Privacy Policy and Data Protection in accordance with the GDPR
(hereinafter also referred to as the “Policy”)

1. Introductory provisions
   1. The data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”) is:
      • Company / name: SPOLCENTRUM s.r.o.
      • Registered office / address: Přemyslovo náměstí 1325/26; Brno; 627 00
      • Company registration number: 26943522
      • Represented by: Ing. Přemysl Pazdera
      • Contact: email: info@slunecnidvur.cz, tel.: +420 608 400 065
   2. (hereinafter referred to as the “controller”).
   3. When processing personal data, the controller acts in accordance with the GDPR, Act No. 101/2000 Coll., on the Protection of Personal Data, Act No. 89/2012 Coll., the Civil Code, and other relevant legislation.
   4. Below is a list of personal data, the method of processing, the period for which your personal data is processed, the purpose of processing, as well as information provided to you as data subjects by the controller.
       
2. Categories of personal data
   1. The controller processes only the essential basic data, namely:
      • identification data (your first name and surname, business name, residential or registered address, or your delivery address where applicable, company registration number, VAT number, and date of birth)
      • contact details (your email address and telephone number, or IP address)
   2. The controller processes personal data that you have provided to them or personal data that the controller has obtained in connection with the fulfilment of your order.
       
3. Reason and purpose of personal data processing
   1. The legal basis for the processing of personal data is:
      • performance of a contract to which you, as the data subject, are a party
      • compliance with the controller’s legal obligations
      • the controller’s legitimate interest in providing direct marketing
      • Your consent to the processing of personal data for the purposes of providing direct marketing (sending commercial communications and newsletters)
   2. The controller processes personal data for the purpose of fulfilling your order, for the purpose of fulfilling its own legal obligations towards the state (e.g. tax obligations) and for the purpose of marketing activities.
   3. You may withdraw the consent you have given to the controller for the sending of commercial communications at any time.
       
4. Retention period for personal data
   1. The controller retains your personal data for the period necessary to exercise the rights and fulfil the obligations arising from the contractual relationship, or for the period necessary to comply with archiving obligations under other legislation (the Accounting Act, the Archives and Records Act, the VAT Act), but for no longer than 10 years from the termination of the contractual relationship. Unless you withdraw your consent to the processing of personal data for direct marketing purposes, the data will be processed for a maximum of 3 years.
   2. Once the retention period for personal data has expired, we will delete your personal data.
       
5. Security of personal data
   1. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, the controller has implemented appropriate technical and organisational measures to meet the requirements of the GDPR and protect the rights of data subjects.
       
6. Recipients of personal data
   1. The controller transfers personal data to the following recipients:
      • external accountants
      • payment service providers and payment processors for the purpose of securing the transfer of funds
   2. We do not transfer your personal data to countries outside the European Union. Personal data is processed both manually and automatically.
       
7. Your rights
   1. Right of access to personal data (Article 15 of the GDPR)
      1. You have the right to request access to the personal data concerning you that is being processed and to the following information:
         1. the purpose of processing personal data
         2. the categories of personal data being processed
         3. the categories of recipients to whom the personal data have been or will be disclosed
         4. the duration of the processing and storage of personal data
         5. any available information regarding the source of the personal data, where it has not been obtained from you
         6. whether automated decision-making, including profiling, takes place
   2. Right to rectification of personal data (Article 16 of the GDPR)
      1. You may contact us with a request for rectification if the data we hold about you is inaccurate, incomplete or out of date. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
   3. Right to erasure of personal data (Article 17 of the GDPR)
      1. You may contact us to request that your personal data be erased if:
         1. the data is no longer necessary for the purpose for which it was collected or otherwise processed
         2. you have withdrawn your consent to the processing of the data
         3. the data has been processed unlawfully
         4. the data must be erased to comply with a legal obligation under EU or Member State law to which the controller is subject
         5. you have objected to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR
   4. Right to restriction of processing of personal data (Article 18 of the GDPR)
      1. You have the right to restriction of processing of personal data if:
         1. you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data
         2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
         3. we no longer need the personal data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims
         4. you have objected to the processing pursuant to Article 21(1) of the GDPR, until it has been established whether our legitimate grounds override your legitimate grounds
      2. If you have obtained a restriction on processing, you will be notified in advance that the restriction on processing will be lifted.
   5. Right to data portability (Article 20 of the GDPR)
      1. You may request that we provide you with your personal data in a structured, commonly used and machine-readable format, or that this data be transferred directly to another controller, provided that:
         1. the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR
         2. the processing is carried out by automated means
   6. The right to withdraw consent to the processing of personal data at any time
      1. You may withdraw your consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
   7. Right to object to the processing of personal data (Article 21 of the GDPR)
      1. You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on Article 6(1)(e) or (f), including profiling based on these provisions. We will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
      2. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling insofar as it relates to such direct marketing.
   8. Right to lodge a complaint
      1. If you believe that we are processing your personal data unlawfully, you have the right to lodge a complaint with the supervisory authority, which is:
         • Authority: Office for Personal Data Protection
         • Address: Pplk. Sochora 27, 170 00 Prague 7
         • DS ID: qkbaa2n
         • Email: posta@uoou.cz
         • Telephone: +420 234 665 111 (Switchboard)
         • Fax: +420 234 665 444
            
8. Personal data breach
   1. If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you of the breach without undue delay. The notification will describe the nature of the personal data breach and include at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the GDPR.
   2. This notification is not required if any of the following conditions are met:
      1. we have implemented appropriate technical and organisational protection measures, and these measures were applied to the personal data affected by the personal data breach, in particular those that render such data unintelligible to any person who is not authorised to access it, such as encryption
      2. we have taken remedial measures to ensure that the high risk to your rights and freedoms is no longer likely to materialise
      3. it would require disproportionate effort
          
9. Data Protection Officer
   1. The controller does not have a designated Data Protection Officer. You may contact us directly regarding matters relating to the processing of personal data.
   2. Contact details:
      • Postal address: Přemyslovo náměstí 1325/26; Brno; 62700
      • Email: info@slunecnidvur.cz
      • All contact details can also be found on the controller’s website: www.slunecnidvur.cz.

This Policy is effective from 1 April 2026.