GDPR
Personal data processing policies of ROS'S BAZAAR sro
1. Personal data controller
The controller of personal data is the company ROS'S BAZAAR sro, with its registered office at Olomoucká 715, 751 01 Tovačov, Company ID: 08658277, entered in the Commercial Register kept by the Regional Court in Ostrava, Section C, Insert 80292 (hereinafter referred to as the "Controller") as the operator of the online store located at the internet address https://www.babyross.cz (hereinafter referred to as the "e-shop").
The administrator processes, within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the "GDPR Regulation"), personal data of e-shop visitors, registered users and customers who have placed an order.
According to the GDPR, processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The administrator has not appointed a data protection officer.
Administrator contact details:
ROS'S BAZAAR sro
Registered office: Olomoucká 715, 751 01 Tovačov
Office: Horní náměstí 407/27, 779 00 Olomouc
ID: 08658277
Email: eshop@babyross.cz
Phone: +420 777 477 827
2. Scope of personal data processing
2.1 Personal data processed
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The administrator processes the personal data of e-shop visitors, registered users, and customers who have placed an order on the e-shop (hereinafter referred to as the "data subject").
The administrator processes the following personal data:
• first and last name,
• date of birth,
• billing address,
• delivery address,
• email address,
• phone number,
• IP address or other network identifiers, if applicable,
• cookies,
• other data provided as part of communication between the customer/website visitor/registered user and the administrator.
For a natural person doing business:
• identification number (IČO),
• tax identification number (TIN),
• the registered office of the entrepreneur.
2.2 Sources of processed personal data
The Administrator processes personal data provided by the data subject or obtained based on the fulfillment of an order or automatically by the data subject visiting the e-shop (e.g. the IP address of the device user). The Administrator processes personal data necessary for the fulfillment of its obligations.
The Administrator obtains personal data in the following way:
• by filling out the order form in the e-shop,
• by filling out the registration form in the e-shop,
• registration carried out directly at the administrator's branch,
• automatically by visiting the e-shop,
• when communicating with the data subject.
2.3 Purpose of processing personal data
The personal data of the data subject is processed by the controller for the following reasons:
a) Performance of the contract
The personal data of the data subject are processed by the controller primarily for the purposes of processing the order and fulfilling the purchase contract. This data is necessary for:
• receipt and confirmation of the order,
• matching payment with order,
• issuing an invoice,
• delivery of ordered goods,
• resolving any complaints and returning goods,
• debt collection,
• communication between the data subject and the controller.
b) Fulfillment of legal obligations
The administrator further processes personal data for the purpose of fulfilling legal obligations, as well as for accounting and tax purposes.
c) Customer record keeping
The administrator further processes the personal data of the data subject for the purposes of maintaining customer records, which applies in particular to registered users in the e-shop.
d) Marketing purposes
The administrator also processes personal data for marketing purposes, specifically for:
• sending email newsletters about new products, ongoing promotions and discount codes,
• sending SMS messages with discount codes and other important messages,
• personalized postal items as part of a registered membership in the e-shop,
• inclusion in competitions announced on the administrator's e-shop or social networks.
The controller is entitled to send marketing communications about its own products or services to the data subject, if he is a customer of the controller, on the basis of the controller's legitimate interest in creating new business opportunities, i.e. without prior consent.
In the event that the data subject is not a customer of the controller, marketing communications are sent to him/her only with his/her prior consent.
In all cases, the data subject may opt out of receiving marketing communications in the manner set out below in Section 5.2 of this Policy.
3. Recipients of personal data
All personal data is processed and used by the administrator exclusively within the company, to the extent necessary. The administrator protects this data from misuse and does not provide it to third parties without your prior notice or consent.
The following categories of recipients are exceptions:
3.1 Service providers
For all service providers, the controller contractually requires that the personal data of the data subject be processed in accordance with applicable legislation.
The administrator shares personal data with external companies that provide the following services:
a) payment service provider for the purpose of processing payments and any refunds
The payment gateway provider is Global payments Europe sro, with its registered office at V Olšinách 626/80, 100 00 Strašnice. More information about the GPwebpay payment gateway can be found at: https://www.gpwebpay.cz/.
b) selected carriers for the purpose of delivering the ordered goods
If the data subject has chosen to have the goods delivered via a selected carrier, the data subject's personal data are also transferred by the controller to this carrier and processed to the necessary extent.
The administrator allows goods from the e-shop to be delivered via the following carriers:
Zásilkovna sro, with its registered office at Českomoravská 2408/1a, Libeň, 190 00 Prague 9, Company ID: 28408306. More information about this carrier can be found at: https://www.zasilkovna.cz/.
PPL CZ sro, with registered office at: K Borovému 99, Jažlovice, 251 01 Říčany, ID: 25194798. More information about this carrier can be found at: https://www.ppl.cz/.
c) a company providing commercial communications
ECOMAIL.CZ, sro, with its registered office at Na Zderaze 1275/15, 120 00 Prague 2, company ID: 027 62 943. More information about the Ecomail marketing platform can be found at: https://ecomail.cz/.
d) the company responsible for the creation and operation of our e-shop
MONSTER MEDIA, sro, with its registered office at Šaldova 9, 186 00, Prague 8 – Karlín, Company ID: 04251849. More information about this company can be found at: https://monstermedia.cz/
e) accountant for the purpose of processing and maintaining the administrator's accounts
Švára & Stříž, tax office, sro, with its registered office at 17. listopadu 1230/8a, 779 00 Olomouc, ID: 21135771.
3.2 Public authorities
If required by law, the personal data of the data subject may also be disclosed to public authorities. The processing of personal data by such public authorities must be in accordance with the applicable data protection rules for the purposes of the processing.
4. Period of processing of personal data
The administrator processes and stores personal data for the period strictly necessary to ensure all rights and obligations arising from the contractual relationship, i.e. for the duration of the order processing, including any complaints, and for a period of 3 years from the implementation of the last part of the performance under the contract, so that the administrator is able to protect its rights and handle complaints and any claims after the limitation period.
In accordance with the law, the administrator keeps accounting documents for 5 years and tax documents for 10 years.
The administrator processes personal data processed within the framework of registered membership in the e-shop for the duration of the registered membership of the data subject. In the event of cancellation of the registered membership, the administrator will delete the personal data or will not use them for the purposes for which the data subject has consented to their processing (e.g. consent to sending marketing communications). The administrator continues to process and store the personal data provided within the framework of registered membership in the e-shop to the extent necessary and for the period strictly necessary to ensure all rights and obligations arising from the contractual relationship, i.e. for the duration of the processing of the registered member's orders, including any complaints, and for a period of 3 years from the implementation of the last part of the performance under the contract.
The controller stores personal data processed for marketing purposes until consent is revoked or objection is expressed to such processing.
5. Data subject rights in relation to the protection of personal data
5.1 Individual rights of the data subject
The data subject has the following rights under the GDPR:
a) Right of access to personal data – the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and if so, he or she has the right to access such personal data.
b) Right to rectification – the data subject has the right to have the controller correct inaccurate personal data concerning him or her without undue delay.
c) Right to erasure ("right to be forgotten") - the data subject has the right to have the controller erase all personal data that the controller records about the data subject without undue delay. In the event that there is another reason that authorizes or obliges the controller to process personal data (e.g. obligations arising from the Accounting Act), erasure cannot be performed.
d) Right to restriction of processing – the data subject has the right to obtain from the controller restriction of processing in any of the following cases:
• if the data subject disputes the accuracy of the data and the controller needs to verify the data subject's communication;
• if the controller processes personal data unlawfully, but the data subject does not wish the controller to erase these personal data and instead requests only the restriction of processing;
• if the controller no longer needs the personal data, but the data subject requests their retention for the exercise of their legal claims;
• if the data subject objects to the processing, until the controller verifies whether it will continue to process the personal data in his or her important interests or will stop processing them.
e) Right to data portability – the data subject has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format and the right to transmit such data to another controller or to designate a controller to whom the personal data are to be transmitted, provided that the controller consents to the transmission.
f) Right to object – the data subject has the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data concerning him or her.
g) Right not to be subject to automated individual decision-making – the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which would produce legal effects for the data subject or would similarly significantly affect him or her.
h) Right to withdraw consent – if processing is based on consent, the data subject has the right to withdraw this consent at any time.
5.2 Options for withdrawing consent
a) Withdrawal of consent to receiving marketing communications
If the data subject has given consent to the sending of marketing communications, the data subject may withdraw it at any time in the following ways:
• by clicking on the unsubscribe link in the email newsletter,
• by clicking on the link in the SMS message,
• by sending an e-mail to eshop@babyross.cz with a request to stop sending marketing communications,
• by other available means that allow the withdrawal of consent to reach the administrator (e.g. via a postal service provider, data message, etc.).
b) Withdrawal of consent to the processing of personal data
The data subject has the right to withdraw consent to the processing of personal data at any time, even in other cases where the data subject has granted such consent.
5.3 Exercise of rights and complaints
The data subject may exercise his or her rights via the contact details of the controller specified above in point 1 of these principles.
If the data subject is convinced that the administrator is not handling his or her data adequately and in accordance with legal standards, the data subject has the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, more at: https://uoou.gov.cz/.
6. Profiling and automated processing
When making a purchase on the e-shop, the administrator processes information about the customers' purchasing behavior. In this way, the administrator is able to determine the customers' shopping preferences and estimate possible future purchasing patterns.
This processing is carried out exclusively in an automated manner and does not affect the rights of the data subject in any way. Since the algorithm automatically evaluates customer behavior on the website, the administrator is able to create a personalized offer of goods.
No decision is made on the basis of this processing that would have legal effects on the data subject or would similarly significantly affect him/her.
7. Cookies
7.1 What are cookies?
Cookies are small text files that are stored on the device (computer, tablet, smartphone) through which the data subject visits the e-shop. If the data subject does not delete the cookies after leaving the site, they are reused during subsequent visits by the data subject.
7.2 Purpose of using cookies
The administrator uses cookies to improve the functionality of the e-shop and simplify the data subject's visit, in particular for:
• saving preferences and settings that allow the website to function properly,
• login and authentication – so that the data subject is not forced to repeatedly enter login details,
• security – the administrator uses cookies to detect fraud and misuse of the administrator's website,
• analysis – using cookies, the administrator collects data for analytical tools,
• marketing – the administrator uses cookies to evaluate marketing campaigns,
• social networks – through cookies, the data subject can share content from the e-shop on social networks.
Based on cookies, the administrator is not able to identify specific individuals.
7.3 Refusal to use cookies
The website can also be used in a mode that does not allow the collection of data on the behavior of website visitors. Common internet browsers allow you to disable cookies in their settings. The data subject can find more information in the help of the internet browser.
If an e-shop visitor objects to the processing of technical cookies necessary for the functioning of the website, the full functionality and compatibility of the website on which the e-shop is operated cannot be guaranteed.
8. Conditions for the security of personal data
8.1 Technical and organizational measures
The Administrator declares that it has taken all appropriate technical and organizational measures to secure personal data and prevent unauthorized access to personal data.
8.2 Specific safety precautions
The Administrator has adopted, in particular, the following technical measures to secure data repositories and personal data repositories in paper form:
• encrypted web interface security (HTTPS),
• regular updates of system security components,
• use of antivirus programs and firewalls,
• regular data backup,
• securing data storage using strong passwords,
• encryption of sensitive data,
• physical security of premises where personal data in paper form is stored.
8.3 Access to personal data
The administrator declares that only authorized persons who have been properly trained in the handling of personal data and are bound by a duty of confidentiality have access to personal data.
9. Final provisions
9.1 Agreement to the terms and conditions
By submitting an order from the online order form on the e-shop or by registering on the e-shop website, the data subject confirms that he or she has read these personal data protection principles and accepts them in their entirety.
By completing the registration form or the newsletter subscription form, the data subject agrees to these terms and conditions by checking the appropriate box. By checking the consent box, the data subject confirms that he/she has read the personal data protection principles and accepts them in their entirety.
9.2 Changes to the Privacy Policy
The Administrator is entitled to change this Privacy Policy. In such a case, the Administrator will publish the new version of the Privacy Policy on its website and at the same time send it to registered members to their email addresses.
This privacy policy is effective from March 20, 2025.