Protection of personal data

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA OF THE COMPANY

Fasay, s.r.o.

The administrator of personal data is Fasay, s.r.o., with its registered office in Brno, Vídeňská 277/68, postal code 639 00, ID: 241 77 997, entered in the Commercial Register kept at the Regional Court in Brno, Section C, Insert 99787, for which Siriporn Hofr, acting.

For better clarity and orientation, the following terms are often repeated in this Policy.

E-SHOP – internet application available in the Internet, developed for the purpose of displaying, selecting and ordering services by the customer, www.thajske-masaze-brno.cz/produkty; www.thajske-masaze-vyskov.cz/produkty; www.thajske-masaze-olomouc.cz/produkty;

THE PROCESSER – performs processing activities on the basis of a contract or other authorization for the Administrator

PERSONAL DATA PROCESSING – is any operation or set of operations with personal data or personal data sets that is performed using or without automated procedures such as collection, recording, arrangement, structuring, imposing, adapting or modifying, retrieving, inspecting, using, making available by transmission, distribution or any other disclosure, sorting or combination, restriction of erasure or destruction;

I. CATEGORIES OF PERSONAL DATA

The administrator processes the personal data of registered Users as well as its unregistered customers. Determines the objectives and means of processing.

Categories of personal data: name, surname, e-mail, mobile phone, billing data, delivery data, bank connection, login to user account, behavior in user account, IP address, cookies.

Voluntarily provided personal data. Users voluntarily provide personal data to the Administrator, as soon as the User registers, he buys in the E-shop of the Administrator or in any other way ( e.g. by email, telephone ), or in any other similar way.

Publicly available personal data. The controller may process personal data from publicly available sources and combine them with those that have been voluntarily provided to the controller by the data subjects.

Website. The controller processes information about when data subjects visit and view its website. This information may include an IP address, web activity, and other information about the interaction with our website. We may collect this data as part of the protocol or using cookies or other tracking technologies.

Social networks. The administrator has a profile on Facebook and Instagram. All information, communications or materials provided through the social media planorm are provided at your own risk. The administrator cannot control all social network users or even providers of these networks. The protection of personal data is solved separately within each of the mentioned platforms.

The data subject can be logged in to Facebook, Google Account at the same time when using the Administrator website. The controller thus allows the data subject to share his experience with websites with friends of the data subject on his profile within social networks. You can also link to the Administrator website by sending via e-mail.

II. PURPOSES OF PROCESSING

All the mentioned categories of personal data are processed by the Administrator, as they are necessary to fulfill the following purposes:

A. Registration for the user account and the E-shop operated by the Administrator allows registration for the Administrator services by establishing a user account. When registering, personal data are required in order to create a user account, which is used to overview orders that the data subject will perform or has already made in the e-shop, loading discounts in the form of bonus credits for further purchases, or management of billing and delivery data. The legal reason for processing personal data for the purposes of registration for a user account is the granting of voluntary, unconditional consent of the personal data subject to the controller. Members are sent a regular newsletter from which members can unsubscribe at any time.

B. Performance of the contract The legal reason for the processing of personal data is the performance of the contract, the contracting party of which is the data subject, or the implementation of measures taken before the conclusion of the service contract. The processing of personal data is carried out for the purpose of the smooth delivery of goods or services ordered by the data subject.

C. Newsletter ( commercial communication ) Sending promotional e-mails to registered users and / or customers to promote similar products and services. The Administrator may send a business message to the contacts of its Users or customers, where, on the basis of a legitimate interest, it promotes similar products and services through direct marketing, but only until, before the beneficiary disagrees. In addition to the case of legitimate interest, the Administrator may also send a business message to those who have given their prior consent to the processing of personal data for marketing and business purposes in advance ( e.g. via the contact form on the Administrator’s website, or a paper form that they passed on and signed with Administrator ). The “ Log out ” function is set in each marketing communication that the Administrator spreads, even if it communicates with its Users.The administrator sends commercial communications regarding the offer of his services or related products, usually twice a month.

D. Subscribe to business messages

E-shop The administrator allows you to subscribe to business messages.

The legal reason for processing personal data for the purposes of sending commercial communications is the granting of voluntary, unconditional consent of the personal data subject to the controller, in the form of a confirmation on the relevant subscription page. Each customer is duly informed through these principles about their rights of data protection parties.

Subscription for business messages takes place in the so-called double opt-in mode, which prevents possible misuse of the e-mail address. In practice, this means that after confirmation, a confirmation of the request for the submission of business messages is sent to the entered e-mail. This confirmation contains an active link, and only by clicking it will the e-mail be included in the database of recipients of business messages.

For the distribution of all business messages, the Administrator uses the Mailchimp.com service and its own email server.

E. Sending transaction messages.

These are messages for registered Users, to ensure awareness of the necessary maintenance or error conditions of the E-shop, as well as new functionalities. At the same time, there are e-mails about the status of the order, delivery of the order or the stage of the complaint procedure, etc. These can be transaction emails or messages via the Information System and the E-shop, or other similar messages.

F. COOKIES

Website Administrator uses cookies. The Administrator informs about their settings and use on a separate subpage of the website.

Cookies are small files that temporarily store information in your browser and are commonly used to distinguish user behavior on the web. However, the user is not identifiable on the basis of this information. Cookies help, for example.:

– to the correct functionality of the site in order to complete the purchase process with the least possible difficulties, the processing of these cookies cannot be refused;

– when remembering login details to an account on the website, so it is not necessary to always enter, these cookies can be rejected;

– when determining which sites and features visitors use most often; based on this, to best adapt our offer, these cookies can be rejected;

– helps to find out which ads visitors view most often, so that they don’t see the same ad when browsing the site, or so that they don’t see an ad for goods they’re not interested in, these cookies can be rejected;

Some marketing cookies may collect information that is subsequently used by third parties and which, for example, directly supports our advertising activities ( so-called „ third-party cookies “ ). For example, information about viewed products may be used to display to the visitor on the website outside the Administrator’s website only such advertising that is relevant to the specific user, without being bothered by advertising that does not interest him. However, you cannot be identified by this information.

The Administrator website uses the following third-party cookies:

Google Ads ( Google Inc ), Sklik ( Sznam.cz, a. S. ), Facebook ( Facebook Inc ), Mailchimp ( The Rocket Science Group, LLC ): for tracking, remarketing

Google Analytics ( Google Inc ): for web analytics

Cookies can be rejected using your web browser or the use of only some cookies can be set. You can also change the cookie settings on the Administrator website.

G. Links to external sites

For optimal information of visitors, links to third-party websites ( are usually business partners with which the Administrator cooperates ) on the Administrator’s website. If the data subject clicks this link, he acknowledges that third party websites have their own data protection policies, which may differ from those of the Administrator’s website.

H. Sending a contact form

The Administrator’s website allows you to contact the Administrator via the contact form.

In addition to the query, the form must contain the name, telephone and e-mail. By pressing the Submit form button, the data subject agrees to the processing of personal data in order to contact back and answer the inserted query.

The period for processing personal data in the case of sending the contact form for which the personal data will be stored by the Administrator is the duration of the query solution, then the personal data is deleted from the Administrator database.

I. Other markelng activities on the Administrator’s website

On the Administrator’s website, you can encounter other marketing activities such as: filling out a questionnaire, quiz, participating in a competition, etc. These are extraordinary, time-limited activities, for which it is always stated separately what personal data the Administrator collects and how they are further handled.

The personal data that are necessary for the proper provision of the service, resp. for the fulfillment of all obligations of the Administrator, whether these obligations result from the contract or from generally binding legal regulations, the Administrator is obliged to process, regardless of the consent given by the data subject, for the period specified by the relevant legal regulations, or in accordance with them, even after possible revocation of the data subject’s consent.

J. Compliance with legal requirements, including participation in court proceedings and legal requirements of public authorities, including compliance with national security or law.

III. PLANNED PROCESSING TIME

For the purposes of registration and maintenance of the User Account, all categories of personal data may be processed for a period of 2 years from the last active inspection of the User Account, if the data subject does not request the cancellation of the account earlier.

For the purposes of fulfilling the rights and obligations arising from the contractual relationship between the Administrator and the customer, for the duration of the contractual relationship between the Administrator and the data subject, where appropriate, for the period necessary to fulfill legal obligations and protect their legitimate interests, but no later than 5 years from the date of termination of the contractual relationship with the data subject.

The time for processing personal data in the case of sending commercial communications is 2 years from the last active inspection of the commercial communication by the customer, if the data subject does not unsubscribe earlier.

An exception is tax documents issued by the Administrator in accordance with § 35 of Act No. 235/2004 Coll., Tax documents are kept for a period of 10 years from the end of the tax period in which the performance took place.

IV. TECHNICAL, SECURITY AND ORGANIZATIONAL MEASURES

Technical and safety measures. With regard to the probability of risks and with regard to the price ratio of possible measures as well as technical possibilities, the administrator has implemented technical security and organizational measures – in all areas, where personal data is processed ( especially web operation, e-shop operation, employee agenda, communication with customers ). The administrator meets the strict requirements of the GDPR parties.

The developers of the Administrator cooperate with lawyers to ensure that the operation of the E-shop and the Administrator’s website and the provision of services by the Administrator complies with the applicable legislation on unsolicited mail and privacy protection.

The administrator cannot disclose all details and circumstances of a technical nature by which he protects his website and Eshop and the personal data he processes. Disclosure of details could make it easier for those who could seek to break systems and security barriers.

The controller states that it uses a secure Information System that provides Personal Data with security commensurate with the state of the art, the costs, nature, scope and purposes of the processing. The administrator considers the Information System to be secure also with regard to possible risks to the rights and freedoms of individuals.

Organizational measures. All employees who have access to Personal Data are bound by confidentiality and must respect security principles. Approaches to all systems, including the Information System, are personalized and password covers, which are created in various ways. The information system registers logs so that the Administrator can control the access of individual employees to individual databases. Employees are regularly trained.

Office. Administrator offices are secure, lockable and strangers do not have access to them without the Administrator’s knowledge. Records kept in paper form are not kept by the Administrator, only where absolutely necessary. In this case, the Administrator keeps them under lock ( safe ).

IV. TRANSMISSION OF PERSONAL DATA TO THIRD PARTIES

Personal data The Administrator transfers only to entities with which it has concluded a proper processing contract or a contract of joint administrators.

Joint administrators. These are the operators of individual establishments in which the Administrator actually provides relaxation and massage services. These entities have access to the Information Reservation System for everyday activities, which is intended primarily for the management of reservations and orders. Business communications, as well as other marketing activities where customers’ personal data is processed, are performed exclusively by the Administrator. The joint administrators agreed that the Administrator acts as a contact person, via e-mail info@fasay.cz or at the registered office address.

Fasay, s.r.o., IČ: 24177997, with its registered office at Vídeňská 277/68, 639 00 Brno, for which Siriporn Hofr, acting

Processors. The Administrator uses only certified processors with whom he has a written contract and who provide the Administrator with at least the same guarantees as the Administrator to data subjects. The controller only uses processors who are from the EU or from safe countries as decided by the European Commission. All these partners are bound by a duty of confidentiality and may not use the data provided for any purpose other than that for which the Administrator made it available to them.

Our processors are an accounting firm, payment gateways, lawyers, developers or marketing specialists, as well as software and cloud solutions. We use the services and our data can be stored on Google LLc., Mailchimp.com, WEDOS Internet, a.s., WebSupport s.r.o. We use the services of couriers and carriers of goods, as well as Sklik.cz, Google Ads, accounting and payroll systems. We provide details about our processors on request.

Legal obligations. The Administrator may transfer personal data to third parties if required by law or in response to legal requirements of public authorities or at the request of a court in litigation.

VI. RIGHTS OF DATA ENTITIES

Administrator, it is possible to request access to personal data and request the correction, modification, deletion or restriction of the processing of personal data there, where they are inaccurate or have been processed in violation of applicable personal data protection laws. The data subject has the right to the portability of personal data, to object to the processing of personal data, the right to withdraw consent to the processing of personal data and the right not to be the subject of automated individual decision-making, including profiling ( which the Administrator does not do ).

The rights of data subjects can be exercised by e-mail: info@fasay.cz.

The controller shall endeavor to comply with the rights of data subjects without delay. However, there may be circumstances in which the Administrator cannot provide access (, for example, if the requested information threatens the privacy of others or other legitimate rights, or there, where the cost of providing access would be disproportionate to the risks to the privacy of the individual in the present case ). The Administrator shall take reasonable steps to verify the User’s identity before performing any action by the parties to the rights of the data subjects.

Details of data subjects’ rights:

1. Right of access to personal data

According to Art. 15 GDPR you will have the right to access personal data, which includes the right to obtain from the Administrator:

• confirmation of whether he processes personal data,

• information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be made available, the planned processing time, on the existence of the right to request from the Administrator the correction or deletion of personal data concerning the data subject or the restriction of their processing, or to object to such processing, the right to file a complaint with the supervisory authority, any available information on the source of personal data, if not obtained from the data subject, the fact that automated decision-making is taking place, including profiling, on appropriate safeguards for the transfer of data outside the EU,

• in the event that the rights and freedoms of others are not adversely affected, a copy of the personal data.

In the event of a repeated request, the Administrator will be entitled to charge a reasonable fee for a copy of the personal data.

2. Right to correct inaccurate data

According to Art. 16 GDPR, the data subject has the right to correct inaccurate personal data. The data subject is also required to report changes to his or her personal data. At the same time, he is obliged to provide cooperation if it is found that the personal data that the Administrator processes about him are not accurate. The correction will be made by the Administrator without undue delay, but always with regard to the given technical possibilities.

3. Right of deletion

According to Art. 17 GDPR, the data subject will be entitled to delete the personal data concerning him, unless the Administrator proves the legitimate reasons for the processing of this personal data. The controller has mechanisms in place to ensure automatic anonymization or deletion of personal data in the event that they are no longer needed for the purpose for which they were processed.

4. Right to processing restrictions

According to Art. 18 GDPR, the data subject shall have the right to restrict processing until the complaint is resolved, if he denies the accuracy of the personal data, the reasons for their processing or if he objects to their processing.

5. Right to notification of repair, erasure or restriction of processing

According to Art. 19 GDPR, the data subject has the right to be notified in the event of rectification, erasure or restriction of the processing of personal data. If personal data is corrected or deleted, the Administrator will inform individual recipients, except where this proves impossible or requires a disproportionate effort.

6. The right to transfer personal data

According to Art. 20 GDPR, the data subject has the right to the portability of the data concerning him and provided to the controller in a structured, commonly used and machine-readable format, and the right to request the transfer of such data to another controller.

If you provide personal data in connection with the Contract on the Provision of Services of the Administrator or with the consent and their processing is performed automatically, you have the right from the Administrator to obtain such data in a structured, commonly used and machine-readable format. If technically feasible, the data can also be passed on to the administrator designated by you, if the person acting on behalf of the relevant Administrator is duly identified and it will be possible to authorize it.

In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.

7. The right to object to the processing of personal data

According to Art. 21 GDPR, the data subject has the right to object to the processing of his personal data due to a legitimate interest.

In the event that the Administrator does not prove that there is a serious legitimate reason for processing that outweighs the interests or rights and freedoms of the data subject, he shall terminate the processing on the basis of the objection without undue delay. If the objection is filed in the case of processing related to direct marketing, then the Administrator will terminate the processing without undue delay.

8. The right to withdraw consent to the processing of personal data

Consent to the processing of personal data for marketing and business purposes can be revoked at any time after this date. An appeal must be made in an express, comprehensible and certain expression of will.

The processing of data from cookies can be prevented by setting up a web browser.

9. Automated individual decision making, including profiling

The data subject has the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects for him or significantly affect him in a similar way. The controller states that it does not conduct automated decision-making without the influence of human assessment with legal effects for data subjects.

VII. CONCLUSION

These principles can only be changed in writing. Users will be informed about this through the Administrator website.

In case of any questions from the parties to our Privacy Policy, please contact us with confidence via e-mail info@fasay.cz.