Generally, we need to process personal data in order to:
At EUROWAG we process your personal data for the following purposes of processing and based on the following legal grounds. When doing so, EW entities act as joint controllers within the meaning of Article 26 GDPR.
In the table below is also a general information of how long we store and process your personal data. These are general retention periods that may be shortened if the data is no longer necessary for the purposes or prolonged, if it is required by law or our legitimate interests.
More detailed description of the purposes and legitimate interest we pursue can be found here.
 The essence of our joint controller arrangement at EUROWAG is follows: (i) the GDPR and ePrivacy related compliance agenda is subject to the oversight and advice of the Group DPO who handles all data subject requests with the help of local personnel; (ii) all purposes in this Group Privacy Notice are joint purposes of all EW entities meaning that all entities are entitled to process the same personal data jointly, but based on a strict „necessary“ principle; (iii) the necessary principle allows sharing of any personal data processing for the purposes designated herein between any EW entities provided it is necessary; (iv) each EW entity may process its own personal data for its own purposes that not joint purposes, but must inform Group DPO and data subjects about such processing in line with Article 13 and 14 of the GDPR.
Below you can find the overview:
The list of legitimate interests pursued by Eurowag is as follows:
Where the law requires us to use consent instead of legitimate interest in any of the above cases, we rely on consent.
Detailed description of legitimate interests we pursue and their relevance to the purposes of processing can be found here.
Generally, we collect your personal data directly from you. In this case provision of personal data is voluntary. You can provide your personal data to us by different means and ways.
However, we may also obtain your personal information from other sources (e.g. our processors, other third parties or public registers). You can find more information in the table below.
There are several legal regulations that oblige us to collect and process certain personal data about you. This is in particular the obligation the prevent, control, evaluate and detect money laundering, processing of accounting and tax information and fulfilling the purpose of security of personal data and IT systems.
If the collection of personal data relates to a contractual relationship it is often a contractual requirement or a requirement that is necessary for the conclusion of a contract. Failure to provide personal data (whether yours or your colleagues') may result in failure to conclude or performance of a contractual relationship with the company you represent.
When the legal ground for processing your personal data on individual purpose is consent, the provision of your personal data is strictly voluntary and failure to provide it will not have any negative effect or consequences on you.
We take the confidentiality of your personal data very seriously and have internal policies in place to ensure that your data is only shared with authorised personnel at EUROWAG or a verified third party.
Our staff might have access to your personal data on a strictly need-to-know basis typically governed and limited by function, role and department. We also ensure that selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR or other national law.
Necessary personal data of our clients, business partners or other natural persons are provided to the following categories of recipients:
If public authorities ask us to provide your personal data, we will review the statutory conditions for accepting the request and ensure that we will not comply with the request if the conditions are not met.
In case that you have a question about our current processors, do not hesitate to contact our DPO for further information.
By default, we do not transfer personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein) unless it is necessary. For example, when we provide services for our customers we can use our establishments and business partners from Turkey, Bosnia and Herzegovina, Montenegro, Russia, Ukraine, North Macedonia or Serbia. We can also use various cloud services and social network services provided by multiple providers from the USA.
Although we have never noted any problem with the misuse of any personal data in these countries, according to the European Commission’s decisions, these countries are considered not to guarantee an adequate level of protection (of personal data) and therefore we have to proceed on the basis of the adequate safeguards under Article 46 GDPR or on the basis of the exceptions for specific situations under Article 49 GDPR. That is why we conclude Standard Contractual Clauses approved by the European Commission with data importers in a third country.
In light of the judgment Court of Justice of the EU in the Schrems II case of 16 July 2020, we also apply additional safeguards in relation to transfers to the USA, if we cannot rely on new Data Privacy Framework importer certification. In case the importer is certified, we may transfer your personal data, based on EU-US Commission’s adequacy decision in compliance with Article 45 GDPR requirements, without adopting any other measures.
In some cases, yes. We have identified certain processing operations that likely falls under “automated individual-decision making including profiling” within the meaning of Article 22 GDPR, which are described below:
*We have also identified certain processing operations that are less likely to fall under the Article 22 GDPR, but we inform about these cases anyway.
We would like to bring the following rights to your attention predominantly:
"You also have the right to object to the processing of your personal data on the basis of the legitimate interests (we follow, as explained above) and on the legal basis of a public interest.”
"If we process your personal data on the basis of consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.”
“You have the right to effectively object to the processing of personal data for direct marketing purposes, including profiling.”
In addition, the GDPR provides you with a number of data subject rights as well as conditions for their exercise. While some rights are “automatic” such as consent withdrawal or direct marketing objection, some rights are not as they are linked to specific conditions that might not be met in every case. It is the role of our authorised staff, overseen by the DPO, to properly assess your request and inform you in a timely manner, usually within one month (period which can be prolonged).
You also have a right to file a complaint to the relevant data protection supervisory authority or apply for judicial remedy. Please note that leading supervisory authority according to place of the main establishment for EUROWAG is the Office for Protection of Personal Data of the Czech republic (www.uoou.cz), but you can also enforce your rights with help of any concerned supervisory authority from country where EW entities operates and is for you more suitable because of language or distance. More information about supervisory authorities of EEA states you can find here.
We respect standard GDPR rights to all data subjects whose personal data we process within EUROWAG worldwide. Therefore, all data subjects, regardless of the country of operation, will therefore be granted with GDPR rights, which will be additionally supplemented by specific rights according to national third country law.
In this context, please take into your account that some rights in third countries may not be practically exercised due the reasons beyond our control (e.g. right to portability or right to be forgotten).
Please read relevant privacy policies to better understand processing of your personal data by social media platforms providers (e.g. Facebook, Google or LinkedIn), who are separate controllers. We only have a typical admin control over the personal data processed by us via our own company profile.
EUROWAG is responsible for processing your data only to a certain extent, for example if you visit our profile, if we communicate with each other on a social network or if we target you with advertising on social networks. On our profiles on social networks, we can process your personal data and cookies for marketing or statistical purposes together with relevant providers of social networks such as joint controllers in the sense of GDPR. Typically, when we use page insights services to our fan page. Therefore we are obliged to inform you about the basic parts of the agreements that we concluded according to Art. 26 GDPR:
In case when we use paid targeted ads campaign services provided by social network providers, we use them as our processors based on concluded Data Protection Addendums.
Generally, we need to process personal data in order to:
Data protection and privacy compliance is not a one-off obligation for us but an ongoing effort. Therefore, information we provide in this notice may change or cease to be relevant. From these reasons we may change this Group Privacy Notice from time to time by posting the most current version on our website. In case we change this Group Privacy Notice substantially, we would bring such changes to your attention by explicit notice, on our websites or by email or by in-app activity such push notification.
Created by December 2023