DECLARATION ON THE PROCESSING OF PERSONAL DATA (Privacy policy)
This declaration is valid for the company Nilobit CZ, s.r.o., Španělská 770/2, 120 00 Praha 2 – Vinohrady, IČ: 27416101, DIČ: CZ27416101.
This declaration is intended for our customers, business partners, job applicants, employees, and the general public and contains a declaration on the processing of personal data provided in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as “GDPR”). The declaration fulfills the obligation to provide information set out in Articles 13 and 14 and the obligation to inform data subjects about their rights and procedures for exercising their rights under Articles 15 to 22 and 34 of the GDPR.
The GDPR is transposed into Czech legislation by Act No. 110/2019 Coll., on the Processing of Personal Data. This Act regulates the specific conditions for the processing of personal data in the Czech Republic and sets out the obligations of controllers and processors of personal data, including rules for the protection of the rights of data subjects. The Act also defines sanctions for breach of obligations in the processing of personal data.
dpo.it@nilobit.com
Processing of Personal Data
Employees
During their employment with the company, employees provide personal data and are also recorded with data that has the character of personal data, in a wide variety and variable scope. Typically, this includes employee number, first name, last name, maiden name, title, permanent and temporary residence (street and number, postal code, city), date of birth, personal identification number, bank account number (IBAN), name of health insurance company, supplementary pension savings, ID card number, and more. Additionally, data of family members or household members may be processed, such as names, surnames and personal identification numbers, income data, and copies of birth certificates. This is supplemented by other information generated during activities in IT systems, such as IP addresses, identifiers, activity and operation times, dialled phone numbers and call times, information about sent SMS and transferred data, information related to work safety, completed training, issued certificates and permits, and insurance. It may also include data related to tax obligations such as study confirmations, mortgage loans, disability and reduced work capacity, old-age pension, or information from state authorities such as ordered wage deductions. During work, call recordings and camera recordings may be made. The source of this information is mostly the data subject themselves (personnel questionnaire, submitted reports and documents), or their activity in automated systems and the digital footprint it leaves. Personal data also appears, according to its nature, in business correspondence with customers, in emails and chats, in meeting notes, as authorship of documents, and in advice and responses to customers. Optionally, it may include photographs, video recordings, and voice recordings.
We process personal data to the necessary extent for the following reasons:
• Fulfillment of the employment contract and performance of work
• Fulfillment of legal obligations arising from the employment relationship, especially reporting obligations to state authorities, courts, and police, and fulfillment of archiving obligations
• Legitimate interests in protecting rights and legally protected interests, especially the protection of information technology, property, and intellectual property; the scope of processed data reflects the employee’s position and authority
• Legitimate interests of the controller in fulfilling its economic contracts with customers, in company management, and in efficient management; the scope of processed data reflects the employee’s position and authority
Personal data is processed only for the duration necessary for the purposes of processing; the duration and scope differ according to the purpose:
• For the fulfillment of the employment contract and performance of work for the duration of the employment relationship; for the results of your work according to their usability
o Contractual and pre-contractual correspondence, emails, and notes for the fulfillment of the contract for the duration of the contract, up to 5 years from the creation
o In other cases, usually up to 1 year from the creation, up to 3 months from the end of the employment relationship
• For the fulfillment of legal obligations in relation to tax obligations for 10 years from the end of the relevant period
• For the fulfillment of legal obligations in relation to pension insurance for 30 years from the end of the relevant period
• For the protection of rights and legally protected interests of the controller for 5 years from the acquisition of the data, except for camera recordings, which are kept for up to 1 month from the acquisition
• For the legitimate interests of the controller in fulfilling contracts for up to 5 years
• For data processed based on consent for the duration of its validity
Personal data is made accessible according to its nature to company employees or their partners who manage the given agenda, or only to the company director. Recipients of personal data include social and pension insurance administration, health insurance companies, tax authorities, labor offices, labor inspectorates, mobile operators, damage insurers, judicial authorities, and police. Data processors according to the controller’s instructions are IT system service organizations, companies providing training and testing in the areas of work safety, education, and professional training. Recipients of some data, especially in the areas of security and audit, may also be customers when ensuring their legitimate interests arising from the protection of rights and fulfilling their legal obligations in relation to the controller’s contracts. Data is not transferred to countries outside the EU. If we need to provide contact details of our employees to our customers or suppliers outside the EU, these employees will be informed in advance, or they will do so themselves as part of their work.
This processing does not involve automated decision-making or profiling. In some cases, this processing involves systematic monitoring, especially activities carried out in IT systems, access to client environments, and other places, for data security and protection.
Current and Potential Clients and Suppliers
As part of our business activities, provision of services and supply of products, which are primarily aimed at companies and organizations (B2B), the personal data of employees of our customers and suppliers is processed. These employees should be informed by their employer about such a possibility. The transfer of their personal data is usually based on their job description and job position. Given that this is primarily a “work” identity of the data subjects, the risk of interference with personal rights and of causing damage to these subjects is undoubtedly lower. The data obtained usually comes directly from the data subject or from their employer or colleagues. In the case of statutory bodies or self-employed natural persons (SEO), we may also draw information from public sources, such as the commercial register, trade register, insolvency register, or the professional social network LinkedIn.
We process personal data to the extent strictly necessary for the following reasons:
• For the purpose of fulfilling the contract, in particular orders, work contracts, service contracts, delivery of our products, which is the fundamental legitimate interest of our company.
• For the purpose of negotiating the conclusion of a contract, in particular offers, demonstrations, answers to questions, information about products and services, which is the fundamental legitimate interest of our company and meets the interests of the subjects
• Legitimate interests in protecting rights and legally protected interests, in particular the protection of information technology, property and intellectual property.
• Based on consent in the case where the purpose is active direct marketing of our products and services beyond the legitimately expected scope resulting from the previous reasons.
We process personal data only for the period that is necessary for the purposes of their processing; the period and scope vary according to the purpose. In particular, we ensure that if a person is no longer an employee of the customer and we become aware of this, the stored personal data is minimized in terms of scope and type.
• For the legitimate interests of the controller in fulfilling economic contracts (B2B)
o Regular pre-contractual business correspondence, emails and notes maximum 3 years from the date of creation
o Documents for project analyses and configurations, if they contain personal data and no economic contract is concluded, maximum 3 months from the end of the pre-contractual negotiations
o Contractual correspondence and emails and notes for the performance of the economic contract for the duration of the contract, maximum 5 years from the date of creation
o In other cases, within 1 year from the date of creation, maximum 3 months from the end of cooperation with the customer, as the employer of the entity
o For recordings of service call reports, maximum 6 months
o Applications for training, lists of issued certificates, attendance lists 2 years
o Business cards handed over, contact details passed on, contact details from inquiries, etc., up to 1 year
• To fulfill legal obligations in relation to tax obligations for a period of 10 years from the end of the decisive period
• To protect the rights and legally protected interests of the controller for a period of 5 years from the acquisition of the data
• For data processed on the basis of consent, for the period of validity of the consent
Personal data are made available, depending on their nature, primarily to the company’s employees who manage the given agenda, or only to the company’s executive. In some situations, the recipients of personal data may include tax authorities, employment offices, judicial authorities and the police. The data processors according to the controller’s instructions are IT system service organizations.
Recipients of basic contact details of customer employees may also be our suppliers in the performance of individual contracts, and in the case of basic contact details of suppliers, our customers; in this case, we would notify foreign employees of such a situation in advance. In these cases, the data is not transferred to countries outside the EU. This processing does not involve automated decision-making or profiling.
Web interface
As part of our business and service provision, we operate websites on the Internet. The websites are accessible anonymously. When browsing the websites, we may collect the following data in addition to the previously mentioned personal data: website address, IP address, time of access to the website, website address from which the visitor comes, browser and operating system of the visitor, preferred language, amount of data transferred, occurrence of errors in technical processing, session identifier (related to login) and cookies.
Cookies are small text files that are stored on your hard drive depending on the browser used and that ensure the supply of certain information to the system that stored the cookie. Most of the cookies we use are deleted after the end of the browser session (so-called session cookies). Other cookies remain on your end device and allow us to recognize your browser on your next visit (persistent cookies). In the settings of the browser you use, you can refuse to accept cookies or limit this refusal, for example, only to cookies from other entities, so-called third-party cookies. You can set the purposes for which cookies are used in the relevant settings of our website functions, where you can also revoke any consent you have given.
Our customer services are available within the web interface. Customers can log in with their name and password to the environment where the corresponding agendas are made available to them.
We process personal data for the following reasons:
• Legitimate interest in operating the website, ensuring the technical functionality of logging in and tracking the browser’s identity while navigating between website pages – a session identifier (implemented as cookies) is used for this purpose
• Legitimate interest in protecting rights and legally protected interests, in particular the protection of information technology, property and intellectual property, the scope and purpose of processing is limited to monitoring technical logs to ensure the security and stability of web servers.
We process personal data only for the period necessary for the purposes of their processing; the period and scope vary according to the purpose.
• For the legitimate interests of the controller in operating the website, for logging in, for a maximum of 13 months. Since cookies are stored in the visitor’s browser, the visitor has full control over their deletion.
• For the legitimate interests of the controller in protecting rights, we store security logs for a maximum of 6 months
• Based on consent for the duration of the consent. This processing may involve automated decision-making and profiling in third-party services by the relevant third parties.
Processing on the basis of instructions from our clients
As part of our business activities and provision of services, which are primarily aimed at companies and organizations (B2B), personal data is processed on the basis of processing contracts with these entities. By their nature, these are two groups of data:
• Data that serves the purpose of fulfilling the contract between us, as a processor, and our customer, who is either directly the controller or the processor.
We process personal data for the client exclusively according to their instructions, for the following reasons:
• For the purpose of fulfilling the contract, for the purpose of maintenance, service configuration or other parameterization of the environment for the client. For this purpose, we process data to a defined extent.
We process personal data only for the period specified in the processing contract.
When processing to a defined extent, there is no automated decision-making or profiling. Other processing is governed by the instructions in the processing contract.
Rights of the data subject
In connection with the processing of personal data, the subjects of these data have the rights listed below.
In order to exercise these rights, it may be necessary to establish identity so as to ensure that the right is exercised by the person who is the data subject. As the controller, we carry out the identification in a manner appropriate to the right exercised; in some cases we may verify identity using data we already hold (login details).
You can send your request by e-mail to privacy.cz@nilobit.com.
Right to access personal data
Right to confirmation
The data subject has the right to obtain from us confirmation as to whether or not personal data concerning him or her are being processed, and if so, he or she has the right to access these personal data and the following information:
a. purposes of the processing
b. categories of personal data concerned
c. recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
d. the planned period for which the personal data will be stored or, if that cannot be determined, the criteria used to determine that period
e. the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or restriction of processing, or to object to such processing
f. the right to lodge a complaint with a supervisory authority;
g. all available information on the source of the personal data, unless they are obtained from the data subject
h. the fact that automated decision-making, including profiling, is being carried out and, at least in such cases, meaningful information concerning the process involved, as well as the significance and envisaged consequences of such processing for the data subject
i. where personal data are transferred to a third country or an international organisation, you, as the data subject, have the right to be informed of the appropriate safeguards applicable to the transfer
Right to a copy
The data subject has the right to a copy of the processed personal data. We can provide the copy in person or by post, in which case we will request payment of the postage. If possible, a copy will be made available for electronic transmission. In the event of a repeated request for a copy, we will only provide data that we have not yet provided and that we are newly processing, or confirmation that we are not processing any new data. This does not limit the possibility of issuing a complete copy of the data again for a fee.
Right to correction of inaccurate data
If the data subject finds that the data we are processing about them is inaccurate, erroneous, untrue or incomplete, they have the right to have it corrected. It is in our interest to keep the information as accurate as possible! On the other hand, in some archival records, data is intentionally maintained as it was valid at the time of its creation (e.g. residence stated in a contract). If the request for rectification is granted, we will notify the original recipients, if any, unless this proves impossible or involves disproportionate effort, and, if requested by the data subject, we will inform them of the recipients.
Right to erasure
The data subject has the right to have us, as the controller, erase personal data concerning them without undue delay, and we as the controller have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
b. the data subject withdraws consent on the basis of which the data were processed and there is no other legal ground for the processing
c. the data subject objects to the processing on the basis of legitimate interests and there are no overriding legitimate grounds for the processing or the data subject objects to the processing for direct marketing purposes
d. the personal data have been processed unlawfully
e. personal data must be deleted to comply with a legal obligation set out
As the controller, we have mechanisms in place to ensure automatic anonymization or deletion of personal data when it is no longer needed for the purpose for which it was processed.
Right to restriction of processing
The data subject has the right to request that we restrict processing in the following cases:
a. in parallel with the exercise of the right to rectification, until the request is processed
b. in the case of unlawful processing, instead of the deletion of the data
c. where the data subject needs the data for the establishment, exercise or defence of legal claims
d. where the data subject has objected to the processing on grounds of legitimate interest, until it is verified whether the legitimate reasons of the controller outweigh those of the data subject
Restriction of processing means that these personal data may, with the exception of their storage, be processed only with the consent of the data subject, or for the determination, exercise or defense of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest.
Right to data portability
If the data subject has given us consent to the processing of certain data, or we process the data on the basis of a contract between us, and the processing is automated, the data subject can ask us to transfer the data in a structured format.
Right to object to legitimate interest.
The data subject has the right to object to the processing of personal data concerning him or her where it is processed on the basis of a legitimate interest of the controller declared by us. As the controller, we will stop processing the data unless we demonstrate compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or unless we process it for the establishment, exercise or defence of legal claims.
Right to object to direct marketing
If the data subject objects to the processing of personal data for direct marketing purposes, we will stop processing the data for this purpose and exclude them from all further direct marketing.
Right not to be subject to a decision based on automated decision-making, including profiling
Since we as the controller do not issue decisions that would have legal effects for the data subject solely on the basis of automated processing or profiling, the exercise of this right is only hypothetical.
Right to withdraw consent
If the data subject grants us consent to any processing, they can withdraw this consent, preferably in the same way the consent was granted: if on the website, then on the website; if by email, then by email from the same address; if by phone, then by phone from the same phone number. You can always withdraw your consent in writing, or ask us for an overview of the consents granted to processing. You can also easily withdraw your consent to the processing of cookies by deleting them or blocking them in your web browser.
Right to contact a supervisory authority
If the data subject is not satisfied with how we process personal data or how we fulfil their rights in this regard, they can lodge a complaint with the Office for Personal Data Protection.
Supervisory authority: Office for Personal Data Protection
https://www.uoou.cz
Pplk. Sochora 27
170 00 Prague 7
Methods of processing personal data
Risk management in the area of information security
The company approaches data protection responsibly, therefore, when implementing planned changes, it carries out checks in order to identify, analyze and evaluate risks and, if necessary, implement action plans to mitigate the identified risks. The identified risks are also part of the processes leading to changes in the process settings, so that any shortcomings are effectively eliminated, monitored and controlled.
Information Security Organization
The company’s information security is based on well-known industry norms and standards governing information security controls, such as ISO 27002. Employees are required to protect company information and any partner or customer data. The company’s suppliers and third parties are also required to protect company information and any partner or customer data (which includes implementing specific privacy measures). The third-party access control standard establishes measures that minimize the potential risks associated with third-party access to company information assets through company systems. Contracts with third parties include breach notification obligations and the right to audit. Contracts with third parties include requirements for data ownership and the return or secure disposal of data upon termination of the contract.
Human Resources Security
Employee and contractor background checks are conducted in accordance with local labor laws. Employees, contractors, and third parties are required to maintain confidentiality as part of their employment. Employees are required to adhere to security policies and standards.
Access Control Management
All users are granted access through a unique user account and mandatory authentication mechanisms. User account permissions and data access rights are granted to the extent necessary based on roles, job requirements, and job functions. User passwords must meet certain complexity requirements to comply with password policies used for information security.
Data Protection
Mechanisms are used to protect the data being transferred, both internally and externally. Each user device and service system/storage uses mechanisms to protect stored data, such as full disk encryption, application data encryption, data anonymization or tokenization, authentication, session timeout, user access rights, and logging/monitoring. Access to data is limited by default and will only be verified and allowed through user accounts with properly granted permissions.
COOPERATION WITH OTHER PARTIES IN THE PROCESSING OF PERSONAL DATA
We maintain a list of the companies that process personal data for our company, for which our company is the controller or processor. In addition to these transfers, information obligations towards state authorities are fulfilled. We will provide the list in its current version on request.