These principles of personal data protection ("Principles") inform you about how ALPI home s.r.o., ID: 28934156, with registered office at Na Bluku 428, 252 28 Prague-Lipence (hereinafter "Company"), obtains, stores, and further processes personal data of its customers.

These Principles describe the purposes and methods of processing personal data, the individual categories of processed personal data, potential recipients of personal data, retention periods of personal data, and your rights concerning the protection of personal data.

These Principles also apply to the website www.alpicollection.com (hereinafter "Website") operated by the Company, including the e-shop operated through it. The Company treats all processed personal data as strictly confidential and handles them in accordance with applicable and effective legal regulations on personal data protection. Data security is a priority for the Company.

1. General Provisions

These Principles of Personal Data Processing apply to:

(I) processing of personal data of Website visitors carried out by the Company during visits to the Website;

(II) processing of personal data of Company customers;

(III) processing of personal data in fulfillment of the Company's legal obligations;

(IV) processing of personal data necessary for the purposes of protecting the Company's legitimate interests;

(V) processing of personal data based on consent given to the Company.

The purpose of these Principles issued by the Galleries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") is to provide information on what personal data the Company, as the controller of personal data, processes about natural persons in the delivery of goods and provision of services, for what purposes and for how long the Company processes this personal data in accordance with applicable and effective legal regulations, to whom and for what reasons it may transfer it, and also to inform about the rights of natural persons in connection with the processing of their personal data and how they can exercise these rights.

These Principles are effective from 20.04.2023 and are issued in accordance with the GDPR for the purpose of fulfilling the Company's information obligations as the controller under Articles 13 and 14 of the GDPR.

2. Data Controller

The Company is the data controller within the meaning of Article 4(7) of the GDPR. Therefore, the Company collects, stores, and uses (otherwise processes) personal data for the purpose of conducting its business activities (specific purposes for which personal data are processed are further defined below).

3. Data Protection Officer

The Company is not obliged to appoint a data protection officer. Therefore, a data protection officer has not been appointed within the Company.

The Company, as the data controller, can be contacted in writing at: ALPI home s.r.o., Nekázanka 882/7, 110 00 Prague.

4. Personal Data Processed by the Company

Personal data is defined in Article 4(1) of the GDPR as any information relating to an identified or identifiable natural person. In this case:

(I.) Visitors of the Website;

(II.) Customers of the Company;

(III.) Recipients of business communications.

An identifiable natural person is a person who can be directly or indirectly identified, in particular by reference to an identifier such as name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. In connection with the provision of services by the Company, the processing of the following personal data may occur.

4.1. Basic personal identification data

Full name; residential, registered office, or business premises address; company registration number (IČO); VAT number (DIČ).

4.2. Contact details

Email address; phone number; contact address.

4.3. Payment details

Bank account number; details of payments made; other details from tax documents.

4.4. Record of written communication

This includes personal data contained in email and written communication with the Company.

5. Purpose, duration, and legal basis for processing personal data of customers and website visitors

During the Company's business activities and when visiting the Website, personal data of customers and website visitors are processed.

When visiting the Website, cookie files are processed. For more information on which cookies are processed by the Company and how they are processed, visit the Cookies section on the website www.alpicollection.com.

Personal data of customers may be processed by the Company for the following legal reasons:

5.1. Processing of personal data in fulfillment of contractual obligations

The Company enters into sales contracts with customers for the sale of goods and services, including delivery of goods. Therefore, the Company processes personal data of customers primarily to fulfill its contractual obligations to them.

For the purpose of fulfilling contractual obligations, the Company processes the following personal data:

  • When purchasing from the Company's e-shop: email address, full name, phone number, billing address, delivery address, payment details.
  • In further written communication with the Company: personal data contained in the communication.

Personal data of customers are kept for the duration of the contractual relationship between the Company and the respective customer and for an additional five years after its termination.

5.2. Processing of personal data to fulfill legal obligations

The Company processes personal data when necessary to fulfill legal obligations imposed by relevant laws. This particularly includes personal data through which the Company can demonstrate compliance with obligations imposed by the GDPR. For example, the Company retains data that proves customers have given consent to the processing of their personal data (e.g., consent to receive marketing communications).

5.3. Processing of personal data based on the legitimate interests of the Company

The Company has a legitimate interest in continuously improving its services. Therefore, the Company may analyze the behavior of its customers and website visitors to enhance its offerings.

Furthermore, the Company may process personal data to assess potential security risks and mitigate them to maintain the highest security standards of the Website.

The Company ensures prevention, detection, and combating of fraud and other illegal or unauthorized activities related to the use of the Website. Additionally, the Company processes personal data for purposes of its defense in legal disputes. Personal data may be retained for this purpose for the statutory limitation period under Act No. 89/2012 Coll., the Civil Code, as amended ("Civil Code").

5.4. Processing of personal data based on consent

The Company also processes personal data for the purpose of sending marketing communications if consent has been granted. Consent can be withdrawn at any time. For marketing purposes, the Company particularly processes contact details (typically email addresses). Personal data for these purposes are retained for the duration of the granted consent.

6. Transfer of personal data to third parties

In the course of its business activities, the Company utilizes specialized services from third parties. If these third parties process personal data provided by the Company, they act as processors of personal data and process personal data only in accordance with the instructions provided by the Company, refraining from using them for any other purposes.

Specifically, this includes:

  • External providers of tax advisory and accounting services;
  • External providers of legal services;
  • External providers of marketing services;
  • External providers of cloud services;
  • External entities conducting customer satisfaction surveys;
  • External software developers;
  • External providers of IT system management services, computer networks, and hardware.

The Company has concluded data processing agreements with processors of personal data as described above, ensuring at least the same level of personal data protection as these Principles. Furthermore, in fulfilling its legal obligations, the Company may disclose personal data to administrative authorities and other public authorities if such disclosure is required by relevant legal regulations. In particular, the Company may disclose any personal data listed in these Principles to law enforcement authorities upon their request in accordance with the legislation governing criminal proceedings. The Company does not transfer personal data outside the EU or to international organizations, nor does it carry out automated individual decision-making.

7. Security of personal data

The Company has implemented and maintains necessary technical and organizational measures, internal control processes, and measures to ensure information security in accordance with best practices for its customers, corresponding to potential risks to data subjects. The Company also considers the state of technological development to protect personal data against accidental loss, destruction, alteration, unauthorized disclosure, or access.

These measures may include:

  • Taking appropriate steps to ensure accountability of employees and members of the Company's bodies and entities cooperating with the Company who have access to personal data;
  • Training of Company employees;
  • Regular data backups;
  • Implementation of data recovery procedures;
  • Establishment of procedures for handling security incidents;
  • Physical protection of devices storing personal data;
  • Software protection of devices storing personal data.

Company employees, members of the Company's bodies, and entities cooperating with the Company are bound by confidentiality obligations regarding all facts learned during their activities for the Company, even after termination of employment, membership in Company bodies, or cooperation with the Company. A signed confidentiality statement is part of the employment contract of Company employees and agreements concluded with members of Company bodies and cooperating entities.

8. Rights regarding personal data

If you exercise any of your rights listed in Articles 8.1. to 8.8. of these Principles or guaranteed by relevant applicable legal regulations, the Company will subsequently inform you of the measures taken, including the erasure of your personal data or the restriction of processing your personal data if requested. The Company will also inform each recipient of personal data to whom your personal data have been provided under these Principles, provided that such notification is feasible and/or does not require disproportionate effort.

You can exercise your rights and/or obtain relevant information:

If you exercise your rights, the Company is entitled to request certain identification data previously provided to the Company to verify that the request has been sent by the person whose personal data the Company processes. Providing such data is necessary to verify whether the relevant request has actually been sent by the person whose personal data the Company processes.

The Company undertakes to send a response or statement no later than one month after receiving your request. In justified cases, the Company reserves the right to extend this period by up to two months.

8.1. Right to access personal data

Under Article 15 of the GDPR, you have the right to access your personal data, including the right to obtain from the Company:

  • Confirmation whether your personal data are being processed;
  • Information about the purposes of processing your personal data;
  • Information about the categories of processed personal data;
  • Information about recipients to whom your personal data have been or will be disclosed;
  • Information about the intended period of processing your personal data;
  • Information about the existence of the right to request from the Company rectification or erasure of your personal data or restriction of their processing, or to object to such processing;
  • Information about the right to lodge a complaint with a supervisory authority;
  • Information about the source of personal data if not obtained from you;
  • Information about whether you are subject to a decision based solely on automated processing of your personal data, including profiling based on your personal data;
  • Information about suitable safeguards when transferring your personal data outside the EU.

The Company will provide the first copy of personal data free of charge. In the case of repeated requests, the Company is entitled to charge a reasonable fee for a copy of personal data.

8.2. Right to rectify or complete inaccurate personal data

Under Article 16 of the GDPR, you have the right to rectify inaccurate personal data processed by the Company. With regard to the purposes of processing, you also have the right to complete incomplete personal data processed by the Company. The Company will rectify or complete this data without undue delay, considering its technical capabilities.

8.3. Right to erasure of personal data ("right to be forgotten")

Under Article 17 of the GDPR, you have the right to erasure of your personal data unless the Company demonstrates legitimate reasons for processing such personal data. The Company declares that mechanisms are in place to ensure automatic anonymization or erasure of personal data when they are no longer needed for the purposes for which they were processed, or when the period of processing personal data specified by these Principles or legal regulations has expired.

8.4. Right to restriction of processing personal data

Under Article 18 of the GDPR, if you contest the accuracy of your personal data, the reasons for their processing, or you object to their processing under Article 21(1) of the GDPR, you have the right to restrict the processing of your personal data by the Company for the time necessary to verify the accuracy of your request or objection.

8.5. Right to data portability

Under Article 20 of the GDPR, you have the right to receive your personal data that you provided to the Company in a structured, commonly used, and machine-readable format. You also have the right to request the Company to transmit your personal data to another controller in this context. If the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.

8.6. Right to object to processing personal data

Under Article 21 of the GDPR, you have the right to object to the processing of your personal data by the Company. If the Company fails to demonstrate compelling legitimate grounds for processing your personal data that outweigh your interests, rights, and freedoms, the Company will cease processing your personal data based on your objection without undue delay.

8.7. Right to withdraw consent to the processing of personal data

If consent has been granted to the Company for the processing of personal data (e.g., consent to receive marketing communications), it may be withdrawn at any time.

8.9. Right to lodge a complaint with the supervisory authority

Data subjects have the right to lodge a complaint regarding the processing of their personal data by the Company with the following supervisory authority:

Office for Personal Data Protection, Pplk. Sochora 727/27, 170 00 Prague 7. Website of the authority: www.uoou.cz

9. Update of Principles

The Company hereby informs you that it is authorized to amend or update these Principles. Any changes to these Principles will become effective upon their publication on the Website.