I. Basic Provisions
- The personal data controller referred to in Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of physical persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) is Extreme Board Games, s. r. o., VAT number: CZ09458468 (hereinafter referred to as the “Administrator”).
- The Administrator’s contact details are:
Extreme Board Games, s. r. o.
Na dlouhém lánu 289/49
160 00 Praha 6
VAT number: CZ09458468
Telephone: +420 777 505 879
(hereinafter referred to as the “Seller”).
- By personal data we mean any information relating to identified or identifiable persons; a person should be deemed a physical identity, directly or indirectly identifiable based on a specific identifier, such as a name, an identification number, location data, a network identifier or one or more specific elements, either physiological, genetic, psychological, economic, cultural or social.
- The Administrator has not appointed a Data Protection Officer.
II. Sources and Categories of Processed Personal Data
- The Administrator processes personal data provided to him by you or personal data obtained from your order.
- The Administrator only processes the identification, contact and support data necessary for contract performance.
III. Legal Grounds and Purposes of Personal Data Processing
- The legal grounds for the processing of personal data are:
- the performance of the contract between you and the Administrator pursuant to Article 6 (1) (a); (b) GDPR.
- the rightful interest of the Administrator to provide direct marketing (in particular for the sending of commercial messages and news) pursuant to Art. (f) GDPR.
- your consent to process personal data for the purpose of providing direct marketing (in particular for the sending of commercial messages and news) pursuant to Article 6 (1) (a). a) GDPR in conjunction with Section 7 (2) of Act No. 480/2004 Coll., regarding certain services of the information company in case no services or goods have been ordered yet.
- The purposes of the processing of personal data are:
- processing your order and exercising the rights and obligations arising from a contractual relationship between you and the Administrator. Upon ordering, personal information is requested for successful order processing (name, address, and contact details). The provision of personal data is a necessary requirement for the provision and performance of contracts. Without the provision of personal data it is not possible to finalize a contract or for the Administrator to perform a contract.
- sending business messages and performing other marketing activities.
- There is no automatic individual decision-making on the Administrator’s part pursuant to Article 22 of the GDPR.
IV. Data Storage Period
- The Administrator stores personal data:
- as long as it is necessary in terms of exercising your rights and performing the duties arising from the contractual relationship between you and the Administrator (for 15 years from the termination of the contractual relationship).
- until consent to the processing of personal data for marketing purposes is withdrawn, or for a maximum of 2 years if the personal data is processed based on consent.
- After the personal data storage period expires, the personal data shall be deleted.
V. Recipients of Personal Data (Subcontractors of the Administrator)
- The recipients of personal data shall be:
- individuals participating in the delivery of goods / services / payments provided under contract.
- individuals providing e-shop services and other services related to e-shop operations.
- individuals providing marketing services.
- external accountants.
- The Administrator intends to transfer personal data to a third country (a non-EU country) or an international organization. The recipients of personal data in third countries are e-mail service (Mailchimp) providers.
VI. Your Rights
- Under the conditions stated in the GDPR, you have:
- the right to access your personal data pursuant to Article 15 of the GDPR.
- the right to rectify personal data pursuant to Article 16 of the GDPR, or to limit its processing pursuant to Article 18 of the GDPR.
- the right to erase personal data pursuant to Article 17 of the GDPR.
- the right to object to the processing of personal data pursuant to Article 21 of the GDPR.
- the right to data portability pursuant to Article 20 of the GDPR.
- You further have the right to issue a complaint at the Personal Data Protection Office if you believe that your personal data protection rights have been violated.
VII. Terms of Personal Data Security
- The Administrator declares that he has considered all available technical and organizational measures to safeguard personal data.
- The Administrator has taken technical measures to safeguard personal data storage and physical personal data storage, with particular attention to backup, passwords, SSL encryption and only allowing access to trusted persons.
- Personal data can only be accessed by persons authorized by The Administrator.
VIII. Final Provisions