LYRA Chocolate

PRINCIPLES OF PERSONAL DATA PROCESSING IN THE OPERATION OF THE E-SHOP


The controller LYRA GROUP s.r.o., with its registered office at Pri parku 1, 951 12 Ivanka pri Nitre, Company ID: 44473826, as a manufacturer and supplier of chocolate products and operator of the e-shop (hereinafter referred to as the “Controller”), declares that, in order to ensure the protection of the rights of data subjects, it has adopted appropriate technical and organizational measures that ensure lawful processing of personal data.
The Controller has also published all mandatory information contained in the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (“GDPR”), and in Act No. 18/2018 Coll. on Personal Data Protection and on Amendments and Supplements to Certain Acts, as amended (hereinafter referred to as the “Personal Data Protection Act”), and has implemented a transparent system for recording security incidents and any questions from the data subject or other persons.
Individual information can be obtained by the data subject by email: [email protected], in person at Konečná 1077, 951 12 Ivanka pri Nitre, or on our website in the section: GDPR - Lyra chocolate. The privacy policy stated at this link also serves as the general basis in relation to this statement and applies unless this statement provides otherwise.
References to the GDPR in this document also include references to the relevant provisions of the Personal Data Protection Act.
Below we provide information on the processing and protection of personal data in accordance with the GDPR and the Personal Data Protection Act.

Position of the Controller
We process your data for our own purposes as the Controller. This means that we determine the purposes for which we collect and otherwise process your personal data, determine the means of processing, and are responsible for the security and lawfulness of such processing.

Processors
In certain cases, the Controller may also process personal data of data subjects through processors who have entered into a personal data processing agreement with the Controller pursuant to Article 28 of the GDPR. The processors process the personal data of data subjects on behalf of the Controller. The processing of personal data through a processor does not adversely affect the exercise and enforcement of the rights of the data subject. The Controller only uses processors that provide appropriate technical, organizational, and other measures so that the processing meets the GDPR requirements and ensures full protection of the rights of the data subject.
The Controller uses the following categories of processors for the processing of personal data of data subjects:

  • companies providing technical solutions, maintenance, and support for IT systems used by the Controller in the operation of the e-shop;
  • companies providing transportation – courier services;
  • companies providing payment services.

Purposes of personal data processing and legal basis
As the Controller, we only collect from you the data that we necessarily need to provide full services in the production, sale, and delivery of chocolate products through the e-shop and during the provision of customer support. The purposes and legal bases for processing personal data are as follows:

  • Processing for the purpose of receiving your order: based on your initiative or interest in our products by placing an order, your personal data is processed pursuant to Article 6(1)(b) GDPR – where processing is necessary to take steps at your request prior to entering into a contractual relationship, i.e., during pre-contractual relations;
  • Processing for the purpose of fulfilling the order: i.e., completing the sale and delivery of selected goods; the receipt and processing of personal data for the purpose of fulfilling the order (delivery of products) is carried out pursuant to Article 6(1)(b) GDPR – where such processing is necessary for the performance of the contract to which you, as the client, are a party. We also process personal data within the scope of this contract for the purposes of mutual communication and for fulfilling obligations and exercising rights arising from this contractual relationship;
  • Email communication or other forms of inquiries: if you wish to contact us, provide feedback, a review, or address any issues, you can reach out to us, and we will gladly assist you. For this purpose, we may process your contact personal data pursuant to Article 6(1)(f) GDPR. Our legitimate interest in this case is to assist our customers and to handle questions, requests, or complaints from third parties. You have the right to object to such processing at any time;
  • Processing for the purpose of user account registration (customer account): within the e-shop, you have the option to register a user account, which allows you to shop more easily, view all your past purchases in one place, and use potential bonuses or discounts. The collection and processing of personal data for this purpose are carried out pursuant to Article 6(1)(a) GDPR – i.e., based on your consent for the registration of the user account. You have the right to withdraw your consent at any time.

Processing of data for receiving updates via Newsletter
On our website, you can register your email address if you wish to be informed in a timely manner about our news and promotions. The collection and processing of personal data for this purpose are carried out pursuant to Article 6(1)(a) GDPR – specifically based on your consent to receive updates by email. You may withdraw your consent at any time. However, newsletters may also be sent without your express request, based on the legal ground of legitimate interest pursuant to Article 6(1)(f) GDPR (our legitimate interest is maintaining and developing our customer base). You have the right to object to such processing at any time.

Categories of processed personal data
Depending on the specific purpose of processing, we process different categories of your personal data, specifically:
a) Creating and receiving orders / processing orders for goods and services delivery – name and surname, residence address or other mailing address, telephone number, email;
b) Email communication or inquiries – residence address or other mailing address, telephone number, email;
c) User account registration – email, username, and password, as well as profile data to the extent of: name and surname, residence address or other mailing address, telephone number, email;
d) Sending marketing updates via newsletter – email.

Retention period for your personal data
Your personal data processed pursuant to Article 6(1)(b) GDPR – within the fulfillment of the Controller’s obligations towards customers – is processed for the duration of the contract and subsequently for the period during which the data may be needed to prove, exercise, or defend legal claims. These personal data are also processed to fulfill our legal obligations in the area of taxation and accounting (e.g., storing accounting records of your confirmed orders and invoices under Act No. 431/2002 Coll. on Accounting, as amended, and for fulfilling tax obligations under Act No. 595/2003 Coll. on Income Tax, Act No. 222/2004 Coll. on Value Added Tax, Act No. 563/2009 Coll. on Tax Administration, etc.). Such data must be kept for the retention period specified by applicable legislation. We follow the principle of data minimization under Article 5(1)(e) GDPR, and therefore personal data that are not subject to mandatory archiving will be deleted or anonymized.

Personal data processed under Article 6(1)(a) GDPR – based on your consent (e.g., for receiving marketing updates or for creating a customer account) – are processed for the duration of the consent, but no longer than 3 years. Before the expiration of the processing period, we will contact you to allow renewal of your consent. If you do not renew your consent, or if you withdraw it, your data will be deleted from our records, securely erased from electronic systems, and physically destroyed.

Personal data processed under Article 6(1)(f) GDPR – based on legitimate interest (e.g., when you submit an inquiry without entering into a contractual relationship) – are deleted immediately after the request is resolved unless transferred into a pre-contractual or contractual relationship. Data processed on this legal basis for other purposes (e.g., newsletters) will also be deleted if you object.

As the Controller, we will securely erase your personal data without undue delay once:

  • all contractual relationships with you have ended; and/or
  • all your obligations towards the Controller have been settled; and/or
  • all complaints and requests have been resolved; and/or
  • all rights and obligations between you and the Controller have been settled; and/or
  • all purposes of processing have been fulfilled, including expiration or withdrawal of consent; and/or
  • the retention period has expired; and/or
  • a justified request for deletion has been made; and/or
  • all statutory obligations requiring retention of your personal data have ceased.

Any personal data obtained accidentally will never be systematically processed. If possible, we will inform the data subject of such accidental collection and assist in restoring control over their personal data. After resolving the situation, all accidentally obtained personal data will be securely and promptly deleted. For more information about the exact retention period of your personal data, please contact us using the contact details provided on our website.

Disclosure of data
The Controller never publicly discloses the collected data.

Transfer of personal data to third countries
We do not knowingly transfer personal data to so-called third countries (i.e., countries outside the European Union (EU) and the European Economic Area) or international organizations.

Rights and obligations of the data subject
The customer is obliged to provide only complete and truthful data.
The customer agrees to update their data in case of any changes, at the latest before placing the first order after such change occurs.
If the customer provides personal data of a third party (name, surname, phone number), they confirm that they do so with the consent of that third party and that the third party has been informed of the procedures, rights, and obligations described on this page.

As our customer and a data subject, you have the right to control how your personal data is handled. You may exercise your rights in any of the following ways:

  • In person at the Controller’s address: Pri parku 1, 951 12 Ivanka pri Nitre;
  • Through our customer hotline: +421 902 117 041;
  • By email: [email protected]; or
  • In writing at: LYRA GROUP s.r.o., Pri parku 1, 951 12 Ivanka pri Nitre.

We will respond as soon as possible, but no later than within 30 days of receiving your request. Under applicable law and the GDPR, you have the following rights:

Right of access
You have the right to request confirmation of whether your personal data is being processed and, if so, to obtain a copy of such data along with information specified in Article 15 GDPR. If we process a large volume of your data, we may request that you specify the scope of your request.

Right to withdraw consent
If the processing of your personal data is based on consent, you have the right to withdraw this consent at any time.

Right to rectification
To ensure that we always process accurate and up-to-date data, please inform us of any changes as soon as they occur. If we process inaccurate data about you, you have the right to request its correction.

Right to erasure
If the conditions under Article 17 GDPR are met, you may request the deletion of your personal data, for example, if you have withdrawn your consent and no other legal basis for processing exists, or if the data is processed unlawfully, or the purpose for which it was collected no longer applies. However, we will not delete data that is required for the establishment, exercise, or defense of legal claims.

Right to restriction of processing
If the conditions under Article 18 GDPR are met, you can request that we restrict the processing of your personal data, for example, during verification of the accuracy of the data or if you object to its deletion but need it to establish, exercise, or defend legal claims.

Right to data portability
If the processing is based on your consent or a contract and is carried out by automated means, you have the right to receive your personal data in a commonly used, machine-readable format or, if technically feasible, to have it transmitted directly to another controller.

Right to object to processing
If your personal data is processed based on our legitimate interests, you have the right to object. Unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or grounds for the establishment, exercise, or defense of legal claims, we will cease processing and delete your data. You may also object to processing for direct marketing purposes (e.g., newsletters) at any time, after which we will stop such processing.

Right to lodge a complaint
If you believe that the processing of your personal data violates the GDPR or the Personal Data Protection Act, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. For the Slovak Republic, the supervisory authority is the Office for Personal Data Protection, located at Park One, Nám. 1. mája 18, 811 06 Bratislava, Slovak Republic, website: www.dataprotection.gov.sk, tel.: +421 2 32 31 32 14.

LYRA GROUP, s.r.o.
Ivanka pri Nitre, July 2025