Privacy policy
I. Basic Information
We approach your personal data responsibly and therefore, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR Regulation”) and Act No. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws (hereinafter referred to as the “Act”), we, as the data subject (a natural person whose personal data is processed), provide you with our identification and contact details, as well as the contact details of the responsible person on our website, along with other necessary information which can be found in the tabs on the left. In accordance with Article 24 of the GDPR Regulation and Section 31 of the Act, the controller has adopted appropriate technical, organizational, personnel, and security measures and safeguards, taking into account:- the principles of personal data processing, which are legality, fairness, and transparency, restriction and compatibility of the purposes of personal data processing, as well as data minimization, pseudonymization, and encryption, and integrity, confidentiality, and availability;
- the principles of necessity and proportionality (also relating to the scope and amount of personal data processed, retention period, and access to personal data of the data subject) concerning the purpose of the processing operation;
- the nature, scope, context, and purpose of the processing operation;
- the resilience and recovery of personal data processing systems;
- instructions for authorized persons of the controller;
- measures for prompt detection of personal data breaches and immediate reporting to the supervisory authority and the responsible person;
- measures to ensure correction or deletion of incorrect data or to exercise other rights of the data subject;
- risks with varying likelihood and severity for the rights and freedoms of natural persons (particularly accidental or unlawful destruction of personal data, loss or alteration of personal data, misuse of personal data – unauthorized access or unauthorized provision, risk assessment considering the origin, nature, probability, and severity of the risk associated with processing, and identification of best practices to mitigate the risk).
II. Information on the Purpose of Processing Personal Data, Its Legal Basis, and the Scope of Personal Data
2.1 Information on the Purpose of Processing for Which Personal Data is Intended
One of the principles of personal data processing is the principle of purpose limitation. According to this principle, personal data may only be collected for specific, explicitly stated, and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
The processing of personal data should be closely linked to the purpose of the processing, especially regarding the list or scope of personal data processed, which should be necessary to achieve the intended purpose. It is incorrect to artificially or additionally expand the list or scope of personal data concerning the purpose. If the purpose and the list or scope of personal data are determined by law, it must be respected. If the list or scope of personal data is determined by the controller, care should be taken not to unnecessarily expand it beyond the purpose.
The Personal Data Protection Act imposes an obligation on the controller to provide the data subject with information about the purpose of processing personal data intended for them, even when the personal data is not obtained directly from the data subject. This information must be provided to the data subject no later than at the time of obtaining their personal data, or within a reasonable time beforehand, clearly and comprehensibly, in a manner that allows the data subject to understand and become familiar with it.
At Slovškrob a.s., we obtain the personal data we truly need to provide a comprehensive service and process it when delivering the products and goods you have ordered, providing customer and product support, or handling any complaints that may arise. We also process personal data to fulfill legal obligations in the areas of taxation and accounting, specifically when preparing and issuing customer invoices.
2.2. Legal Bases for Processing Personal Data
Below we outline the legal bases for processing personal data for specific purposes during the various procedural steps in the provision of our services:
- When communicating with clients by phone, in person, via electronic/paper mail, or through the online contact form, we process data under Article 6(1)(f) of the GDPR – legitimate interest, to respond to your inquiry, suggestion, or question about the services and products provided, where it is necessary to verify the relevance of the request or to facilitate subsequent contact with the client as the data subject.
- In the case of expressing interest in our services, when placing an order for products/goods by phone, in person, via electronic/paper mail, or through the application https://www.rootie.eu/, we process data under Article 6(1)(b) of the GDPR – where processing is necessary to take necessary measures according to the requirements of the orderer as the data subject before concluding and confirming the order, i.e., during the pre-contractual relationship – for example, identifying the client when creating or defining a request or order, specifying or changing the address and delivery time.
- After confirming the order, i.e., after the contractual relationship between Slovškrob a.s. and you as the data subject customer is established, during the necessary cooperative communication with the client, informing about changes in order status, during final personal delivery, or when preparing and issuing a tax document – invoice, we process data under Article 6(1)(b) of the GDPR – where processing is necessary to fulfill the contractual relationship of which the data subject is a party.
- Through the website https://www.rootie.eu/, you have the option to voluntarily create and register a user account, enabling simplified online shopping and record-keeping of all purchases, or to register your email address to receive product news newsletters, where we process data under Article 6(1)(a) of the GDPR – based on your consent to process personal data for the purpose of creating and maintaining a user account or receiving current news in the form of newsletters to the provided email address.
2.3 Scope of Processed Personal Data
Data for Newsletter Subscription – Product News
– Email address
Data Required to Fulfill an Order
– First and last name
– Email address
– Permanent address, or another delivery address
– Phone number
Data Required to Register a User Account
– First and last name
– Email address
– Correspondence address for registration purposes
– Phone number
– Personal access password
Billing Information
– First and last name
– Correspondence address for billing purposes
Contact Information for Deliveries
– First and last name
– Correspondence address for delivery
– Phone number – for confirming the date, time, and place of delivery, or in case of changes to the order
– Email address – for sending electronic order confirmations and order status updates, as well as an emergency communication tool if the customer is unavailable at the provided phone number.
III. Information on the Retention Period of Personal Data
Information on the Processing Period of Personal Data or information on the criteria for its determination:
Your personal data, which we have processed or are processing under Article 6(1)(b) of the GDPR – in fulfilling the obligations of Slovškrob a.s. towards orderers and clients, is also processed to fulfill our legal obligations in the areas of taxation and accounting, as stipulated by generally binding legal regulations (e.g., retaining individual accounting records of your confirmed orders and invoices for the delivery of selected goods to your contact address under Act No. 431/2002 Coll. on Accounting as amended, to prove compliance with tax obligations under tax laws such as Act No. 595/2003 Coll. on Income Tax, Act No. 563/2009 Coll. on Tax Administration, etc.), we must retain for the period specified by the relevant legal regulations. In any case, we adhere to the principle of data minimization under Article 5(1)(e) of the GDPR, so your personal data not subject to archiving under special legal regulations will be deleted or anonymized.
Personal data processed under Article 6(1)(a) of the GDPR – based on your consent for processing personal data for the purpose of creating and maintaining a user account or for sending current marketing news, is processed for a period of 3 years or until consent is withdrawn. At the end of the processing period, we will contact you in writing or via email, allowing you to renew and extend your consent for the defined processing purpose for the next period. If consent is not renewed or extended, or if there is no response to the contact, we will no longer process your personal data – meaning the data will be aically removed from records, electronic data will be technically deleted from systems, and physically shredded.
Personal data processed under Article 6(1)(f) of the GDPR – based on legitimate interest, obtained in response to your inquiry or question regarding provided services and products, where it was necessary to verify the relevance of the request or to facilitate potential subsequent contact with the client/data subject, will be deleted immediately after the issue is resolved unless it proceeds to a pre-contractual or contractual relationship.
As a Controller, we ensure the deletion of personal data without unnecessary delay after:
- all contractual relationships between you and our Company have ended; and/or
- all your obligations towards our Company have ceased; and/or
- all your complaints and requests have been resolved; and/or
- all other rights and obligations between you and our Company have been settled; and/or
- all processing purposes stipulated by legal regulations or for which you gave consent have been fulfilled, if processing was based on the data subject’s consent; and/or
- the period for which consent was granted has expired, or the data subject has withdrawn their consent; and/or
- the data subject’s request for deletion of personal data has been granted, and one of the reasons justifying the request has been met; and/or
- the legal basis for processing has ceased and the retention period defined with regard to the principle of data minimization has also expired;
- and there is no longer a legitimate interest of our Company, all obligations of our Company set by generally binding legal regulations that require the retention of the data subject’s personal data (especially for archiving purposes, tax audits, etc.), or which could not be fulfilled without retaining them, have ceased.
Any accidentally obtained personal data is not processed systematically for any defined purpose by us. If possible, we inform the data subject whose accidentally obtained personal data belongs about the accidental acquisition and, according to the nature of the case, provide necessary assistance to restore control over their personal data. Immediately after these necessary steps to resolve the situation, all accidentally obtained personal data is securely destroyed without delay.
If you are interested in more information about the specific retention period of your personal data, please contact us using the contact details provided on our website.
IV. Rights of the Data Subject
The Regulation of the European Parliament and the Council (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Acts (hereinafter referred to as the “Act”) guarantee you as a data subject the following rights:
a) The right of the Data Subject to access personal data, which includes:
- The right to obtain confirmation from the Controller as to whether personal data concerning the Data Subject is being processed;
- If personal data concerning the Data Subject is being processed, the right to access the processed personal data and the right to obtain the following information:
- Information about the purposes of the processing;
- Information about the categories of personal data concerned;
- Information about the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly in the case of recipients in third countries or international organizations;
- If possible, information about the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- Information about the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing concerning the Data Subject, or to object to such processing;
- Information about the right to lodge a complaint with a supervisory authority;
- If the personal data is not collected from the Data Subject, any available information as to its source;
- Information about the existence of aed decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 of the Regulation, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
- The right to be informed about appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer of personal data, if personal data is transferred to a third country or international organization;
- The right to obtain a copy of the personal data undergoing processing, subject to the condition that the right to obtain a copy of the processed personal data must not adversely affect the rights and freedoms of others;
The right of the Data Subject to access personal data essentially means that the Data Subject has the right to obtain from us confirmation as to whether personal data concerning them is being processed, and if so, the right to access that personal data. At the request of the Data Subject, we will provide a copy of the personal data undergoing processing. For any additional copies requested by the Data Subject, we may charge a reasonable fee based on administrative costs. If the Data Subject submits the request electronically, the information will be provided in a commonly used electronic format unless the Data Subject requests otherwise. The information must be provided immediately, but no later than within 1 month. We have the right to extend the processing time of the request by an additional 2 months if the request is complex or frequent. However, we must inform the Data Subject of the reason for the extension within 1 month. In the case of an unfounded or excessive request, we have the right to charge a fee corresponding to the costs or to refuse the request. We must explain the reason for the refusal and the right of the Data Subject to lodge a complaint with a supervisory authority.
b) The right of the Data Subject to rectification of personal data, which includes:
- The right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning the Data Subject;
- The right to have incomplete personal data completed, including by means of providing a supplementary statement from the Data Subject;
The right of the Data Subject to rectification of personal data means that you can ask us at any time to correct or complete your personal data if it is inaccurate or incomplete. The Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c) The right of the Data Subject to erasure of personal data (the so-called “right to be forgotten”), which includes:
- The right to obtain from the Controller the erasure of personal data concerning the Data Subject without undue delay where one of the following grounds applies:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- The Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- The Data Subject objects to the processing pursuant to Article 21 paragraph 1 of the Regulation and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21 paragraph 2 of the Regulation;
- The personal data has been unlawfully processed;
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- The personal data has been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 of the Regulation;
- The right to have the Controller, who has made the personal data public, considering available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers which are processing the personal data, that the Data Subject has requested the erasure of any links to, or copy or replication of, those personal data;
V. Cookie Usage Policy
In accordance with § 55 paragraph 5 of the Act of the National Council of the Slovak Republic No. 351/2011 Coll. on Electronic Communications, as amended, we would like to inform you about the use of cookies and draw your attention to the possibility of changing the settings of your internet browser if the current settings for the use of cookies do not suit you.
5.1 What are cookies?
Cookies are small text files that can be sent to your internet browser when you visit websites and stored on your device (computer or another device with internet access, such as a smartphone or tablet), specifically in the folder for internet browser files. Cookies usually contain the name of the website they come from, their creation date, and information that helps the website “notice” certain inputs, settings, and preferences (such as login, language, font size, and other display preferences) for a certain period, so you do not need to enter them again during subsequent visits or when navigating the site. Cookies can also capture how you use the site and analyze it. There are so-called session cookies that are deleted after closing the browser window, and so-called permanent cookies that are stored for a longer period on your hard drive and only after the specified time do they get deleted by the browser.
5.2 Why do we use cookies and their legal basis?
We use cookies to optimally create and continuously improve our services, tailor them to your interests and needs, improve their structure and content, and create interesting offers for you. As the Operator, we do not use your data obtained through cookies as contact data to contact you by mail, email, or phone. To the extent that the implemented cookies process data, this processing is carried out in accordance with Article 6 paragraph 1 letter a) of the GDPR Regulation – based on the consent given to maintain the best possible functionality and optimization of the website.
5.3 How can you change cookie settings?
Upon your initial visit to our website, you will be presented with information regarding the use of cookies. In the settings section, you can adjust the range of enabled cookies during your visit to our site. Alternatively, most internet browsers are originally set to aically accept cookies. You can change this setting by blocking cookies or notifying you when cookies are being sent to your device. Instructions for changing cookies can be found in the “help” option of each browser. If you use different devices to access websites (e.g., computer, smartphone, tablet), we recommend adjusting each browser on each device to your cookie preferences.
5.4 Why keep cookie settings?
Using cookies and enabling them in the web browser is up to you. However, changing their settings may result in some of our web pages having limited functionality and reduced user comfort.