Basic Principles of Personal Data Protection
I. General Provisions
- The data controller, in accordance with Article 4, point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR"), is the company PSK Cosmetic s.r.o., registered at Pardubická 327, 53701, Chrudim, ID No. 08875901, registered in the Commercial Register under file No. C 45256 at the Regional Court in Hradec Králové (hereinafter: "controller").
- Contact details of the controller:
Address: Pardubická 327, Chrudim, Czech Republic
E-mail: info@blackfinstore.cz
Phone: 608 524 545
- Personal data refers to any information about an identified or identifiable natural person; an identifiable natural person is one who can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors relating to their physical, physiological, genetic, mental, economic, cultural, or social identity.
- The controller has not appointed a Data Protection Officer.
II. Sources and Categories of Processed Personal Data
- The controller processes personal data that you have provided or personal data obtained based on the fulfillment of your order, including:
- Name, surname, title
- E-mail address
- Phone number
- Permanent residence address
- IP address
- Bank or payment account number
- The controller processes your identification and contact details, as well as data necessary for contract fulfillment.
III. Legal Basis and Purpose of Personal Data Processing
- The legal basis for processing personal data includes:
- Performance of the contract between you and the controller under Article 6(1)(b) GDPR,
- Legitimate interest of the controller in providing direct marketing (especially for sending commercial communications and newsletters) under Article 6(1)(f) GDPR,
- Your consent to the processing of data for direct marketing purposes (especially for sending commercial communications and newsletters) under Article 6(1)(a) GDPR.
- The purposes of processing personal data are:
- Processing your order and fulfilling the rights and obligations arising from the contractual relationship between you and the controller. When placing an order, personal data necessary for the successful processing of the order (name, address, contact) are required. Providing personal data is a necessary requirement for concluding and fulfilling the contract. Without providing personal data, the contract cannot be concluded or fulfilled by the controller.
- Sending commercial communications and carrying out other marketing activities if you have given consent for this purpose.
- The controller does not engage in automated individual decision-making as defined in Article 22 GDPR.
IV. Data Retention Period
- The controller retains personal data:
- For the period necessary to exercise rights and obligations arising from the contractual relationship and to assert claims from these relationships (for 15 years after contract termination).
- Until consent for processing for marketing purposes is revoked, but no longer than 10 years if the data is processed based on consent.
- After the retention period expires, the controller deletes the personal data.
V. Recipients of Personal Data (Controller's Subcontractors)
- Recipients of personal data include:
- Individuals involved in goods/service delivery and payment processing based on a contract
- Providers of e-shop operations and related services for blackfinstore.cz
- Server and email client administrators
- Customer program administrators
- Marketing service providers
- Legal advisors
- Accountants and tax consultants
- Entities analyzing website traffic data
- Entities ensuring adequate security and integrity of services and websites, including security testing
- The controller does not intend to transfer personal data to third countries (outside the EU) or international organizations, except for Google for the collection of "cookies" (see Section VIII of this policy).
- The controller is also legally required to provide personal data to administrative, tax, law enforcement, and judicial authorities.
VI. Your Rights
- Under GDPR, you have the right to:
- Access your personal data (Article 15 GDPR)
- Rectify personal data (Article 16 GDPR) or restrict processing (Article 18 GDPR)
- Erase personal data (Article 17 GDPR)
- Object to processing (Article 21 GDPR)
- Data portability (Article 20 GDPR)
- Withdraw consent for processing by written or electronic request to the controller’s contact details provided in Section III. Withdrawal of consent does not affect processing based on a legal ground other than consent.
- Restrict processing of personal data
- Be informed about corrections, erasures, or processing restrictions
- Not be subject to automated individual decision-making, including profiling
- Be notified of personal data security breaches and the controller's obligation to inform you of such breaches
- You also have the right to lodge a complaint with the Office for Personal Data Protection if you believe your rights under GDPR have been violated.
VII. Conditions of Personal Data Security
- The controller declares that appropriate technical and organizational measures have been taken to secure personal data.
- The controller has implemented technical measures to secure data storage and personal data records in physical form.
- The controller declares that access to personal data is granted only to authorized persons.
VIII. Cookies
- The purpose of processing visitor data through cookies is data collection for Google Analytics. Information about website usage, along with cookie content, will be transferred and stored on Google’s servers in the USA. Google uses this information to evaluate website usage, generate reports on site activity for operators, and provide other services related to website and internet usage. Google may also provide this information to third parties if required by law or if such third parties process the information for Google.
- For more details on data processing and usage, refer to Google’s terms. To block anonymous statistics via Google Analytics, you can use a plugin provided by Google: https://tools.google.com/dlpage/gaoptout. This plugin must be downloaded and installed in your browser. Personal data collected by Google Analytics is stored exclusively by Google and is not stored by the controller.
VIII. Final Provisions
- By submitting an order via the online order form, you confirm that you have read the personal data protection terms and that you fully accept them.
- You confirm your acknowledgment of these terms by checking the consent box via the online form. By checking the consent box, you confirm that you have read the personal data protection terms and that you fully accept them.
- You also confirm your acknowledgment of these terms by accepting a contract, agreement, or application that explicitly refers to these terms.
- The controller is entitled to amend these terms. The new version of the personal data protection terms will be published on the controller’s website and will also be sent to your email address, which you have provided to the controller.
This policy is effective as of January 1, 2023.