-1.png){kind=logo}
Personal Data Protection
If you are a customer, newsletter subscriber or a visitor to the website www.drrhaco.com (hereinafter the “Website”), you entrust your personal data to the controller specified below. The controller is responsible for their protection and security. Please ознакомьтесь with personal data protection, the principles and the rights you have in connection with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, hereinafter “GDPR”).
Who is the controller?
Dr. Rhaco, s.r.o., Company ID (IČ) 09568310, VAT ID (DIČ) CZ09568310, registered office: Korunní 2569/108, Vinohrady, 101 00 Prague 10, registered with the Municipal Court in Prague, file No. C337663 (hereinafter the “Controller”).
The Controller determines how personal data will be processed and for what purpose, for how long, and selects any additional processors who will assist with the processing of personal data.
Contact details
If you wish to contact the Controller during the processing, you may contact the Controller by phone at +420 602 609 454 or by e-mail at: info@drrhaco.com.
Scope of processed personal data, purpose of processing, processing period, legal basis for processing
The Controller processes personal data that you provide yourself, within the scope specified below, for the purposes described below, on the legal bases stated below and for the periods stated below:
PERSONAL DATA OF CUSTOMERS – NATURAL PERSONS
Purpose of processing: performance of a contract
Scope of personal data: first name, last name, e-mail address, phone number, delivery address and/or billing address, and/or Company ID and registered office.
Processing period: for the period necessary to perform the contract and for the duration of limitation periods.
Legal basis: processing is necessary for the performance of a contract.
Purpose of processing: accounting, fulfilment of archiving obligations
Scope of personal data: first name, last name, billing address, and/or Company ID and registered office.
Processing period: for 10 years, unless legal regulations require a longer period.
Legal basis: fulfilment of legal obligations imposed on the Controller.
Purpose of processing: marketing – sending newsletters
Scope of personal data: first name, last name, e-mail address.
Processing period: for a necessary and reasonable period.
Legal basis: the Controller’s legitimate interest (direct marketing).
Purpose of processing: sending advertising and marketing communications
Scope of personal data: first name, last name, e-mail address.
Processing period: for 4 years from the granting of consent, at the latest until consent is withdrawn.
Legal basis: consent.
Purpose of processing: promotion and marketing of the Controller
Scope of personal data: your photographs and videos that you provide to the Controller.
Processing period: for a necessary and reasonable period, at the latest until consent is withdrawn.
Legal basis: consent.
Purpose of processing: obtaining a customer reference
Scope of personal data: first name, last name, e-mail address.
Processing period: for the period necessary to obtain a customer reference.
Legal basis: the Controller’s legitimate interest in obtaining feedback on its services.
Purpose of processing: maintaining a customer account
Scope of personal data: first name, last name, e-mail address, phone number, delivery address and/or billing address, and/or Company ID and registered office.
Processing period: from registration until the customer deletes the account or until the Controller deletes the account due to customer inactivity (no earlier than 2 years from the customer’s last login to the customer account).
Legal basis: consent.
PERSONAL DATA OF CUSTOMERS – CONTACT PERSONS OF CUSTOMERS – LEGAL ENTITIES (in particular members of statutory bodies, authorised employees)
Purpose of processing: performance of a contract
Scope of personal data: first name, last name, e-mail address, phone number.
Processing period: for the period necessary to perform the contract and for the duration of limitation periods.
Legal basis: processing is necessary for the performance of a contract.
Purpose of processing: marketing – sending newsletters
Scope of personal data: first name, last name, e-mail address.
Processing period: for a necessary and reasonable period.
Legal basis: the Controller’s legitimate interest (direct marketing).
Purpose of processing: sending advertising and marketing communications
Scope of personal data: first name, last name, e-mail address.
Processing period: for 4 years from the granting of consent, at the latest until consent is withdrawn.
Legal basis: consent.
Purpose of processing: promotion and marketing of the Controller
Scope of personal data: your photographs and videos that you provide to the Controller.
Processing period: for a necessary and reasonable period, at the latest until consent is withdrawn.
Legal basis: consent.
Purpose of processing: maintaining a customer account
Scope of personal data: first name, last name, e-mail address, phone number.
Processing period: from registration until the customer deletes the account or until the Controller deletes the account due to customer inactivity (no earlier than 2 years from the customer’s last login to the customer account).
Legal basis: consent.
PERSONAL DATA OF PERSONS WHO CONTACT THE CONTROLLER
Purpose of processing: responding to inquiries from persons who contact the Controller
Scope of personal data: first name, last name, e-mail address, phone number.
Processing period: for the period necessary to respond to the inquiry.
Legal basis: legitimate interest in responding to the inquiry.
PERSONAL DATA OF WEBSITE VISITORS – COOKIES PROCESSING
Cookies are text files containing a small amount of information that are downloaded to your device when you visit our Website. Cookies are then sent back on each subsequent visit to the Website or to another website that recognises them.
Cookies perform various tasks, for example enabling efficient navigation between web pages, remembering your preferences and generally improving the user experience. They can also help ensure that online advertisements are more tailored to you and your interests.
The Controller uses the following cookies on the Website:
- Necessary cookies: required for the operation of the Website, enabling, for example, access to secure areas and other basic website functions. The Controller may process this category of cookies even without your consent.
- Analytical/statistical cookies: enable the Controller, for example, to recognise and determine the number of visitors and to track how visitors use the Website. They help the Controller improve how the Website works, for example by enabling users to easily find what they are looking for. The Controller processes these cookies only with your prior consent.
- Advertising cookies: used to track preferences and enable the display of advertising and other content that best matches your interests and online behaviour. The Controller processes these cookies only with your prior consent.
The Controller notes that third parties (including, for example, providers of external services) may also use cookies and/or access data collected by cookies on the Website.
Further information about cookies and their current list can be found via individual internet browsers, most often in the “Developer Tools” section.
Consent may be expressed via a checkbox in the so-called cookie bar. You can also refuse cookies later in your browser settings or set the use of only certain cookies.
Security and protection of personal data
The Controller protects personal data to the maximum possible extent using modern technologies corresponding to the current state of technical development. The Controller has adopted and maintains all possible (currently known) technical and organisational measures preventing misuse, damage or destruction of your personal data.
Disclosure of personal data to third parties
The Controller’s collaborators and suppliers have access to your personal data.
To ensure specific processing operations that the Controller cannot provide on its own, the Controller uses the services and applications of the providers listed below:
These are providers of the following platforms:
- providers of services for processing cookies files: Google Ireland Limited, Meta Platforms Ltd, Seznam.cz, a.s.
- carriers: PPL CZ s.r.o., Zásilkovna s.r.o.
- payment gateway provider: GoPay Czech
Please note that due to changing service providers for certain services, it is not possible to list all current and future processors of personal data by name. Therefore, the above list of processors may change over time.
Transfer of data outside the European Union
The Controller processes data exclusively in the European Union or in countries that ensure an adequate level of protection based on a decision of the European Commission.
The Controller does not transfer personal data to an international organisation.
Voluntary provision of personal data
You provide personal data to the Controller voluntarily. Failure to provide personal data may affect the Controller’s ability to conclude a contract or provide the data subject with performance that is based on the necessary knowledge of information about the data subject, including personal data.
Your rights in connection with personal data protection
In connection with personal data protection, you have a number of rights. If you wish to exercise any of these rights, please contact the Controller via e-mail: info@drrhaco.com.
Right of access to personal data
You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to access the personal data and the following information:
- the purposes of the processing,
- the categories of personal data concerned,
- the recipients or categories of recipients to whom the personal data have been or will be disclosed,
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
- the right to lodge a complaint with a supervisory authority,
- any available information as to the source of the personal data, where the personal data are not collected from you directly.
You also have the right to request from the Controller a copy of the processed personal data, provided that this does not adversely affect the rights and freedoms of others. For additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where you submit the request by electronic means, the information shall be provided in a commonly used electronic form, unless you expressly request a different format.
Right to rectification
If anything changes or you find your personal data to be outdated or incomplete, you have the right to have your personal data completed and corrected.
Right to restriction of processing
You have the right to have the Controller restrict processing of your personal data in any of the following cases:
- if you believe that the Controller processes inaccurate personal data, for the period necessary for the Controller to verify the accuracy of the personal data;
- the processing is unlawful and you request restriction of use instead of erasure;
- the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims.
Right to data portability
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the Controller, where:
- the processing is based on consent or on processing necessary for the conclusion and performance of a contract with you; and
- the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have the personal data transmitted directly from the Controller to another controller, where technically feasible. The right to data portability shall not adversely affect the rights and freedoms of others.
Right to erasure (“right to be forgotten”)
You have the right to obtain from the Controller the erasure of personal data concerning you without undue delay, and the Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw consent on which the processing is based and there is no other legal ground for the processing;
- you lodge justified objections to the processing of personal data;
- the personal data have been processed unlawfully;
- the personal data must be erased for compliance with a legal obligation in EU or Czech law;
- the personal data were collected in relation to the offer of information society services based on consent given by a child.
Right to lodge a complaint with the Office for Personal Data Protection
You have the right to lodge a complaint regarding the processing of your personal data by the Controller with the supervisory authority, which for the Czech Republic is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7.
Right to object
You have the right to object to the processing of personal data. If you raise a justified objection to processing for the purposes of direct marketing or profiling, personal data will no longer be processed for these purposes.
The objection will be assessed and the Controller will subsequently inform you whether the objection has been upheld and the Controller will no longer process the data, or that the objection was not justified and processing will continue. Until the objection is resolved, processing will be restricted.
Right not to be subject to automated decision-making, including profiling
You have the right not to be subject to any decision based solely on automated processing, including profiling (i.e., any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to you), which produces legal effects concerning you or similarly significantly affects you. This right does not apply if the automated decision is necessary for the conclusion or performance of a contract between you and the Controller or is based on your explicit consent; in such cases, however, you have the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.
Right to withdraw consent to processing
If the processing of personal data is based on your consent, you may withdraw your consent to processing at any time by sending an electronic message to info@drrhaco.com or via the link provided in the marketing communication. Withdrawal of consent does not affect processing carried out by the Controller on the basis of another legal title, in particular for the performance of a purchase contract, provision of a service, or processing that was based on consent until the moment of its withdrawal.
Confidentiality
The Controller assures you that its collaborators and processors who will process your personal data are obliged to maintain confidentiality regarding personal data and security measures, disclosure of which would jeopardise the security of your personal data. This confidentiality continues even after the termination of contractual relationships with the Controller.
These personal data processing principles are effective from 20 February 2026. The Controller is entitled to change these personal data protection and processing principles at any time.