1. The purpose of this DocSimon Data Protection Policy (hereinafter referred to as the "policy") is to provide a detailed explanation of the terms and conditions of processing of personal data by ČESKÁ LÉKÁRNA HOLDING, a.s., VAT-ID: 28511298, registered office at Nové sady 996/25, Staré Brno, 602 00 Brno, registered in the Commercial Register maintained by the Regional Court in Brno, Section B, Insert 6919 (hereinafter referred to as the "administrator"), during the operation of the DocSimon e-shop located at the domain www.docsimon.cz (hereinafter referred to as the "e-shop"). The administrator determines the purpose and means of processing of personal information in the e-shop. Besides the operation of the e-shop, the administrator also operates a network of pharmacies and dispensaries of medical devices Dr.Max in the Czech Republic (together hereinafter referred to as the "pharmacy").
2. During the operation of the e-shop, personal data of the customer, who is a physical person and who carries out the purchase or reservation of the goods (hereinafter also referred to as "the customer" or "entity"), is processed. Personal information is any information regarding the designated or identifiable data entity. An entity is deemed to be determined or identifiable if an entity can be identified, directly or indirectly, in particular by the number, code or one or more elements specific to its physical, physiological, psychological, economic, cultural or social identity; personal data include, for example, name, surname, e-mail, mobile phone; personal data may be associated with other personal information as well as a purchase preference (collectively hereinafter also referred to as "personal information" or "data").
3. The person's personal data are processed in accordance with this policy. Processing of personal data means any operation or set of operations performed with personal data either automatically or manually, using computer resources and other means, in particular collecting, storing on information carriers, making personal data available, modifying or altering, searching, using, transmitting, storing, sorting or combining, blocking and disposal (hereinafter referred to as "processing").
4. The entity is required to carefully study these policies before making the purchase of the goods in the e-shop or prior to granting consent. If the entity does not understand any point or condition under these policies, they can contact the administrator at the contacts listed below.
5. The administrator shall treat the provided personal data with extreme care. Personal data are processed by the administrator transparently and in accordance with the applicable effective legal regulation.
6. The administrator collects only the personal data he actually needs for the intended purpose. The administrator is doing everything to continually evaluate the processing, whether in terms of proper security, minimization of personal data, transparency, correctness and legality. The administrator adheres to the principle of responsibility, integrity, confidentiality, accuracy and limitation of storage.
7. While operating the e-shop, the administrator does not process specific categories of personal data, such as racial or ethnic origin, political opinions, trade union membership, religion or philosophical beliefs, health status, sexual life, or sexual orientation. While operating the e-shop, the data on medicinal products, medical devices and food for special medical purposes (collectively hereinafter referred to as "the product") ordered by the customer are processed, but these data do not indicate the health of the customer because it is not determined by the administrator for whom the product is intended and it cannot be also identified for this purpose when processing data. For example, if a customer orders a product that is intended for his family member, an order will be recorded by the administrator with the customer's data, but this fact does not indicate the health of that customer.
8. This policy is valid and effective from 25.05.2018. The administrator is entitled to change the policy if necessary, but this does not affect the conditions of the already approved processing. When using the e-shop, the customer is required to periodically check the wording of the policy.
II. Contact details of the administrator
1. The contact information of the administrator is as follows:
b) 844 909 909 (the call is charged according to the price list of the respective operator)
c) ČESKÁ LÉKÁRNA HOLDING, a.s., Contact Center Dr.Max, Nové sady 996/25, 602 00 Brno
2. The administrator has appointed a Data Protection Officer whose contact details are as follows:
b) ČESKÁ LÉKÁRNA HOLDING, a.s., Data Protection Officer, Nové sady 996/25, 602 00 Brno
III. Processed personal data, legal basis, purposes and processing time
1. Purchase of goods
- For the purpose of receiving the order, closing and fulfilling the purchase agreement, the Customer Manager processes the customer's personal data to the following extent:
o name, surname, telephone number and customer email address;
o information about the ordered goods (type, quantity, price);
o an indication of the chosen payment method;
o an indication of the chosen method of delivery of the goods;
o billing address (street, street number, city, post code);
o the delivery address if the goods are sent to an address specified by the customer and this address is different from the billing address;
o an indication of where the customer wishes to pick up the goods if the customer chooses the option of personal collection;
o Company details, CRN and Tax ID, if indicated by the customer;
o an order note if the customer specifies it;
o entry about the communication between the administrator and the customer related to the purchase.
- Granting a consent with personal data processing is necessary to meet the above-mentioned purposes. The processing of personal data is also necessary for the implementation of data taken prior to the conclusion of a contract and for the fulfilment of a contract concluded between the customer and the administrator, in order to fulfill the obligations of the administrator arising from the legislation, in particular from the regulations governing the provision of health services, drug treatment and consumer protection; also for the protection of the legitimate interests of the administrator in order to demonstrate compliance by the supervisory authorities with the inspections and for the defense and exercise of the rights of the administrator.
- The administrator operates with the data, as mentioned in the paragraph III.1., for 5 years from the conclusion of the purchase contract. Tax documents that may contain personal data are then kept for 10 years from the end of the taxable period in which the transaction took place.
2. Complaints and withdrawal from a contract
- In order to handle a customer's complaint, the administrator processes the customer's personal information in the following range:
o name and surname of the customer;
o the customer's contact details (home address, e-mail address and / or phone number);
o data of the claimed goods, including the purchase price of the goods and the date of sale of the goods;
o data related to the reasons for the claim and the customer's request for claim settlement;
o data of the date when the complaint was processed and the manner in which it was processed.
- If the customer withdraws from a contract entered into with the administrator, the administrator processes the customer's personal data to the following extent for the purpose of processing related operations:
o name and surname of the customer;
o information about the goods to which the withdrawal relates, including the purchase price of the goods and the date of sale of the goods;
o information of how to refund the customer.
If the withdrawal is not resolved directly in the pharmacy, the administrator also processes:
o the address of the customer's residence;
o customer's account number;
o customer's contact information (e-mail and / or phone number).
- Granting a consent with personal data processing is necessary to meet the above-mentioned purposes. The processing of personal data is also necessary for the fulfilment of a contract concluded between the customer and the administrator, in order to meet the statutory obligations of the administrator, in particular from the regulations governing the provision of health services, drug treatment and consumer protection; also for the protection of the legitimate interests of the administrator in order to demonstrate compliance by the supervisory authorities with the inspections and for the defense and exercise of the rights of the administrator.
- Granting a consent with personal data processing is thus obligatory and in case of the absence of the required data, the customer's rights arising from a contract concluded with the administrator cannot be exercised.
- The administrator operates with the data, as mentioned in the paragraph III.2., for 5 years from the claim settlement or the withdrawal from the contract.
3. Customer account
- In order to maintain a customer account, the administrator handles the customer's personal data in the following range:
o Name, surname, telephone number and customer's email address;
o Billing address (street, street number, postal code, city);
o Delivery address if different from the billing address;
o Company details, CRN and Tax ID, if stated by the customer;
o Data based on the purchases made by the customer in the e-shop (listed in paragraph III.1.)
- The administrator processes the data referred to in this paragraph III.3. until the customer account is canceled according to the Terms and Conditions.
- If a customer grants the administrator permission to process his or her personal data for marketing purposes, the administrator addresses the customer with offers about discounts, benefits or other actions and information about the products and services of the administrator or other persons, in which case these offers and information are tailored to the individual interests of the customer. This addressing is done in particular by sending profiled business messages by electronic means (telephone, e-mail address), but other ways (such as site personalization) may also be used.
- Within the specified purpose, the following operations (activities) will be executed by the administrator in particular:
o Keeping records of customers who have given their consent to processing of personal data under this paragraph III.4;
o Segmentation for sending of suitable bids;
o Segmentation for sending of appropriate information;
o Conducting of market research and evaluation, and purchasing habits of customers;
o Personalization of www.docsimon.cz pages;
o Sending business messages profiled according to customer preferences;
o Sending information on health, cosmetics and body care, including invitations to educational events and proposals for complementary services;
o Sending of so-called transactional messages regarding the granted consent, possibility of involvement in the extended programs of the administrator.
- To fulfill the above-mentioned purpose, the profiling is done by the administrator (segmentation, in particular according to the purchases made by the customer in the e-shop, according to his preferences and according to the way he uses www.docsimon.cz website), in order to select suitable offers from the administrator and to ensure better user comfort and full functionality of the site.
- Customer's personal data are processed to the extent necessary to meet the above-mentioned purpose, and thus in following extent:
o Data collected on the basis of purchases made by the customer in the e-shop (listed in paragraph III.1);
o Data about usage of www.docsimon.cz website;
o Online identifiers data (e.g., IP address, MAC address, device or browser fingerprint);
o Information on the use of offers and information sent by the administrator;
o Information on participation in competitions and events of the administrator;
o Survey data and administrator polls.
- The legal basis for the processing of personal data is an informed and voluntary consent of the customer, which is given to the administrator for the above-mentioned purpose. The customer is entitled to revoke this consent at any time (for more details see Article V. of these Guidelines).
- The customer is not obliged to provide personal information to the administrator for this purpose and to grant consent to their processing. If the customer does not give consent or withdraws consent for the processing of personal data, the customer will not be contacted by the administrator for marketing purposes. Granting consent is not necessary to make purchases in the e-shop.
- Customer's personal data will be processed for the above-mentioned purpose until the customer revokes the consent given to the administrator, but no longer than 3 years from the last purchase the customer made in the e-shop.
- After consent withdrawal, the customer's personal data are kept based on the legitimate interest of the administrator, in order to demonstrate compliance by the supervisory authorities with the inspections and for the defense and exercise of the rights of the administrator, only to the extent for the time strictly necessary.
5. Website personalisation
- In order to provide the highest quality services and create content that is of interest to the customer, the administrator processes the customer's personal data and uses them to personalize the website so that they fit the interests of the customer as much as possible. This personalization consists, for example, in displaying the most recently viewed goods or designing goods that might be of interest to the customer.
- Customer's personal data are processed to the extent necessary to meet the above-mentioned purpose, and thus in following extent:
o Customer's email;
o Data about the use of www.docsimon.cz website (viewing data about the product views and the frequency of site visits);
o Online identifiers data (e.g., IP address, MAC address, device or browser fingerprint).
- The legal basis for such processing is the entitled interest of the administrator.
- Customer's personal data will be processed for the above-mentioned purpose for 45 days from the last purchase the customer made in the e-shop.
6. Forwarding to price comparison sites
- If a customer grants the administrator the consent to pass on the purchase data in order to determine customer satisfaction, the administrator will pass on the customer's e-mail and purchase information (type, quantity and price) to the price comparison sites Heureka.cz and Zboží.cz.
- The Heureka Shopping portal is operated by Heureka Shopping s.r.o., Company ID: 02387727, with its registered office at Karolinská 650/1, Karlín, 186 00 Prague 8, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 218977.
- The shopping portal Zboží.cz is operated by Seznam.cz, a.s., Company ID: 26168685, with its registered office at Prague 5 - Smíchov, Radlická 3294/10, postal code 15000, registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 6493.
IV. Methods of processing, processors and recipients
1. Personal data shall be processed in an automated or manual manner by the administrator's own employees or by persons in the duty of processors who have been authorized by the administrator by concluding a contract about processing of the personal data (such person is hereinafter referred to as "the processor"). The processing will also be carried out by means of computer technology.
2. The entity acknowledges that the administrator uses the processor to access the necessary scope of personal data of the entity to fulfill their task. They are mainly processors from the following categories:
- accountants, auditors, legal services;
- IT service providers;
- Persons involved in marketing;
- Persons involved in the processing of printed materials;
- Persons involved in the development, sale and service of pharmacy systems;
- Persons involved in the development and implementation of business systems;
- Developers of web and mobile applications;
- Persons involved in on-line communication, including communication on social networks;
- Persons involved in customer satisfaction surveys.
3. The personal data of the entity may also be provided to other recipients who are involved in the operation of the e-shop. These recipients are in particular those who operate pharmacies or dispensaries of Dr.Max medical products in the Czech Republic or who provide for the transport of consignments or operate the customer's chosen method for payment of goods.
4. An up-to-date list of recipients, including processors, may be requested from the administrator's contacts referred to in Article II (1) of these Guidelines.
5. Personal data may also be provided to public authorities authorized to obtain personal data in accordance with the relevant legislation. The processing of personal data by these public authorities must be in accordance with the applicable data protection rules for the purpose of processing.
V. Enforcement of rights, withdrawal of consent
1. Any inquiries, comments or requests concerning the personal data processing, including the withdrawal of consent for the personal data processing, the entity may direct to the contact of the administrator as referred to in Article II (1) of this Policy.
2. If the query or request of the entity for the personal data processing under the preceding paragraph is not satisfactorily addressed, or if the entity has another query, it may contact the Data Protection Officer at the contacts referred to in Article II (2) of this Policy.
3. The termination of sending of the commercial notifications by electronic means may also be requested by the entity in the manner specified in each individual commercial communication.
4. Requests, inquiries, withdrawal of consent, exercise of a right, request for access or any other request of an entity shall be processed by the administrator without undue delay upon receipt, in justified cases within one month at the latest. This deadline can be extended by another 2 months, if necessary and in view of the complexity and number of applications. Revocation of consent to send business communications via electronic contacts (telephone, e-mail address) will be processed without undue delay, no later than 7 calendar days.
5. Where necessary, additional information for the assignment of a person to a particular entity may be required by the administrator when dealing with the requirements under this Article V. In justified cases, for the protection of the rights of the subjects, the inspection / verification of the identification of the applicant's person may be required.
6. The Personal Data Protection Supervisory Authority is the Personal Data Protection Office, whose contact details are available at www.uoou.cz. An entity shall be entitled to lodge a complaint with the supervisory authority.
VI. Detailed information on the rights
1. Right of access
- The entity has the right to obtain a confirmation of the processing of his or her personal data from the administrator and, if so, the entity has the right to request information on the purpose, categories, resources, recipients, processing time, right to rectification, deletion, restriction, objection and submitting a complaint with the Supervisory Authority.
- The administrator has set some measures to provide every entity with all the information about processing of personal data. The administrator will provide the information electronically or in a written form.
- The administrator does not refuse to accept the entity's request when exercising the rights of the entity, unless the administrator cannot reliably identify the identity of the data subject to whom the data relate.
- All information, communications and actions are free of charge. If the claims made by an entity are assessed as manifestly unreasonable or inappropriate, and in particular if they are repeated, the administrator may either: (i) impose an appropriate fee, taking into account the administrative costs associated with providing the required information, communication or making the requested transactions; or (ii) refuse the request.
- If the administrator has reasonable doubts as to the identity of the physical person making the request, he may request the provision of the additional information necessary to confirm the entity.
2. Right to rectification
- The entity has the right to claim from the administrator to correct the inaccurate personal data relating to the entity without undue delay.
- Taking into account the purposes of the processing, the entity also has the right to complement incomplete personal data, namely also by providing an additional statement.
3. Right to erasure ("right to be forgotten")
- The entity has the right to claim from the administrator to delete the personal data relating to the entity without undue delay and the administrator is obliged to delete the personal data without undue delay if one of the following reasons is given:
(a) personal data are no longer required for the purposes for which they were collected or otherwise processed;
(b) the entity withdraws the consent on the basis of which the data were processed and there is no further legal reason for the processing;
(c) the entity objects to processing (under "Right to object" below) and there are no overriding legitimate reasons for the processing;
(d) the personal data have been processed unlawfully;
(e) the personal data must be erased for compliance with a legal obligation in European Union or Member State law to which the administrator is subject;
(f) the personal data have been collected in relation to the offer of information society services, where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
- The above does not apply if processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the administrator is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the administrator;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
4. Right to restriction of processing
The data subject shall have the right to obtain from the administrator restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the administrator to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the administrator no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing, pending the verification whether the legitimate grounds of the administrator override those of the data subject.
- Where processing has been restricted under the "Right to restriction of processing" mentioned above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
5. Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to an administrator, in a structured, commonly used and machine-readable format and have the right to transmit those data to another administrator without hindrance from the administrator to which the personal data have been provided, where:
(a) the processing is based on consent or on the contract; or
(b) the processing is carried out by automated means.
- The subject matter of "Rights to data portability" is not the data obtained by administrator's activity.
- In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one administrator to another, where technically feasible.
- The "Right to data portability" does not affect the above "Right of Deletion".
- The "Right to data portability" shall not adversely affect the rights and freedoms of others.
6. Right to object
- The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions.
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- Where personal data are processed for purposes of defense against the claims of the data subject, enforcing of the claims of the administrator or to demonstrate compliance by the supervisory authority with the control, the data subject shall have the right to object at any time. On the basis of this objection, the administrator will review the processing and further processing of personal data unless there are serious legitimate reasons for processing that outweigh the interests or rights and freedoms of the data subject or for the determination, exercise or defense of legal claims.
7. Automated individual decision making, including profiling
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- The profiling performed by the administrator does not have any legal effects on the data subject, nor does it significantly affect him or her.