
Personal Data Processing Policy 

Ing. Arch. Karin Krettková, ID No.: 07888252 

with registered office at Rybářská 6, 747 22, Dolní Benešov 

tel.: 773 479 868

e-mail: krettkova@gmail.com

(hereinafter also referred to as the "Entrepreneur" or "Administrator"), as the operator of the collture e-shop (hereinafter also referred to as the "e-shop"), issues the following principles for the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and Act No. 110/2019 Coll., on the processing of personal data, as amended.

 

The controller hereby provides information on the processing of personal data of natural persons that occurs during visits to the e-shop website, communication with the entrepreneur, and the provision of services related to ordering, purchasing, and selling goods in the e-shop.  

effective date: 1.9.2025

last update: 1.9.2025

II. Personal Data Controller
  1. The personal data controller is the Business listed in the header of this document. 

  2. The controller can be contacted via the contact points listed in the header of this document. Contact can be made for any questions regarding the processing of personal data or to exercise the rights of the Data Subject arising from these principles. 

I. Terms
  1. Natural person, Data subject – a natural person or data subject refers to customers, suppliers, e-shop users, those interested in commercial communications, and any other third parties performing activities related to the e-shop. 

  2. Personal data controller – a personal data controller is a person who determines the manner, reason, purpose, and duration of personal data processing, as well as a person responsible for complying with obligations arising from legal regulations in the field of personal data protection. 

III. Purpose of personal data processing

1. The controller processes: 

a) personal data for marketing purposes and for the purpose specified in the consent to the processing of personal data granted by the data subject (Article 6(1)(a) of the GDPR);   

b) personal data for the purpose of concluding and performing contracts (Article 6(1)(b) of the GDPR); 

c) personal data for the purpose of fulfilling obligations in accordance with Act No. 563/1991 Coll., on accounting, as amended, and in accordance with Act No. 235/2004 Coll., on value added tax, as amended (Article 6(1)(c) of the GDPR); 

d) personal data for the purpose of protecting the legitimate interests of the Controller (Article 6(1)(f) of the GDPR). 

2. The provision of personal data to the Controller pursuant to paragraph 1(a) of this section is optional and entirely voluntary. Failure to provide personal data pursuant to letter a) of this paragraph is not a reason for the Entrepreneur to refuse to conclude a purchase contract. The provision of personal data to the Controller pursuant to paragraph 1, letters b), c), and d) of this paragraph is a mandatory legal and contractual condition for the conclusion of contractual documentation between the Entrepreneur and the Data Subject. If the Data Subject does not provide the Controller with personal data pursuant to letters b), c), and d) of this paragraph, it will not be possible to conclude contractual documentation with the Data Subject and provide them with contractual performance on the part of the Controller.  

3. The legitimacy and obligation to process personal data arises in particular from Article 6(1) of the GDPR, based on which the processing of personal data is lawful in such a case if it is necessary for the fulfilment of obligations arising from legal regulations or a contract, or if consent has been given for such processing. The compliance of the processing with legal regulations also follows from Act No. 127/2005 Coll., the Electronic Communications Act, as amended, for the purpose of storing data or gaining access to data stored in the Data Subject's terminal equipment, Act No. 89/2012 Coll., the Civil Code, as amended, for the protection of the legitimate interests of the Controller, furthermore, Act No. 563/1991 Coll., on Accounting, as amended, for processing and storing billing data, and Act No. 235/2004 Coll., on Value Added Tax, as amended, for tax purposes. 

IV. Scope of personal data processing

1. Personal data provided by the Data Subject for the purpose specified in Section II of these Personal Data Protection Principles shall be processed by the Controller to the following extent:  

a) general identification data – name, surname, residential address (street, house number, municipality, postal code), or identification number; date of birth is processed only if this data is required for a specific type of contract based on legal regulations, and this data is necessary for its performance;  

b) general contact details – telephone number, email address; 

c) Billing details – in particular, bank account number, VAT number, if applicable, and other information arising from invoices; 

d) Information obtained from mutual communications – in particular, information resulting from e-mail messages, SMS messages, telephone call records, or information obtained through the order form; 

e) Geolocation information – information provided by the Data Subject based on data from an internet browser, mobile application, or other device tracking geolocation information about the Data Subject; 

f) Technical data – information about the technical operation of the e-shop when the Data Subject visits the e-shop website; technical data is automatically and irretrievably deleted 15 days after it is obtained; 

g) Customer profile information – if consent is given, the Controller may process customer profile information about the goods viewed, purchased, and requested by the Data Subject; based on the Data Subject's consent to the use of statistical, preference, and marketing cookies, the Controller may process information about the Data Subject's profile informing about the Data Subject's behavior in the online environment and their preferences. 

2. The above scope results from legal regulations and contractual obligations for the purpose of ensuring the proper fulfilment of the Entrepreneur's obligations and for other purposes mentioned above. If the Data Subject grants consent to the Controller, the scope of personal data processing is adapted to ensure a personalised offer of the Entrepreneur's goods and services. 

V. Obtaining personal data

1. The Controller obtains personal data from the Data Subject or third parties. Personal data is collected primarily based on the following: 

a) forms completed by the Data Subject on the e-shop website or completed in connection with viewing the e-shop website; 

b) mutual communication between the Entrepreneur and the Data Subject, in particular based on e-mail or SMS communication; 

c) contracts concluded between the Entrepreneur and the Data Subject, in particular purchase contracts concluded based on an order placed by the Data Subject; 

d) from third parties authorised to process the Data Subject's personal data, if the Controller cooperates with them; 

e) cookies, i.e., small text files necessary for the secure and proper functioning of e-shops, to the extent approved by the Data Subject. 

VI. Recipients of personal data

1. The recipient of personal data may be a person obliged to deliver goods based on a purchase contract concluded between the Entrepreneur and the Data Subject. If the Data Subject consents to the use of statistical, preference, and marketing cookies, the recipient of personal data may be a third party.  

2. If the Data Subject consents to the use of statistical and preference cookies, the data may be transferred to a third party – Google Czech Republic s.r.o., ID No.: 27604977, with its registered office at Prague 5, Stroupežnického 3191/17, PSČ 15000, via the web tool "Google Analytics", or to other third parties in the field of statistics and preferences processing personal data exclusively for statistical and preference purposes.  

3. If the Data Subject consents to the use of marketing cookies, the data may be transferred to a third party, Google Czech Republic s.r.o., ID No.: 27604977, with its registered office at Prague 5, Stroupežnického 3191/17, PSČ 15000, via the "AdWords" web tool and via the website www.youtube.cz, or to other third parties in the field of marketing who process personal data exclusively for marketing and advertising purposes.    

4. The controller shall transfer personal data processed for the fulfilment of obligations arising from special legal regulations to state administration bodies or other competent authorities in cases where it is required to do so by law. The controller shall not transfer any other data to third parties. 

5. The controller declares that it will not transfer personal data to a third country or international organisation. 

VII. Period of processing and archiving of personal data

1. The controller processes and archives personal data for at least the duration of the obligation arising from the contract concluded between the entrepreneur and the data subject. In the case of processing personal data resulting from technical cookies, processing and archiving take place for a period of 15 days from the date of acquisition. 

2. A longer period for the processing and archiving of personal data is given in the following circumstances: 

a) In the case of personal data processed for marketing, statistical, and preference purposes, the Controller shall retain such personal data for a maximum period of 3 years from the date of acquisition; 

b) in the case of personal data processed for tax and invoicing obligations, the Controller shall store such personal data for a period of 5 years from the year following the occurrence of the stored event; 

c) in the case of personal data processed for the exercise of the Controller's legitimate interests, the retention period is set at a maximum of 6 years from the termination of the contractual relationship between the Controller and the Data Subject. 

3. The Data Subject's personal data will never be stored for longer than the period specified by law. After the retention and archiving period has expired, the Controller will ensure that the data is deleted so that the personal data is irretrievably lost and can no longer be used or misused. 

VIII. Personal data security

1. The controller declares that all personal data is protected, taking into account the costs incurred for implementation, the technical state of security technology, the nature, scope, meaning, and purpose of personal data processing, as well as the expected and serious risks affecting the fundamental rights and freedoms of the data subject. 

2. The controller uses security measures in the form of passwords generated based on recommendations from security experts, as well as licensed firewalls and antivirus software. When handling personal data, protection mainly consists of the use of passwords, firewalls, and antivirus software, all in accordance with Article 32 of the GDPR. 

IX. Copyright
  1. The Buyer acknowledges that, given the nature of the goods offered by the seller, in particular the nature of Cut-outs and other similar goods offered by the seller, the copyright to the goods belongs to the seller or its author, if different from the seller. In such a case, the buyer acquires only a copy of the copyrighted work, the use of which is governed by the relevant legal regulations, in particular the Copyright Act. 

  2. Originals of the cut-outs remain the property of the Seller. The Buyer is entitled only to reproducible copies. 

  3. Copying and reselling purchased goods or parts thereof without the Seller's consent is prohibited. 

  4. It is strictly prohibited to copy and resell purchased goods or parts thereof without the seller's consent. 

X. Rights of the Data Subject

1. In connection with the processing of personal data by the Controller, the Data Subject has the following rights in particular: 

a) the right to withdraw consent (Article 7 of the GDPR) – the Data Subject is entitled to withdraw their consent to the processing of personal data that is not necessary for the fulfilment of a contractual or legal obligation. Consent may be withdrawn at any time in writing by emailing: ADD or by sending a letter to the Controller's registered office; 

b) right of access (Article 15 of the GDPR) – The data subject has the right to request information from the Controller as to whether the Controller is processing their personal data. If the Controller processes personal data about the data subject, the data subject has the right to request access to the following information: 

a. the purpose of the processing; 

b. the scope of the processing; 

c. the source of the personal data processed; 

d. the recipients of the personal data; 

e. the duration of the processing; 

f. the existence of the right to request from the Controller the erasure, rectification, or restriction of the processing of personal data; 

g. automated profiling, if any; 

h. the possibility of complaining to a supervisory authority; 

c) right to rectification (Article 16 of the GDPR) – The data subject has the right to request the Controller to rectify inaccurate, altered, outdated or incomplete personal data concerning the data subject, and the Controller is obliged to rectify such data without undue delay upon request by the data subject; 

d) right to erasure (Article 17 of the GDPR) – The data subject has the right to request that the controller permanently and irrevocably erase (destroy) personal data relating to him or her if the legal grounds specified in Article 17 of the GDPR are met. The Controller is obliged to carry out such erasure without undue delay upon request by the Data Subject. 

e) right to restriction of processing (Article 18 of the GDPR) – The data subject has the right to request that the Controller restrict the processing of their personal data for a certain period of time. In such a case, the Controller shall store (archive) the personal data but shall not otherwise further process it. In the event of restriction of processing of personal data, the Controller shall notify the Data Subject of the planned lifting of the restriction of processing of personal data; 

f) the right to data portability (Article 20 of the GDPR) – the Data Subject is entitled to request from the Controller the data concerning him/her in a standard structured format and the right to transfer this data to another controller. The Controller is not entitled to prevent the transfer of personal data in the following cases: 

a.  if the processing is based on consent, and 

b. the processing is carried out by automated means.  

c. The right to data portability shall not affect the human rights and freedoms of third parties. 

g) the right to object (Article 21 of the GDPR) – The data subject has the right to object to the controller's processing of personal data in cases where the processing of personal data is based on the legitimate interests of the controller, a third party, or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, including personal data obtained based on profiling. In the event of an objection, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the rights of the Data Subject or for the establishment, exercise or defence of legal claims. The right to object is free of charge. The right to object also applies to cases of direct marketing. 

h) right to complain (Article 77 of the GDPR) – If the Data Subject believes that the Controller is processing personal data in violation of the law, they are entitled to complain to the Controller or the Office for Personal Data Protection; 

i) Right to be informed in the event of a breach of security – The Data Subject has the right to inform the Controller if, given the circumstances, it is likely that a breach of personal data security will occur, posing a high risk to the rights and freedoms of natural persons. In such a case, the Data Subject shall notify the Controller of the risk of a breach without undue delay, and the Controller is obliged to address the circumstances of the potential breach. 

2. The Controller notes that information on processing and a handbook on the rights of Data Subjects are also available on the website of the Office for Personal Data Protection. 

XI. Supervisory Authority 

1. By concluding the contract, the buyer agrees to the processing of their personal data in the seller's database after the purchase contract has been fulfilled. The buyer is entitled to revoke their consent to the processing by expressing their disagreement with this processing in writing. The seller secures the personal data of buyers against misuse. 

2. Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter also referred to as the "GDPR"). 

3. By concluding the contract, the buyer agrees that the seller will process their personal data in accordance with the GDPR, in particular their name, surname, place of residence, delivery address, email address, and telephone number, for the purpose, on the basis, and to the extent specified in the Personal Data Protection section available on the seller's website, with which the buyer familiarized themselves before concluding the contract. 

XII. Updates to the Personal Data Policy

1. The Controller reserves the right to update this Personal Data Processing Policy from time to time. The valid and effective version of the Personal Data Processing Policy will always be published on the Controller's website. ADD  

2. The Personal Data Processing Policy is valid and effective from September 1, 2025. 
