Data Protection & Processing Terms (Privacy Policy)

1. DATA SUBJECTS, PURPOSES, SCOPE, DURATION, AND LEGAL BASIS OF PROCESSING

A. BUSINESS PARTNERS – SELF-EMPLOYED INDIVIDUALS PROVIDING DELIVERY SERVICES

The Controller, acting in the position of the controller of personal data, processes the personal data of its business partners – self- employed individuals providing delivery services for the purpose, to the extent, on the legal grounds, and for the duration as follows:

• Purpose: Fulfillment of the agreement on the mediation of the conclusion of the agreement on the delivery of goods with the end users of Svaggy Delivery Partner (agreement conclusion, agreement fulfillment, invoicing, and handling complaints).

  Data scope: First name, last name, email address, phone number, registration number, registered address, bank account number, signature.

  Legal Grounds: Necessity of processing personal data to fulfill the agreement.

  Duration: For the period necessary to fulfill the contract and for the duration of the statute of limitations.

• Purpose: Managing a customer account in the Svaggy Delivery Partner app and delivering goods to customers.

  Data Scope: First name, last name, email address, phone number, current location.

  Legal Grounds: Necessity of processing personal data to fulfill the agreement.

  Duration: From registration until the account is deleted by the business partner or until the account is deleted by the Controller due to the termination of the agreement with the business partner.

• Purpose: Accounting and tax purposes and fulfilling archiving obligations.

  Data Scope: First name, last name, registration number, registered address, signature.

  Legal Grounds: Necessity of processing to fulfill legal obligations imposed on the Controller by law.

  Duration: For the period necessary, 10 years, unless longer periods are specified by legal regulations.

• Purpose: Enforcement of potential claims by the Controller (retention of data necessary as evidence in legal proceedings).

  Data Scope: First name, last name, registration number, registered address, signature.

  Legal Grounds: Legitimate interest.

  Duration: For the duration of the contract and after its termination for the duration of the statute of limitations.

B. CONTACT PERSONS OF BUSINESS PARTNERS – LEGAL ENTITIES PROVIDING DELIVERY SERVICES

The Controller, acting in the position of the processor of personal data, processes the personal data of contact persons of business partners – legal entities providing delivery services for the purpose, to the extent, on the legal grounds, and for the duration as follows:

• Purpose: Fulfillment of the agreement on the mediation of the conclusion of the agreement on the delivery of goods with the end users of Svaggy Delivery Partner (agreement conclusion, agreement fulfillment, invoicing, and handling complaints).

  Data Scope: First name, last name, email address, phone number, signature.

  Legal Grounds: Necessity of processing personal data to fulfill the agreement.

  Duration: For the period necessary to fulfill the agreement and for the duration of the statute of limitations.

• Purpose: Enforcement of potential claims by the Controller (retention of data necessary as evidence in legal proceedings).

  Data Scope: First name, last name, signature.

  Legal Grounds: Legitimate interest.

  Duration: For the duration of the contract and after its termination for the duration of the statute of limitations.

C. EMPLOYEES OF BUSINESS PARTNERS – LEGAL ENTITIES PROVIDING DELIVERY SERVICES

The Controller, acting in the position of the processor of personal data, processes the personal data of employees of business partners – legal entities providing delivery services for the purpose, to the extent, on the legal grounds, and for the duration as follows:

• Purpose: Managing a customer account in the Svaggy Delivery Partner app and delivering goods to customers.

  Data Scope: First name, last name, email address, phone number, current location.

  Legal Grounds: Necessity of processing personal data to fulfill the agreement.

  Duration: From registration until the account is deleted by the business partner or until the account is deleted by the Controller due to the termination of the agreement with the business partner.

D. PROCESSING COOKIES IN THE SVAGGY DELIVERY PARTNER APP

The Controller processes cookies in the Svaggy Delivery Partner app. More information about the processing of cookies in the Svaggy Delivery Partner app can be found here.

a) Right of access to personal data:

Data subjects have the right to obtain from the controller confirmation as to whether their personal data is being processed. If so, they have the right to access this personal data and the following information:

1. Purposes of the processing of personal data;
2. Categories of personal data concerned;
3. Recipients or categories of recipients to whom the personal data has been or will be disclosed;
4. The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing and to object to such processing;
6. The right to lodge a complaint with a supervisory authority;
7. All available information about the source of personal data if not obtained from the data subject.

Data subjects also have the right to request a copy of the processed personal data from the controller, provided that the rights and freedoms of others are not adversely affected. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, the information will be provided in an electronic form commonly used unless the data subject requests another method.

b) Right to rectification:

Data subjects have the right to have inaccurate personal data concerning them rectified without undue delay. Taking into account the purposes of the processing, data subjects also have the right to complete incomplete personal data by providing a supplementary statement.

c) Right to erasure ("right to be forgotten"):

Data subjects have the right to request the erasure of their personal data without undue delay, and the controller has the obligation to erase personal data without undue delay if one of the following reasons applies:

1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
2. The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
3. The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
4. The personal data has been unlawfully processed;
5. The personal data must be erased for compliance with a legal obligation under the law of the European Union or the Czech Republic;
6. The personal data has been collected in relation to the offer of information society services based on the consent of a child.

d) Right to restriction of processing:

Data subjects have the right to obtain from the controller the restriction of processing in any of the following cases:

1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.

e) Right to data portability:

Data subjects have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller if:

1. The processing is based on consent or on a contract and
2. The processing is carried out by automated means.

When exercising the right to data portability, data subjects have the right to have personal data transmitted directly from one controller to another, where technically feasible. The right to data portability must not adversely affect the rights and freedoms of others.

f) Right to object:

Data subjects have the right to object to the processing of personal data. If a data subject raises a justified objection to the processing for the purposes of direct marketing or profiling, the personal data will no longer be processed for these purposes. The objection will be evaluated, and the controller will subsequently inform the data subject whether the objection has been upheld, and the controller will no longer process the data, or if the objection was not justified, the processing will continue. During the resolution of the objection, processing will be restricted.

g) Right not to be subject to automated decision-making, including profiling:

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the automated decision-making is necessary for the conclusion or performance of a contract between the data subject and the controller or is based on the explicit consent of the data subject; however, in such cases, the data subject has the right to human intervention on the part of the controller, to express his or her point of view, and to contest the decision.

h) Right to lodge a complaint with a supervisory authority:

Data subjects have the right to lodge a complaint with the supervisory authority regarding the processing of their personal data by the controller. The supervisory authority for the Czech Republic is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7.