MEMORANDUM OF UNDERSTANDING

Memorandum of understanding regarding personal data processing in accordance with the European Parliament and Council regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and information for subjects of the company LIME Concept s.r.o., registered at Korunni 2569/108,Vinohrady, 101 00 Praha 10, ICO: 262 22 787, which is your personal data controller.

Dear customer,

the purpose of this memorandum of understanding is to provide you with information about what personal data we collect, how we treat your data, how we acquire your data, how we use your data, who can access your data, where you can find information about the personal data we collect and what your legal rights are relating to your personal data.

I. General information

Our company must adhere to many legal obligations when processing our customers’ personal data, especially when fulfilling our contractual obligations. In relation to this, without your personal data, we would not be able to provide you with our products and services. We also process your personal data beyond our legal duties, to provide you and our other customers with better care and individually tailored offers. To be able to do this we need your consent. If you do not give us your consent, our product offers to you may be limited or otherwise altered, depending on the amount of your personal data we will be allowed to process. Unless otherwise stated, the information about personal data processing in this memorandum applies to all of our prospective customers who have not entered into contract with us yet, but who we are in contact with, as well as our former customers.

II. Who has access to your personal data

Your personal data can be primarily accessed by our employees, whose job requires processing of your personal data in the course of their work, but only as necessary, while adhering to all of our security arrangements.

Your personal data is also shared with third parties who are involved in our customer data processing, or the third parties can access your data when otherwise legally required. The third parties are primarily personal data processing companies, who are carefully selected by our company. Our company only allows the third parties access to your personal data when we have confirmed that they apply appropriate data protection and security controls, so that your data cannot be accidentally or unlawfully destroyed, lost, damaged, altered or otherwise unlawfully processed and that nobody can gain unauthorised access to your data.

Other third parties that may have access to your data include our service and technology providers and suppliers, delivery and marketing service providers who, as part of our promotional campaign, deliver magazines, competition prizes and presents to our customers, and security personnel who are responsible for the protection of our company’s personnel and property using camera recording systems in our individual stores, etc.

III. The personal data we collect and why

Our company may collect the following information about you:

(a) your personal details – primarily your first name, surname, title, date of birth,

(b) your contact details – the details that you consented to provide in your personal data processing agreement, or that you subsequently updated, such as your postal address, delivery address, email and phone number.

We collect as many of your details as necessary for customer identification. We collect this information:

(a) to be able to send you, primarily via text messages and emails, promotional offers, information about rewards, sales, discounts, benefits and other Customer Loyalty Program events,

(b) to be able to assess customer shopping histories in order to provide tailored services as per (a) above,

(c) to conclude or update a contract with data subjects and for the subsequent fulfilment of this contract,

(d) to fulfil our legal obligations and

(e) for our company’s legitimate interests in protecting persons and property.

IV. Personal data processing principles

Personal data is processed by the data controller’s authorized employees or data processors in its offices, branches and its place of business. When processing your personal data we are committed to respecting the highest data protection standards and we always follow these rules:

(a) when processing your personal data we are dedicated to being transparent and we clearly state the reason why we collect your data, what procedures and tools we use and we only process your data for as long as necessary. We only process accurate personal information and we guarantee that the data processing happens in accordance with, and is necessary for, fulfilling the clearly stated reason,

(b) when processing your personal data we follow procedures that maintain the highest security standards and that protect your data against unauthorised or unlawful access and processing, and against accidental loss, destruction or damage as well as other unauthorised use,

(c)we will always provide you with clear information about your data processing and about your right to receive full and accurate information about this process, as well as your other related rights,

(d) our company strives to follow all appropriate technical and organizational procedures to maintain the highest possible security standards while taking into account all potential security risks. All personnel (employees, third parties and data processors) who access customer personal data are sworn to secrecy about the information they obtain while processing the personal data.

V. Personal data processing legal basis

Our company is allowed to process your personal data based on:

(a) execution and fulfilment of the contract between our company and you

(b) fulfilment of our legal obligations

(c) protection of our legal rights and interests, our legitimate interests, or that of a third party, if these interests take precedence over your interests or your fundamental rights and freedoms

(d) your consent

VI. Personal data processing extent and method

Our company processes your personal data to the extent necessary for fulfilment of the purposes mentioned above. The methods that our company uses include both manual and automated processes  in both electronic and paper form. One of the methods that our company uses is automated personal data profiling of our customers. This method also results in derived customer information. We use this method mainly to comply with our legal obligations and to protect the rights and legally protected interests of our company, our clients and third parties. To a certain extent, our company may use these results when preparing individually tailored products and services.

Your personal data is primarily processed by our authorized  employees and when necessary by third parties (see above ‘Who has access to your personal data’). Before we share your personal data with a third party we always sign a personal data processing agreement with this party, which offers the same guarantees when processing personal data as our own company is legally obliged to observe.

Security cameras

At the entrance to our stores we inform you that we monitor our premises with camera recording systems, based on our legitimate interest in protecting our property and other individuals and also as evidence in case of an incident. We also monitor all till transactions, based on our legitimate interest in preventing fraud and also as evidence, e.g. in case you arrive home and realize that you forgot something in store, but that you have paid for. Together with the store recordings we also save individual till transaction recordings.

VII. How long we process and keep your data

Our company processes our customers’ personal data for only as long as necessary, depending on the reason why they have been processed. We regularly re-evaluate our need for processing certain personal information that we have collected for specific reasons. If we discover that there is no reason to retain the data any more, we discard it. The general rule is that the personal data processed while:

(a) fulfilling the contract, we process throughout the contract duration period and when the contract with the customer expires, the data is usually retained for a period necessary to fulfil legal or contractual obligations,

(b) fulfilling our legal obligation, we process for a period of time stated in relevant legal regulations,

(c) offering products and services, we process for the duration of the consent the customer gave us,

(d) protecting legitimate interests, we process for as long as our legitimate interests to retain them require.

VIII. Your rights as a data subject

We would like to assure you that we process your data transparently, properly and in compliance with law. As a data subject you have the right to access, correct or delete your personal data, or limit your data processing, unless otherwise stated in a specific regulation. You have the right to transfer the data that you provided with your consent and when executing a contract with us, that is the right to obtain your personal data in the form of a machine readable, standard format copy. You have the right to oppose your data processing if the data is processed on the basis of our legitimate interests, i.e. our camera recording system. You have the right to retract your consent to specific personal data processing anytime. If you retract your consent, the legal processing of your personal data before the retraction is not affected. You have the right to file a complaint with our company or with the personal data protection office, which is the Office for Personal Data Protection (Úřad na ochranu osobních údajů), the address and contact details of this office are available at www.uoou.cz.