RICOM gas, s.r.o.

with registered office at Na Bělidle 1135, 460 06 Liberec

Company registration number: 254 14 852

registered in the Official Register, file C 16655 kept by the Regional Court in Ústí nad Labem


For better clarity and orientation, below are the terms that are often repeated in this Policy.

E-SHOP – Internet application available on the Internet, developed for the purpose of viewing, selecting and ordering services by the customer,;

INFORMATION SYSTEM – internal information system that records various activities within the Controller's business, including records containing personal data;

PERSONAL DATA – any information about the entity based on which it can be identified directly or indirectly;

REGISTERED USER – data subject who has taken the opportunity to set up and use a user account available on the Controller's website;

CONTROLLER – defines goals and means of processing. RICOM gas, s.r.o. with registered office at Na Bělidle 1135, 460 06 Liberec, CRN: 254 14 852, registered in the Official Register, file C 16655 kept by the Regional Court in Ústí nad Labem, mostly in the position of the seller of goods and services;

DATA SUBJECT – natural person to whom Personal Data refers is most likely to be a customer or a potential customer;

USER ACCOUNT – account set up under the conditions set out in the Business Terms and Conditions, which is protected by the password chosen by the user;

WEBSITE – website of the Controller;

PROCESSOR – performs processing activities on the basis of a contract or other authorization for the Controller;

PERSONAL DATA PROCESSING – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

I. Categories of personal data

The Controller processes the personal data of registered users as well as of unregistered customers. He defines goals and means of processing.

Categories of personal data: name, surname, e-mail, mobile phone, billing information, bank account, login to user account, user account behaviour - shopping habits, IP address, cookies, order history

Voluntarily provided personal data. Users voluntarily provide personal data to the Controller when the user registers, purchases in the e-shop of the Controller or by any other means (e.g. by e-mail, telephone) or in a similar way.

Special categories of personal data (sensitive personal data). The Controller does not process this category of data for his customers.

Publicly available personal data. The Controller can process personal data from publicly available sources and combine them with those that the data subjects have voluntarily provided to the Controller.

Website. The Controller handles information about when data subjects visit and view his website. This information can include an IP address, web activity, and more information about interacting with our website. We may collect this data as part of the log or using cookies or other tracking technologies.

II. Purposes of processing

All of these categories of personal data are processed by the Controller as they are necessary to meet the following purposes:

A. Sign up for a user account

The e-shop operated by the Controller enables registration by setting up a user account. When signing up, personal data is required to create a user account that serves to review the orders that the data subject realizes or has realized in the e-shop, to count possible discounts, or to manage billing and delivery data.

The lawful reason for the processing of personal data for the purpose of registering a user account is the granting of voluntary, unconditional consent of the data subject to the Controller.

Registered users are sent a regular newsletter from which they can sign out at any time.

B. Performance of the contract

The lawful reason for the processing of personal data is the performance of a contract to which the data subject is party, or the implementation of measures taken just prior to the conclusion of the purchase contract.

The processing of personal data is carried out in order to ensure the smooth delivery of the goods or services ordered by the data subject.

C. Newsletter (commercial communication)

Sending promotional emails to registered users and/or customers to promote similar products and services. The Controller may send a commercial message to the contacts of the registered users or customers when, on the basis of legitimate interest, he promotes similar products and services through direct marketing, but only until the recipient expresses disagreement.

Except for the case of legitimate interest, the Controller may also send a commercial message to those who have given prior consent to the processing of personal data for marketing and business purposes in advance (e.g. through the contact form on the Controller's website). The “Logout” function is set in every marketing communication that the Controller sends, even if he communicates with the Users. The Controller sends a commercial message with the offer of his services or related products usually twice a month.

D. Subscription to commercial communication

The Controller's E-shop allows to subscribe to commercial communication.

The lawful reason for the processing of personal data for the purpose of sending business communication is the granting of voluntary, unconditional consent of the data subject to the Controller by means of a confirmation on the relevant subscription site. Every customer is properly informed through this Privacy Policy about the privacy rights.

Subscription to commercial communication is in the so-called double opt-in mode, which prevents the abuse of an email address. In practice, this means that after confirmation, a confirmation of the subscription for a commercial communication is sent to the e-mail. This confirmation contains an active link, and only by clicking it, the e-mail will be included in the recipients database of the subscribers of commercial communication.

E. Sending transactional messages.

These are messages for registered Users, to ensure awareness of the necessary maintenance or error status of the e-shop as well as new functionalities. At the same time, there are emails about the status of the order, the delivery of the order or the stage of the complaint procedure etc. These may be transactional emails or messages via the Information System or other similar messages.


Controller's pages use cookies. The Controller informs about their settings and usage on a separate subpage of the website.

Cookies are small files that temporarily store information in your browser and are commonly used to distinguish user behaviour on the web. However, the user is not identifiable on the basis of this information. Cookies help, for example:

-  proper site functionality to complete the purchase process with as little difficulty as possible, the processing of these cookies cannot be refused;

-  remembering the account login on the web, so it is not needed to enter it every time, these cookies can be refused;

-  determining which sites and functions the visitors use most often; to adjust our offer as best as possible, these cookies can be refused;

Some marketing cookies may collect information that is subsequently used by third parties and which, for example, directly supports our advertising activities (so-called “third-party cookies”). For example, information about viewed products can be used to display to the website visitor, besides the Controller's website, only an advertising that is relevant to the particular user without being bothered by an advertisement that does not interest him. According to these data, you cannot be identified.

The Controller's website uses the following third-party cookies:

AdWords (Google Inc), Sklik (, a. s.), Google Analytics (Google Inc)

You can reject cookies using your web browser or set up only certain cookies. You can also change the cookie settings on the Controller's website.

G. Links to external sites

For optimal visitor awareness, links to third-party sites (usually business partners with whom the Controller works) are placed on the Controller's website. If the data subject clicks on that link, he acknowledges that third-party sites have their own privacy policy that may vary from the Controller's website policy.

H. Sending contact form

The Controller's website allows to contact the Controller via the contact form.

In addition to the query, the name, subject of the query and e-mail should be provided in the contact form. By pressing the “Send” button, the data subject agrees with the processing of personal data for the purpose of re-contacting and answering the inserted query.

The time for processing personal data when sending a contact form and for which the personal information is stored by the Controller, is the duration of the query solution, then the personal data is deleted from the database of the Controller.

I. Other marketing activities on the Controller's website

On the Controller's website, you can see other marketing activities like filling in a questionnaire, quiz, participating in a competition, etc. This is an extraordinary, time-limited activity that always states separately what personal data the Controller collects and how it is dealt with.

Those personal data that are necessary for the proper provision of the service or for the fulfilment of all obligations of the Controller, whether these obligations arise from a contract or generally binding legal regulations, must be processed by the Controller irrespective of the granted consent granted by the data subject for the period stipulated by the relevant legal regulations or in accordance with them also after the withdrawal of the consent of the data subject.

J. Compliance with legal requirements, including participation in court proceedings and statutory requirements of public authorities, including respect for national security or law.

III. Planned processing time

For the purposes of registering and maintaining a user account, all categories of personal data can be processed for a period of 2 years from the last active login to the user account, unless the data subject requests account deletion earlier.

For the purpose of fulfilling the rights and obligations of the contractual relationship between the Controller and the Customer for the duration of the contractual relationship between the Controller and the data subject, or for the period necessary to fulfil legal obligations and to protect legitimate interests, but no later than 5 years from the date of termination of the contractual relationship with the data subject.

The time for the processing of personal data in the case of sending business communications is 2 years from the last active review of the business communication by the subscriber, unless the data subject cancels the subscription earlier.

Exceptions are the tax documents issued by the Controller's Controller in accordance with Section 35 of Act No. 235/2004 Coll., Tax Documents shall be kept for 10 years from the end of the tax period in which the transaction took place.

IV. Technical, safety and organizational measures

Technical and safety measures. With regard to the likelihood of risks and taking into account the ratio between the cost of possible measures and technical possibilities, the Controller has introduced technical, safety and organizational measures - in all areas where personal data are processed (in particular website, e-shop operation, employee agenda, communication with customers). The Controller meets strict GDPR requirements.

The developers of the Controller work with lawyers to ensure that the operation of the e-shop and Controller's website and the provision of services by the Controller is in compliance with the applicable spam and privacy laws.

The Controller cannot disclose all details and circumstances of a technical nature that protect his website and e-shop and the personal data he is processing. By publishing the details, it would be easier for those who might strive to break through systems and security barriers.

The Controller informs that he uses a secure information system that provides personal data with security appropriate to the state of the art, cost, nature, scope and purposes of processing. The Controller considers the information system to be safe also in view of the possible risks to the rights and freedoms of individuals.

Organizational measures. All employees who have access to personal data are bound by confidentiality and must respect the security principles. Approaches to all systems including the information system are customized and password covers are created in different ways. The information system records logs so that the Controller can control individual employees' access to individual databases. Employees are regularly trained.

Office. The offices of the Controller are safe, lockable, and strangers cannot access them without Controller's knowledge. Records in a paper form are not kept by the Controller, only where it is strictly necessary. In this case, the Controller keeps them locked.

V. Transmission of personal data to third parties

The Controller only passes personal data to entities with whom he has a proper processing contract or a joint-venture agreement.

Joint Controllers. These are the operators of the individual branches in which the Controller actually stores the goods, and there can be purchase, as well as the delivery of orders from the e-shop. These entities have access to an information system in the day-to-day business, which is primarily intended for order management. The branches are managed by RICOM energy, CRN: 250 18 191, with registered office at Na Bělidle 1135, Liberec VI-Rochlice, 460 06 Liberec. Business communication as well as other marketing activities where customer personal data is processed are solely done by the Controller. The Joint Controllers agree that the Controller acts as a contact person, by e-mail

Processors. The Controller uses only verified processors with whom he has a written agreement and who provide the Controller with at least the same guarantees as the Controller to the data subjects. The Controller uses only processors from the EU or from countries that are safe according to the European Commission's decision. All of these partners are bound by the confidentiality obligation and may not use the data provided for any purpose other than that to which the Controller has made them disclosed.

Processors are entities with whom Controller cooperates in the field of accounting, advocacy, development and administration of online solutions or marketing specialists, as well as software and cloud solutions. Personal data may be stored on servers of companies NET-SYSTEM s.r.o. or ChciSystem s.r.o. We use the services of delivery experts and goods carriers, accounting and wage system. Details of our processors are provided on request.

Legal duties. Personal data may be handed over by the Controller to third parties, if required by law, or in response to legal requirements of public authorities or at the request of a court in litigation.

VI. Rights of data subjects

The Controller may be asked to allow access to personal data and request the rectification, erasure or restriction of processing of personal data where it is inaccurate or has been processed in violation of applicable data protection laws. The data subject has the right to the transferability of personal data, to object to the processing of personal data, the right to withdraw consent to the processing of personal data, and the right not to be subject to automated individual decision making, including profiling (the Controller does not do this).

The rights of data subjects can be enforced by email

The Controller seeks to comply with the rights of data subjects without delay. However, the circumstances under which the Controller cannot grant access can occur (for example, if the information requested compromises the privacy of others or other legitimate rights, or where the cost of providing access would be disproportionate to the risks to the privacy of the individual in the given case). The Controller shall take reasonable steps to verify the identity of the applicant before performing any of the rights of the data subjects.

Details of the data subjects' rights:

A. Right of access to personal data

Under Article 15 of the GDPR, you will have the right to access personal data, which includes the right to obtain from the Controller:

  • confirmation that he processes personal data,
  • information on the processing purposes, the categories of personal data concerned, the recipients whose personal data have been or will be disclosed, the envisaged period for which the personal data will be processed, the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority, where the personal data are not collected from the data subject, any available information as to their source, the existence of automated decision-making, including profiling, the appropriate safeguards for data transfers outside the EU,
  • if the rights and freedoms of other persons are not adversely affected, also the copy of personal data.

In case of a repeated request, the Controller will be entitled to charge a reasonable fee for a copy of the personal data.

B. Right to rectification

Under Article 16 of the GDPR, the data subject has the right to correct inaccurate personal data. The data subject is also required to notify changes of the personal data. At the same time, he is required to provide cooperation if it is determined that the personal data processed by the Controller are not accurate. The Controller shall perform the rectification without undue delay, always with respect to the technical options.

C. Right to erasure

Under Article 17 of the GDPR, the data subject will have the right to delete the personal data concerning him if the Controller does not prove the legitimate reasons for the processing of such personal data. The Controller has mechanisms in place to ensure automatic anonymization or erasure of personal data if it is no longer needed for the purpose for which it was processed.

D. Right to restriction of processing

Under Article 18 of the GDPR, the data subject has the right to limit the processing until the resolution of the complaint if he denies the accuracy of the personal data, the reasons for its processing or if he objects to their processing.

E. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Under Article 19 of the GDPR, the data subject has the right to be notified in the event of rectification, erasure or restriction of the processing of personal data. The Controller shall communicate any rectification or erasure of personal data to each recipient, unless this proves impossible or involves disproportionate effort.

F. Right to data portability

Under Article 20 of the GDPR, the data subject has the right to the portability of the data relating to him and which he has provided to the Controller in a structured, commonly used and machine-readable format, and the right to request the transmission of such data to another Controller.

If you provide personal data in connection with the Service Agreement of the Controller or on the basis of your consent, and the processing is automated, you are entitled to obtain such information from the Controller in a structured, commonly used and machine-readable format. If technically feasible, data may be transmitted to the Controller you specify if a person acting under the appropriate controller is properly identified and can be authorized.

If this right could adversely affect the rights and freedoms of others, your request can not be accepted.

G. Right to object to the processing of personal data

Under the Article 21 of the GDPR, the data subject has the right to object to the processing of his personal data due to a legitimate interest.

If the Controller does not prove that there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject, he shall terminate the processing without undue delay.

If the objection is made in the case of direct marketing processing, the Controller shall terminate the processing without undue delay.

H. Right to revoke consent to the processing of personal data

The consent to the processing of personal data for marketing and business purposes may be revoked at any time after this date. It is necessary to make the revocation in an explicit, comprehensible and certain manner of will.

Processing of data from cookies can be avoided by setting up a web browser.

I. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him. The Controller that he does not perform automated decision-making without the impact of human judgement with legal effects on data subjects.

VII. Conclusion

Goods and services of the Controller are not primarily intended for persons under 16 years of age. The Controller consciously does not collect personal data of persons under 16 years of age.

This Policy may only be amended in writing. Users will be informed about this via the website of the Controller.

In the case of any queries to the Privacy Policy, please contact us with confidence at


RICOM gas, s.r.o.
Tovární 319
471 54 Cvikov
Czech Republic