Consent to the processing of personal data

Privacy Policy

Adopted in accordance with the Regulation (EU) 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR") and in accordance with Act No. 110/2019 Coll., on the processing of personal data.

  1. Introduction

The company MUSIC STALL s.r.o., with its registered office at U strouhy 276, 196 00 Prague 9, Company ID: 27400247, VAT ID: CZ27400247, registered in the Commercial Register at the Municipal Court in Prague, Section C, File 110074, as the operator of the online store www.film-game.cz (hereinafter referred to as "Data Controller"), processes personal data of so-called data subjects – natural persons who:

  • Are interested in making a purchase in the online store (potential customers);

  • Have purchased or are purchasing in the online store (customers).

The Data Controller ensures that the processing of personal data of data subjects is lawful, fair, transparent, accurate, confidential, and that personal data is processed only to the extent necessary. The Data Controller also ensures that personal data is properly secured and that all rules set out by GDPR and other legal regulations governing personal data handling are adhered to.

These policies were adopted, among other reasons, to demonstrate compliance with the legal regulations regarding personal data processing by the Data Controller. The explanation of individual terms related to the processing of personal data under these policies is provided in Article 12 below.

  1. Data Controller

The Data Controller of personal data is the company MUSIC STALL s.r.o., with its registered office at U strouhy 276, 196 00 Prague 9, Company ID: 27400247, VAT ID: CZ27400247, registered in the Commercial Register at the Municipal Court in Prague, Section C, File 110074.

The Data Controller can be contacted in one of the following ways:

  • In person (or by mail) at the Data Controller's office at the following address: Music Stall s.r.o., Film-Game.cz, Beranových 125, 199 00 Prague 9 Letňany, Czech Republic;

  • Electronically via email: info@filmgame.cz;

  • By phone at: +420 723 797 676.

3. Purposes of Processing, for Which Personal Data is Intended, and Legal Basis for Processing

3.1. Performance of the Purchase Agreement

The Data Controller processes personal data primarily for the purpose of concluding and fulfilling the purchase agreement, namely at least so that the Data Controller can deliver the goods purchased in the online store to the customer.

The legal basis for this processing is Article 6(1)(b) GDPR – performance of a contract to which the data subject is a party.

3.2. Fulfillment of the Legal Obligations of the Data Controller

The Data Controller processes personal data for the purpose of fulfilling legal obligations, arising from, for example, accounting and tax laws, consumer protection laws, etc., including the obligation of the Data Controller to be able to demonstrate that personal data is processed in accordance with binding legal regulations, especially in accordance with GDPR.

The legal basis for this processing is Article 6(1)(c) GDPR – compliance with a legal obligation to which the Data Controller is subject.

3.3. Legitimate Interests of the Data Controller

The Data Controller may process personal data for the purpose of:

  • Direct marketing (see Article 5 below);

  • Determining, exercising, or defending legal claims (especially legal claims arising from the concluded purchase agreement).

The legal basis for this processing is Article 6(1)(f) GDPR – legitimate interest of the Data Controller.

3.4. Consent of the Data Subject

With the consent of the data subject, the Data Controller may process personal data for the purpose of:

  • Direct marketing (see Article 5 below);

  • Establishing and managing a customer account (see Article 10 below).

The legal basis for this processing is Article 6(1)(a) GDPR – consent of the data subject.

4. Processing of Personal Data Based on Consent

4.1. Voluntariness

Granting consent for the processing of personal data is entirely voluntary. Failure to grant consent will not have any adverse consequences for the data subject.

4.2. Withdrawal of Consent

Each data subject has the right to withdraw consent for the processing of personal data at any time, especially by one of the following methods:

  • Through the customer account;

  • By electronic notification sent to the Data Controller's email address (see Article 2 above);

  • By written notification sent to the Data Controller's registered office or one of the Data Controller's premises (see Article 2 above);

  • By phone at the Data Controller's contact details (see Article 2 above).

Consent for managing the customer account can also be withdrawn by deleting the customer account (see section 10.2 below).

The withdrawal of consent does not affect the legality of the processing based on the consent given before its withdrawal.

5. Direct Marketing

5.1. General

The processing of personal data for the purposes of direct marketing refers to the processing of personal data for the purpose of sending commercial communications in the sense of Act No. 480/2004 Coll., on Certain Information Society Services, as amended (hereinafter "Act No. 480/2004 Coll.").

Commercial communication refers to any form of communication, including advertising and encouragement to visit the online store's pages, intended for the direct or indirect promotion of goods or services or the image of the Data Controller (especially newsletters).

5.2. How Does It Actually Work?

The processing of personal data for the purpose of sending commercial communications to potential customers (i.e., individuals who have not yet made a purchase in the online store but have decided to receive commercial communications) is only possible with their consent to process personal data. Similarly, sending commercial communications to potential customers can only be done based on their consent (in accordance with § 7(2) of Act No. 480/2004 Coll.).

The processing of personal data for the purpose of sending commercial communications to customers (i.e., individuals who have already made a purchase in the online store) is also possible without their consent, based on the legitimate interest of the Data Controller (see section 3.3 above or recital 47 of the GDPR). Similarly, sending commercial communications to customers regarding the Data Controller's own similar products or services can be done without their consent (in accordance with § 7(3) of Act No. 480/2004 Coll.), provided that the customer has not originally objected or does not subsequently object. [For further details, see https://www.uoou.cz/gdpr-a-nbsp-primy-elektronicky-marketing/d-30715]

5.3. Termination of Processing for Direct Marketing Purposes

The Data Controller will terminate the processing of personal data for direct marketing purposes immediately after the customer or potential customer expresses their disagreement with such processing. Disagreement can be expressed, for example, by one of the following methods:

  • Withdrawal of consent to the processing of personal data (see section 4 above);

  • Expressing disagreement with the processing of personal data, using the same method as withdrawal of consent (see section 4 above);

  • Unsubscribing, which can be done in each commercial communication;

  • Raising an objection to such processing (under the conditions of Article 21 of the GDPR).

Regardless of the above, the Data Controller will terminate the processing of personal data for direct marketing purposes no later than 3 years after the last purchase in the online store (concluding the purchase agreement). Any further purchase will therefore extend the processing period by another 3 years.

In the event that no purchase is made in the online store, the Data Controller will terminate processing simultaneously with the deletion of the customer account (see section 10.2 below).

6. Categories of Personal Data Recipients

A recipient of personal data is anyone to whom the Data Controller provides personal data.

The Data Controller will provide personal data primarily to the following recipients: entities providing accounting or tax services, postal or delivery services, newsletter distribution services, legal services, IT services, payment gateway operators, payment system providers, domain administrators, providers of technical support, etc. These recipients will process personal data either as independent controllers (i.e., entities that determine the purposes and means of processing personal data independently of the Data Controller) or as processors (i.e., entities that process personal data for the Data Controller, based on its instructions).

In addition, the Data Controller will provide personal data to public authorities when required by applicable legal regulations. These recipients will process personal data as independent controllers. However, public authorities exercising their investigative powers are not considered recipients.

7. Transfer to Third Countries or International Organizations

The Data Controller will not transfer personal data to third countries or international organizations within the meaning of Articles 44 and subsequent of the GDPR.

8. Duration of Personal Data Processing

Personal data will be processed only for the period necessary for the purposes of their processing. The termination of one of the legal grounds for processing personal data does not affect the processing of personal data (to the necessary extent) based on another legal ground.

8.1. Fulfillment of the Purchase Agreement

For this purpose, the Data Controller will process personal data for up to 30 days after the last obligation arising from the purchase agreement has been fulfilled. This does not affect the possibility for the Data Controller to further process this personal data based on other legal grounds and for the purposes stated in these principles.

8.2. Fulfillment of Legal Obligations by the Data Controller

For this purpose, the Data Controller will process personal data for the duration of the applicable legal obligation set forth by binding legal regulations.

8.3. Legitimate Interests of the Data Controller

8.3.1. Direct Marketing

For this purpose, the Data Controller may process personal data until the objection to such processing is expressed, but no longer than 3 years after the last purchase in the online store (see section 5.3 above).

8.3.2. Legal Claims

For this purpose, the Data Controller may process personal data for the duration of the relevant legal claim, but no longer than 1 year after the expiration of the limitation period according to binding legal regulations. In the case of the initiation and continuation of judicial, administrative, or any other proceedings in which rights or obligations arising from the relevant legal claim are addressed, the processing period of personal data for this purpose will not end before the final conclusion of such proceedings.

8.4. Consent of the Data Subject

8.4.1. Direct Marketing

For this purpose, the Data Controller may process personal data until the moment:

  • Withdrawal of consent to process personal data (see section 4 above);

  • Expression of objection to the processing of personal data, in the same manner as consent can be withdrawn (see section 4 above);

But no longer than until the cancellation of the customer account (see section 10.2 below).

8.4.2. Customer Account Management

For this purpose, the Data Controller may process personal data until the cancellation of the customer account (see section 10.2 below).

8.5. Deletion of Personal Data

Immediately after the processing period expires according to sections 8.1, 8.2, or 8.3.2 above, the Data Controller will anonymize or delete the relevant personal data for which the purpose of processing has ceased.

In the cases described in sections 8.3.1 or 8.4 above, the Data Controller will cease processing personal data for the specified purposes immediately after the consent is withdrawn, objection is expressed, or the customer account is cancelled.

9. Rights of Data Subjects

Every data subject has, among others, the following rights:

  • The right to request access to their personal data (under the conditions of Article 15 GDPR);

  • The right to rectification or erasure of personal data (under the conditions of Articles 16 or 17 GDPR);

  • The right to restriction of personal data processing (under the conditions of Article 18 GDPR);

  • The right to object to processing (under the conditions of Article 21 GDPR);

  • The right to data portability (under the conditions of Article 20 GDPR);

  • The right to withdraw consent to process personal data (see section 4 above).

Every data subject who believes that the Data Controller is processing their personal data in a way that conflicts with the protection of their private and personal life, or with the relevant legal regulations, especially if the personal data is inaccurate in relation to the purpose of processing, can:

a) Request an explanation from the Data Controller (contact details see section 2 above), or

b) Request the Data Controller to rectify, complete, or erase the personal data (contact details see section 2 above).

If the data subject believes that their right to the protection of personal data has been violated, they also have the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection, located at Pplk. Sochora 27, Holešovice, 170 00 Prague 7.

10. Customer Account

10.1. Creation of a Customer Account

Creating a customer account is entirely voluntary, as the Data Controller allows for purchases in the online store even without the creation of a customer account (i.e., without registration).

In order for the Data Controller to store personal data entered into the account creation form (or any data later added to the customer account), consent is required.

Until the potential customer enters into a purchase agreement with the Data Controller (i.e., becomes a customer), and subsequently after fulfilling all obligations arising from the concluded purchase agreement, the Data Controller will not handle the personal data in any other way than for the purposes of managing the customer account. This does not affect the possibility of the Data Controller processing personal data based on other legal grounds, especially consent granted for direct marketing purposes (sending commercial communications).

10.2. Cancellation of Customer Account

A customer account can be canceled at any time through the customer account or by sending a request to cancel the customer account to one of the contact addresses listed in section 2 above.

Regardless of the above, the Data Controller may cancel the customer account after 3 years from the last purchase made by the customer in the online store, or the Data Controller may cancel the customer account if the customer breaches their obligations arising from the purchase agreement.

If no purchase has ever been made in the online store, the Data Controller may cancel the customer account after 3 years from its creation.

11. Cookies and Other Technical Data

Further information about so-called cookies and other technical data processed during visits to the online store’s website is provided in a separate document titled "Cookies."

12. Key Terms

  • Personal Data refers to any information about an identified or identifiable natural person (the "data subject"). A natural person is considered identifiable if they can be identified, directly or indirectly, by reference to a specific identifier, such as a name, surname, date of birth, address, email, phone number, identification number, location data, network identifier, or one or more special characteristics related to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

  • Processing of Personal Data refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.

  • Customer refers to a natural person who has entered into a purchase agreement with the Data Controller through the online store, i.e., a person who has a "customer relationship" with the Data Controller.

  • Potential Customer refers to a natural person who has not yet entered into a purchase agreement with the Data Controller through the online store, i.e., a person who does not have a "customer relationship" with the Data Controller.

13. Additional Information on the Processing of Personal Data

The Data Controller is obligated to implement technical and organizational measures to prevent unauthorized or accidental access to personal data, their alteration, destruction, loss, unauthorized transmission, or any other unauthorized processing or misuse. This obligation applies even after the processing of personal data has ended.

For inquiries regarding the processing of personal data, the Data Controller can be contacted through one of the contact addresses listed in section 2 above of these guidelines.

General information about the processing of personal data can also be found on the website of the Office for Personal Data Protection at www.uoou.cz.

These guidelines become effective on September 15, 2023.