according to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC 

These Rules of Personal Data Protection and Processing (hereinafter referred to as the “Rules”) describe which personal data of clients, who are natural persons, or also personal data of other clients relating to natural persons who act on behalf of them (hereinafter referred to as the “Data Subject”), are processed in the course of business activities of the company Czech Wool company s.r.o., with registered office in Šedesátá 7015, 760 01 Zlín, Czech Republic, ID No.: 039 22 391, registered in the Commercial Register maintained by the Regional Court in Brno, Section C, Entry 87406 (hereinafter referred to as the “Controller“).

These Rules determine the types of personal data which we collect and process as you use our services, as well as the way we use, share and protect your personal data. You can also find here an explanation of rights available to you with regard to your personal data and how you can contact us. Hereby we advise you below on the processing of your personal data and your rights in accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR“).

Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

PROCESSORS AND RECIPIENTS OF PERSONAL DATA

The Controller is entitled to transmit personal data to third parties with whom he concluded an agreement on personal data processing and who will process personal data for the Controller as his processors. In line with the above, the Controller may transmit the Data Subject’s personal data to the following third parties or categories of third parties:

1) contractual carrier selected by the buyer in the order form for the purpose of the goods delivery, namely:  
- United Parcel Service Czech Republic s.r.o., ID No.: 25684094
- General Logistics Systems Czech Republic s.r.o., ID No.: 26087961

2) payment card issuer if the purchase was made from the Controller and if the goods were paid for with a payment card. 

The Controller is entitled to transmit personal data relating to information systems administration and relating to marketing services to the following recipients: 
- wpj s.r.o., ID No.: 288 60 608
- MERVIN, s.r.o., ID No.: 262 39 884
- Facebook Ireland Limited, IE9692928F
- Google Ireland Limited, IE6388047V
- Fragile media s. r. o., ID No.: 28212797
- Incomaker s.r.o., ID No.: 04161301

The Data Subject’s personal data are further transmitted to the following categories of recipients:
- suppliers of the Data Subject;
- employees of the Data Subject;
- persons in another contractual relationship with the Controller (e.g. providers of marketing and advertising services, law offices, cooperating mortgage advisers); 
- financial institutions and insurance companies;
- state bodies which perform statutory obligations laid down in applicable legal regulations.  
 

The Controller shall not provide the Data Subject’s personal data to other than the above specified processors and recipients.

CATEGORIES OF PROCESSED PERSONAL DATA

The Controller is entitled to process namely the following personal data of the Data Subject:
- address and identification data serving for unambiguous and unmistakeable identification of the Data Subject (e.g. name, surname, title, date of birth, or birth identification number, permanent residence address, business premises address, mailing address, ID No., Tax ID No.) and contact information of the Data Subject (e.g. contact address, telephone number, fax number, email address or other similar information); 
- identity card or passport, issuing authority, date of expiry, or copies thereof;
- descriptive data (e.g. bank details, payment information or credit card details); 
- images, photographs and videos;
- account login details, including username under which the Data Subject is identifiable on the Internet, password and unique user ID; 
- personal data provided beyond the scope of applicable laws and processed based on a consent granted by the Data Subject (e.g. use of personal data for purposes of recruitment procedures, use of personal data for promotion etc.);  
- personal setting (preferences), including marketing/targeting cookies setting by the Data Subject;  
- other data necessary for contract performance;
- other personal data provided by the Data Subject to the Controller.  

Beyond the scope of the above, the Controller specifies which data are processed in connection with the behaviour of the Data Subject: 

1) Website visits 

When a person visits the Controller’s website, this person agrees with its information, such as IP address, browser setting and preferred language of the visited website, including the time of the visit, being collected when the person is visiting the website. The Controller monitors pages visited by the person, namely the links clicked, in order to personalize the displayed content. During website visits, cookies are stored in the visitor’s browser and subsequently read by the Controller. 

2) Online shopping

The most frequently provided data are those collected from an order form for goods or other services on the Controller’s web interface. They include namely data necessary for the conclusion of and performance under a purchase contract (identification data, contact information, data necessary for the contract performance – purchased goods, volume of provided services, customer segment). The Controller expressly states that in case of the purchase of health-related products, health data are not processed as the purchase of a certain type of product does not imply the health condition and the goal of the Controller is not to establish for whom the product is intended. 

3) User account – “Registration in the Sheep Family”

If a Data Subject wishes to enjoy the benefits of a user account, he needs to register in the user account. The user account is protected by a password selected by the Data Subject. The Controller is unable to access the password and therefore, in case of the password loss, the Controller is unable to send the password to the Data Subject; the Controller can only generate a form for entry of a new password. The Data Subject can access his personal data in his user account and can change it if needed. In his user account, the Data Subject can view the history of completed purchase orders, purchased products and incomplete purchase orders, whereas an incomplete purchase order remains saved until the next login in the user account. The Data Subject may also save his favourite products. If the Data Subject is registered in the Sheep Family, identification data, contact information, demographic data, login data (without the password) and data created during the contract duration, including complaints and returns of the products, are processed. 

4) Subscription to commercial communications – “Inspiration into your mailbox”

The Data Subject may subscribe to commercial communications at the web interface www.woolville.com. If you then choose to unsubscribe, you can do so through an unsubscribe link in the footer of each email containing the commercial communications. In such case, the Controller processes identification data, contact information and demographic data.

5) Use of the service “The sheep tracks your product availability”

If a product is out-of-stock in the Controller’s online store, the potential buyer may set availability tracking. In such case, when the product becomes available again, the Controller informs the Data Subject via his email address that is processed for this purpose. 

6) Linking the Controller’s website to social media

The Controller offers to Data Subjects the option of linking their social media to the Controller’s website. It enables automatic login in the user account (“quick registration”), as well as the possibility of sharing articles from the Controller’s blog on the Data Subject’s social media. The social media linking can be cancelled at any time. The Data Subjects acknowledge that this functionality is supported through social plugins. As a result of the social media linking, the Data Subject’s social media or other websites may display the Controller’s targeted advertising. 

7) Sale over the phone

If sale of a product is closed over the phone, the Controller stores in particular recordings of telephone calls which are monitored. Other personal data, as specified in Point 2) of this Section (“Online shopping”), are also processed. If the Data Subject provides to the operator his health data, the data is stored only in the recording and is not subject to specific processing. 

8) Assessment on assessment portals

If the Data Subject does not decline participation in the customer satisfaction survey, this questionnaire may be sent to his email address after the concluded sale. It is entirely at the discretion of the Data Subject, whether he will complete the assessment; when the questionnaire is completed, contact information and data necessary for the contract performance is processed. 

PURPOSES AND LEGAL BASIS FOR PERSONAL DATA PROCESSING

The Controller processes the Data Subject’s personal data for the following purposes:
a) conclusion and performance of a contract under Article 6(1)(b) of GDPR; 
b) compliance with a legal obligation imposed on the Controller by a generally binding legal regulation under Article 6(1)(c) GDPR (such as the Controller’s obligation to keep accounting and tax documents);  
c) identification, exercise or defence of the Controller’s legal claims under Article 6(1)(f) GDPR; s
d) sending of commercial communications under Article 6(1)(f) GDPR carried out for the Controller’s legitimate interest consisting in direct marketing;
e) other Controller’s marketing purposes related to the offer of products and services; sending information on organized events, products, services and other activities (e.g. in the form of newsletters, telemarketing); contacting for market research and market survey purposes; contacting for the purpose of sending Christmas or Easter or other holiday greetings, sending of discount vouchers, gifts etc. under Article 6(1)(a) GDPR. 

PERIOD OF PERSONAL DATA PROCESSING

Personal data shall be processed only for such periods which are necessary with regard to the purpose of their processing. With regard to the above:
- for the purpose described under point a) above, personal data shall be processed until the extinction of obligations (which shall not affect the Controller’s right to further process the personal data thereafter – in the necessary scope for the purposes according to points b), c) d) and/or e) above;
- for the purpose described under point b) above, personal data shall be processed for the duration of the Controller’s relevant legal obligation; 
- for the purpose described under point c) above, personal data shall be processed until the end of the 4th calendar year following after the end of the warranty period under the contract (if quality warranty has been stipulated in the contract), however, at least until the end of the 5th calendar year following after the extinction of contractual obligations;  
- in the event of commencement and continuation of court, administrative or other proceedings concerning the Controller’s rights and obligations in relation to the Data Subject concerned, the period of personal data processing for the purpose described under point c) above shall not end prior to the termination of such proceedings;  
- for the purpose of sending commercial messages described under point d) above, personal data shall be processed until the Data Subject expresses his disagreement with such processing;
- for the purpose described under point e) above, personal data shall be processed for a period of time, for which the Data Subject separately gave consent to the Controller with personal data processing. In such case, the Data Subject agrees that the Controller may contact the Data Subject with the purpose to renew his consent.

Latest by the end of the calendar quarter following the expiry of the above period of processing, the personal data, in respect of which the purposes of their processing ceased to exist, shall be destroyed of (by shredding or in another manner preventing unauthorized persons gaining access to the personal data) or anonymized. 

METHOD OF PERSONAL DATA PROCESSING

The processing of personal data is carried out by the Controller. The processing is carried out by respective employees authorized by the Controller, or by the Controller’s Processors, at the Controller’s registered office. The Controller may collect or obtain personal data through his websites at www.woolville.com, forms, online or telephone contact, personal meeting or otherwise. The processing is executed by means of computer technology and/or manual processing, if the personal data is available in documentary form, while observing all safety measures for personal data management and processing. For this purpose, the Controller adopted necessary technical and organisational measures to ensure personal data protection, namely measures preventing unauthorized or accidental access to personal data, its modification, destruction or loss, unauthorized transfers, unauthorized processing, as well as other misuse of personal data. All third parties to whom the personal data may be made available shall respect the Data Subjects’ right to privacy and data protection and shall proceed according to applicable legal regulations governing personal data protection.

Neither automated individual decision-making, nor profiling on the basis of provided data will be conducted. Personal data of the Data Subjects will not be transferred to third countries.

INFORMATION PROVIDED TO DATA SUBJECTS PURSUANT TO GDPR

In connection with the processing of their personal data, the Data Subjects have a number of rights, including the right to request from the Controller the following:
- the right of access to their personal data (under Article 15 of GDPR);
- the right to rectification or erasure of personal data (under Article 16 or 17 of GDPR);   
- the right to restriction of processing of personal data (under Article 18 of GDPR); 
- the right to object to the processing of personal data (under Article 21 of GDPR): 
- the right to portability of personal data (under Article 20 of GDPR);  
- the right to withdraw their consent with personal data processing in written or electronic form sent to the Controller’s mailing address or email address specified in these Rules.  

If the Data Subject learns or believes that his personal data is being processed without respect for the private and family life-of the Data Subject or contrary to legal regulations, the Data Subject may request from the Controller to provide an explanation and/or rectify of the situation. Such request shall be made in writing and sent either by post to the Controller’s mailing address or via email to: info@woolville.com.

If the request of the Data Subject is found to be justified, the Controller shall without delay remove the defective condition. This shall not affect the right of the Data Subject to refer directly to the supervisory authority, i.e. the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, +420 234 665 555, www.uoou.cz.

RULES FOR USING COOKIES

The Controller uses cookies on his website. Cookies are small text files that can be used by websites to make a user’s experience more efficient.

The Controller uses cookies to personalize content and advertisements, provide social media functions and analyse website traffic. The website traffic data is shared also with the Controller’s partners in social media, advertising and analytics area, who may combine the data with other information provided by the website users or collected during their use of the partner services.

The law states that the Controller can store cookies on the user’s device if they are strictly necessary for the website operation (see Strictly necessary cookies section) even without the user’s consent. For all other types of cookies, the user’s consent must be obtained, the full wording of which can be found here and which can be withdrawn at any time here.

Types of cookies

Strictly necessary

Strictly necessary cookies are cookies that the website needs to use in order to perform its basic functions. They provide basic functions such as website navigation and enable users access to secure areas of the website. The website cannot function property without these cookies.

Cookies can be blocked = banned, but some parts of the website may not be displaying correctly, and some feature may not work as intended. Cookie settings for the most frequently used browsers are available here:

- Google Chrome
- Firefox
- Internet Explorer a Edge
- Safari
- Opera     

Analytics and performance

These cookies are used to improve the website functioning. They are used, for instance, to understand how visitors interact with the website and usually help to provide information on metrics such as total visits, bounce rate, traffic source etc. Analytics cookies further help visitors to find easily what they are looking for. They may also be used to improve the website performance and speed.

Preference

Preference cookies enable a website to remember information that changes the way the website behaves or looks, like the preferred language of the user or the region that the user is in.

Advertising and marketing

Advertising cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

Unclassified cookies

These are cookies that have not been classified into any of the above-named categories according to their type and purpose. 

CONCLUSION

The Controller reserves the right to amend at any time the Rules of Personal Data Protection and Processing, whereas the most current version will always be posted on the website www.woolville.com.