PERSONAL DATA PROTECTION AND COOKIE INFORMATION

/ Principles and instructions on personal data protection

provided by the operator to the data subject when obtaining personal data from the data subject and instructions on cookies of the Internet store www.wvagon.com /

Operator

1.1. Identity and contact details of the Operator are:

Business name: Dávid Lazar

Place of business: 97101 Prievidza, Ulica A. Stodolu 162/12, Slovak Republic

Registered in the trade register: Prievidza District Office, Trade register number: 340-38603
IČO: 50357271

DIČ: 1121511006
Bank account: SK05 0900 0000 0052 0409 4048

The seller is not value added tax payer

1.2. Email contact and telephone contact for the Operator is:


Tel. No.: +421908852898

1.3. Address of the Operator for sending documents:

Dávid Lazar, A. Stodolu 162/12, Prievidza 97101, Slovak Republic

1.4. The Operator hereby, in accordance with Article 13, paragraphs 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 May 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC General Data Protection Regulation (hereinafter referred to as the “Regulation”), further in accordance with Act No. 18/2018 Coll. The Act on the Protection of Personal Data and on Amendments to Certain Acts, as amended, and in accordance with Act No. 452/2021 Coll. The Act on Electronic Communications, as amended, provides the Data Subject - (Buyer), from whom the Operator (Seller) obtains personal data concerning him/her, with the following information, instructions and explanations:

References

2.1. These principles and instructions on the protection of personal data form part of the General Terms and Conditions published on the Seller's Website.

2.2. Pursuant to §3, para. 1, letter n), of Act No. 102/2014 Coll. The seller informs the consumer that there are no special relevant codes of conduct to which the seller has committed to comply, whereby a code of conduct is understood to mean an agreement or a set of rules that define the behavior of the seller who has committed to comply with this code of conduct in relation to one or more specific business practices or business sectors (if these are not established by law or other legal regulation or measure of a public administration body) that the seller has committed to comply with, and the manner in which the consumer can familiarize himself with them or obtain their text.


III. Privacy and use of cookies. Instructions and explanation of cookies, scripts, and pixels

3.1. The website operator provides the following brief explanation of the function of cookies, scripts, and pixels:

3.1.1. Cookies are text files that contain a small amount of information that is downloaded to your device when you visit a website. Thanks to this file, the website stores information about your actions and preferences (such as login name, language, font size, and other display settings) for a certain period of time, so that you do not have to enter them again the next time you visit the website or browse its individual pages

A script is a piece of program code that is used for the correct and interactive function of websites. This code runs on the operator's server or on your device.

Pixels are small, invisible text or images on a website that are used to monitor website traffic. To do this, various data are stored using pixels.

3.1.2.Cookies are divided

Technical or functional cookies – ensure the proper functioning of the Operator’s website and its use. These cookies are used without consent.

Statistical cookies – The Operator obtains statistics regarding the use of its websites. These cookies are used only with consent.

Marketing / Advertising cookies – Used to create advertising profiles and similar marketing activities. These cookies are used only with consent.

3.2.How to control cookies:

3.2.1.You can control and/or delete cookies at your discretion – see details at aboutcookies.org. You can delete all cookies stored on your computer or other device and you can set most browsers to prevent them from being stored.

3.3. The Operator's website uses the following cookies:

All cookies used by the Operator can be found on the website https://www.cookieserve.com/ by entering the Operator's web address https://www.wvagon.com

Technical or functional cookies - the information is accessed by the Operator of the website. Cookies are valid for 2 years.

Statistical cookies - the information is accessed by the Operator of the website. Cookies are valid for 2 years.

Marketing and advertising cookies - the information is accessed by the Operator of the website. Cookies are valid for 2 years.

3.3.1.Cookies made available to third parties:

Google analytics, Google ADS: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For more information on privacy, please see https://support.google.com/analytics/topic/2919631?hl=sk&ref_topic=1008008

Processed personal data

4.1.The operator processes the following personal data on its website: name, surname, place of residence, email address, home telephone number, mobile phone number, billing address, delivery address, data obtained from cookies, IP addresses.

Contact details of the person responsible for supervising personal data protection

5.1.The operator has appointed a person responsible for personal data protection in accordance with Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Contact:

Email: [email protected]

Tel. No.: +421908852898

5.2.The Operator is also the Seller within the meaning of the term set out in the General Terms and Conditions of this website.

Purposes of processing personal data of the Data Subject and period of processing personal data

6.1.The purposes of processing personal data of the Data Subject are mainly:

6.1.1.recording, creation and processing of contracts and client data for the purpose of concluding contracts with third parties.

6.1.2.processing of accounting documents and documents related to the business activities of the Operator.

6.1.3.compliance with legal regulations in connection with the archiving of documents and documents, e.g. under Act No. 431/2002 Coll., the Accounting Act, as amended, and other relevant regulations.

6.1.4. the activity of the Operator in connection with the fulfillment of the request, order, contract and similar institutes of the Data Subject.

6.1.5. Newsletter, marketing and similar advertising activities of the Operator. In the event that the Data Subject grants the Data Subject consent to the Operator with marketing and similar advertising activities.

6.2. The Data Subject's personal data is stored by the Operator only for the period strictly necessary for the purposes of fulfilling the contract and their subsequent archiving in accordance with the statutory deadlines imposed on the Operator by legal regulations. In the event that the Data Subject has agreed to the sending of advertising emails and similar offers, the Data Subject's personal data are processed for these purposes until the Data Subject withdraws their consent. However, for a maximum period of 10 years.

VII. Legal basis for processing personal data of the Data Subject

7.1 In the event that the Operator processes personal data based on the consent of the Data Subject, such processing will only be initiated after the Data Subject has given such consent.

7.2. In the event that the Operator processes personal data of the Data Subject for the purposes of negotiating pre-contractual relations and concluding and fulfilling a purchase contract, and the related delivery of goods, products or services. The Data Subject is obliged to provide personal data for the proper performance of the purchase contract, otherwise the performance cannot be ensured. Personal data for the given purpose is processed without the consent of the Data Subject.

VIII. Recipients or categories of recipients of personal data

8.1. The recipients of personal data of the Data Subject will be or may at least be:

8.1.1. statutory bodies of the Operator or their members.

8.1.2.persons performing work activities in an employment or similar relationship for the Operator.

8.1.3.sales representatives of the Operator and other persons cooperating with the Operator in fulfilling the tasks of the Operator. For the purposes of this document, all natural persons performing dependent work for the Operator on the basis of an employment contract or agreements on work performed outside of an employment relationship will be considered employees of the Operator.

8.1.4.The recipients of the personal data of the Data Subject will also be the Operator's collaborators, its business partners, suppliers and contractual partners, in particular: an accounting company, a company providing services related to the creation and maintenance of software, a company providing legal services to the Operator, a company providing consultancy to the Operator, companies providing transport and delivery of products to buyers and third parties, marketing companies, companies operating social networks, companies providing payment gateways and other payment methods.

8.1.5. The recipients of personal data will also be courts, criminal prosecution authorities, tax authorities and other state authorities, if so provided by law. Personal data will be provided by the Operator to the relevant authorities and state institutions on the basis of and in accordance with the legal regulations of the Slovak Republic.

8.1.6. List of third parties - intermediaries and recipients who process the personal data of the Data Subject:

Direct Parcel Distribution SK, s.r.o., identification number 35 834 498, with its registered office at Pri letisku 5, 821 04 Bratislava - third party providing transport services

Packeta Slovakia s. r. o., Kopčianska 3338/82A, Bratislava - Petržalka city district 851 01 - third party providing transport services

General Logistics Systems Slovakia s.r.o., Budča 1039, 962 33 Budča, Slovak Republic - third party providing transport services

Zásilkovna s.r.o., Prague, IČO: 28408306 , Českomoravská 2408/1a, 190 00 Prague - Libeň - third party providing transport services

DPD-služby, s.r.o. ,IČO: 25131036, Hvozdnice 140, 252 05 Hvozdnice - Hvozdnice - third party providing shipping services

Shoptet, a.s., Dvořeckého 628/8, 169 00 Prague 6, Czech Republic, IČ: 28935675, DIČ: CZ28935675 - third party providing the ShoptetPay payment gateway

Heureka Shopping s.r.o, Karolinská 650/1, 186 00 Prague 8 – Karlín, Czech Republic, IČ: 02387727 - third party providing satisfaction monitoring with the functioning of the website and ensuring the functioning of the Verified by customers service

8.2. The e-commerce operator determines satisfaction with the purchase through e-mail questionnaires as part of the Verified by Customers program, in which the Operator's e-commerce is involved. The Operator sends the Data Subject - Buyer every time the Data Subject - Buyer makes a purchase from the e-commerce operator, unless, pursuant to Act No. 452/2021, as amended, the Data Subject - Buyer refuses to receive e-mail for direct marketing purposes. The Operator processes personal data for the purpose of sending questionnaires as part of the Verified by Customers program based on the Operator's legitimate interest, which consists in determining the satisfaction of the Data Subject - Buyer with the purchase through the Seller's e-commerce. For sending questionnaires, evaluating the Data Subject - Buyer's feedback and analyzing market position, the Operator uses a processing intermediary, which is the operator of the Heureka.sk portal, to which the Operator may transfer information about the purchased goods and the e-mail address of the Data Subject - Buyer for these purposes. The Data Subject - Buyer's personal data is not transferred to any third party for its own purposes when sending e-mail questionnaires. The Data Subject - Buyer may object to the sending of e-mail questionnaires within the Verified by Customers program at any time by refusing further questionnaires using the link in the e-mail with the questionnaire. In the event of an objection by the Data Subject - Buyer, the Operator will not send the questionnaire to the Data Subject - Buyer.

Information on the provision of personal data to third countries and their retention period:

9.1. Not applicable. The Operator does not transfer personal data of persons to third countries.

Information on the existence of relevant rights of the Data Subject:

10.1.The Data Subject has, among others, the following rights, whereby:

10.1.1.Point 10.1 does not affect other rights of the Data Subject.

10.1.2.The Data Subject's right to access data pursuant to Article 15 of the Regulation, which includes:

the right to obtain from the Controller confirmation as to whether or not the Data Subject's personal data are being processed, and if so, to what extent. At the same time, if they are processed, they have the right to find out their content and request information from the Controller about the reason for their processing, in particular information about: The reason for their processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be provided, in particular in the case of recipients in third countries or international organisations, the expected period of storage of personal data or, if this is not possible, information about the criteria for determining it, the existence of the right to request from the Controller the correction of personal data relating to the Data Subject or their erasure or restriction of processing and the existence of the right to object to such processing, the right to lodge a complaint with a supervisory authority if the personal data were not obtained from the Data Subject, any available information regarding their source, the existence of automated decision-making, including profiling referred to in Article 22(1) of the GDPR. 1. and 4. of the Regulation and, in these cases, at least meaningful information about the procedure used, as well as the significance and foreseeable consequences of such processing of personal data for the Data Subject, about the appropriate safeguards pursuant to Article 46 of the Regulation regarding the transfer of personal data, if personal data are transferred to a third country or an international organization.

10.1.3. the right to obtain a copy of the personal data being processed, provided that the right to obtain a copy of the processed personal data does not adversely affect the rights and freedoms of others.

10.1.4. the Data Subject's right to rectification pursuant to Article 16 of the Regulation, which includes the right: to have the Controller rectify inaccurate personal data concerning the Data Subject without undue delay. the right to complete incomplete personal data of the Data Subject, including by providing a supplementary statement of the Data Subject, the right of the Data Subject to erase personal data (the so-called "right to be forgotten") pursuant to Article 17 of the Regulation, the content of which is:

10.1.5. the right to obtain from the Controller the erasure of personal data concerning the Data Subject without undue delay where one of the following grounds applies:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the Data Subject withdraws the consent on the basis of which the processing is carried out, provided that there is no other legal basis for the processing of the personal data, the Data Subject objects to the processing of the personal data pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing of the personal data, or the Data Subject objects to the processing of the personal data pursuant to Article 21(2) of the Regulation, the personal data have been processed unlawfully, the personal data must be erased in order to comply with a legal obligation under European Union law or the law of a Member State to which the Controller is subject, the personal data have been collected in connection with the offering of information society services pursuant to Article 8(1) of the Regulation. 1. of the Regulation;

10.1.6. the right to obtain from the Controller, who has disclosed the personal data of the Data Subject, taking into account available technology and the cost of implementation, reasonable measures, including technical measures, to inform other controllers processing the personal data that the Data Subject has requested them to erase all links to, or copies or replications of, those personal data, provided that the right to erasure of personal data subject to the rights under Article 17(1) and (2) of the Regulation shall not apply where the processing of personal data is necessary:

10.1.7. for the exercise of the right to freedom of expression and information.

10.1.8. for compliance with a legal obligation which requires processing under European Union law or the law of a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

10.1.9.for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) of the Regulation, as well as Article 9(3) of the Regulation.

10.1.10.for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, insofar as the right referred to in Article 17(1) of the Regulation is likely to render impossible or seriously impair the achievement of the objectives of such processing of personal data; or for the establishment, exercise or defence of legal claims;

10.1.11. the right of the Data Subject to restrict the processing of personal data pursuant to Article 18 of the Regulation, which includes:

10.1.12. the right to have the Controller restrict the processing of personal data where one of the following applies: the Data Subject contests the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data, the processing of the personal data is unlawful and the Data Subject objects to the erasure of the personal data and requests the restriction of their use instead, the Data Subject no longer needs the personal data for the purposes of the processing, but the Data Subject needs them for the establishment, exercise or defence of legal claims, the Data Subject has objected to the processing pursuant to Article 21(1) of the Regulation, pending verification of whether the legitimate grounds on the part of the Controller override those of the Data Subject;

10.1.13. the right to obtain that, where the processing of personal data has been restricted, such restricted personal data shall, with the exception of storage, be processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State;

10.1.14. the right to be informed in advance of the lifting of the restriction on the processing of personal data;

10.1.15. the right of the Data Subject to comply with the notification obligation towards recipients pursuant to Article 19 of the Regulation, which includes: the right for the Controller to notify each recipient to whom the personal data have been provided of any rectification or erasure of personal data or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18 of the Regulation, unless this proves impossible or involves disproportionate effort, the right for the Controller to inform the Data Subject about these recipients if the Data Subject so requests;

10.1.16.the right of the Data Subject to data portability pursuant to Article 20 of the Regulation, which includes: the right to receive the personal data concerning the Data Subject, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the Controller, if:

a/ the processing is based on the consent of the Data Subject pursuant to Article 6(1)(a) of the Regulation or Article 9(2)(a) of the Regulation, or on a contract pursuant to Article 6(1)(a) of the Regulation; b) of the Regulation, and at the same time

b/ the processing is carried out by automated means, and at the same time:

10.1.17. the right to receive personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the Controller, will not have adverse consequences for the rights and freedoms of others;

10.1.18. the right to transfer personal data directly from one controller to another controller, where technically feasible;

10.1.19. the right of the Data Subject to object pursuant to Article 21 of the Regulation, which contains:

10.1.20. the right to object at any time, on grounds relating to the particular situation of the Data Subject, to processing of personal data concerning him or her, which is carried out on the basis of Article 6(1)(a) of the GDPR. e) or f) of the Regulation, including objection to profiling based on these provisions of the Regulation;

10.1.21. in the event of exercising the right to object at any time, on grounds relating to the particular situation of the Data Subject, to processing of personal data concerning him or her, which is carried out on the basis of Article 6(1)(e) or (f) of the Regulation, including objection to profiling based on these provisions of the Regulation, the right for the Controller to no longer process the personal data of the Data Subject, unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims

10.1.22. the right to object at any time to processing of personal data concerning the Data Subject for direct marketing purposes, including profiling to the extent that it is related to direct marketing; provided that if the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes;

10.1.23. in connection with the use of information society services, the right to exercise the right to object to the processing of personal data by automated means using technical specifications;

10.1.24. the right to object, on grounds relating to the Data Subject's particular situation, to the processing of personal data concerning the Data Subject, where the personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, except where the processing is necessary for the performance of a task carried out for reasons of public interest;

10.1.25.the right of the Data Subject to automated individual decision-making pursuant to Article 22 of the Regulation, which includes:

10.1.26.the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except in cases pursuant to Article 22(2) of the Regulation [i.e. except in cases where the decision: (a) is necessary for entering into, or the performance of, a contract between the Data Subject and the Controller,

10.1.27.authorised by European Union law or the law of a Member State to which the Controller is subject and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the Data Subject or (c) based on the Data Subject's explicit consent.

1. Information on the right of the Data Subject to withdraw consent to the processing of personal data:

11.1. The Data Subject shall have the right to withdraw his/her consent to the processing of personal data at any time, without this affecting the lawfulness of the processing of personal data based on the consent granted before its withdrawal.

The Data Subject shall have the right to withdraw his/her consent to the processing of personal data at any time – in whole or in part. Partial withdrawal of consent to the processing of personal data may concern a certain type of processing operation/processing operations, while the lawfulness of the processing of personal data to the extent of the remaining processing operations remains unaffected. Partial withdrawal of consent to the processing of personal data may concern a certain specific purpose of the processing of personal data/certain specific purposes of the processing of personal data, while the lawfulness of the processing of personal data for other purposes remains unaffected.

The Data Subject may exercise the right to withdraw consent to the processing of personal data in written form to the address of the Controller registered as its registered office in the Commercial Register at the time of withdrawal of consent to the processing of personal data or in electronic form via electronic means (by sending an e-mail to the Controller's e-mail address specified in the identification of the Controller in this document).

XII. Information on the Data Subject's right to lodge a complaint with a supervisory authority:

12.1. The Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if he or she considers that the processing of personal data concerning him or her infringes the Regulation, all without prejudice to any other administrative or judicial remedies.

The data subject has the right to have the supervisory authority to which the complaint was lodged inform him or her, as the complainant, of the progress and outcome of the complaint, including the possibility of filing a judicial remedy pursuant to Article 78 of the Regulation.

12.2. The supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, Slovak Republic. Tel. contact: +421 /2 3231 3214, Email: [email protected],

XIII. Information related to automated decision-making, including profiling:

13.1. Since the Controller does not process the personal data of the Data Subject in the form of automated decision-making, including profiling referred to in Article 22(1) and (4) of the Regulation, the Controller is not obliged to provide information pursuant to Article 13(2)(f) of the Regulation, i.e. information on automated decision-making, including profiling, and on the procedure used, as well as on the significance and foreseeable consequences of such processing of personal data for the Data Subject. Not applicable.

XIV. Final provisions

14.1. These Principles and instructions on the protection of personal data and instructions on cookies form an integral part of the General Terms and Conditions and the Complaints Procedure. The documents – General Terms and Conditions and the Complaints Procedure of this Website are published on the domain of the Seller's Website.

14.2. These Personal Data Protection Principles shall enter into force and effect upon their publication on the Seller's Website on 9.5.2025