Declaration on the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the instruction of data subjects (hereinafter referred to as the GDPR).

1. Personal data controller
KUTULU represented by Pavla Boháčová, based in Borská 38, Dalovice, 362 63, Czech Republic, CI No: 04318501, VAT No: CZ8861012006, enrolled in the trade register maintained by CH Carlsbad (hereinafter referred to as the “controller”) hereby informs you, in accordance with Article No. 12 of the GDPR, about the processing of your personal data and your rights.

2. The scope of personal data processing
Personal data are processed to the extent in which the relevant data subject has provided them to the controller in connection with entering into a contractual or other legal relationship with the controller, or which the controller has collected otherwise and processes in accordance with applicable law, or to fulfil the controller's obligations.

3. Sources of personal data

  • Directly from the data subject
  • Supplier
  • Distributor
  • Publicly accessible registers, lists and records (e.g. Commercial Register, Trade Register, Cadastre of Real Estate, public telephone directory, etc.)

4. Categories of personal data that are subject of processing

  • Address and identification data used for unambiguous and unmistakable identification of the data subject (e.g. name, surname, title, birth certificate number, date of birth, permanent address, identification number, VAT number) and data enabling contact with the data subject (contact details – e.g. contact address, phone number, email address, and other similar information)
  • Descriptive data (e.g. bank account details)
  • Other data necessary for the performance of the contract
  • Data provided in excess of the relevant laws and processed within the consent of the data subject (processing of photographs).

5. Categories of data subject

  • Controller’s customer (only for subjects registered in the e-shop)
  • Carrier
  • Service provider
  • Distributor
  • Another person who is in a contractual relationship with the controller

6. Categories of recipients of personal data  

  • Financial Administration
  • Public institutions, authorities
  • Processor
  • Contractors
  • State and other bodies within the fulfilment of legal obligations stipulated by the relevant legal regulations
  • Other recipients (e.g. transfer of personal data abroad – EU countries)

7. Purpose of personal data processing

  • Purposes contained within the consent of the data subject
  • Negotiating the contractual relationship
  • Performance of the contract
  • Protection of the rights of the controller, recipient or other persons concerned (e.g. recovery of the controller's claims)
  • Archiving maintained as per requirements of the Act
  • Fulfilment of legal obligations of the controller
  • Protection of the vital interests of the data subject

8. Method of processing and protection of personal data
The processing of personal data is carried out by the controller. The processing is carried out in the premises and headquarters of the controller or by the processor. The processing is done with the use of computer technology, or for personal data in paper form, it is done manually, and in compliance with all security principles for the management and processing of personal data. For this purpose, the controller has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to, alteration, destruction or loss of personal data, unauthorized transfers, unauthorized processing and other misuse of personal data. All subjects to whom personal data may be disclosed respect the right of data subjects to privacy and are required to comply with applicable data protection legislation.

9. Personal data processing period
In accordance with the deadlines specified in the relevant contracts, in the filing and shredding rules of the controller or in the relevant legislation, this is the period necessary to secure the rights and obligations arising from both the contractual relationship and the relevant legislation.

10. Instructions
The controller processes the data with the consent of the data subject, except in cases stipulated by law where the processing of personal data does not require the consent of the data subject. In accordance with Article 6 (1) of the GDPR, the controller may process the following data without the consent of the subject:

  • The data subject has given his consent for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is a contracting party or for the implementation of measures taken prior to the conclusion of the contract at the request of this data subject.
  • Processing is necessary to fulfil the legal obligation applicable to the controller.
  • Processing is necessary to protect the vital interests of the subject or another natural person.
  • Processing is necessary for the fulfilment of a task carried out in the public interest or during the exercise of public authority entrusted to the controller.
  • Processing is necessary for the purposes of the legitimate interests of the relevant controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence over those interests.

11. Data subjects' rights 
11.1.In accordance with Article 12 of the GDPR, the controller shall, at the request of the data subject, inform the data subject of the right of access to personal data and the following information:

  • The purpose of processing.
  • The category of personal data affected.
  • Recipients or categories of recipients to whom personal data have been or will be disclosed.
  • The planned period for which personal data will be stored.
  • Any available information on the source of the personal data, if not obtained from the data subject, and whether automated decision making, including profiling, is taking place.

11.2. Any data subject who discovers or assumes that the controller or processor is processing his personal data in a way that is contrary to the protection of the privacy and personal life of the data subject or to the law, in particular if the personal data are inaccurate for the purpose of their processing, can:

  • Ask the controller for an explanation.
  • Require the controller to remedy this situation. In particular, this may be blocking, correcting, supplementing or deleting personal data.
  • If, pursuant to Section 1, the data subject's request is found justified, the controller shall immediately remedy the defective condition.
  • If the controller does not comply with the data subject's request pursuant to Section 1, the data subject shall have the right to contact the supervisory authority directly, i.e. the Office for Personal Data Protection.
  • The procedure referred to in Section 1 shall not preclude the data subject from contacting the supervisory authority directly.
  • The controller shall have the right to request reasonable compensation not exceeding the costs necessary to provide the information.

This declaration is publicly available here on the controller's website.