Privacy Policy

We take care of your data, we take care of your skin

Dear Customers and Business Partners,
The document you are currently reading contains basic information on how Ryor a.s. processes your personal data. We appreciate that you share your personal data with us and we are determined to protect it to the greatest extent possible. We also strive to be as transparent as possible, especially about how we process your personal data.

With regard to the new European Union legislation, this information memorandum was prepared in accordance with Regulation (EU) 2016/697 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

Privacy Administrator

Ryor a.s. is an entirely Czech cosmetic company, which manufactures, distributes and sells cosmetic products.

Company ID No.: 26746042
Registered Office: Praha 5, Pod Spiritkou 4, PSČ 150 00
HMain Production Facility: Kyšice, Karlovarská 207, PSČ 273 51

The company has been incorporated in the Commercial Register at the Municipal Court in Prague, Section B, File 8049 on the 28th January 2003.
SpRyor a.s. processes personal data in accordance with the following conditions:

What data Ryor a.s. processes

Ryor a.s. processes only the personal data of its business partners/customers (hereinafter referred to as the Data Provider) that are provided in connection with the business contact/purchase of the goods/purchase of the service. The data that is provided to the Data Provider in connection with the business contact/purchase of the goods/purchase of the service are as follows:

  • Name
  • Billing address
  • Mailing address
  • Phone number
  • E-mail
  • Payment information
  • IP address

Providing personal information arising from business transactions to Ryor a.s. represents generally a legal and contractual requirement.

As regards the provision of personal data for marketing purposes, which does not constitute the fulfilment of the contractual and statutory obligations of the Privacy administrator, consent is always required from the Data Provider. The situation when the Data Provider does not grant Ryor a.s. his/her/its consent to the processing of personal data for marketing purposes does not constitute a reason for Ryor a.s. to refuse to provide its product or service under a contract.

Officer

Ryor a.s.’s Personal Data Protection Officer is a person in the field of personal data protection who does everything in his/her power to ensure the correct processing, especially in accordance with applicable law. The officer is the most qualified person to handle questions and requests related to personal data.

The officer on behalf of Ryor a.s. is Jan BRABEC, who can be contacted at e-mail gdpr@ryor.cz or by phone at +420 317 071 500.

Acquisition of personal data

Personal data are obtained by Ryor a.s. directly from the customer/business partner, especially from mutual communication, sent correspondence or billing information or from concluded contracts.

In addition, personal data may also originate from publicly available sources, registers and records, e.g. from the business register, the debtors' register, professional registers, etc.

Additionally, Ryor a.s. can obtain personal data from third parties that are authorised to access and process the personal data of the Data Provider and with which it cooperates.

Personal data may also be obtained by Ryor on the basis of information placed by the Data Provider on social networks and on the Internet.

Why personal data are processed

Ryor a.s.'s customers/business partners personal data are processed for reasons arising from commercial contracts and purchase of goods or services so that the goods/services ordered by the data subject were delivered in the required quality and/or quantity, at the required place and at the time requested.

In that manner, personal data are processed for the purpose of securing the conclusion and subsequent fulfilment of a contractual obligation between Ryor a.s. and a customer/business partner. Other legal obligations arise from such a relationship and therefore the administrator must also process personal data for that purpose.

We process the data primarily for the purpose of

  • Goods delivery
  • Securing payment for goods
  • Ensuring the required service
  • Ensuring a proper claim period
  • Answering any queries about the goods or service.

Thanks to the granting of the Data Provider’s consent to the data processing, Ryor a.s. can constantly improve its services and business relationships towards its customers and business partners.

Legitimate interests

For its business purposes Ryor a.s. needs to process the personal data of its customers/business partners/employees/visitors and one of the legal titles of collecting personal data is a legitimate interest.

Personal data are processed by Ryor a.s. also to protect its legitimate interests. Ryor a.s.’s legitimate interests include in particular the proper performance of all its contractual obligations, the proper performance of all its legal obligations, the protection of the business and assets of Ryor a.s. and, last but not least, the protection of the environment and ensuring sustainable development.

Performance of a business contract or negotiation of its conclusion

Ryor a.s. processes the personal data of its customers/business partners in order to fulfil a specific contractual obligation (to provide a service or sale of goods) or to negotiate it. In the event of the conclusion of a business contract, whether written, electronic or oral, Ryor a.s. processes only the necessary data. This processing of personal data is legal processing. Ryor a.s. adheres to the purpose of the contract and processes only the personal data it needs to fulfil the purpose of the contract. The most common case is a business contract that results in the delivery of goods, and Ryor a.s. needs personal details of the subject - name, surname and address - for its fulfilment.

Ryor a.s. continually assesses newly emerging situations to see if the data processing interest is genuinely legitimate and for what purpose it is necessary to process personal data.

Access to data entrusted

Ryor a.s. declares that all data provided is properly managed and safe. Ryor a.s. ensured such technical and organisational safeguards for the data of its customers/business partners to prevent any unauthorised or accidental access to personal data or another misuse. Ryor a.s. places great importance on data protection. All relevant employees are bound by confidentiality and may not use the provided personal data for any purpose other than that to which they were made available to them.

Under certain but well-defined conditions, Ryor a.s. is required to pass on some personal data in accordance with applicable law, for example to the Police, the Customs Administration, the Tax Office and to other state authorities concerned.

Cookies

Cookies are stored on individual computers using web browsers. Ryor a.s does not collect cookies. Cookies do not serve to collect any personal data and therefore they do not pose any risk to our customers/business partners.

The legal basis for data processing

The lawfulness of the processing is determined by the valid legislation on the protection of personal data, which governs the processing, if it necessary for the fulfilment of the contract, of the Ryor a.s.’s legal obligation, for the protection of its legitimate interests or the processing takes place based on the consent provided by the Data Provider.

The lawfulness of the processing is also based, for example, on Act No. 563/1991 Coll., On Accounting, in accordance with which billing data are processed and stored, on Act No. 89/2012 Coll., the Civil Code, in accordance with which the administrator protects its legitimate interests or Act No. 235/2004 Coll., On Value Added Tax.

In order to ensure the utmost protection of the Data Provider's privacy, the Data Provider shall be entitled to object that his or her personal data are processed solely for the most imperative reasons of law or that personal data is blocked.

Right to information concerning the processing of personal data

You are entitled to request information from the administrator about whether personal data is processed or not. If personal data is processed, you are entitled to request information from the administrator, in particular concerning the identity and contact details of the administrator, its representative and, where applicable, of the personal data protection officer, the purposes of processing, categories of personal data concerned, recipients or categories of recipients of personal data, the source of processed personal data and the automated decision making and profiling.

If the administrator intends to process your personal data further for a purpose other than that for which it was obtained, it shall provide you with information about that other purpose and other relevant information prior to such further processing. The information provided to you under this paragraph is contained in this memorandum, but that does not prevent you from asking for it again.

Rights of the Data Provider

As regards the processing of personal data, Ryor a.s.’s Data Providers are entitled mto:

  • withdraw his/her consent at any time
  • correct or amend his/her data
  • require the restriction of the processing
  • in certain cases, to object to the processing
  • require data portability
  • access to personal data

In the event of an emergency occurring in connection with the loss of personal data, the Data Provider shall be entitled to be informed about a personal data breach.

Other rights set out in the Personal Data Protection Act and in the General Personal Data Protection Regulation No. 2016/679 after its entry into force.

Right to amendment

If, for example, a change occurred on the part of the Data Provider, such as a change of residence, phone number or other personally identifiable information, s/he shall be entitled to request the Administrator for the rectification of the processed personal data. In addition, you are also entitled to the completion of incomplete personal information, including by providing an additional statement.

Right of deletion

In certain specified cases, the Data Provider is entitled to require Ryor a.s. to delete his/her personal information. Such cases include, for example, that the data processed are no longer needed for the above-mentioned purposes.

Ryor a.s. will erase personal information after the processing time has expired automatically. The Data Provider is entitled, however, to contact Ryor a.s. with his/her request at any time. Such a request is then subject to an individual assessment by the relevant persons/authorities and the Data Provider will be informed by Ryor a.s. in detail about its processing.

Right to restricted processing

Ryor a.s. processes personal data only to the extent necessary. However, if the Data Provider would feel that Ryor a.s., for example, exceeds the above-mentioned purposes for which personal data is processed, a request may be made at any time for the Provider's personal data to be processed solely for the most imperative reasons of law or for personal data to be blocked. Such a request is then subject to an individual assessment by the relevant persons/authorities and the Data Provider will be informed by Ryor a.s. in detail about its processing.

Right to data portability

If the Data Provider wishes Ryor a.s. to provide his or her personal data to another administrator, or to another company, it passes his/her personal data in the appropriate format to the designated entity. All this under circumstances if Ryor a.s. will not be hindered by any legal or other significant obstacles.

Right to object and the automated individual decision-making

If the Data Provider discovers or just believes that Ryor a.s. performs personal data processing in violation of personal privacy or in violation of legal regulations, the Data Provider may contact Ryor a.s. and request the explanation or the remove of the resulting malfunction.

Right to file a complaint with the Office for Personal Data Protection

You may at any time file your complaint regarding the processing of your personal data WITH the Surveillance Authority, at the Personal Data Protection Authority, Pplk. Sochora 27, 170 00 Prague 7, website address https://www.uoou.cz/.

Right to withdraw the consent

You have the right to revoke your consent with personal data processing at any time, either by sending an appeal to Ryor a.s. Karlovarská 207, 273 51 Kyšice, Czech Republic, or by e-mail at gdpr@ryor.cz.

You are entitled to request information from the administrator about whether or not your personal data is processed and, if so, you have access to information on the processing purposes, categories of personal data concerned, recipients or categories of recipients, the period of retention of personal data, information about your rights (the right to require the administrator to correct or erase your data, restricted processing, object to such processing), the right to file a complaint to the Personal Data Protection Authority, information on the source of personal data, information on whether automated decision-making and profiling and information on the procedure utilised, as well as on the meaning and implications of such processing for you, information and warranties in the case of the transfer of personal data to a third country or international organisation. You are entitled to a copy of the processed personal data. The right to obtain this copy, however, must not adversely affect the rights and freedoms of other parties.

Passing data to a third party

In no event Ryor a.s. will transmit personal data to third parties with the exception when Ryor a.s. is required, within legal limits, to provide this data to government authorities, such as tax administrators, courts, law enforcement or similar bodies.

The retention time of data

Ryor a.s. will store customer data throughout the entire period of the purchase of goods and also for the duration of the utilisation of Company's services.

Customer/business partner's personal data will be processed and stored for at least the duration of the contract. Some personal data, necessary for tax and billing purposes, for example, will be retained for a longer period, usually 5 years starting with the year following the occurrence of the retained fact.

Customer data will be processed on the basis of the consent granted and will be retained for a defined period unless the customer's consent to the processing of personal data is revoked.

To this end, however, it is necessary to point out that after the termination of the customer relationship, the customer data will be retained for the necessary time determined by the relevant laws of the Czech Republic. These include primarily a consumer protection law and tax laws.

Data obtained from customers in relation a specific service provided by our company will be processed and stored only to the extent necessary for basic identification, such as name, telephone number, contact address or e-mail address.

Data processing without customer consent

Ryor a.s. processes personal data of its customers for legitimate interests. The actual conclusion of the business contract between Ryor a.s. and the customer emerges by the purchase of goods or by the provision of a service by the customer, with the contract also being represented by the use of the service or the sale of goods without any signature. Ryor a.s. is legally obliged to keep tax documents, electronic communication, etc…

Security of personal data

All personal data provided is protected by standard technologies and protection processes.

It is necessary to mention or to point out that it is not objectively possible, under any system, to fully guarantee the security of personal data.

However, Ryor a.s. is assuring that newly created protection processes and systems are and will be regularly reviewed to ensure that the system is free from vulnerabilities, that it is not attacked and that security measures adopted are regularly updated.

It should be noted that it is not possible to ensure the security of their data without the cooperation of customers/business partners and their responsibility. It is necessary to protect your unique passwords and to keep access data for Ryor a.s. services confidential. It is important to keep in mind that e-mails, chats, blogs, social networks are not necessarily encrypted and therefore it is not advisable to use these forms of communication when providing confidential information and personal data.

Revocation of the consent to the processing of personal data

Voluntary consent to the processing of personal data may be revoked by the data subject at any time either by sending an appeal to Ryor a.s. Karlovarska 207, 273 51 Kyšice, Czech Republic or by e-mail at gdpr@ryor.cz.

The revocation of the consent is without prejudice to the processing of legitimate personal data that is processed on a legal basis other than the consent (i.e., in particular if the processing is necessary for the fulfilment of the contract or of the legal obligations stated in the applicable legislation.

Non-disclosure of personal data

In the event that personal data will not be provided to Ryor a.s. and the transfer of certain personal data and its processing is legally required for the provision of services/sale of goods, it may be that Ryor a.s. will not be able to provide goods/services to its customers/business partners in full extent or quality.

In order to maximally protect your privacy, you are entitled to require that your personal data is processed solely for the most imperative reasons of law or that personal data is blocked.

This information memorandum provides the basic information we are required to provide as a personal data administrator.

If you have any questions about the processing of your personal data, please contact Ryor a.s. by e-mail at gdpr@ryor.cz or by phone at +420317 071 500. In all cases, you can contact us at our mailing address: Karlovarská 207, 273 51 Kyšice.