INFORMATION ON PERSONAL DATA PROCESSING

1. FOR JOB APPLICANTS

1.1 Data Controller, PPF Group

The Data Controller of your personal data as a job applicant (hereinafter referred to as "applicant") is always PPF a.s., ID No.: 25099345, registered office: Evropská 2690/17, 160 41 Praha 6 (hereinafter referred to as "PPF a.s.").

For the purposes of a particular selection procedure, another company within the PPF Group or a company that has a service agreement with PPF a.s. and is not part of the PPF Group may be the Data Controller of your personal data together with PPF a.s., provided that the subject matter of the particular selection procedure is a position within that company (hereinafter in Sections 1 and 3 referred to as the "Data Controller").

PPF Group means Air Bank a.s. (including Zonky), Bammer trade a.s., CETIN a.s., CME Services s.r.o., CzechToll s. r. o., EmbedIT s.r.o., Home Credit a.s., Home Credit International a.s, Home Credit Slovakia a.s., Nadace PPF; POLL, s.r.o., PPF banka a.s., PPF Real Estate s.r.o., SCT Cell Manufacturing s.r.o., SOTIO Biotech a.s., SOTIO Biotech AG, Škoda city service s.r.o., Škoda Digital s.r.o., Škoda Ekova (EKOVA ELECTRIC a.s.), Škoda Electric a.s., Škoda ICT s.r.o., ŠKODA PARS a.s., Škoda Transportation a.s., Škoda Transtech Oy, Škoda TVC s.r.o., Škoda Vagonka a.s., TV Nova s.r.o.

For the purposes of this document, companies that have a service agreement with PPF a.s. and are not part of the PPF Group mean OPEN GATE gymnázium a základní škola s.r.o., The Kellner Family Foundation, Pomáháme školám k úspěchu o.p.s.

1.2 Personal Data

Your personal data means only such personal data that you provide to PPF a.s. via the contact form interface of the PPF Group eRecruitment information system or that arise in the context of related communication or during the actual selection procedure, and always only to the extent necessary to fulfil the relevant purposes (i.e. for the purposes of the specific selection procedure).

1.3 Lawfulness of Data Processing

Your personal data is processed for the purposes of the specific selection procedure on the basis of Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") – performance of a contract.

After the end of the selection procedure, the Data Controller processes your personal data for the purposes of the Data Controller's legitimate interest, namely for the possible need to prove that the selection procedure was conducted properly and transparently and for the purposes of establishing, defending, and enforcing the Data Controller's rights. The Data Controller processes your personal data in accordance with the applicable and effective data protection legislation.

1.4 Purposes of the Processing of Personal Data

  • processing of personal data for the purposes of the selection procedure;

  • for the purpose of sending a notification SMS about the date and place of the selection procedure;

  • for the purpose of determining and paying the remuneration to the recruitment agency in cases where you have taken up a position through a recommendation from the recruitment agency; or

  • for the purpose of more effective communication in the selection procedure, using a chatbot and/or a personalised video (name and surname) for the purpose of introducing the company to which you are applying through the selection procedure or using other tools to help introduce the advertised job position.

1.5 Period of Storing of Personal Data

Your personal data will be processed for the duration of the selection procedure. After the selection procedure has been completed, your data will continue to be processed for the legitimate interest of the Data Controller for a period of 12 months.

1.6 Data Processor

For some candidates who participate in the selection procedure, their personal data is transferred to job portals who act as Data Processors. The transfer of candidates' personal data to this category of Data Processors only takes place when the candidate applies for the selection procedure through these job portals.

The Data Processor is also the entity managing IT systems and providing IT services for the purpose of managing and organising the selection procedure. This entity is the company Just IT Pro, s.r.o., ID No.: 037 50 281, with registered office at Šlechtitelů 813/21, Holice, 779 00 Olomouc.

The personal data is also passed on to the Data Processor twilio.com, which ensures the sending of informative SMS to the candidate about the date and place of the selection procedure.

In the position of the Data Processor to whom the personal data is transferred is also the entity that covers the functionality and operation of the chatbot and the entity that covers the creation of personalised videos.

Data Controller may share some of the personal data it processes with public authorities or other third parties when performing its obligations under the law.

1.7 Contact Details

PPF a.s. – oddělení lidských zdrojů

Address: Evropská 2690/17, 160 41 Prague 6, Czech Republic

E-mail: recruitment@ppf.cz

Web: www.ppf.eu

1.8 Information on how the rights of a job applicant are exercised

A job applicant may exercise his/her rights directly with the Data Controller at the above-mentioned address, either:

  • electronically via data box; or

  • electronically via email.

If a request is filed electronically, the Data Controller will provide the information also electronically, unless required otherwise by the job applicant. In case of a request filed electronically, the Data Controller must verify the identity of the person who filed the request to prevent the disclosure of information to authorised persons. To verify the identity, the Data Controller will contact the candidate. The Data Controller provides a copy of the processed personal data for free. A request filed repeatedly by the same candidate will be considered an obviously unreasonable request. In such a case, the Data Controller may either charge a reasonable fee to process the applicant or deny the request.

1.9 Your Obligations

Please take into account that you are responsible for the personal data you have provided and made available to the Data Controller, and it is your duty to make sure they are relevant, truthful, exact, and not misleading. You have the duty to make sure that the personal data provided do not contain material of an obscene and defamatory nature and/or are not in breach of the rights of a third person. Personal data provided must not contain malicious code.

If you provide personal data related to another person, e.g. an individual specified as your reference, you are obliged to inform this person thereof and to get his/her approval.

2. FOR PERSONS CONTACTING EMBEDIT VIA CONTACT FORM WITH AN INQUIRY/IN ORDER TO ESTABLISH BUSINESS COOPERATION OR WHOSE PERSONAL DATA ARE PROCESSED WITHIN EMBEDIT’S CRM SYSTEM

2.1 Data Controller

The Data Controller of your personal data as a person (i) contacting us with an inquiry and/or in order to establish business cooperation, or (ii) whose personal data are processed within our CRM system for the purpose of management of our business contacts, is EmbedIT s.r.o., company ID No.: 171 39 708, registered office at Evropská 2690/17, Postal Code 160 00, Prague 6, registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 367199 (hereinafter in Sections 2 and 3 referred to as "EIT" or " Data Controller").

2.2 Personal Data

Your personal data means only the personal data that you provide to EIT via the contact form (i.e. interface on the EIT’s website), or the personal data which arise in the context of related communication with you (when addressing your inquiry and/or in the course of the actual business cooperation) and always only to the extent necessary to fulfil the relevant purpose. EIT processes the following categories of personal data:

  • Basic identification data (e.g. first and last name);

  • Business information (e.g. name of the company that you relate to and your position or relation to such company); and

  • Business contact details (e.g. e-mail address, telephone number). 

Other categories of personal data may be processed, if those data were provided to EIT within the communication specified above.

2.3 Lawfulness of Data Processing

Your personal data are processed on the basis of Article 6(1)(b) and/or (f) of GDPR – i.e. for the performance of a contract and/or legitimate interests pursued by the Data Controller. EIT has a legitimate interest in targeted and efficient organization of its business contacts and communication with its customers, business partners and parties interested in its services and/or in cooperation with EIT.

2.4 Purposes of the Processing of Personal Data

  • to address your inquiry;

  • to send you a specific response/offer to your inquiry by e-mail or phone;

  • to process the personal data for the purpose of establishing business cooperation; or

  • to manage our business contacts within our Customer Relationship Management (hereinafter “CRM”) system.

2.5 Period of Storing of Personal Data

Your personal data will be processed for the duration of the resolution of your inquiry, for a maximum period of 12 months.

In case there will be interest in establishing business cooperation and/or in case the business cooperation is established, your personal data will be entered into our IT systems (incl. CRM system). Your personal data will be deleted from our IT systems once they will be no longer necessary to achieve the purpose for which they were collected.

2.6 Recipients

Your personal data will not be disclosed to other recipients outside of EIT. In extraordinary situations your personal data may be disclosed to competent supervisory or regulatory authority, public authority or court in case that such disclosure will be necessary: (i) under applicable laws or regulations; (ii) under resolution of relevant authority; or (iii) to protect our legal rights.

2.7 Third countries

Your personal data will not be transferred to countries outside the European Union or the European Economic Area. In case that such transfer will be necessary in the future due to changes in the EIT’s IT architecture or for other reason(s), EIT will ensure that a transfer mechanism will be fully compliant with GDPR.

2.8 Automated decision making

Automated decision-making based on your personal data does not take place.

2.9 Contact details

EmbedIT s.r.o.

Address: Evropská 2690/17, 160 41 Prague 6, Czech Republic

E-mail: sales@embedit.com

web: https://www.embedit.com/

data box: 3258pgf

You can also contact our data protection officer via the following e-mail address: dpo@embedit.com.

2.10 Information on how the rights are exercised

You may exercise your rights directly with the Data Controller at the contact address listed above, namely:

  • electronically via data box;

  • electronically via e-mail.

If the request is made electronically, the Data Controller will also provide the information electronically, unless the you request another method of establishing business cooperation. In the case of an electronically submitted request, the Data Controller is obliged to verify the identity of the person who submitted the request in order to prevent the information from reaching unauthorised persons. To verify the identity, the Data Controller will contact the person submitting an inquiry or interested in establishing business cooperation. The Data Controller provides a copy of the personal data processed free of charge. A request will be considered unfounded if it is submitted repeatedly by the same person. In such a case, the Data Controller will impose a reasonable fee for processing such a request or refuse to comply with the request.

2.11 Your Obligations

Please take into account that you are responsible for the personal data you have provided and made available to the Data Controller, and it is your duty to make sure they are relevant, truthful, exact, and not misleading. You have the duty to make sure that the personal data provided do not contain material of an obscene and defamatory nature and/or are not in breach of the rights of a third person. Personal data provided must not contain malicious code.

3. GENERAL INFORMATION

3.1 Principles and Procedures of Personal Data Processing

We would also like to inform you about the principles and procedures of personal data processing, in compliance with the provisions of Article 5 of the GDPR. Your personal data will be processed as follows:

  • the processing is lawful, fair, and performed in a transparent manner;

  • personal data are only collected for specified, explicit, and legitimate purposes and are not processed in a way incompatible with these purposes;

  • the processed personal data are always proportional and relevant in relation to the purpose for which they are processed;

  • the processed personal data are accurate;

  • personal data are only stored in a form enabling the identification of data subjects for the period required for the given purposes for which they are processed;

  • their integrity and confidentiality are always guaranteed.

3.2 Data Security

The Data Controller has in place and maintains adequate technical and organisational measures, internal controls, and information security processes in accordance with best business practice, appropriate to the potential risk to you as a data subject. The Data Controller also takes into account the state of technological development in order to protect your personal data from accidental loss, destruction, alteration, unauthorized disclosure, or access. These measures include, but are not limited to, taking reasonable steps to ensure the accountability of relevant personnel who have access to your data, training of personnel, regular backups, data recovery and incident management procedures, and software protection of devices on which data containing personal data is stored.

3.3 Information on Rights under the GDPR

  • under Articles 13-14 of GDPR

    • o    you have the right to request information from the Data Controller about the processing of your personal data.

  • under Article 15 of GDPR

    • you have the right to obtain confirmation from the Data Controller as to whether or not your personal data are being processed and, if so, to access your personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or in international organisations; (d) the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period; (e) the existence of the right to request from the Data Controller the rectification or erasure of the personal data or the restriction of their processing or to object to such processing.

    • you have the right to lodge a complaint with the supervisory authority. Filing a complaint with the Office for Personal Data Protection means that you have the right to file a complaint regarding the processing of personal data by the controller with the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Praha 7.

    • you have the right to all available information about the source of your personal data.

    • you have the right to receive a copy of your personal data processed by the Data Controller. The Data Controller may charge a reasonable fee for additional copies based on administrative costs. If you make a request electronically, the information will be provided in the electronic form that is commonly used unless you request otherwise.

  • under Article 16 of GDPR

    • you have the right to have inaccurate personal data concerning you corrected by the Data Controller without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by providing an additional declaration.

  • under Article 17 of GDPR

    • you have the right to have your personal data erased by the Data Controller without undue delay if one of the following reasons applies:

      • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

      • you have objected to processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for processing, or you have objected to processing pursuant to Article 21(2) GDPR;

      • personal data have been processed unlawfully; or

    • personal data must be erased to comply with a legal obligation under the law of the European Union or its Member State to which the Data Controller is subject.

      • the above mentioned right to be forgotten does not apply if the processing of your personal data is necessary:

      • for exercising the right to freedom of expression and information;

      • to comply with a legal obligation requiring processing under the law of the European Union or its Member State to which the Data Controller is subject or to carry out a task carried out in the public interest or in the exercise of official authority if the Controller is entrusted with such task

      • for reasons of public interest in the field of public health;

      • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) of the GDPR; or

      • for the establishment, exercise or defence of legal claims.

  • under Article 18 of GDPR

    • you have the right to have the Data Controller restrict the processing of your personal data in any of the following cases:

      • if you dispute the accuracy of your personal data, for the time necessary for the Data Controller to verify the accuracy of your personal data;

      • the processing is unlawful, and you would refuse the erasure of your personal data and instead request a restriction on its use;

      • the Data Controller no longer needs your personal data for the purposes of processing, but you would require it for the establishment, exercise, or defence of legal claims; or

      • if you object to processing pursuant to Article 21(1) GDPR until it is verified that the legitimate grounds of the Data Controller outweigh your legitimate grounds.

    • where processing has been restricted pursuant to the paragraph above, such personal data may, except for storage, be processed only with your consent or for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State thereof.

  • under Article 19 of GDPR

    • the Data Controller shall notify the individual recipients to whom the personal data have been disclosed of any rectification or erasure of personal data or restriction of processing, except where this proves impossible or involves a disproportionate effort. The Data Controller will only inform you of these recipients if you request it.

  • under Article 20 of GDPR

    • you have the right to obtain the personal data concerning you that you have provided to the Data Controller in a structured, commonly used, and machine-readable format, and the right to transfer this data to another data controller without hindrance from the Data Controller, under the conditions set out in the GDPR. In exercising your right to data portability under the previous sentence, you have the right to have your personal data transferred by the Data Controller directly to the other Data Controller, if technically feasible.

  • under Article 21 of GDPR

    • you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation, based on Article 6(1)(f) GDPR - the legitimate interest of the controller, including profiling based on these provisions. Furthermore, the controller will not process personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests or rights and freedoms or for the establishment, exercise, or defence of legal claims.

    • you can exercise your right to object by automated means using technical specifications.

  • under Article 22 of GDPR

    • you have the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects concerning you or significantly affects you in a similar way. This does not apply if the decision is:

      • necessary for the conclusion or performance of the contract between you and the Data Controller;

      • permitted by the law of the European Union or a Member State thereof which applies to the Data Controller, and which also provides for appropriate measures to ensure the protection of your rights and freedoms and legitimate interests; or

      • based on your express consent.

  • under Article 34 of GDPR

    • where a particular personal data breach is likely to result in a high risk to your rights and freedoms, the Data Controller has a duty to notify you of the breach without undue delay.

    • however, notification under this paragraph shall not be required if any of the following conditions are met:

      • the Data Controller has put in place appropriate technical and organisational safeguards and these safeguards have been applied to the personal data affected by the personal data breach, in particular those which render the personal data incomprehensible to anyone not authorised to have access to it, such as encryption.

      • the Data Controller has taken subsequent measures to ensure that the high risk to the rights and freedoms referred to in the first paragraph of this Article is no longer likely to occur.

      • it would require a disproportionate effort. In such a case, you will be informed in an equally effective manner by means of a public notice or similar measure.