Personal Data Protection

PROTECTION OF PERSONAL DATA AND COOKIE NOTICE

/ Principles and Information on the Protection of Personal Data

provided by the Controller to the Data Subject when obtaining personal data from the Data Subject and a cookie notice of the online store www.catus-airsoft.eu /

I. Controller

1.1. The identity and contact details of the Controller are:

Business name: Helena Žitňanová - CATUS Slovakia
Business address: 97405 Banská Bystrica, Zvolenská cesta 5579/46, Slovak Republic

Registered with the District Office Banská Bystrica, Trade Register Number 601-13554
Company ID: 40091911
Tax ID: 1020059282
VAT ID: SK1020059282
Bank account: SK37 1100 0000 0026 2875 6195

The Seller is a VAT payer.

1.2. The email and telephone contact information for the Controller is:

Email: obchod@catus.sk
Tel.: +421 48 413 15 24

1.3. The mailing address of the Controller for the delivery of correspondence is:

Helena Žitňanová – CATUS Slovakia
Zvolenská cesta 46, 974 05 Banská Bystrica, Slovak Republic

1.4. In accordance with Article 13(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “Regulation”), and also in accordance with Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Supplements to Certain Acts, as amended, and with Act No. 452/2021 Coll. on Electronic Communications, as amended, the Controller hereby provides the Data Subject (the Buyer), from whom the Controller (the Seller) collects personal data relating to them, with the following information, notices, and explanations:

II. References

2.1. These privacy principles and notices form an integral part of the General Terms and Conditions published on the Seller’s Website.

2.2. Pursuant to §3(1)(n) of Act No. 102/2014 Coll., the Seller informs the consumer that there are no specific relevant codes of conduct to which the Seller has committed to adhere. A code of conduct shall mean an agreement or set of rules that define the behavior of the seller, who has undertaken to comply with such a code in relation to one or more particular business practices or business sectors, provided that these are not established by law, other legal regulations, or a public authority measure. The Seller has not committed to such codes of conduct, and the consumer is informed that no such codes are available for review or access

III. Personal Data Protection and Use of Cookies. Explanation and Clarification of Cookies, Scripts, and Pixels

3.1. The Controller of the website provides this brief explanation of the function of cookies, scripts, and pixels:

3.1.1. Cookies are text files that contain a small amount of information and are downloaded to your device when you visit a website. These files allow the website to remember your actions and preferences (such as login name, language, font size, and other display settings) over a period of time, so you do not have to re-enter them each time you visit the website or browse its pages.

A script is a part of programming code used to ensure proper and interactive functioning of websites. This code runs on the Controller’s server or on your device.

A pixel is a small, invisible text or image element on a website used to monitor website traffic. To do this, various data is stored via pixels.

3.1.2. Cookies are categorized as follows:

Technical or functional cookies – ensure the proper functioning of the Controller’s website and its usability. These cookies are used without consent.

Statistical cookies – the Controller collects statistics regarding the use of its website. These cookies are used only with consent.

Marketing / Advertising cookies – used for creating advertising profiles and similar marketing activities. These cookies are used only with consent.

3.2. How to control cookies:

3.2.1. You can control and/or delete cookies at your discretion – see details at aboutcookies.org. You can delete all cookies stored on your computer or other device, and most browsers can be set to prevent cookies from being stored.

3.3. The Controller’s website uses the following cookies:

All cookies used by the Controller can be found at https://www.cookieserve.com by entering the Controller's web address: https://www.catus.sk

Technical or functional cookies – accessed by the website Controller. Duration: 2 years.

Statistical cookies – accessed by the website Controller. Duration: 2 years.

Marketing and advertising cookies – accessed by the website Controller. Duration: 2 years.

3.3.1. Cookies shared with third parties:

Google Analytics, Google Ads:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
For more information on privacy protection, see:
https://support.google.com/analytics/topic/2919631?hl=en&ref_topic=1008008

META Pixel (Facebook):
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
For more information on privacy protection, see:
https://www.facebook.com/about/privacy/

IV. Processed Personal Data

4.1. The Controller processes the following personal data on its website:
first name, last name, residence address, email address, landline phone number, mobile phone number, billing address, delivery address, data obtained from cookies, IP addresses.

V. Contact Details of the Data Protection Officer

5.1. The Controller has appointed a Data Protection Officer in accordance with Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Contact:
Email: obchod@catus.sk
Phone: +421 48 413 15 24

5.2. The Controller is also the Seller as defined in the General Terms and Conditions of this website.

VI. Purposes of Processing Personal Data of the Data Subject and Duration of Processing

6.1. The purposes of processing personal data of the Data Subject are in particular:

6.1.1. Registration, creation, and processing of contracts and client data for the purpose of entering into contracts with third parties.

6.1.2. Processing of accounting documents and documents related to the Controller’s business activities.

6.1.3. Compliance with legal regulations related to the archiving of documents and records, for example under Act No. 431/2002 Coll. on Accounting, as amended, and other relevant regulations.

6.1.4. Activities of the Controller in connection with fulfilling a request, order, contract, or similar arrangements of the Data Subject.

6.1.5. Newsletters, marketing, and similar promotional activities of the Controller, in cases where the Data Subject has given consent for such marketing and promotional activities.

6.2. The Controller retains the personal data of the Data Subject only for the time strictly necessary to fulfill the contract and for subsequent archiving according to the legal periods required by applicable regulations. If the Data Subject has consented to receiving marketing emails and similar offers, their personal data will be processed for such purposes until the consent is withdrawn, but no longer than 10 years.

VII. Legal Basis for Processing Personal Data of the Data Subject

7.1 In cases where the Controller processes personal data based on the consent of the Data Subject, such processing will commence only after the Data Subject has given their consent.

7.2 In cases where the Controller processes the personal data of the Data Subject for the purpose of negotiating pre-contractual relationships, concluding, and fulfilling a purchase contract, and for the related delivery of goods, products, or services, the Data Subject is obliged to provide personal data for the proper fulfillment of the purchase contract. Otherwise, it is not possible to ensure the fulfillment. Personal data for this purpose are processed without the consent of the Data Subject.

VIII. Recipients or Categories of Recipients of Personal Data

8.1 Recipients of the Data Subject’s personal data will be or may at least include:

8.1.1 Statutory bodies or their members of the Controller.

8.1.2 Persons performing work activities under an employment or similar relationship for the Controller.

8.1.3 Sales representatives of the Controller and other persons cooperating with the Controller in fulfilling the Controller’s tasks. For the purposes of this document, all natural persons performing dependent work for the Controller based on an employment contract or agreements on work performed outside an employment relationship shall be considered employees of the Controller.

8.1.4 Recipients of the Data Subject’s personal data will also include the Controller’s collaborators, business partners, suppliers, and contractual partners, in particular: accounting companies, companies providing services related to software development and maintenance, companies providing legal services to the Controller, consulting companies, companies providing transport and delivery of products to buyers and third parties, marketing companies, companies operating social networks, companies providing payment gateways and other payment methods.

8.1.5 Recipients of personal data will also include courts, law enforcement authorities, the tax office, and other state authorities if required by law. In such cases, the personal data will be provided by the Controller to these authorities and state institutions based on and in accordance with the legal regulations of the Slovak Republic.

8.1.6. List of third parties – processors and recipients who process the Data Subject’s personal data:

Slovenská pošta, a.s., Partizánska cesta 9, 975 99 Banská Bystrica, Slovakia, Company ID: 36631124 – third party providing transport services

Direct Parcel Distribution SK, s.r.o., with registered office at Technická 7, 82104 Bratislava, Slovakia ID: 35834498 – third party providing transport services

Packeta Slovakia s. r. o., with registered office at Kopčianska 3338/82A, 851 01 Bratislava, Slovakia ID: 48136999 – third party providing transport services

STRIPE PAYMENTS EUROPE, LIMITED, C/O A & L Goodbody, IFSC, North Wall Quay, Dublin, D01 H104, Ireland – third party providing payment gateway services

PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449, LUXEMBOURG, Luxembourg – third party providing payment gateway services

Ecomail.cz, Na Zderaze 1275/15, 120 00 Prague 2, Czech Republic – third party providing technology and cloud services

Hríbik Dušan, Ing. ANTE, Zvolenská cesta 111, Banská Bystrica 97401, Slovakia – third party providing accounting services

Internet Mall Slovakia s.r.o., Galvaniho 6, 821 04 Bratislava – Ružinov district, Slovakia – third party providing goods sales services

Heureka Shopping s.r.o., Karolinská 650/1, 186 00 Prague 8 – Karlín, Czech Republic, ID: 02387727 – third party providing customer satisfaction monitoring of the website and operating the “Verified Customers” service

8.2. The Operator of the online store collects satisfaction with purchases through email questionnaires as part of the “Verified Customers” program, in which the Operator’s online store participates. The Operator sends the Data Subject – Buyer an email questionnaire each time the Data Subject – Buyer makes a purchase from the Operator’s online store, unless the Data Subject – Buyer refuses the sending of electronic mail for direct marketing purposes according to Act no. 452/2021 Coll., as amended.

The processing of personal data for the purpose of sending questionnaires within the “Verified Customers” program is carried out by the Operator based on its legitimate interest, which lies in measuring the satisfaction of the Data Subject – Buyer with the purchase through the Seller’s online store.

For sending questionnaires, evaluating the Data Subject’s – Buyer’s feedback, and market position analyses, the Operator uses a data processing intermediary, which is the operator of the Heureka.sk portal. For these purposes, the Operator may transfer information about the purchased goods and the email address of the Data Subject – Buyer.

The Data Subject’s – Buyer’s personal data are not disclosed to any third party for their own purposes in connection with sending email questionnaires.

The Data Subject – Buyer may object to receiving email questionnaires within the “Verified Customers” program at any time by refusing further questionnaires via the link provided in the questionnaire email. Upon objection, the Operator will no longer send the questionnaire to the Data Subject – Buyer.

IX. Information on the transfer of personal data to third countries and the retention period:

9.1. Not applicable. The Operator does not transfer personal data of individuals to third countries.

X. Information about the existence of relevant rights of the Data Subject

10.1. The Data Subject has, among others, the following rights:

10.1.1. The provisions of point 10.1 do not affect any other rights of the Data Subjects.

10.1.2. The right of the Data Subject to access data pursuant to Article 15 of the Regulation, which includes:

the right to obtain from the Controller confirmation as to whether personal data concerning the Data Subject are being processed, and if so, to what extent,

the right to know the content of the personal data and to request information from the Controller about the reasons for processing, in particular information about: the purpose of processing, categories of personal data concerned, recipients or categories of recipients to whom the personal data have been or will be disclosed, especially in the case of recipients in third countries or international organizations, the expected storage period or, if not possible, the criteria used to determine that period, the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing, the right to object to such processing, the right to lodge a complaint with a supervisory authority, information about the source of the data if not obtained directly from the Data Subject, the existence of automated decision-making including profiling as per Article 22 paragraphs 1 and 4 of the Regulation, and in those cases, at least meaningful information about the logic involved and the significance and envisaged consequences of such processing for the Data Subject,

appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer of personal data, if the personal data are transferred to a third country or international organization.

10.1.3. The right to obtain a copy of the personal data undergoing processing, provided that the exercise of this right does not adversely affect the rights and freedoms of others.

10.1.4. The right of the Data Subject to rectification pursuant to Article 16 of the Regulation, which includes:

the right to have inaccurate personal data concerning the Data Subject corrected without undue delay,

the right to have incomplete personal data completed, including by means of providing a supplementary statement by the Data Subject.

10.1.5. The right to erasure of personal data (the “right to be forgotten”) pursuant to Article 17 of the Regulation, which applies if one of the following grounds is met:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,

the Data Subject withdraws consent on which the processing is based and there is no other legal ground for processing,

the Data Subject objects to processing pursuant to Article 21 paragraph 1 of the Regulation and there are no overriding legitimate grounds for the processing,

the personal data have been unlawfully processed,

the personal data must be erased to comply with a legal obligation under the law of the European Union or the Member State to which the Controller is subject,

the personal data were collected in relation to the offer of information society services to a child according to Article 8 paragraph 1 of the Regulation.

10.1.6. The right for the Controller who has made personal data of the Data Subject public, taking into account the available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform other Controllers processing the personal data that the Data Subject requests them to erase all links to, copies of, or replicas of those personal data. However, the right to erasure of personal data under Article 17 paragraphs 1 and 2 of the Regulation does not arise if processing is necessary for:

10.1.7. Exercising the right of freedom of expression and information.

10.1.8. Compliance with a legal obligation under the law of the European Union or the law of a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

10.1.9. Reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the Regulation.

10.1.10. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) of the Regulation, insofar as the right under Article 17(1) of the Regulation is likely to render impossible or seriously impair the achievement of the objectives of such processing, or for the establishment, exercise, or defense of legal claims.

10.1.11. The right of the Data Subject to restriction of processing pursuant to Article 18 of the Regulation, which includes:

10.1.12. The right to obtain restriction of processing when one of the following applies:

The accuracy of the personal data is contested by the Data Subject, during the period enabling the Controller to verify the accuracy of the personal data.

Processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests restriction instead.

The Controller no longer needs the personal data for processing purposes, but the Data Subject requires them for the establishment, exercise, or defense of legal claims.

The Data Subject has objected to processing pursuant to Article 21(1) of the Regulation, pending verification whether the legitimate grounds of the Controller override those of the Data Subject.

10.1.13. The right that, in cases where processing has been restricted, such personal data shall only be processed, apart from storage, with the consent of the Data Subject or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

10.1.14. The right to be informed before the lifting of the restriction on processing.

10.1.15. The right of the Data Subject to the notification obligation towards recipients according to Article 19 of the Regulation, which includes: the right that the Controller informs each recipient to whom personal data have been disclosed of any rectification, erasure, or restriction of processing carried out pursuant to Articles 16, 17(1), and 18 of the Regulation, unless this proves impossible or involves disproportionate effort; and the right that the Controller informs the Data Subject about those recipients if the Data Subject requests it.

10.1.16. The right of the Data Subject to data portability pursuant to Article 20 of the Regulation, which means: the right to receive personal data concerning the Data Subject, which the Data Subject has provided to the Controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another Controller without hindrance by the Controller, if:

a) the processing is based on the Data Subject’s consent according to Article 6(1)(a) or Article 9(2)(a) of the Regulation, or on a contract according to Article 6(1)(b) of the Regulation, and simultaneously

b) the processing is carried out by automated means, and simultaneously:

10.1.17. The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit those data to another Controller without hindrance, provided that this right does not adversely affect the rights and freedoms of others;

10.1.18. The right to have personal data transmitted directly from one Controller to another, if technically feasible;

10.1.19. The right of the Data Subject to object pursuant to Article 21 of the Regulation, which includes:

10.1.20. The right to object at any time on grounds relating to the Data Subject’s particular situation to processing of personal data concerning them that is carried out based on Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions;

10.1.21. In the exercise of the right to object under 10.1.20, the right that the Controller no longer processes the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims;

10.1.22. The right to object at any time to processing of personal data concerning the Data Subject for direct marketing purposes, including profiling to the extent that it is related to such direct marketing; whereupon personal data shall no longer be processed for such purposes;

10.1.23. In connection with the use of information society services, the right to exercise the right to object by automated means using technical specifications;

10.1.24. The right to object on grounds relating to the Data Subject’s particular situation to processing of personal data concerning the Data Subject carried out for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, except where processing is necessary for the performance of a task carried out for reasons of public interest;

10.1.25. The right of the Data Subject relating to automated individual decision-making according to Article 22 of the Regulation, which means:

10.1.26. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects them, except in cases according to Article 22(2) of the Regulation [i.e., except where the decision is: (a) necessary for entering into, or performance of, a contract between the Data Subject and the Controller,

10.1.27. permitted by Union or Member State law to which the Controller is subject, with appropriate safeguards to protect the Data Subject’s rights and freedoms and legitimate interests, or (c) based on the Data Subject’s explicit consent].

XI. Instruction on the Data Subject’s right to withdraw consent to the processing of personal data:

11.1. The Data Subject has the right to withdraw their consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The Data Subject may withdraw their consent to the processing of personal data at any time — either in full or partially. Partial withdrawal of consent may relate to a specific type of processing operation(s), while the lawfulness of processing for the remaining processing operations remains unaffected. Partial withdrawal of consent may also relate to a specific purpose or certain specific purposes of personal data processing, while the lawfulness of processing for other purposes remains unaffected.

The right to withdraw consent to personal data processing may be exercised by the Data Subject in writing, addressed to the Controller’s registered office as recorded in the trade register at the time of withdrawal, or electronically via electronic means (by sending an email to the Controller’s email address provided in the identification of the Controller in this document)

XII. Instruction on the Data Subject’s right to lodge a complaint with the supervisory authority:

12.1. The Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data concerning them violates the Regulation. This is without prejudice to any other administrative or judicial remedies.

The Data Subject has the right to be informed by the supervisory authority to which the complaint was submitted about the progress and outcome of the complaint, including the possibility of seeking a judicial remedy under Article 78 of the Regulation.

12.2. The supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, Slovak Republic. Tel.: +421 2 3231 3214, Email: statny.dozor@pdp.gov.sk

XIII. Information related to automated decision-making, including profiling:

13.1. Since, in the case of the Controller, the processing of the Data Subject’s personal data does not involve automated decision-making including profiling as referred to in Article 22(1) and (4) of the Regulation, the Controller is not obliged to provide the information referred to in Article 13(2)(f) of the Regulation, i.e., information about automated decision-making including profiling and the applied procedure, as well as the significance and the envisaged consequences of such processing of personal data for the Data Subject. This does not apply.

XIV. Final provisions

14.1. These Privacy Policy and instructions on personal data protection and cookies constitute an integral part of the General Terms and Conditions and the Complaint Procedure. The documents — General Terms and Conditions and Complaint Procedure of this Website — are published on the domain of the Seller’s Website.

14.2. These Privacy Policy provisions shall become valid and effective upon their publication on the Seller’s Website from July 1, 2024.