Personal Data Processing Information

On the basis of Regulation (EU) 2016/679 of 27.4.2016 with effect from 25.5.2018

This information is provided by Gitano cosmetics a.s. (hereafter simply referred to as the “administrator”), Ruská 117/17, +420 728 608 266,, on the basis of Article 13 of Regulation (EU) 2016/679 (hereafter simply referred to as the Regulation).


1.    An explanation of the terms:

       Personal data is data which can lead to the identification of a natural person, especially: the name and surname, residential address, e-mail address, telephone number, identification number of a natural person-entrepreneur and tax identification number of a natural person-entrepreneur (hereafter simply referred to as a data subject).

       The administrator (the aforementioned company) is an entity which designates the purpose and means of the personal data processing, undertakes the processing and is responsible for it. The administrator may authorise or commission a processor to process the personal data, unless the special law states otherwise.

       A processor is any entity which processes personal data in compliance with the Act and the Regulation on the basis of the special act or a commission from the administrator and does so according to a concluded personal data processing agreement or on the basis of the data subjects’ consent.

       A database is an internal list of information pertaining to natural persons and their personal data maintained by the administrator.

       Profiling is any form of automated personal data processing involving the use of the data to evaluate some personal aspects of a natural person, especially for the analysis or estimation of some aspects involving his/her work performance, economic situation, state of health, personal preferences, interests, reliability, conduct and any places where said individual can be found or moves.

       Cookies are small pieces of data which a WWW server sends to a browser, which then saves them on the user’s computer. The browser then sends this data back to the server during every subsequent visit to the same server. Cookies are regularly used to differentiate between individual users and user preferences are saved in them, and so on.

       A data protection officer is an expert representative of the administrator who monitors the transparency and lawfulness of the personal data processing undertaken by the administrator, as well as supervises the securing of the data’s integrity; i.e. backing-up and securing the data.

2.    The administrator (the aforementioned company) processes any personal data in accordance with the Regulation and the following principles:

       Legality – it only processes that information which is necessary to meet its contractual obligations

       Expediency – the data is only collected for certain, expressly stated and legitimate purposes,

       Minimisation – the processing pertains to the minimum amount of data which is needed to fulfil the stated tasks

       The storage period – the personal data is only processed for the period which is essential for the given tasks

       Integrity and confidentiality – the administrator has implemented all appropriate technical and organisational measures to secure and protect the data from any unauthorised or unlawful processing and against the loss, destruction or damage thereof.

3.    Personal data protection and information on the processing

       The administrator receives the personal data from the individual data subject as part of the negotiations on the conclusion of a contract, for example by personal submission, by email, in a questionnaire or in any order.

       The administrator will tell the data subject when the provision of the personal data is essential for the fulfilment of the contractual relations or when it is voluntary.

       The personal data will be processed throughout the period of the negotiation of the contract and the duration of the contractual relations.

       The personal data will be further processed in its essential form in order to fulfil the legal obligation to archive accounting documents throughout the period set by law.

       The personal information will be processed and stored throughout the period of the following 24 months in case any dispute arises between the administrator and a data subject

4.    The reasons for processing

       The administrator processes personal information for the following purposes:


   the fulfilment of the administrator’s legal obligations (maintaining accounts, tax and archiving obligations).

   the administrator’s marketing and sales offers (the sale of products, market research)

   the maintenance of a database of natural persons.

   the protection of the administrator’s rights and legally protected interests (justified interest).


5.    The rights and responsibilities of the data subjects

       The data subject is obliged to always provide the administrator with truthful and precise information.

       The date subject is obliged to provide the administrator with verification of the provided data.

       The data subject has the right to request the administrator to provide access to his/her processed data

       The data subject is entitled to have any corrections made to the provided personal data

       The subject is entitled to have his/her provided personal data deleted

       The subject is entitled to limit the processing of the personal data

       If the personal data processing requires the data subject’s consent, he/she may withdraw it at any time.

       The data subject may exercise his/her rights:

           in person at the company’s registered office during office hours: 8:00 am – 4:00 pm

           using the data box: bub8je

           by email:

           by post (the signature must always be verified, see point 5)


       The Data Protection Officer (DPO)


       In order to be able to guarantee the legality, correctitude and transparency of the processing to its customers and business partners, Gitano cosmetics a.s., Ruská 117/17, has voluntarily appointed its own Data Protection Officer who will declare that the company is in compliance with the GDPR rules.


       If you have any questions with regard to the processing of your personal data, do not hesitate to contact our DPO by email at Our DPO will answer your questions as soon as possible and will help you resolve any problems.


6.   The administrator’s rights and responsibilities

       The administrator is entitled to verify the truthfulness and accuracy of the provided personal data

       The administrator is obliged to provide the data subjects with information about the scope and method of processing their provided personal data, if the data subjects so request. The administrator will do so without any undue delay, but at the latest within 30 business days.

       The administrator is entitled to refuse to provide any information or to charge for the provision thereof in the case of any repeated and unjustified requests.

       The administrator will provide the information in electronic form, unless the data subject requests otherwise. In such a case, it is possible to refer to point 5.

7.    The administrator’s justified interests – purposes

       The protection of the administrator and its fundamental or other rights arising from the general legal obligations, regulations and contracts. This especially applies within the framework of various disputes, inspections, investigations and in relation to its contractual partners. The processing period is designated by the generally binding regulations, but up to a maximum of 10 years from the end of termination of the contractual relations.

       The protection of the administrator’s assets and the life and health of the employees and any individuals entering the administrator’s premises. For a period of 3 days from the record being made.

       Collecting any receivables throughout the period of the legal limitation periods, but up to a maximum of 10 years.

8.    Consent to process the personal information

       The data subject provides his/her consent to process that data which does not constitute data, whose purpose means that it is legally required data, data necessary for the fulfilment of any contractual relations or data which is subject to the administrator’s justified interests. The consent is provided in written form or by means of the confirmation of the electronic version of the consent.

       The data subject can withdraw the consent at any time as per point 5.

       The purposes and processing of the data provided on the basis of the consent are set out in the consent form.

9.  The method of processing the personal data

       The data subject’s personal data can be processed automatically and manually

       Access to the personal data may be provided to the administrator’s authorised employees, provided this is essential for the fulfilment of the contractual relationship and for the fulfilment of their employment obligations.

       The personal data may be provided to processors, with whom the administrator has concluded a personal data processing agreement and possibly to any other entities in compliance with the Act and the Regulation.

10.  Cookies

       The administrator uses “cookies” on its website, which are then saved on the visitor’s computer and automatically recognise the user during his/her next visit. Cookies enable, for example, the option of adapting the website to the interests of the data subject or saving a user name which then does not have to be re-entered every time. If the data subject does not want his/her computer to be recognised, it is necessary to modify the settings of the internet browser in such a way so that the cookies are removed from the computer’s hard disk, the cookies are blocked or a warning message appears before a cookie is saved.

11.    Validity

       The administrator may alter and supplement the wording of the Personal Data Processing Information. The administrator will inform the natural person of each such change by email or using some other suitable communication channel at least 5 days before the change comes into effect. If the natural person does not agree with the change, he/she will be entitled to request the deletion of the data from the database without any sanctions.

       This document will come into effect on the date of publication: 07.05.2018


    Your Cart
    Your cart is emptyReturn to Shop