Personal Data Protection Policy (GDPR)

Personal data controller: UniMark CZ, s.r.o.
Legal form: Kladno - Kročehlavy, Trojanova 124, Postal Code 27201
Registration Number (Reg. No.): 28252047

Contact telephone number: +420312245864
Contact e-mail: info@unimark.cz

GDPR (General Data Protection Regulation) is the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of the EU. It is a new unifying legislation on personal data protection valid throughout the EU. It was approved in April 2016 and comes into force on 25 May 2018. In the Czech Republic, it replaces the previously valid Personal Data Protection Act No. 101/2000 Coll.

GDPR will fundamentally change the current approach to processing personal data. It affects all companies, institutions and individuals who handle personal data. The regulation is equivalent in all EU countries and is enforceable regardless of country or company size. It introduces new rules that will need to be complied with, as well as proof of compliance. The GDPR is binding on everyone who collects or processes personal data of individuals. The GDPR aims to increase the security and trust of EU citizens towards controllers and processors of their personal data.

The GDPR considers personal data to be any information that can lead to an identified or identifiable natural person. This includes, for example, name, gender, age, date of birth, personal status, personal data of children, photographs, video footage, ID numbers, birth number, citizenship, IP address, email, location, cookies, phone number, address, race, religion, ethnicity, political opinions, philosophical beliefs, trade union membership, health data, sexual orientation, genetic and biometric data, criminal offences, final convictions, etc.

The GDPR significantly strengthens the rights of individuals in the area of their personal data, in particular:

• The data subject must be sufficiently, accurately and comprehensibly informed of his or her rights and the purposes of the processing before consenting to the processing of his or her personal data
• The data subject should have direct access to their data, preferably online
• The data subject may object to the processing of his or her data, has the right to limited processing of the data
• The data subject should be able to transfer data from one controller to another
• The data subject has the right to have his or her personal data erased and to have it forgotten, i.e. to have all personal data, copies of it and references to it erased

• The data subject is any identified or identifiable natural person to whom the DPA relates.
• Personal data (PD) is any information about an identified or identifiable natural person.
• Special categories of personal data are data on racial or ethnic origin, health, political opinions, religious beliefs, trade union membership, genetic data, biometric data, etc.

• first name, surname, permanent residence, delivery address, date of birth, place of birth, age, birth number, personal status, health status, disability, photographic record, video record, audio record, email address, private and work telephone number, IP address, identification number, tax number, national identity number, driving licence number, passport number, bank account number, education, employment income, pension income, performance, health insurance company, number of children, maternity, sick leave, benefits, work schedule and record, nationality, racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, sexual orientation, criminal offences, criminal convictions, DNA, blood type, Rh factor, facial image, fingerprint, iris image, retinal image, signature, voice, name, surname and gender of family member, address of family member and basically everything related to the family member...
• The red and bold areas indicate special categories of PII that require special attention, are subject to additional obligations and, in practice, if you do not have a lawful reason for processing them, you should always seek consent from the data subject to process them.
• Processing of personal data is any operation or set of operations with personal data.
• The data controller is any natural or legal person who manages or processes the personal data.
• A processor is a natural or legal person who processes OA for the controller (e.g. accountant, marketing firm, etc.).
• Consent to the processing of personal data is a free, specific, informed and unambiguous expression of will by which the subject gives consent to the processing of his or her personal data.
• Parental consent - processing of personal data of children under 16 (15 after CR approval) years of age is only possible with the consent of the legal representative.
• The data protection authority is the Office for Personal Data Protection.

• Responsibility principle = only and only the controller and no one else is responsible for compliance with the principles of processing of personal data in accordance with the GDPR and the controller is obliged to demonstrate compliance with the GDPR.
• Risk-based approach principle = the controller is obliged to acknowledge and assess the level of risk in the collection and processing of OA from the outset and at all times

• Lawfulness - the processing must not be contrary to law and must be carried out for one specific and precise reason (for compliance with a legal obligation; for the performance of a contract or a pre-contractual measure; for the protection of vital interests; for the performance of a task carried out in the public interest or in the exercise of official authority; for the purposes of the legitimate interests of the controller; with the consent of the data subject).
• Fairness and transparency - to ensure that the data subject is as well informed as possible.
• Purpose limitation - OA may not be processed for any purpose other than that for which it was collected.
• Data minimisation - processing must be proportionate, relevant and limited to what is necessary.
• Accuracy - the EAs produced must be accurate and updated as necessary.
• Storage limitations - storage of OU may only be carried out for no longer than is strictly necessary for the purpose of the processing (taking into account legal provisions, limitation period, etc.).
• Integrity and confidentiality - the obligation to take appropriate technical and organisational measures to ensure protection against unauthorised or unlawful processing, loss, destruction, damage.
• Responsibility - Compliance with all of the above is the responsibility of the administrator and they must be able to demonstrate this.

The right to be informed about the processing of personal data, the right of access to personal data, the right to rectification or completion, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, the right not to be subject to automated individual decision-making.

Personal data is any information relating to a natural person who can be identified by the controller. The following categories of personal data may be processed by the controller in connection with the provision of services and the sale of goods.

1. Basic personal identification and address data

Such data is necessary for the conclusion and performance of the contract. These include in particular:

• academic degree
• name and surname
• name of the business company
• birth number (if for any reason no birth number has been assigned, then date of birth)
• ID NUMBER, VAT NUMBER
• address of permanent residence
• address of the registered office or place of business
• billing address
• the numbers of the identification documents provided and copies thereof (any information not required for the provision of the service is blacked out on the copies of the documents)
• identification details of the customer's representative or contact person designated by the customer
• identification data of the bill payer
• bank connection
• signature
• in the case of single sale contracts, the scope is limited to basic identification data.

2. Contact details

• contact telephone number
• contact e-mail
• addresses to social networks

3. Data on goods purchased, services received, use of services and payment behaviour

• the type and specification of the service or goods provided
• the volume of services provided and their price
• customer segment
• information on payment morality

4. Operating data and location data

The data is processed for the purpose of resolving any disputes arising from the provision of services and goods, including the fulfilment of the legal obligations of the controller. These include:

• calling number
• called number
• the address of the data connection (e.g. IP address or URL address)
• the number, name and location of the network endpoint
• type of internet access

5. Communication data between the controller and the customer

This data arises from communications related to the provision of the controller's services and goods between the controller and the customer. These include records of face-to-face communications with the customer in stores or other direct contact with the customer, written and electronic communications with the customer, and records of telephone calls, chat and video chat communications between the customer and the controller.

6. CCTV footage from the administrator's shops and premises

The Administrator places the following in the Administrator's stores and premises to protect legitimate interests. The areas where cameras are placed are always marked with a notice.

7. Data processed on the basis of your consent

The processing of this data is not strictly necessary for the performance of a contract, order, offer or legal obligation or to protect the legitimate interests of the controller, but the processing of this data will enable the controller to improve the service, to focus on what customers are really interested in and, where appropriate, to inform customers about offers that are suitable for them. This data is only processed if consent is given and may be processed for as long as that consent is valid.

These include:

• data obtained from marketing surveys (processed from customers)
• services of the controller on the basis of consent to the processing of personal data for marketing and commercial purposes)
• data on the use of services, products, benefits and bonuses and typical service usage behaviour (processed for customers of the controller's services on the basis of consent to the processing of personal data for marketing and commercial purposes)
• contact data in the event that the customer is not a customer of the controller (processed on the basis of consent to marketing outreach)
• records of behaviour on websites managed by the controller obtained from cookies if cookies are enabled in the web browser (they are processed to improve the operation of websites operated by the controller and, in the case of consent, these data are processed together with other personal data for the purposes to which the consent relates)

The scope of the data processed depends on the purpose of the processing. For some purposes, data may be processed directly on the basis of a contract, the legitimate interest of the controller or on the basis of law (without consent), for others only on the basis of consent.

1. Processing for the performance of a contract, the fulfilment of legal obligations and the legitimate interests of the controller

The provision of personal data necessary for the performance of the contract, the fulfilment of the legal obligations of the controller and the protection of the controller's legitimate interests is mandatory. Without the provision of personal data for these purposes, it would not be possible to provide the services. We do not need consent to process personal data for these purposes.

Processing for the performance of the contract and the fulfilment of legal obligations cannot be refused.

These are in particular the following basic sub-purposes:

• billing for services (contract performance)
• compliance with legal tax obligations (compliance with legal obligations)
• for the purposes set out by specific laws for the purposes of criminal proceedings and for the fulfilment of the obligation to cooperate with the Police of the Czech Republic and other state authorities (fulfilment of legal obligations)
• operating CCTV and monitoring systems on the premises of the administrator for the purpose of preventing damage (legitimate interest of the administrator)
• evaluating the customer's behaviour when using the services and their payment morality for the purpose of preventing the occurrence of claims which may affect the controller's decision to enter into further contracts with the customer, whereby the decision to enter or not to enter into a further contract is not automated
• customer debt recovery and other customer disputes (contract performance)
• recording and monitoring of calls with the customer line (contract fulfilment)
• processes related to customer identification (contract fulfilment)
• securing evidence in case of the need to defend the rights of the controller (legitimate interest of the controller)
• debtor registry (legitimate interest of the administrator)

Personal data for these activities are processed to the extent necessary for the fulfilment of these activities and for the time necessary to achieve them or for the time directly provided for by law. Thereafter, the personal data are erased or anonymised. The basic time limits for processing personal data are available below.

In the case of customers of the Controller's services, the Controller is entitled to process in the customer database their basic personal, identification, contact, service data and data from their communications with the Controller for a period of 4 years from the date of termination of the last contract with the Controller.

In the case of purchase of goods from the controller, the controller is entitled to process the customer's basic personal, identification and contact data, data about the goods and data from communications between the customer and the controller for a period of 4 years from the date of expiry of the warranty period for the goods.

In the event of negotiations between the controller and a potential customer on the conclusion of a contract, which have not resulted in the conclusion of a contract, the controller is entitled to process the personal data provided for a period of 1 years after the relevant negotiations.

In case of consent to the provision of contact records in the contact database of UniMark CZ, s.r.o. the administrator is authorized to process contact and personal data for a period of 10 years from the date of consent.

Invoices issued by the administrator are archived for a period of 10 years from their issue in accordance with Section 35 of Act No. 235/2004 Coll., on value added tax. Due to the need to prove the legal reason for issuing invoices, customer contracts, orders and quotations are also archived for a period of 10 years from the date of termination of the contract.

For debtors, the trustee retains personal data related to the debt for 4 years after the debtor is removed from the SOLUS Register, due to the legitimate interest to defend claims related to the transfer of the debtor to the SOLUS Register.

CCTV footage from the shops and premises of the Trustee and from the vicinity of the Trustee's buildings shall be processed for a maximum period of 90 days from the date of the CCTV footage.

2. Processing of data of customers of the controller's services with consent for marketing and commercial purposes effective from 25 May 2018

We process personal data for marketing and business purposes with the consent of the customer of the controller's service. For the period from 25.5.2018, the controller charges a new consent for marketing and commercial purposes, which is effective after this date. The effective date of the consent to the processing of personal data for marketing and business purposes is the date of receipt of the consent or the date of receipt of the order, the so-called legitimate interest, if the customer did not object to the sending of marketing offers when placing the order.

With the consent for marketing and business purposes, the controller will process the customer's personal data from 25 May 2018 primarily for the creation of suitable offers of products and services of the controller or third parties and in connection with addressing the customer, by telephone, in writing, through all means of Internet advertising and by electronic communication via contact details or service numbers. Accordingly, the controller will also create data on customers who give this consent about their typical behaviour when using the controller's services and products and create and store anonymised behavioural analysis. All of these activities are strictly necessary to reach customers with appropriate marketing offers.

The provision of consent for marketing and commercial purposes is voluntary and may be withdrawn by the customer at any time after 25 May 2018. This consent shall remain valid for the duration of the use of the products and services of the Administrator and for the following 10 years thereafter or until revoked by the customer. For marketing and business purposes, all categories of data listed above in this document (except for signatures and copies of identification documents) may be processed in the case of consent, for as long as the controller is entitled to record such data for the purposes of providing services, fulfilling its legal obligations and protecting its legitimate interests, but no longer than until the consent is withdrawn or until 10 years have elapsed from the date of termination of the last contract for services provided by the controller, unless the customer withdraws consent earlier.

3. Processing data of customers of the controller's services with consent for marketing and business purposes through electronic contact - the so-called sending of a newsletter

In the case of data subjects who have given consent to be granted marketing contact via electronic contact (e-mail), the controller, with their consent, processes the name and e-mail for a period of 10 years for the purpose of e-mail marketing contact with the controller's offer of services, products and goods, i.e. the so-called sending of newsletters. If this consent is granted via the websites www.unipresent.cz or www.unimark.cz operated by the controller, together with these contacts, data from the controller's cookies, which are placed on the websites on which this consent was granted, is also processed, namely only if the data subject has cookies enabled in their web browser and has given this consent through the cookies bar indicated when accessing the www.unimark.cz or www.unipresent.cz pages. In case of legitimate interest based on the purchase contract through the e-shop, the customer has the option to check the box refusing to send newsletters even before sending the order. If he does not use the option of not agreeing to the sending of newsletters, he has the option to unsubscribe at any time via the unsubscribe link in the newsletter or via a request sent to the e-mail address info@unimark.cz. In case of unsubscribing from the newsletter, the controller has no new legitimate interest in the next order and the customer will not be sent newsletters again (if interested in resending, it is necessary to use the form for sending the newsletter and confirm the e-mail address or write a request to info@unimark.cz). If the customer does not unsubscribe from receiving news, a legitimate interest arises with each subsequent order (purchase contract) and the consent is always effective from the last order (purchase contract). In the case of consent sent via the form for sending the newsletter, confirmation of the e-mail address is always required, the so-called double opt-in, and if there is no legitimate interest (on the order - purchase contract) and therefore extension of the effectiveness of the consent. In this case, the data processing period is 10 years from the registration of the contact or until revocation. For the purpose of sending the newsletter, the controller uses personal data only first name and e-mail and possibly other data from cookies that have been enabled).

4. Processing of cookies from websites operated by the controller

If the subject has cookies enabled on his or her terminal device, we process behavioural records based on consent about him or her from the controller's cookies placed on websites operated by the controller for the purpose of ensuring better operation of the controller's websites. We also allow selected subjects to place their cookies on websites operated by the controller.

Unless the law provides otherwise, as a personal data controller, we can transfer personal data to other data controllers only if we have the consent of the data subject for such transfer. The granting of this consent is voluntary.

We may also transfer your personal data to other entities that act as processors:

• In connection with the processing of your order to our partners involved in this processing, specifically:
• When paying by card at the establishment or on the websites www.unipresent.cz or www.unimark.cz, personal data are required to mediate the payment (payment card data, e-mail address, first and last name). According to your payment choice, your personal data is processed for us in this case by Stripe Payments Europe, Limited, of The One Building 1, Grand Canal Street Lower, Dublin 2, Co. Dublin, Ireland, Tax Identification Number: IE 3206488LH (Stripe Personal Data Processing Policy) or GOPAY s.r.o., with registered office at Planá 67, Planá, IČO: 26046768 (Gopay Personal Data Processing Policy) or SumUp Limited, Block 8, Harcourt Centre, Charlotte Way , Dublin 2, Ireland D02 K580, VAT number: IE 9813461A (SumUp Personal Data Processing Policy) or PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg, Tax ID: LU22046007 (PayPal Personal Data Processing Policy).
• For the purpose of easy filling in of forms during registration or ordering on www.unipresent.cz or www.unimark.cz, the Administrator uses whispering of addresses, companies, validation of e-mails, names and typos via the Foxentry service (www.foxentry.cz). In this case, your personal data is processed for us by AVANTRO, s.r.o. - Foxentry service provider (Foxentry Personal Data Processing Policy).
• We use logistics companies to transport goods to you. Depending on the choice of transport, your personal data is processed for us in this case by the following companies: General Logistics Systems Czech Republic s.r.o., IČO: 26087961 (Principles of personal data processing GLS), Lorenc Logistic, s.r.o., IČO: 64832660 (Principles of personal data processing Lorenc Logistic), PPL s.r.o., ID number: 25194798 (Personal data processing policy of PPL), Česká pošta, s.p., ID number: 47114983 (Personal data processing policy Česká pošta), Direct Parcel Distribution CZ s. r. o., ID number: 61329266 (DPD personal data processing policy), TOPTRANS EU , a.s., IČO: 2202376 (Toptrans personal data processing policy), GEBRÜDER WEISS spol. s.r.o., IČO: 44795092 (Gebrüder Weiss Personal Data Processing Policy), FedEx Express Czech Republic s.r.o., IČO: 15888959 (FedEx Personal Data Processing Policy), United Parcel Service, Inc., its subsidiaries and affiliates (collectively, “UPS”) ( UPS Privacy Policy ), Deutsche Post AG, Tax ID: DE169838187, its subsidiaries operating under the DHL brand (DHL Personal Data Processing Policy)
• Suppliers of goods in connection with ordered goods or services with whom we have a contract for the processing of personal data.
• For the purpose of sending electronic invoices, we use so-called transaction e-mails and the processor of personal data is the company Dativery s.r.o., with its registered office at Olešná 51, Němčovice, IČO: 05574617 (Principles of personal data processing of Dativery), which ensures the connection of the economic system with the company ECOMAIL.CZ, s.r.o., with registered office at Na Zderaze 1275/15, Prague 2, IČO: 02762943 (Principles of personal data processing Ecomail), which processes personal data to ensure the sending of an e-mail with an electronic invoice.
• In order to connect the economic system with transport companies, we use a service where your personal data is processed by the company DIAMOND SOFTWARE s.r.o., with registered office at Padoly 47/32, Bolatice, IČO: 04661346 (Diamond Software personal data processing policy). 
• Based on your consent to advertising and social networks, as described in the section Information about cookies and other technologies, the following companies specifically process your personal data:
• Google Ireland Limited, with registered office at Gordon House, Barrow Street, Dublin 4, Ireland, VAT number: IE 6388047V (Google Privacy Policy)
• Meta Platforms Ireland Ltd, with registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02 X525, Ireland, VAT number: IE9692928F (Meta Privacy Policy)
• Seznam.cz, a.s., with registered office Radlická 3294/10, Prague - Smíchov, ID number: 26168685 (Seznam.cz personal data processing policy)
• The provider of the Verified by customers satisfaction survey service, the intermediary of our sales and the processor of personal data in this case is the company Heureka Shopping s.r.o., with its registered office at Karolinská 650/1, Prague - Karlín, ID number: 02387727 (Heureka personal data processing policy)
• When using the online chat on our websites www.unipresent.cz or www.unimark.cz, we have a legitimate interest in providing customer support, during which cookies or other data you enter into the chat box are processed. Personal data in the chat box is processed automatically. Advanced features are only enabled if you have explicitly consented to them through analytical and/or marketing cookies. When using the online chat, the data processor is Smartsupp.com, s.r.o., Company ID: 036 68 681, registered office at Šumavská 31, 602 00 Brno (Smartsupp Privacy Policy). By using this service, voluntarily provided contact information (name, surname, email address, phone number, or social network account contact) and any details voluntarily provided by the visitor in the chat window may be processed. Details about your website visit: URL of the visited webpages, date and time of the website visit, technical information (screen resolution, type of device, type of browser, operating system, etc.), IP address, geographical location data (country and city from which the user accessed the website).
• Cloud service providers and other IT technology and support suppliers such as Microsoft Ireland Operations Ltd., with registered office at One Microsoft Place South County Business Park Leopardstown Dublin 18, D18 P521, Ireland within the SharepointOnline, OneDrive, Office365 service (Microsoft Privacy Policy), PromoTron Solutions a.s., with registered office Čirůvková 127/10, Prague 10, ID: 07029918 (Promotron personal data processing policy), vpsFree.cz z.s., with registered office at Nad Dalejským údolím 2699/9, Prague 5, ID: 26568055 (Processing policy personal data vpsFree), IDrive Inc., with registered office at 26115 Mureau Road, Suite A, Calabasas, CA 91302, ID: 95-4527848 (IDrive personal data processing policy), STORMWARE s.r.o., with registered office at Za Prachárnou 4962/45, Jihlava, IČ : 25313142 (Stormware Personal Data Processing Policy), Readdle GmbH, with registered office WeWork c/o Readdle GmbH, Stresemannstrasse 123, 10963 Berlin, Germany (Readdle Personal Data Processing Policy), IceWarp Czech Republic/ Apptc.me, s.r.o. with registered office at Thamova 18, Prague, ID: 24145190 (IceWarp Personal Data Processing Policy)
• The provider of the newsletter service and the processor of personal data in this case is: ECOMAIL.CZ, s.r.o., with registered office at Na Zderaze 1275/15, Prague 2, IČO: 02762943 (Ecomail personal data processing policy)
• Since October 13, 2025, we have also been using Google Firebase (Realtime Database) as part of our company's quotation application, which is used to securely store work notes on quotations. The data is stored in Google data centers within the EU (region europe-west1) (Google Firebase Privacy Policy).
• Since October 13, 2025, we have been using Google Apps Script, which is used to automatically monitor product availability and send email notifications to customers who have requested this service. Only the customer's email address and information about the monitored product are processed as part of this process. The data is processed in accordance with Google's privacy policy (Google Privacy Policy).

The Administrator uses the professional and specialized services of other entities in fulfilling its obligations and duties under the contracts. If these suppliers process personal data transmitted by the Controller, they have the status of data processors and process personal data only within the framework of instructions from the Controller and may not use them otherwise. This includes, in particular, the collection of outstanding debts, the activities of experts, lawyers, auditors, IT systems administration, internet advertising or commercial representation. We carefully select each such entity and enter into a data processing agreement with each, which sets out the processor's strict obligations to protect and secure personal data. The processors are companies based both in the Czech Republic and in a member state of the European Union or so-called safe countries. The transfer and processing of personal data in countries outside the European Union is always in accordance with the applicable legislation. The controller transfers personal data to the administrative authorities and authorities specified by the applicable legislation in the performance of its legal obligations.

The controller processes personal data manually and automatically. The controller keeps records of all activities, both manual and automated, in which personal data are processed.

For commercial communications of the controller or third parties, the controller uses the name of the company or other appropriate designation from which it is clear that the communication is a commercial communication within the meaning of applicable law. It shall always be clear from commercial communications sent by the controller that the controller is the sender. We may send commercial communications either to our customer contacts on the basis of the legitimate interest of the controller, and only until you object, or on the basis of your explicit consent to the processing of personal data for marketing and commercial purposes. In the commercial communications sent, there is also a contact to opt-out of receiving these communications.

Accounting entity (according to the Accounting Act)

• financial statements and annual reports - 10 years No. 563/1991 Coll., on accounting - § 31 and § 32
• accounting documents, ledgers, depreciation schedules, inventory lists, chart of accounts, reports - 5 years
• accounting records used by accounting units to document bookkeeping (tax documents, etc.) - 5 years
• entrepreneurs (VAT payers) and accounting units
• documents from persons liable for value added tax - 10 years
• No. 235/2004 Coll., on value added tax - § 35 and § 35a
• employers - copies of registration lists - 3 years No. 582/1991 Coll., on the organization and implementation of social security - § 35a (4) and § 37 (1)
• a list of partners and members of the statutory body of the company's supervisory board for individual calendar months (before 2014, since 1 January 2014 this obligation has been abolished) and a list of calendar months for which the company has not paid social security contributions and contributions to the state employment policy - 6 years (3 years after payment of the contributions)
• payroll (payroll of old-age pension beneficiaries) - 30 years (10 years)
• data required for the determination and payment of insurance premiums - 10 years, No. 589/1992 Coll., social security contributions and state policy contributions
• employment - § 22c
• internal regulation by which the employer determines the rights from labour relations more favourably - 10 years No. 262/2006 Coll., Labour Code - § 305 (4)

• founding documents, statutes, articles of association, rules of procedure, organizational charts and schemes, documents on transformation of legal entities, documentation on dissolution and termination
• according to the internal directive, or shredding plan, always with the consent of the relevant state regional archive No. 499/2004 Coll., on archiving and file service and on amendments to certain acts - § 3 (2), Annex No. 1
• minutes and minutes of the meetings of the statutory body and the supervisory body, reports of the supervisory body, minutes of general meetings with annexes, annual reports, audit reports
• extraordinary inventories of assets at the formation, division or liquidation of companies, contracts for the transfer of ownership of real estate and documents certifying the transfer of ownership of real estate, documentation of registration and certification of trademarks financial documents (financial statements), business plans, development studies, product documentation (final drawings of assemblies or assemblies, brochures, catalogues, sample books)

According to Article 15 of the Regulation, the data subject will have the right of access to personal data, which includes the right to obtain from the controller:

• confirmation of whether it processes personal data.
• information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the intended duration of the processing, the existence of the right to request the controller to rectify or erase personal data relating to the data subject or to restrict or object to the processing, the right to lodge a complaint with a supervisory authority, any available information on the source of the personal data if not obtained from the data subject, the fact that automated decision-making, including profiling, takes place, appropriate safeguards in the event of transfer of the data outside the EU.
• if the rights and freedoms of others will not be adversely affected, a copy of the personal data. In the event of a repeated request, the controller will be entitled to charge a reasonable fee for a copy of the personal data. The right to confirmation of the processing of personal data and to information will be exercised in writing to the address of the controller's registered office or by email to info@unimark.cz. The right to a copy of personal data may be exercised at the controller's shop, subject to proof of the legitimacy of the request.

According to Article 16 of the Regulation, the data subject will have the right to rectification of inaccurate personal data processed about him or her by the controller. The customer of the controller is also obliged to notify changes to his/her personal data and to provide evidence that such a change has occurred. He/she is also obliged to provide us with cooperation if it is established that the personal data we process about him/her is not accurate. We will carry out the rectification without undue delay, but always taking into account the technical possibilities. A request for rectification of personal data may be made to the controller, subject to proof of the legitimacy of said request.

According to Article 17 of the Regulation, the data subject will have the right to have personal data relating to him or her erased if the controller does not demonstrate legitimate grounds for processing such personal data. The controller has mechanisms in place to ensure the automatic anonymisation or erasure of personal data when they are no longer needed for the purpose for which they were processed. If the data subject considers that his or her personal data have not been erased, he or she may contact us in writing at the address of the controller's registered office.

Pursuant to Article 18 of the Regulation, the data subject will have the right to restrict processing until the complaint is resolved if he or she contests the accuracy of the personal data, the grounds for the processing or if he or she objects to the processing in writing to the address of the controller's registered office or by email to info@unimark.cz.

According to Article 19 of the Regulation, the data subject will have the right to be notified by the controller in the event of rectification, erasure or restriction of the processing of personal data. We will inform the individual recipients if personal data are rectified or erased, except where this proves impossible or involves disproportionate effort. Upon request of the data subject, we may provide information about these recipients. The request can be sent in writing to the address of the controller's registered office or by email to info@unimark.cz.

According to Article 20 of the Regulation, the data subject will have the right to the portability of the data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format, and the right to request the controller to transmit those data to another controller. Where the data subject provides us with personal data in connection with a service contract or on the basis of consent and the processing is carried out by automated means, the data subject has the right to obtain such data from us in a structured, commonly used and machine-readable format. If technically feasible, the data may also be transferred to a controller designated by you, provided that the person acting on behalf of the controller is duly designated and can be authorised. If the exercise of this right would adversely affect the rights and freedoms of third parties, your request cannot be granted. The request may be made to the controller upon proof of the legitimacy of the request.

According to Article 21 of the Regulation, the data subject will have the right to object to the processing of his or her personal data on the grounds of legitimate interest of the controller. If the controller fails to demonstrate that there is a compelling legitimate ground for the processing which overrides the interests or rights and freedoms of the data subject, the controller shall terminate the processing without undue delay on the basis of the objection. The objection may be sent in writing to the address of the controller's registered office or by email to info@unimark.cz.

Consent to the processing of personal data for marketing and business purposes effective from 25 May 2018 may be withdrawn at any time after this date. Revocation must be made by an express, intelligible and specific expression of will, either by telephone, at the controller's shop or by email to info@unimark.cz. Consent to marketing outreach given for a specific electronic contact can be withdrawn at any time at the controller, on the customer service line or by clicking through from the relevant marketing communication. The processing of data from cookies can be prevented by adjusting the settings of your web browser or by refusing consent in the cookie information bar

The data subject shall have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The controller states that it does not carry out automated decision-making without the influence of human judgement having legal effects on data subjects.

The data subject has the right to contact the Office for Personal Data Protection (www.uoou.cz).