This Policy describes the purposes of the processing of personal data, the methods of processing, information about the individual categories of personal data processed, the potential recipients of personal data, the period of storage of personal data and your rights in relation to the protection of personal data.
This Policy also applies to the website www.rubgallery.com (the “Website”) operated by the Gallery.
The Gallery protects all personal data processed as strictly confidential and handles it in accordance with applicable and effective data protection laws. The security of your personal data is a priority for the Gallery.
1. General provisions
- the processing of personal data of visitors to the Website by the Gallery during their visit to the Website;
- the processing of personal data of Gallery customers;
- the processing of personal data in the performance of the Gallery’s legal obligations;
- the processing of personal data that is necessary for the purposes of protecting the legitimate interests of the Gallery;
- the processing of personal data based on the consent given to the Gallery.
The purpose of this Policy issued by the Gallery in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended (hereinafter referred to as “GDPR”), is to provide information on what personal data the Gallery, as a personal data controller, processes about natural persons in the provision of its services and for what purposes and for how long the Gallery processes such personal data in accordance with applicable law, to whom and for what reason it may transfer such data, as well as to inform about what rights natural persons have in connection with the processing of their personal data and how they can exercise such rights.
This Policy is effective as of 1 March 2022 and is issued in accordance with the GDPR in order to comply with the Gallery’s information obligations as a controller under Articles 13 and 14 of the GDPR.
2. Personal data controller
The Gallery is a personal data controller within the meaning of Article 4(7) of the GDPR. The Gallery therefore collects, stores and uses (and otherwise processes) your personal data for the performance of its business activities (the individual purposes for which personal data is processed are defined in more detail below).
3. Data protection officer
The Gallery is not obliged to appoint a data protection officer. Thus, the Gallery has not appointed a data protection officer.
The Gallery, as data controller, can be contacted in writing at:
Mgr. David Voda
779 00 Olomouc
Alternatively, at the following e-mail address: email@example.com
4. Personal data processed by the Gallery
According to Article 4(1) of the GDPR, personal data is any information relating to an identified or identifiable natural person. The identified person in this case is:
(i) visitors to the Website;
(ii) customers of the Gallery;
(iii) recipients of commercial communications.
An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.
The following personal data may be processed in connection with the provision of the Gallery’s services.
4.1. Basic personal data
- Name and surname;
- Address of residence, registered office or place of business;
- Identification number, VAT number.
4.2. Contact personal data
4.3. Payment data
- bank account number;
- details of payments made;
- other data from tax documents.
4.4. Record of written communication
This includes in particular personal data contained in email and written communications with the Gallery.
During the Gallery’s business activity of selling artworks and other goods to customers and visiting the Website, personal data of customers and visitors to the Website is processed.
When visiting the Website, cookies are processed. For more information on what cookies are used and how the Gallery processes them, please visit the Cookies section of the website www.rubgallery.com.
Personal data of customers may be processed by the Gallery for the following legal reasons:
5.1. Performance of the contract
The Gallery enters into contracts with its customers on the basis of which the objects offered by the Gallery are sold. From the point of view of fulfilling its contractual obligations, the Gallery therefore processes customers’ personal data primarily in order to comply with its contractual obligations towards its customers.
When entering into a purchase contract, customers provide the Gallery with the following personal data:
- Name and surname,
- Residential address or billing address,
- Telephone number,
- e-mail address,
- payment details,
- in case of further written communication with the Gallery, the personal data contained in the communication.
The personal data of customers is stored for the duration of the contractual relationship between the Gallery and the customer and for five years after its termination.
5.2. Performance of the legal obligations
The Gallery processes personal data in cases where it is necessary for the fulfilment of legal obligations imposed on the Gallery by the relevant legal regulations. In particular, this includes personal data through which the Gallery can demonstrate that it complies with the obligations imposed by the GDPR. For example, the Gallery holds data which demonstrates that customers have given consent to the processing of their personal data.
5.3. Legitimate interest
The Gallery has a legitimate interest in continuously improving its services. For this reason, the Gallery may analyse the behaviour of its customers and visitors to the Website in order to continue to improve its offer.
Furthermore, the Gallery may process personal data in order to evaluate possible security risks and eliminate them in order to maintain the highest security standards of the Website.
The Gallery also processes personal data for the purpose of defending itself in the event of litigation.
For this purpose, the Gallery is entitled to retain personal data for the period of limitation pursuant to Act No. 89/2012 Coll., Civil Code, as amended (hereinafter referred to as the “Civil Code”).
5.4. Processing of personal data on the basis of consent
The Gallery also processes personal data for the purpose of sending commercial communications if consent has been given. Consent may be withdrawn at any time.
For marketing purposes, the Gallery mainly processes contact data (typically an e-mail address) or basic personal identification data.
The Gallery retains personal data for the above-mentioned purposes for as long as the consent for processing is given.
6. Transfer of Personal Data to Third Parties
The Gallery uses the professional services of third parties in its business activities. If these third parties process personal data transmitted by the Gallery, they have the status of personal data processors and process personal data only in accordance with the instructions given to them by the Gallery and may not use it otherwise.
Specifically, these are:
- external providers of tax consultancy and accounting services;
- external providers of legal services;
- external providers of marketing services;
- external cloud service providers;
- external software developers;
- external providers of IT systems, network and hardware management services.
The Gallery has entered into personal data processing agreements with the processors of personal data referred to in the preceding paragraph which guarantee at least the same level of protection of personal data as this Policy.
The Gallery also transfers personal data to administrative authorities and other public authorities in the performance of its legal obligations, if such obligation is imposed on the Gallery by the relevant legislation. In particular, the Gallery may transfer any personal data referred to in this Policy to law enforcement authorities if they request it in accordance with the legislation governing criminal proceedings.
The Gallery does not transfer personal data outside the EU or to international organisations, nor does it make automated individual decisions.
7. Personal Data Security
The Gallery has put in place and maintains the necessary technical and organisational measures, internal control processes and information security measures in accordance with the best interests of its users, commensurate with the potential risk to data subjects. At the same time, the Gallery takes into account the state of technological development in order to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure or access. These measures may include, but are not limited to:
- taking reasonable steps to ensure the accountability of employees and members of the Gallery’s bodies and entities cooperating with the Gallery who have access to personal data;
- training of Gallery staff;
- regular data backups;
- implementation of data recovery procedures;
- establishing procedures in the event of security incidents;
- physical protection of devices on which personal data is stored;
- software protection of devices on which personal data is stored.
Employees and members of the Gallery’s bodies and entities cooperating with the Gallery shall be bound by a duty of confidentiality with regard to all facts which come to their knowledge in the course of their activities for the Gallery, even after termination of their employment, membership of the Gallery’s bodies or cooperation with the Gallery. The signed declaration of confidentiality is part of the employment contract of the Gallery’s employee and of contracts concluded with members of the Gallery’s bodies and cooperating entities.
8. Rights Related to Personal Data Protection
If you exercise any of your rights listed below in Articles 9.1 to 9.8 of this Policy, or guaranteed to you by the relevant valid and effective legislation, the Gallery will subsequently inform you of the measures taken, where applicable, to delete your personal data or restrict the processing of your personal data, if this was the subject of your request. In addition, the Gallery will also notify to this effect any recipient of personal data to whom your personal data has been provided pursuant to Article 7 of this Policy, provided that such notification is possible and/or does not require disproportionate effort.
To exercise your rights and/or obtain relevant information, you may contact the Gallery by email at firstname.lastname@example.org or in writing at the address of the Gallery’s registered office as set out in Article 3 of this Policy.
If you exercise your rights, the Gallery may require you to provide certain identifying information that you have previously provided to the Gallery. The provision of such data is necessary to verify that the relevant request was actually sent by the person whose personal data the Gallery processes.
The Gallery undertakes to send a reply or a statement no later than one month after receiving your request. In justified cases, the Gallery reserves the right to extend this period by up to two months.
According to Article 15 of the GDPR, you have the right to access your personal data, which includes in particular the right to obtain from the Gallery:
- confirmation of whether it processes your personal data;
- information about the purposes of the processing of your personal data;
- information about the categories of personal data processed;
- information about the recipients to whom your personal data has been or will be disclosed;
- information about the intended duration of the processing of your personal data;
- information about the existence of the right to request from the Gallery the rectification or erasure of your personal data or the restriction of its processing or to object to such processing;
- information about the right to lodge a complaint with a supervisory authority;
- information about the source of the personal data, if not obtained from you;
- information about whether you are the subject of a decision by the Gallery based solely on automated processing of your personal data, including automated profiling based on your personal data;
- information about appropriate safeguards when your personal data is transferred outside the EU.
The Gallery will always provide the first copy of your personal data free of charge.
In the event of a repeated request, the Gallery is entitled to charge a reasonable fee for a copy of the personal data.
8.2. Right to Correction or Completion of Inaccurate Personal Data
According to Article 16 of the GDPR, you have the right to correct inaccurate personal data that the Gallery processes about you. Taking into account the purposes of the processing, you also have the right to complete incomplete personal data that the Gallery processes about you. The Gallery will carry out the rectification or completion without undue delay, but always taking into account its technical possibilities.
8.3. Right to Erasure of Personal Data
Pursuant to Article 17 of the GDPR, you have the right to have your personal data erased if the Gallery does not demonstrate legitimate grounds for processing such personal data. The Gallery declares that it has mechanisms in place to ensure the automatic anonymization or erasure of personal data in the event that they are no longer needed for the purpose for which they were processed or in the event that the period of processing of personal data set out in this Policy or by law has expired.
8.4. Right to Restriction of the Processing of Personal Data
According to Article 18 of the GDPR, if you dispute the accuracy of your personal data, the reasons for their processing, or object to their processing pursuant to Article 21(1) of the GDPR, you have the right to limit the processing of your personal data by the Gallery for the time necessary to verify the legitimacy of your complaint or objection.
8.5. Right to Personal Data Portability
According to Article 20 of the GDPR, you have the right to the portability of your personal data that you have provided to the Gallery in a structured, commonly used and machine-readable format. You also have the right to ask the Gallery to transfer your personal data to another controller in this context.
If the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.
8.6. Right to Object
According to Article 21 of the GDPR, you have the right to object to the processing of your personal data by the Gallery.
If the Gallery does not demonstrate that there is a compelling legitimate reason for processing your personal data that overrides your interests or rights and freedoms, the Gallery will terminate the processing of your personal data without undue delay based on your objection.
If consent is given to the Gallery for the processing of personal data, it may be withdrawn at any time. Withdrawal of consent must be made by an express, intelligible and specific expression of will, either in writing at the address of the Gallery’s registered office or via the e-mail address email@example.com.
Data Subjects have the right to lodge a complaint regarding the processing of their personal data by the Gallery with the administrative authority listed below:
Úřad pro ochranu osobních údajů
Pplk. Sochora 727/27
170 00 Praha 7
Website of the authority: www.uoou.cz
The Gallery hereby notifies that it is entitled to modify or update this Policy. Any changes to this Policy will become effective upon posting on the Website.