosure of personal data: The Controller does not disclose personal data.

Retention period of personal data / criterion for its determination:

  • for the period of processing the inquiry,

  • for a maximum of 6 months from the last communication if a contract is not concluded,

  • in the case of establishing a contractual relationship, personal data are further processed according to the relevant purpose (order / purchase of goods).

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is voluntary but necessary for processing the price or product inquiry. Without providing contact data, it is not possible to respond to the inquiry.

Source of personal data: Personal data are obtained directly from the data subject through the chosen communication channel.

Information on the existence of automated individual decision-making including profiling: During the processing of personal data, no automated individual decision-making or profiling within the meaning of Art. 22 of the GDPR Regulation occurs.

Economic and Accounting Agenda (Tax and Accounting Documents)

Purpose of personal data processing: Processing of personal data of the customer – business entity for the purposes of:

  1. Issuance and processing of invoices for purchased goods or services.

  2. Processing of other tax documents and bank statements (e.g., orders, documents on receipt of payment, credit notes, pro-forma invoices, confirmations of delivery).

  3. Receipt, processing, and recording of payments for ordered goods/services.

  4. Electronic delivery of invoices to the customer's e-mail.

  5. Recording of orders and their processing.

  6. Tax and accounting records in accordance with the relevant laws.

Data subjects or category of data subjects:

  • Customer – business entity,

  • Statutory body, representative, or other person authorized to act on behalf of the business entity.

Category of personal data: Ordinary personal data.

List or scope of personal data: Personal data necessary for the fulfillment of the purpose are processed:

  • Identification and billing data of the entrepreneur: business name, ID No. (IČO), Tax ID (DIČ), VAT ID (IČ DPH - if assigned), registered office or place of business, address of premises (if used for delivery), first and last name of the statutory body or other authorized person.

  • Contact data: e-mail address, telephone number.

  • Data on payments and transactions: bank account number (in case of transfer), amount, date, time of payment, variable symbol, payment method.

  • Data found in accounting documents: invoice number, invoice content, quantity and price of goods/services, maturity, data from the order, delivery data.

Legal basis for personal data processing: Lawfulness of personal data processing:

  • Art. 6 (1) (b) of the GDPR – fulfillment of a contract to which the data subject is a party, or to implement a measure before the conclusion of a contract based on the request of the data subject (order, payment, delivery, invoicing).

  • Art. 6 (1) (c) of the GDPR – according to a specific regulation or international treaty by which the Slovak Republic is bound (statutory obligation of the Controller).

Statutory obligation of personal data processing:

  • Act No. 431/2002 Coll. on Accounting as amended.

  • Act No. 222/2004 Coll. on Value Added Tax as amended.

  • Act No. 513/1991 Coll. Commercial Code as amended.

  • Act No. 595/2003 Coll. on Income Tax.

Recipients or category of recipients to whom personal data will be provided: Processors according to Art. 28 of the GDPR Regulation:

  • Anna Žákovičová ŽAAN, ID No. (IČO): 30 347 424 – accounting and economic services.

Independent controllers:

  • Tatra banka, a.s., ID No. (IČO): 00 686 930 – banking services (non-cash payments).

Other authorized entity based on Art. 6 (1) (c) of Regulation (EU) 2016/679 (GDPR): Personal data may also be made available to public authorities and other authorized entities entitled to process them based on specific legal regulations, in particular the Financial Administration of the Slovak Republic (e.g., Tax Office), the Customs Office, the Slovak Trade Inspection (SOI), law enforcement agencies, courts, the Supreme Audit Office of the Slovak Republic, administrators of local taxes and fees (municipalities and cities), as well as an auditor or tax advisor, if they process personal data to the extent determined by the relevant legal regulations.

Transfer to third countries / international organizations: Personal data are not provided.

Disclosure of personal data: The Controller does not disclose personal data.

Legitimate interest of the controller (according to Art. 6 (1) (f) of the GDPR): The Controller does not perform the processing of personal data based on legitimate interests.

Retention period of personal data / criterion for its determination: Personal data will be retained for the period determined by the relevant legal regulations, at least for a period of 10 years following the accounting period to which they relate, in accordance with Act No. 431/2002 Coll. on Accounting and Act No. 222/2004 Coll. on Value Added Tax as amended. After the expiry of this period, accounting documents and related personal data will be disposed of or anonymized in accordance with Act No. 395/2002 Coll. on Archives and Registries, as well as according to the internal registry rules of the controller.

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is a necessary condition for the conclusion and fulfillment of the contractual relationship, as well as for the fulfillment of the legal obligations of the Controller resulting from accounting and tax regulations. Failure to provide the required data will make it impossible to conclude the contract, process the order, and properly fulfill the legal obligations of the Controller.

Source of personal data:

  • Directly from the customer (entrepreneur or their representative) through the e-shop order form or subsequent business communication.

  • From public registers (Commercial Register, Trade Register, Financial Administration).

  • From accounting documents and bank statements when processing payments.

  • From payment service providers when implementing transactions.

  • From courier companies when delivering goods.

Information on the existence of automated individual decision-making including profiling: During the processing of personal data, no automated individual decision-making or profiling within the meaning of Art. 22 of the GDPR Regulation occurs.

Reporting a Defect in Goods or Services (Exercise of rights from responsibility for defects according to the Commercial Code)

Purpose of personal data processing:

  1. Recording and processing of exercised claims of buyers – entrepreneurs resulting from reporting a defect, including communication and informing the buyer about the progress of processing.

  2. Fulfillment of legal obligations of the controller related to reported defects.

  3. Proving fulfillment of the legal obligations of the controller when resolving reported defects, including proving of claims and resolution of related legal disputes.

Data subjects or category of data subjects:

  • Buyer – business entity that reports a defect according to the Commercial Code.

  • Statutory representatives, authorized contact persons, or other persons involved in the process of processing claims from reported defects.

Category of personal data: Ordinary personal data necessary for the fulfillment of legal obligations.

List or scope of personal data:

  • Buyer – business entity: Business name, ID No. (IČO), registered office address, first and last name of the statutory representative or contact person, work position, telephone, e-mail.

  • Data about the goods/service to which the reported defect relates (order number, invoice, description of the defect), communication records.

  • Persons involved in the process of processing the reported defect: First and last name, work position, or connection with the process. Data stated in the communication.

Legal basis for personal data processing: Lawfulness of personal data processing:

  • Art. 6 (1) (b) of the GDPR – performance of a contract.

  • Art. 6 (1) (c) of the GDPR – fulfillment of a statutory obligation resulting from the Commercial Code.

  • Art. 6 (1) (f) of the GDPR – legitimate interest of the controller (for the purposes of checking the correctness of processing and exercising claims for damages).

Statutory obligation of personal data processing: Commercial Code – Act No. 513/1991 Coll.

Recipients or categories of recipients of personal data when reporting a defect: Personal data may be provided or made available to the following recipients in accordance with applicable legal regulations: Processors according to Art. 28 of the GDPR Regulation:

  • Anna Žákovičová ŽAAN, ID No. (IČO): 30 347 424 – accounting and economic services.

Independent controllers:

  • Tatra banka, a.s., ID No. (IČO): 00 686 930 – banking services (non-cash payments).

  • Advocate or legal representative when resolving legal disputes related to defects in goods.

  • Entities involved in the process of processing reported defects (e.g., suppliers, manufacturers, experts, carriers).

  • Control authorities, courts, and law enforcement agencies (to the extent required by legal regulations).

Other authorized entity: An authorized entity according to Section 13 (1) (c) of Act No. 18/2018 Coll. on Personal Data Protection and the GDPR includes:

  • Control and supervisory authorities: Authorities, including the Office for Personal Data Protection, which may require access to personal data for control and supervisory tasks.

  • Courts and law enforcement agencies: Have access to personal data to the extent necessary for investigations, court proceedings, and legal processes.

  • Slovak Trade Inspection: Authority for supervision over consumer legislation, authorized to perform control of personal data.

  • Other legally authorized entities: State and public institutions with the power to process personal data based on law, such as tax offices and social security.

Transfer to third countries / international organizations: Personal data are not provided.

Disclosure of personal data: The Controller does not disclose personal data.

Legitimate interest of the controller (according to Art. 6 (1) (f) of the GDPR): The Controller processes personal data also based on a legitimate interest, which is the control of the correctness of processing reported defects, proving the fulfillment of legal obligations, and exercising or defending legal claims.

Retention period / criterion for its determination:

  • Personal data related to reported defects are retained for 5 years for potential disputes.

  • Documents related to reporting a defect (e.g., refund) are retained for 10 years according to the Act on Accounting (Act No. 431/2002 Coll.).

The Controller will process personal data only for the time necessary to achieve the purpose of processing in accordance with legal requirements. After the expiry of this period, the data will be securely deleted or anonymized unless they are needed for other legal purposes or for the fulfillment of legal obligations.

Instruction on the form of the requirement for the provision of personal data from data subjects: The provision of personal data is necessary for processing claims resulting from contractual relationships and related legal regulations. Failure to provide personal data may result in the impossibility of properly processing the exercised claim.

Obtaining personal data from sources other than the data subject: The main source of personal data is the data subject. In some cases, however, personal data may also be obtained from other sources, in particular third parties involved in the assessment or processing of the reported defect.

Information on the existence of automated individual decision-making including profiling: During the processing of personal data, no automated individual decision-making or profiling within the meaning of Art. 22 of the GDPR Regulation occurs.
