Personal data protection

Date of last change to the Directive: 15.8.2024

I. Introductory provisions

This Directive sets out the principles for the protection of personal data collected.

Kristýna Moulisová hereby undertakes to comply with the General Data Protection Regulation in force since 25. 5. 2018, according to the European Commission Regulation 679 / 2016, the so-called GDPR (hereinafter referred to as GDPR), and the national legislation related to it.

Furthermore, Kristýna Moulisová undertakes to take the steps necessary to comply with the GDPR and related national regulations at all times.

II. Definition of terms

Data subject – is the natural person to whom the personal data relates.
This person is identified or identifiable by reference to data (e.g. name, identification number, location data, network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

Personal data – is any data used to uniquely identify a specific natural person.

Sensitive data – is a special category of personal data revealing national, racial or ethnic origin, political opinions, trade union membership, religion or philosophical beliefs, biometric and genetic information, health and sex life of the data subject.

Controller – is the entity (natural or legal person, public authority or other entity) that determines the purposes and means of processing personal data, obtains and further processes personal data of natural persons and is responsible for the processing.
It may entrust the processing to a Processor if the law so provides.

Processor – is another entity different from the Controller, which processes personal data of natural persons for the Controller on the basis of a pre-agreed purpose, does so on the basis of the law or on the basis of a mandate from the Controller.

Recipient – is a natural or legal person or other entity that receives the personal data provided for a pre-agreed purpose and does not further process the data.
A public authority which receives personal data in the context of its investigative powers is not considered a recipient, but its processing must comply with the applicable data protection rules according to the purpose of the processing.

Location – is the physical storage where personal data is stored (e.g., binder, cabinet, rack).

Legal title – is the legal basis, listed in the GDPR, on the basis of which a natural or legal person, public authority or other entity records personal data.

Purpose of processing – is the justification for why the personal data is required and that it will be used only for the defined purpose.

Processing period – is the period of time for which we record specific personal data; this period is to be reasonable, unless provided for by law.

Data minimisation – is a process that leads the controller to request only the personal data that are necessary for the performance of its activities.

Restriction of processing – is the creation of a state in which personal data is inaccessible for a certain period of time and cannot be otherwise processed.

Destruction of personal data – is the irreversible destruction of personal data.

III. Rights and obligations

  1. Our organisation has not appointed a data protection officer.
  2. Only authorised personnel have the right to work with personal data: Kristýna Moulisová.
  3. Kristýna Moulisová
  4. Authorised personnel undertake to comply with the Privacy Policy, namely:
    1. Inform the data subject of his or her rights and obligations as a controller
    2. Inform the data subject of the legal title, the purpose of the processing and the duration of the processing of their personal data
    3. Request only such personal data as are necessary for the performance of their activities
    4. Record personal data only on designated documents and in designated systems
    5. Not pass on any personal data to unauthorised persons
  5. The Company undertakes to handle personal data only in suitably secure buildings and rooms.

Suitably secured buildings and rooms are:

– Rixon warehouse+offices+shop

  6. When leaving the room where personal data is located, the authorized employee is obliged to secure the individual locations and the room against the intrusion of unauthorized persons.
  7. Printed documents and IT devices containing personal data that are not currently being handled must be stored by authorised personnel in designated storage areas.
    These repositories are: Archives
  8. Any IT equipment on which personal data is handled must be appropriately secured, at a minimum, with sufficient security or physical and electronic security to prevent data leakage.

Suitably secured IT devices are: Server, Coolhosting data storage, MailChimp data storage, Camera system with HDD.

  9. When leaving the workplace, the authorised employee is obliged to secure the IT equipment by locking the screen and then requiring a password, or by switching off the equipment.
  10. Kristýna Moulisová undertakes to regularly back up the data containing personal data.
    Kristýna Moulisová regularly backs up her data to the following backup devices.
  11. Kristýna Moulisová operates the website www.rixon.eu on which she undertakes to insert information about the processing of cookies, the principles of processing personal data on the website and the rights of the data subject, or to provide those places where personal data is collected with an informative obligation.
  12. Kristýna Moulisová undertakes to provide each document and form on which she initiates the processing of personal data of an individual with an informative addendum on the processing of personal data with reference to the full text of the Personal Data Processing Policy.
  13. Kristýna Moulisová operates the following information systems in which she records personal data:
    Abra Flexibee, MailChimp.
    All of these information systems must be secured with access rights and appropriately secured against unauthorised misuse and access.
  14. All information systems must be backed up and backups must be stored in secure locations.
  15. Each document containing personal data must have a legal title, purpose of processing and duration of processing.
    Kristýna Moulisová records personal data on the basis of the following legal titles.
  16. Kristýna Moulisová works with the following personal data for her activities: Name, Address, Surname, Birth number, Telephone number, Tax ID number of natural person, Bank account number, Employee number, Delivery address, Email, Date of birth, CCTV footage – video, photo.
  17. Kristýna Moulisová may transfer personal data to her contractual partners (processors).
    These processors are: Ucetni a pravni servis s.r.o., ANT studio s.r.o.
    The personal data transferred in this way is defined in the scope of the personal data processing records.
  18. The organisation is obliged to negotiate with these processors an addendum to the contract or a contract on the handling of the personal data transferred in the sense of personal data protection and to carry out a possible control of compliance with the principles of personal data protection by these processors.
  19. Kristýna Moulisová may also transfer personal data to recipients.
    These recipients are DPD s.r.o., ČESKÁ POŠTA s.p., Zásilkovna s.r.o.
    The personal data transmitted in this way are defined in the scope of personal data processing records.
  20. As a secure form of transferring personal data, Kristýna Moulisová chose the following options: transfer takes place at the organisation’s location, Private email, Work email, Data box, Letter, Registered letter, Cloud, Web storage.
  21. Kristýna Moulisová undertakes to destroy the personal data after the expiry of the period of processing of the personal data.
  22. Kristýna Moulisová undertakes to carry out regular training of the authorised staff, at least once a year.
  23. Kristýna Moulisová undertakes to carry out a data protection compliance check at least once a year, to respond to findings and threats, to optimise the processing, storage and security of personal data and to record changes.
  24. Kristýna Moulisová undertakes to keep a record of requests for erasure, rectification and objections to processing.
    She also undertakes to keep a record of documents relating to responses and replies to the processing of personal data of natural persons.
  25. Kristýna Moulisová undertakes to keep a record of security incidents and corrective measures.
    In the event that a serious security incident should occur, or does occur, any employee who becomes aware of such a fact shall notify the person responsible for data protection in the organisation.
  26. The organisation shall, in the event of a serious security incident, report any such security incident to the supervisory authority within 72 hours of such discovery.
  27. Every data subject, natural person, has the right to information about the personal data recorded about his or her person.
    If such a person exercises his or her right, this request shall be forwarded to the responsible person, who shall fulfil the information obligation within 30 days at the latest.
    Kristýna Moulisová will take into account the adequacy and frequency of such requests from the same applicant.
    A record of this will be made, indicating the date of the request, the name of the applicant, a description of the resolution and retaining a follow-up copy of the response letter to the applicant for further evidence.
  28. The data subject shall have the right to rectification of the personal data recorded in respect of his or her person.
    If rectification is requested, such rectification shall be carried out taking into account other circumstances and possibilities.
    A conclusive record shall be made of this fact.
  29. The data subject has the right to erasure of recorded personal data that were provided on the basis of consent or explicit consent, or for which the processing period has expired, or where the organisation considers that it is no longer necessary to process them.
    A conclusive record will be made of this request and any erasure of personal data, indicating the date of the request, the name of the requester, a description of the solution and ensuring that the data requested is actually erased for future processing from all active systems.
  30. The data subject has the right to object to the processing of personal data.
    If he or she objects, Kristýna Moulisová shall be obliged to take steps or implement measures to restrict the processing of such personal data.
    A conclusive record of this will be made with the date of the request, the name of the applicant and a description of the solution for possible control.

IV. Sanctions

  1. Any contractual partner or entity in a similar legal relationship that violates this Directive will be subject to a one-time penalty of CZK 10,000.
  2. Any contractual partner or entity in a similar legal relationship that repeatedly or in a particularly significant manner violates this Directive shall be subject to a fine of up to CZK 50,000.
  3. Any employee who violates this Directive shall be subject to compensation by the employer for damages caused to the employer in each individual case up to 4.5 times the average salary.