Personal data protection

Privacy Policy

I. Basic Provisions

  1. Personal data controller. armády 641/40, 787 01 Šumperk (hereinafter referred to as the "Controller").
  2. Contact details of the Controller:
    • Delivery address: nám. Jan Zajíce 2817/12, 787 01 Šumperk, Czech Republic
    • E-mail: info@ampul.eu
    • Telephone: +420 720 051 077 (or +420 739 995 885)
    • The controller has not appointed a data protection officer, as no such obligation arises under Article 37 of the GDPR. Any questions or requests regarding the processing of personal data can be sent to the above e-mail address.
  3. Personal data - definition. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (for example, a name, an identification number, location data or a network identifier) or to one or more elements of that natural person's physical, physiological, genetic, mental, economic, cultural or social identity.
  4. Data Protection Commitment: the Controller declares that it processes personal data in accordance with applicable law and takes care to protect the privacy of data subjects. We use modern technical and organizational procedures to ensure the security of your personal data and keep them up to date. The controller does not sell or rent personal data to third parties.

II. Sources and categories of personal data processed

  1. Sources of data: the Controller processes personal data that you have provided to the Controller (e.g. when creating an order or registering on the website) or personal data that the Controller has obtained in the course of fulfilling your order. In addition, the controller may process data that it obtains from our communications with you (e.g. if you contact us with a query or complaint).
  2. Categories of data. It may also process data about your purchases and interactions with the controller (e.g. order history or communications).
  3. Technical and online data: some technical data such as IP address, browser data, cookies or other online identifiers may also be automatically collected when you visit the website. This data helps to ensure the proper functioning of the website and to analyze traffic. The user is not directly identified on the basis of the cookies themselves. The use of cookies for analytical and marketing purposes is based on your consent, which you express via the cookie bar (see Cookie Policy for details).

III. Lawful basis and purpose for processing personal data

  1. Lawful grounds for processing: the processing of your personal data is lawful if at least one of the following legal grounds is met:
    • Performance of a contract concluded between you and the controller pursuant to Article 6(1)(b) GDPR - this includes pre-contractual acts at your request and subsequent performance of the contract (e.g. processing of an order, delivery of goods and arranging payment).
    • The fulfilment of the controller's legal obligations under Article 6(1)(c) of the GDPR - in particular the fulfilment of obligations under accounting and tax regulations (e.g. issuing and keeping tax documents) or obligations under consumer protection laws.
    • The legitimate interest of the controller pursuant to Article 6(1)(f) GDPR - in particular the legitimate interest in protecting legal claims and the operation of the controller's business, as well as direct marketing (sending commercial communications to existing customers). In the case of the use of legitimate interest for sending marketing emails, the controller proceeds in accordance with Section 7(3) of Act No. 480/2004 Coll., on certain information society services (soft opt-in for customers who have purchased from us). You have the right to object to processing based on legitimate interest at any time - see Article VI below.
    • Your consent to the processing of your personal data for purposes not covered by other legal grounds - typically to send you commercial communications and newsletters if you are not our customer. We use consent as a legal basis e.g. if you have not placed an order for goods or services and still wish to receive our newsletter - then your consent is required under Article 6(1)(a) GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll. Consent is always a voluntary, specific, informed and unambiguous expression of the data subject's will - we do not require it for processing that we may carry out on another legal basis and you can withdraw your consent at any time.
  2. Purposes of processing personal data: we process your data only for the purposes set out in advance, and specifically:
    • The processing of your order and the performance of the contract - in particular the delivery of the ordered goods, the provision of payment, communication regarding the status of the order or any complaints, and the exercise of other rights and obligations arising from the contractual relationship between you and the controller. When creating an order, we only require from you the data necessary for the successful execution of the order (identification and contact data, delivery data, etc.); the provision of these data is a necessary requirement for the conclusion and performance of the contract - without their provision, it would not be possible to conclude the contract or for the controller to properly perform it. This purpose also includes keeping the necessary records and fulfilling the legal obligations related to the contract (e.g. keeping accounting documents).
    • Sending commercial communications and marketing activities - in particular sending newsletters and offers by e-mail. We carry out these activities either on the basis of our legitimate interest (for existing customers within the limits of the law) or on the basis of your consent (for persons who have subscribed to the newsletter without prior purchase). In any such email you will be given the opportunity to simply unsubscribe.
    • Protecting our rights and preventing disputes - where necessary, data may also be processed to protect our legal claims, resolve any disputes, recover debts or prevent fraud. This purpose is based on our legitimate interest to protect our business and only takes place to the extent justified (e.g. keeping relevant documents for a certain period of time in case of a claim or litigation).
  3. Automated decision-making and profiling: the Controller does not carry out automated individual decision-making within the meaning of Article 22 GDPR, i.e. no decision is made solely on the basis of automated processing (including profiling) that would have legal effects on you or affect you in a similarly significant way. None of our decisions regarding you are made purely automatically without human judgement. Should the controller intend to carry out automated decision-making in specific cases in the future, it will only do so on the basis of your explicit consent and after all conditions under the GDPR have been met.

IV. Data retention period

  1. Duration of processing: the controller shall only retain personal data for as long as is strictly necessary for the purposes of the processing, having regard to the reasons for which it processes the data, as well as any legal archiving obligations. We set specific retention periods for selected purposes:
    • Performance of a contract and legal obligations: for the duration of the contractual relationship and thereafter for as long as necessary to protect the rights and fulfil the obligations of the controller, but no longer than 20 years from the termination of the contract. This period is based on the obligations to retain business and tax documents and also takes into account the limitation periods for any claims. In exceptional cases, some data may need to be retained for longer (e.g. where there is a pending litigation or other legal process) for the period necessary to protect the legal claims of the controller.
    • Marketing purposes: until you withdraw your consent to processing (or object to processing for marketing purposes), but no longer than 10 years from the time the data was collected for that purpose. If personal data is processed on the basis of your consent and you do not withdraw your consent, it will still be deleted after a reasonable period of time to ensure that it is not kept for longer than is fair and necessary. We may ask you to renew your consent before this period expires.
  2. Data erasure: After the expiry of the specified retention period, the controller will securely erase or anonymise the personal data concerned. This will permanently end the processing for that purpose, unless you have set up a customer account for that data (in which case the data will be deleted or anonymised as part of the account cancellation process, but at the latest after the expiry of the above periods).

V. Recipients of personal data (subcontractors of the controller)

  1. Categories of recipients: to the extent necessary, your personal data may be disclosed to the following third party recipients:

    • External suppliers of goods and transport: persons involved in the delivery of goods or the execution of payments under contract - for example, transport companies (couriers) ensuring the delivery of ordered goods, or the bank and payment gateway processing your payment.
    • E-shop and IT service providers: persons providing e-shop operation and related services - for example, server and data storage operators, software administrators, IT support providers, or external administrators involved in the operation of the ampul.eu website and our internal systems. These entities process data exclusively on the instructions of the controller and on the basis of a data processing agreement.
    • Marketing and analytical services: persons providing marketing services, website traffic analysis or related services for the controller - for example, marketing agencies sending newsletters, customer satisfaction assessment tools, personalised advertising services, etc.
  2. Transfer of data outside the EU: The controller does not primarily intend to transfer your personal data to third countries (non-EU/EEA countries) or international organisations. However, some of the external service providers listed below may be based or store data in countries outside the EU (in particular the USA). Therefore, if personal data is transferred outside the EU as part of the use of a service, this is only under conditions that ensure an adequate level of protection of personal data in accordance with Chapter V of the GDPR. This means that the transfer will take place either on the basis of an adequacy decision of the European Commission for that country (e.g. for transfers to the US, this may be the EU-US Data Privacy Framework, for which the European Commission issued an adequacy decision on 10/7/2023), or on the basis of appropriate safeguards under Article 46 of the GDPR, such as standard contractual clauses or binding corporate rules. In cases of transfers to third countries, the controller always ensures that the recipients of the data provide an equivalent level of protection for personal data as in the EU.

  3. Specific third-party services: the Controller uses the following external services to process certain marketing and support activities that may process your personal data:

    • Google Analytics - a tool for analysing website traffic; it records cookies and data about the use of our website.
    • Google Ads (AdWords) - advertising platform; records cookies and data about your movement around the site for the purpose of targeting ads.
    • Google Shopping - a service for sending purchase review requests; if you agree in the checkout process, your email address is forwarded for a one-off request for a review of the item you have purchased.
    • Heureka.cz - price comparison engine; records information about the purchase (conversion) and your email address for the "Verified by customers" service (satisfaction rating).
    • Zboží.cz - price comparator; records purchase conversions and email addresses for rating purposes.
    • Sklik - Seznam.cz's advertising system; records cookies, site usage data and conversions (orders placed) for evaluation and ad targeting.
    • Hledejceny.cz - price comparison engine; records purchase conversions and email addresses for sending evaluation questionnaires.

    Note: Some of these services use cookies or similar tracking technologies on our site. Details of how these technologies work and what data we process through them can be found in a separate Cookie Policy document. Where legally required, these cookies (e.g. marketing cookies) are only used after you have given your consent via the cookie bar.

VI. Your rights

  1. Rights of the data subject:
    • The right to access your personal data under Article 15 of the GDPR - you can ask us to confirm whether we are processing your personal data and, if so, you have the right to obtain a copy of the data and information about the processing.
    • Right to rectification of personal data under Article 16 of the GDPR - if you find that we hold outdated or inaccurate data about you, you have the right to request that it be rectified or completed.
    • Right to erasure of personal data ("right to be forgotten") under Article 17 GDPR - subject to the conditions set out in the GDPR, you have the right to request that we erase your personal data. For example, if the data is no longer needed for the stated purposes or you withdraw consent and there is no other legal basis for processing.
    • Right to restriction of processing under Article 18 GDPR - in certain situations, you can request that we temporarily restrict the processing of your personal data (for example, if you contest the accuracy of the data or if there are proceedings pending against your objection to processing).
    • Right to data portability under Article 20 of the GDPR - you have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer that data to another controller. This right applies to data processed by automated means on the basis of your consent or the performance of a contract.
    • The right to object to the processing of personal data under Article 21 GDPR - this applies in particular to processing based on our legitimate interest. If you object to processing for direct marketing purposes, we will no longer process your personal data for this purpose. In other cases of legitimate interest, we will stop the processing unless we can demonstrate compelling legitimate grounds for continuing that override your rights and freedoms.
    • Right to withdraw consent to the processing of personal data at any time - if the processing is based on your consent, you have the right to withdraw this consent at any time (without retroactive effect). Withdrawal of consent does not adversely affect other aspects of our cooperation - for example, we may continue to supply you with goods or services if we have another lawful reason for doing so. You can withdraw your consent in the same way you gave it (e.g. by clicking the unsubscribe link in an email, by editing the settings in your customer account, or by sending an email to the controller). Withdrawal of consent does not affect the lawfulness of previous processing carried out up to the time of withdrawal of consent.
  2. Right to lodge a complaint: you also have the right to lodge a complaint regarding the processing of your personal data with a supervisory authority. In the Czech Republic, this authority is the Office for Personal Data Protection (www.uoou.cz). You can file a complaint if you believe that the processing of your personal data violates the law.
  3. Exercising your rights: you can exercise your rights by using the contacts listed in Part I above. We will provide you with all communications and statements regarding the rights you have exercised free of charge. However, if your request is manifestly unfounded or unreasonable (in particular because it is repetitive), we may charge a reasonable fee for administrative costs under the GDPR or refuse to comply with the request. We will respond to your requests within 1 month of receipt; in complex cases this period may be extended by a further two months.

VII. Conditions for the security of personal data

  1. Technical and organisational measures: the controller declares that he/she has taken all appropriate technical and organisational measures to protect personal data against misuse, loss, damage or unauthorised access.
  2. Data storage security: the controller has taken specific technical measures to secure data storage, both in electronic form (servers, databases) and in paper form (documents containing personal data). These measures include in particular: encrypted web access (securing the HTTPS protocol for the ampul.eu website), encryption of customer passwords in the database, regular updates of the system and security software, firewalls and virus protection, and regular data backups.
  3. Personnel security: the Controller declares that only authorised persons (employees or collaborators of the Controller or authorised processors) who have been duly trained on data protection obligations and are bound by confidentiality have access to personal data. No unauthorised person has access to your personal data.

VIII. Final provisions

  1. Acknowledgement of Awareness. You are always referred to this Policy and have the opportunity to read it in detail before placing an order.
  2. Consent via the form: In some cases (e.g. when registering for a customer account or subscribing to a newsletter without prior purchase) we may need your consent to process your personal data. You give such consent by ticking the relevant box in the online form. This tick represents your free, specific, informed and unambiguous consent to this Policy (the consent box is not pre-ticked). By ticking the box, you confirm that you have read the Privacy Policy and that you accept it in full. You may withdraw your consent at any time (see Article VI, paragraph 1 above).
  3. Changes to the terms and conditions: the controller is entitled to change or update these terms and conditions at any time. It will always post the new version of the Privacy Policy on its website and notify you of any material changes (or send it to your email address if you have provided it to the Controller). We therefore recommend that you keep an eye on this page, where you can always find the latest version of the Policy.
  4. Effective date: This Privacy Policy is effective as of March 1, 2025 and fully replaces the previous version dated May 25, 2018. The Controller retains older versions of this Policy for reference and will provide them to you upon request.