This privacy policy (the “Policy“) informs you how company SG Distribution s.r.o., ID: 17335108, with registered office at Varšavská 715/36, Vinohrady, 120 00 Praha 2, the Czech Republic, registered at the Municipal court of Prague C 370167 (hereinafter referred to as the “Company“), obtains, stores and further processes your personal data.

This Policy describes the purposes of the processing of personal data, the methods of processing, information about the individual categories of personal data processed, the potential recipients of personal data, the period of storage of personal data and your rights in relation to the protection of personal data.

This Policy also applies to the website https://cannalab.eu/ (the “Website“) operated by the Company.

The Company protects all personal data processed as strictly confidential and handles it in accordance with applicable and effective data protection laws. The security of your personal data is a priority for the Company.

General provisions

This Privacy Policy applies to:

  • the processing of personal data of visitors to the Website by the Company during their visit to the Website;
  • the processing of personal data of Company customers;
  • the processing of personal data in the performance of the Company’s legal obligations;
  • the processing of personal data that is necessary for the purposes of protecting the legitimate interests of the Company.

The purpose of this Policy issued by the Company in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27. April 2016, as amended (hereinafter referred to as “GDPR“), and in accordance with Czech Act No. 110/2019 Coll., on Personal Data Processing, as amended, is to provide information on what personal data the Company, as a personal data controller, processes about natural persons in the provision of its services and for what purposes and for how long the Company processes such personal data in accordance with applicable law, to whom and for what reason it may transfer such data, as well as to inform about what rights natural persons have in connection with the processing of their personal data and how they can exercise such rights.

This Policy is effective as of 1 June 2024 and is issued in accordance with the GDPR in order to comply with the Company’s information obligations as a controller under Articles 13 and 14 of the GDPR.

Personal data controller

The Company is a personal data controller within the meaning of Article 4(7) of the GDPR. The Company therefore collects, stores and uses (and otherwise processes) your personal data for the performance of its business activities (the individual purposes for which personal data is processed are defined in more detail below).

Data protection officer

The Company is not obliged to appoint a data protection officer. Thus, the Company has not appointed a data protection officer.

The Company, as data controller, can be contacted in writing at:

SG Distribution s.r.o.

Varšavská 715/36, Vinohrady

120 00 Praha 2

Czech Republic

Alternatively, at the following e-mail address: info@cannalab.eu or call at number +31203636796 from Monday to Friday, within business hours from 10:00 to 18:00.

PERSONAL DATA PROCESSED BY THE COMPANY

According to Article 4(1) of the GDPR, personal data is any information relating to an identified or identifiable natural person. The identified person in this case is:

  • visitors to the Website;
  • customers of the Company.

An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.

The following personal data may be processed by the Company.

  • Basic personal data

  • Name and surname;
  • Company name (if it includes the name of a natural person);
  • Address of residence, registered office, or place of business;
  • Identification number, VAT number.

  • Contact personal data

  • e-mail;
  • telephone number;
  • contact address.

  • Payment data

  • bank account number;
  • details of payments made;
  • other data from potential tax documents.

  • Record of written communication

This includes in particular personal data contained in email and written communications with the Company.

  • Purposes, method and period of time of processing the personal data

During the Company’s business activity of providing services to customers and visiting the Website, personal data of customers and visitors to the Website is processed.

When visiting the Website, cookies are processed, for more information on what cookies are used and how the Company processes them, please visit the Cookies section of the website https://cannalab.eu/.

Personal data of customers may be processed by the Company for the following legal reasons:

  • Performance of the contract

The Company enters into contracts with its customers on the basis of which the services offered by the Company are provided. From the point of view of fulfilling its contractual obligations, the Company therefore processes customers’ personal data primarily in order to comply with its contractual obligations towards its customers, which include customer care and support, notifying customers about changes to the services, etc.

The Company notifies its customers about changes to the provided services in order to fulfill its contractual obligations. The company does not send commercial e-mails within the meaning of Act No. 480/2004 Coll., on certain Information Society Services.

The personal data of customers is stored for the duration of the contractual relationship between the Company and the customer and for 36 months after its termination, unless otherwise stated below.

  • Performance of the legal obligations

The Company processes personal data in cases where it is necessary for the fulfilment of legal obligations imposed on the Company by the relevant legal regulations. In particular, this includes personal data through which the Company can demonstrate that it complies with the obligations imposed by the GDPR. For this purpose, the Company is entitled to retain personal data for the relevant legal period.

The Company also processes personal data to comply with tax and accounting regulations. This primarily involves storing invoices and other accounting documents. The documents are retained for a period of 10 years after the end of the financial year to meet the fiscal retention obligation.

  • Legitimate interest

The Company has a legitimate interest in continuously improving its services, for this reason the Company may analyze the behavior of its customers and visitors to the Website in order to continue to improve its offer.

Furthermore, the Company may process personal data in order to evaluate possible security risks and eliminate them in order to maintain the highest security standards of the Website.

The Company also processes personal data for the purpose of defending itself in the event of litigation.

For this purpose, the Company is entitled to retain personal data for the period of limitation pursuant to Act No. 89/2012 Coll., Civil Code, as amended (hereinafter referred to as the “Civil Code“).

  • Transfer of Personal Data to Third Parties

The Company uses the professional services of third parties in its business activities. If these third parties process personal data transmitted by the Company, they have the status of personal data processors and process personal data only in accordance with the instructions given to them by the Company and may not use it otherwise.

Specifically, these are:

  • external providers of tax consultancy and accounting services;
  • external providers of legal services;
  • external providers of marketing services;
  • external cloud service providers;
  • external software developers;
  • external providers of IT systems, network and hardware management services.

The Company has entered into personal data processing agreements with the processors of personal data referred to in the preceding paragraph which guarantee at least the same level of protection of personal data as this Policy.

The Company also transfers personal data to administrative authorities and other public authorities in the performance of its legal obligations, if such obligation is imposed on the Company by the relevant legislation. In particular, the Company may transfer any personal data referred to in this Policy to law enforcement authorities if they request it in accordance with the legislation governing criminal proceedings.

The Company does not transfer personal data outside the EU or to international organizations, nor does it make automated individual decisions.

  • Personal Data Security

The Company has put in place and maintains the necessary technical and organizational measures, internal control processes and information security measures in accordance with the best interests of its users, commensurate with the potential risk to data subjects. At the same time, the Company takes into account the state of technological development in order to protect personal data against accidental loss, destruction, alteration, unauthorized disclosure or access. These measures may include, but are not limited to:

  • taking reasonable steps to ensure the accountability of employees and members of the Company’s bodies and entities cooperating with the Company who have access to personal data;
  • training of Company staff;
  • regular data backups;
  • implementation of data recovery procedures;
  • establishing procedures in the event of security incidents;
  • Physical protection of devices on which personal data is stored;
  • software protection of devices on which personal data is stored.

Employees and members of the Company’s bodies and entities cooperating with the Company shall be bound by a duty of confidentiality with regard to all facts which come to their knowledge in the course of their activities for the Company, even after termination of their employment, membership of the Company’s bodies or cooperation with the Company. The signed declaration of confidentiality is part of the employment contract of the Company’s employee and of contracts concluded with members of the Company’s bodies and cooperating entities.

  • Rights Related to Personal Data Protection

If you exercise any of your rights listed below in Articles 8.1 to 8.8 of this Policy, or guaranteed to you by the relevant valid and effective legislation, the Company will subsequently inform you of the measures taken, where applicable, to delete your personal data or restrict the processing of your personal data, if this was the subject of your request. In addition, the Company will also notify to this effect any recipient of personal data to whom your personal data has been provided pursuant to Article 7 of this Policy, provided that such notification is possible and/or does not require disproportionate effort.

To exercise your rights and/or obtain relevant information, you may contact the Company by email at info@cannalab.eu or in writing at the address of the Company’s registered office as set out above in this Policy.

If you exercise your rights, the Company may require you to provide certain identifying information that you have previously provided to the Company. The provision of such data is necessary to verify that the relevant request was actually sent by the person whose personal data the Company processes.

The Company undertakes to send a reply or a statement no later than one month after receiving your request. In justified cases, the Company reserves the right to extend this period by up to two months.

  • Right to access to Personal Data

According to Article 15 of the GDPR, you have the right to access your personal data, which includes in particular the right to obtain from the Company:

  • confirmation of whether it processes your personal data;
  • information about the purposes of the processing of your personal data;
  • information about the categories of personal data processed;
  • information about the recipients to whom your personal data has been or will be disclosed;
  • information about the intended duration of the processing of your personal data;
  • information about the existence of the right to request from the Company the rectification or erasure of your personal data or the restriction of its processing or to object to such processing;
  • information about the right to lodge a complaint with a supervisory authority;
  • information about the source of the personal data, if not obtained from you;
  • information about whether you are the subject of a decision by the Company based solely on automated processing of your personal data, including automated profiling based on your personal data;
  • information about appropriate safeguards when your personal data is transferred outside the EU.

The Company will always provide the first copy of your personal data free of charge.

In the event of a repeated request, the Company is entitled to charge a reasonable fee for a copy of the personal data.

  • Right to Correction or completion of inaccurate Personal Data

According to Article 16 of the GDPR, you have the right to correct inaccurate personal data that the Company processes about you. Taking into account the purposes of the processing, you also have the right to complete incomplete personal data that the Company processes about you. The Company will carry out the rectification or completion without undue delay, but always taking into account its technical possibilities.

  • Right to Erasure of Personal Data

Pursuant to Article 17 of the GDPR, you have the right to have your personal data erased if the Company does not demonstrate legitimate grounds for processing such personal data. The Company declares that it has mechanisms in place to ensure the automatic anonymization or erasure of personal data in the event that they are no longer needed for the purpose for which they were processed or in the event that the period of processing of personal data set out in this Policy or by law has expired.

Right to Restriction of the Processing of Personal Data

According to Article 18 of the GDPR, if you dispute the accuracy of your personal data, the reasons for their processing, or object to their processing pursuant to Article 21(1) of the GDPR, you have the right to limit the processing of your personal data by the Company for the time necessary to verify the legitimacy of your complaint or objection.

Right to Personal Data Portability

According to Article 20 of the GDPR, you have the right to the portability of your personal data that you have provided to the Company in a structured, commonly used and machine-readable format. You also have the right to ask the Company to transfer your personal data to another controller in this context.

If the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.

Right to Object

According to Article 21 GDPR, you have the right to object to the processing of your personal data by the Company.

If the Company does not demonstrate that there is a compelling legitimate reason for processing your personal data that overrides your interests or rights and freedoms, the Company will terminate the processing of your personal data without undue delay based on your objection.

Right to withdraw consent for processing of personal data

If consent is given to the Company for the processing of personal data, it may be withdrawn at any time. Withdrawal of consent must be made by an express, intelligible, and specific expression of will, either in writing at the address of the Company’s registered office or via the e-mail address: info@cannalab.eu.

  • Right to lodge a complaint with the data protection authority

Data Subjects have the right to lodge a complaint regarding the processing of their personal data by the Company with the administrative authority listed below:

Úřad pro ochranu osobních údajů

Pplk. Sochora 727/27

170 00 Praha 7

Website of the authority: www.uoou.cz

Updates to the policy

The Company hereby notifies that it is entitled to modify or update this Policy. Any changes to this Policy will become effective upon posting on the Website.