PROTECTION OF PERSONAL DATA AND COOKIE NOTICE

/ Principles and information on the protection of personal data

provided by the Controller to the Data Subject at the time of obtaining personal data from the Data Subject and Cookie Notice of the online store www.titzmach.com /

Controller

1.1. The identity and contact details of the Controller are:

Business name: Mária Lazarová
Place of business: Žitavská 175/17, 95197, Žitavany, Slovak Republic

Registered in the Trade Register: District Office Nitra, Trade Register No.: 430-71623
Company ID: 56974426

Tax ID: 1123037025
Bank account: SK59 0900 0000 0052 3357 1085

The Seller is not a VAT payer.

1.2. The Controller’s email and phone contact:
Email: [email protected]
Phone: +421 940 350 526

1.3. Address of the Controller for correspondence:
Mária Lazarová, Žitavany, Žitavská 175/17, 95197, Slovak Republic

1.4. Information for the Data Subject

The Controller hereby, in accordance with:

  • Article 13 (1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),

  • Act No. 18/2018 Coll. on the Protection of Personal Data as amended,

  • Act No. 452/2021 Coll. on Electronic Communications as amended,

provides the Data Subject (the Buyer), from whom personal data are collected, with the following information, instructions, and explanations regarding the processing of personal data:

References

2.1. These Privacy Principles and Instructions form an integral part of the General Terms and Conditions published on the Seller’s website.

2.2. The Seller hereby informs the consumer that there are no special codes of conduct to which the Seller has committed.

A code of conduct according to Act No. 108/2024 Coll. on Consumer Protection means an agreement or a set of rules defining the Seller’s conduct in relation to one or more commercial practices or sectors, if such rules are not established by law, another legal regulation, or a public authority measure.

The consumer has the right to request information about the existence of such codes of conduct or to request their wording if they exist.

III. Protection of personal data and use of cookies. Information and explanation of cookies, scripts, and pixels

3.1.1. Explanation of functions

Cookies
Cookies are small text files stored on your device when you visit a website. They allow the website to retain information about your preferences and settings (e.g., language, login details, font size, display preferences), so you don’t have to enter them again during subsequent visits.

Scripts
A script is a piece of program code that ensures the proper functioning and interactivity of websites. Scripts can run either on the Controller’s server or directly on your device.

Pixels (tracking pixels)
A pixel is a small, usually invisible image or code on a website that serves to monitor traffic and user behavior. Pixels enable the collection of anonymized data about user interactions with the site, such as visit counts, page views, or ad effectiveness.

3.1.2. Types of cookies
Cookies are classified by purpose as follows:

  • Necessary cookies – required for the proper functioning of the website.

  • Performance (analytical) cookies – used to measure website traffic and performance (e.g., Google Analytics).

  • Functional cookies – store user preferences, such as language or display settings.

  • Marketing cookies – used to display personalized ads and track the effectiveness of marketing campaigns (e.g., Google Ads, Facebook Pixel).

3.3. Cookies used
The Controller’s website uses the following types of cookies:

  • Technical or functional cookies – ensure the correct operation of the website and retention of user preferences. Retention period: 2 years.

  • Statistical cookies – allow the Controller to collect anonymized data on website traffic and user behavior. Retention period: 2 years.

  • Marketing and advertising cookies – used to display personalized ads and track marketing campaign effectiveness. Retention period: 2 years.

All cookies used by the Controller can be found and checked at https://www.cookieserve.com/ by entering the Controller’s website address: https://www.titzmach.com.

3.3.1. Cookies accessible to third parties
Google Analytics, Google Ads
The Controller uses the services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
More information about privacy and data processing: https://support.google.com/analytics/topic/2919631?hl=en&ref_topic=1008008.

Processed personal data:
The Controller and third parties process anonymized and pseudonymized data about website visits, such as: partially anonymized IP address, date and time of visit, visited pages, browser type, browser language, and other technical information necessary for analytics and marketing.

User consent and rights:
The user may withdraw consent to the processing of cookies at any time or adjust their preferences through the website’s cookie settings or browser settings.

Processed personal data

4.1. Scope of processed data

On its website, the Controller processes the following personal data of Data Subjects (Buyers and visitors):

  • Identification data: first name, surname

  • Contact details: email address, mobile and landline numbers

  • Address details: residence, billing address, delivery address

  • Technical data: IP address, data obtained from cookies and other tracking technologies

  • Other data necessary for orders or communication with the Controller

These data are processed only to the extent necessary to fulfill the purposes, such as concluding and performing the purchase contract, delivering goods, handling complaints, and fulfilling the Controller’s legal obligations.

Contact details of the Data Protection Officer

5.1. Appointment of the DPO
In accordance with Regulation (EU) 2016/679 (GDPR), the Controller has appointed a Data Protection Officer (DPO), who supervises the proper processing of personal data, ensures compliance with data protection legislation, and serves as a contact point for data subjects and supervisory authorities.

Contact:
Email: [email protected]
Phone: +421 940 350 526

5.2. The Controller is also the Seller as defined in the General Terms and Conditions of this website.

Purposes of Processing Personal Data of the Data Subject and Duration of Processing

6.1 Purposes of Processing Personal Data of the Data Subject

The personal data of the Data Subject (Buyer or Visitor) are primarily processed for the following purposes:

  • Record-keeping and processing of contracts and client data – for the purpose of concluding contracts with third parties and duly fulfilling contractual obligations.

  • Processing of accounting documents and related records – necessary for the accounting and business activities of the Controller.

  • Compliance with legal obligations – including archiving of documents in accordance with Act No. 431/2002 Coll. (Accounting Act) and other relevant legal regulations.

  • Fulfilment of requests, orders, and contracts – ensuring the proper processing of orders, deliveries, and related services for the Data Subject.

  • Marketing and newsletters – sending marketing and promotional materials, including newsletters, only with the explicit consent of the Data Subject.

6.2 Duration of Processing Personal Data

The personal data of the Data Subject are stored only for the period necessary to fulfil the purpose, e.g., delivery of goods, handling of complaints, or accounting obligations.

After the purpose has been fulfilled, the data are archived in accordance with statutory deadlines prescribed by legal regulations.

Data processed for marketing purposes are stored only until the consent of the Data Subject is withdrawn, but for no longer than 10 years from the granting of consent.

VII. Legal Basis for Processing Personal Data of the Data Subject

7.1 Processing Based on Consent
If the Controller processes personal data of the Data Subject on the basis of their explicit consent (e.g., for marketing purposes or newsletter distribution), the processing begins only after such consent has been granted by the Data Subject.

7.2 Processing Necessary for Performance of a Contract
If the Controller processes the personal data of the Data Subject for the purposes of pre-contractual relations, conclusion, and performance of a purchase agreement, including delivery of goods, products, or services, the Data Subject is required to provide such data.

Without providing such data, the proper performance of the contract and delivery of goods or services is not possible.

Personal data processed for this purpose do not require the explicit consent of the Data Subject, as the processing is necessary for the performance of a contract (pursuant to GDPR, Article 6(1)(b)).

VIII. Recipients or Categories of Recipients of Personal Data

8.1 Recipients of the Data Subject’s Personal Data
The personal data of the Data Subject may be provided or made available to the following categories of recipients:

  • Statutory bodies and their members of the Controller – persons responsible for the management and control of the e-shop operation.

  • Employees and co-workers of the Controller – persons carrying out work activities under an employment contract, work performance agreement, or work activity agreement.

  • Sales representatives and external associates – persons cooperating with the Controller in fulfilling its business and operational tasks.

  • External partners and service providers – in particular:

    • accounting companies,

    • companies providing software development and maintenance,

    • legal and consulting companies,

    • shipping companies ensuring delivery of products,

    • marketing agencies and operators of social networks,

    • payment gateway providers and other payment methods.

  • State authorities and institutions – courts, law enforcement authorities, tax offices, and other state bodies, only if required by law or other legal regulation. The Controller provides this data in accordance with the legal regulations of the Slovak Republic.

List of Third Parties – Processors and Recipients of Personal Data
The Controller publishes a list of third parties that may process the personal data of the Data Subject for the purpose of fulfilling contracts, delivering goods, or providing the Controller’s services:

  • Direct Parcel Distribution SK, s.r.o.
    Company ID: 35 834 498
    Address: Pri letisku 5, 821 04 Bratislava, Slovak Republic
    Purpose: provision of transport services

  • Packeta Slovakia s.r.o.
    Address: Kopčianska 3338/82A, 851 01 Bratislava – Petržalka
    Purpose: provision of transport services

  • General Logistics Systems Slovakia s.r.o.
    Address: Budča 1039, 962 33 Budča, Slovak Republic
    Purpose: provision of transport services

  • Zásilkovna s.r.o.
    Address: Českomoravská 2408/1a, 190 00 Prague – Libeň, Czech Republic
    Company ID: 28408306
    Purpose: provision of transport services

  • DPD-služby, s.r.o.
    Address: Hvozdnice 140, 252 05 Hvozdnice, Czech Republic
    Company ID: 25131036
    Purpose: provision of transport services

  • Heureka Shopping s.r.o.
    Address: Karolinská 650/1, 186 00 Prague 8 – Karlín, Czech Republic
    Company ID: 02387727
    Purpose: customer satisfaction monitoring and provision of the “Verified by Customers” service

Note: These third parties process personal data only to the extent necessary for the performance of their services and in compliance with GDPR. The Controller is responsible for ensuring that the processing is lawful and secure.

8.2 Customer Satisfaction Surveys
The e-shop operator monitors the satisfaction of the Data Subject (Buyer) with the purchase via email questionnaires within the “Verified by Customers” program, in which the e-shop participates.

The questionnaire is sent only if the Data Subject has not refused to receive electronic mail for direct marketing purposes in accordance with Act No. 452/2021 Coll. and GDPR.

The processing of personal data for the purpose of sending questionnaires is carried out on the basis of the Controller’s legitimate interest, which is to assess customer satisfaction with the purchase and improve service quality.

For the evaluation of feedback and satisfaction analysis, the Controller uses a data processor – the operator of the Heureka.sk portal. The Controller may provide the processor with information about the purchased goods and the Buyer’s email address.

The Buyer’s personal data are not provided to any third party for its own purposes when sending questionnaires.

The Buyer may refuse further questionnaires at any time by clicking the link in the email with the questionnaire. After such objection, no further questionnaires will be sent.

Information on Transfer of Personal Data to Third Countries and Duration of Storage

9.1 Transfer of Personal Data to Third Countries
The Controller does not provide or transfer the personal data of Data Subjects to third countries (outside the EU and EEA).

9.2 Duration of Personal Data Storage
Personal data processed for the purpose of fulfilling a contract are stored for the period necessary for contract performance and subsequent archiving in accordance with statutory deadlines.

Personal data processed for marketing purposes (e.g., sending newsletters or satisfaction surveys) are stored only until the Data Subject withdraws consent, but for no longer than 10 years.

Instruction on the Existence of Relevant Rights of the Data Subject

10.1 General Rights
The Data Subject, among others, has the rights listed below.

10.1.1 Section 10.1 does not limit other rights of Data Subjects under applicable legislation.

10.1.2 Right of Access to Personal Data
Pursuant to Article 15 of the Regulation (GDPR), the Data Subject has the right to obtain confirmation from the Controller as to whether their personal data are being processed. If so, they have the right to obtain information about:

  • the content of processed personal data,

  • the reason for their processing,

  • categories of processed personal data,

  • recipients or categories of recipients to whom the data have been or will be disclosed, including recipients in third countries or international organizations,

  • the envisaged period of storage of personal data or criteria used to determine that period,

  • the existence of the right to request rectification, erasure, or restriction of processing of personal data from the Controller,

  • the existence of the right to object to processing of personal data,

  • the right to lodge a complaint with a supervisory authority,

  • if the personal data were not obtained directly from the Data Subject – any available information about their source,

  • the existence of automated decision-making, including profiling, and in such cases, information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject,

  • appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer of personal data to third countries or international organizations.

10.1.3 Right to a Copy of Personal Data
The Data Subject has the right to obtain a copy of the personal data being processed, provided that the provision of such a copy does not adversely affect the rights and freedoms of others.

10.1.4 Right to Rectification of Personal Data
Pursuant to Article 16 of the Regulation (GDPR), the Data Subject has the right:

  • to the prompt rectification of inaccurate personal data concerning them,

  • to have incomplete personal data completed, including by providing a supplementary statement.

10.1.5 Right to Erasure (“Right to be Forgotten”) under Article 17 GDPR
The Data Subject has the right to obtain from the Controller the erasure of personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,

  • the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing,

  • the Data Subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing,

  • the Data Subject objects to the processing pursuant to Article 21(2) GDPR,

  • the personal data have been unlawfully processed,

  • the personal data must be erased to comply with a legal obligation under EU or Slovak law,

  • the personal data have been collected in relation to the offer of information society services to a child under Article 8(1) GDPR.

10.1.6. Right to inform third parties about the erasure of personal data

The data subject has the right to require the Controller, who has published their personal data, taking into account available technology and reasonable costs, to take appropriate measures (including technical ones) to inform other controllers processing such personal data that the data subject requests their erasure, including any copies or replications.

The right to erasure of personal data does not arise if the processing is necessary for:

10.1.7. exercising the right to freedom of expression and information;

10.1.8. compliance with a legal obligation under EU or Slovak law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

10.1.9. reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) and Art. 9(3) GDPR;

10.1.10. archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89(1) GDPR, where the erasure of personal data is likely to render impossible or seriously impair the achievement of such purposes, or for the establishment, exercise, or defense of legal claims.

10.1.11. Right to restriction of processing of personal data
The data subject has the right to restriction of processing of personal data in accordance with Art. 18 GDPR.

10.1.12. Cases where the data subject may request restriction of processing:

  • The data subject contests the accuracy of the personal data for a period enabling the Controller to verify its accuracy;

  • The processing of personal data is unlawful and the data subject requests restriction of processing instead of erasure;

  • The Controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims;

  • The data subject has objected to processing pursuant to Art. 21(1) GDPR, pending verification whether the legitimate grounds of the Controller override those of the data subject.

10.1.13. Consequence of restriction of processing:
Restricted personal data may only be processed:

  • with the consent of the data subject;

  • for the establishment, exercise, or defense of legal claims;

  • for the protection of the rights of another natural or legal person;

  • or for reasons of important public interest of the EU or a Member State.

10.1.14. Right to be informed of the lifting of the restriction:
The data subject has the right to be informed in advance of the lifting of the restriction of processing of personal data.

10.1.15. Right to notification to recipients:
The data subject has the right to require the Controller to notify each recipient to whom personal data has been disclosed of any rectification, erasure, or restriction of processing pursuant to Art. 16, Art. 17(1), and Art. 18 GDPR, unless this proves impossible or involves disproportionate effort. The Controller is also obliged to inform the data subject about such recipients if the data subject so requests.

10.1.16. Right to data portability
The data subject has the right to data portability under Art. 20 GDPR, i.e., the right to receive the personal data provided to the Controller in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the Controller, if:
a) the processing is based on the data subject’s consent under Art. 6(1)(a) or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR; and
b) the processing is carried out by automated means.

10.1.17. Restrictions on data portability
The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller shall be exercised in a manner that does not adversely affect the rights and freedoms of others.

10.1.18. Direct transfer of data between controllers
The data subject has the right to have personal data transmitted directly from one controller to another, where technically feasible.

10.1.19. Right to object
The data subject has the right to object under Art. 21 GDPR to the processing of their personal data.

10.1.20. Right to object at any time on grounds relating to a particular situation
The data subject may at any time object, on grounds relating to their particular situation, to the processing of personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

10.1.21. Consequences of objection
Where the right to object is exercised against the processing of personal data pursuant to Art. 6(1)(e) or (f) GDPR, the data subject has the right to require the Controller to no longer process their personal data, unless the Controller demonstrates compelling legitimate grounds for processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

10.1.22. Right to object to direct marketing
The data subject has the right to object at any time to the processing of their personal data for direct marketing purposes, including profiling to the extent related to such direct marketing. If this right is exercised, the personal data may no longer be processed for such purposes.

10.1.23. Right to object to processing by automated means
The data subject has the right to object to the processing of personal data by automated means, particularly when using information society services, in accordance with technical specifications that allow the exercise of this right.

10.1.24. Right to object to processing for scientific, historical, or statistical purposes
The data subject has the right to object, on grounds relating to their particular situation, to the processing of personal data for scientific or historical research or statistical purposes under Art. 89(1) GDPR, except where the processing is necessary for the performance of a task carried out in the public interest.

10.1.25. Rights related to automated decision-making and profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them, except in cases provided for in Art. 22(2) GDPR:

10.1.26. Exceptions to automated decision-making
Automated decision-making is permissible if:
a) it is necessary for entering into or the performance of a contract between the data subject and the Controller;
b) it is authorized by EU or Member State law, which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests;
c) it is based on the explicit consent of the data subject.

10.1.27. Safeguards for automated decision-making
The Controller must implement appropriate safeguards to protect the rights and freedoms of the data subject, including the right to human intervention, the right to express their point of view, and the right to contest a decision where they are subject to automated decision-making producing legal or significant effects.

Instruction on the right of the data subject to withdraw consent for the processing of personal data:

11.1. Withdrawal of consent for personal data processing
The data subject has the right to withdraw their consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Withdrawal of consent may be full or partial:

  • Partial withdrawal may apply to a specific type of processing operation or a specific purpose of personal data processing, while processing of personal data for other operations or purposes remains lawful and unaffected.

The data subject may withdraw their consent:

  • In writing – by sending a written notice to the Controller’s address as registered in the commercial register.

  • Electronically – by sending an email to the Controller’s email address specified in this document.

The Controller is obliged to ensure that the withdrawal of consent takes effect without undue delay.

XII. Instruction on the right of the data subject to lodge a complaint with a supervisory authority:

12.1. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of their personal data infringes the Regulation (GDPR), without prejudice to any other administrative or judicial remedy.

The data subject has the right to be informed by the supervisory authority with which the complaint has been lodged of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the Regulation.

12.2. Supervisory authority in the Slovak Republic
Office for Personal Data Protection of the Slovak Republic
Address: Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Tel.: +421 2 3231 3214
E-mail: [email protected]

XIII. Information related to automated decision-making, including profiling:

13.1. Automated decision-making and profiling
The Controller does not use automated decision-making, including profiling, pursuant to Art. 22(1) and (4) of the Regulation (GDPR) in the processing of the data subject’s personal data.

Therefore, the obligation to provide information under Art. 13(2)(f) of the Regulation, i.e., information about automated decision-making, including profiling, the logic involved, as well as the significance and envisaged consequences for the data subject, does not apply.

XIV. Final provisions

14.1. Part of the Terms and Conditions
These Data Protection Principles and Instructions, including cookie instructions, form an integral part of the General Terms and Conditions and the Complaints Procedure. The documents – General Terms and Conditions and Complaints Procedure of this Website – are published on the domain of the Seller’s Website.

14.2. Validity and effectiveness
These Data Protection Principles shall become valid and effective upon their publication on the Seller’s Website on 11 August 2025 and remain effective until any update or amendment, which will be published in the same manner.