The purpose of the following Data Protection Policy (hereinafter referred to as “the Policy”) is to inform the subjects whose data we are processing about all activities involved in the processing as well as about principles used to protect their privacy.
Personal data administrator:
Gruber & Kyrianová consulting, s.r.o., IČ 17500265, domiciled Šlejnická 2019/1, 160 00 Praha 6 (hereinafter also “we,” “our,” “the Company”). Administrator Contact: Mgr. Hana Kyrianová, Telephone: 732 159 734, E-mail: kyrianova@gkconsulting.cz (hereinafter “the contact“)
GDPR: The General Data Protection Regulation (EU) 2016/679; Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive) (hereinafter “GDPR”) effective since May 25, 2018.
Personal Data: In accordance with GDPR, personal data include all information relating to an identified or identifiable natural person (i.e. the Subject = you; see below).
Special Category Data: Zvláštním osobním údajem se rozumí údaj o rasovém či etnickém původu, politických názorech, náboženském vyznání či filozofickém přesvědčení nebo členství v odborech, a zpracování genetických údajů, biometrických údajů za účelem jedinečné identifikace fyzické osoby a údajů o zdravotním stavu či o sexuálním životě nebo sexuální orientaci fyzické osoby.
Data Subject = You: Data Subject is an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing Personal Data: Per Art. 4 (2) of GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise changing availability, alignment or combination, restriction, erasure or destruction.
Controller: Per Art. 4 (7) of GDPR, ‘controller’ means the natural or legal person, public authority, agency or other body (including the Company) which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: Per Art. 4 (8) of the GDPR, ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; including defined business partners of the Company which serve the Company as Personal Data Controller in accordance with instructions of the Company / person responsible.
Supervisory Authority: The supervisory authority within the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, hereinafter “ÚOOÚ”).
Hazardous Processing: Hazardous processing is defined as processing that may jeopardize the rights and freedoms of data subjects, is regular and/or includes special categories of data relating to criminal convictions and offences or related security measures per Art. 10 of the GDPR.
Contract: Contract means any contract entered in written, electronic or any other legally defined form; including a cooperation based on one-off or occasional agreements based on general legal framework and/or specific conditions of one of the parties. A contract may also be entered orally or subsequently (e.g. acting based on an e-mailed proposition, by supplying goods/services ordered by an e-mail etc.).
We process personal identifiers, contact data and psychological profiles of Company programme participants. We also process banking data of the payers. All data are processed in accordance with relevant laws and regulations.
We offer expert assistance in assessing and selecting prospective employees; we organise courses on personal and professional development; for our clients we provide employee and client satisfaction surveys.
We process the following categories of data subjects:
Clients – participants in Company programmes (e.g. assessing prospective employees, coaching or training)
Clients – employers or paying self-participants
Company webpage visitors
We also process a negligible amount of personal data of our goods/services suppliers and potential employees.
All personal data are processed for a clearly defined purpose and retention period:
| Data Subject Category | Purpose of Processing | Legal Basis for Processing | Retention Period |
|---|---|---|---|
| Programme Participants (no direct contract with us) | Assessing the participant as a prospective employee, creating a psychological profile and providing output to a potential employer, collecting feedback | – based on your consent as a participant – bor the given purpose, we are processing personal identifiers, contact data, video recordings and psychological profile | For the given purpose, collected data may be processed and archived for up to 1 year or until consent is revoked |
| Distribution of business information in the form of e-mail newsletters | -based on your consent as a subscriber -for the given purpose, we are processing personal identifiers, contact data in accordance with the Act No. 420/2004 Coll. | For the given purpose, collected data may be processed for indefinite time, until the recipient cancels the subscription | |
| Programme Participants (with a direct contract with us) | Fulfilling a contract | -based on fulfilling contractual obligations -for the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices), video recordings and psychological profile | For the given purpose, collected data may be processed for the duration of the contract |
| Fulfilling our obligations regarding taxes and accounting practices | -based on fulfilling legal obligations as set by relevant laws and regulations (esp. regarding accounting and VAT payments) -for the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices | For the given purpose, collected data may be processed and archived for up to 5 years after the end of fiscal year in which the contract took place | |
| Laying contractual claims | -based on our rightful interest -for the given purpose, we are processing personal identifiers, contact data, accounting data and history of cooperation / communication of our clients / contacts in legal persons. These data are necessary even after termination of contract for potential claims, debt requisition and/or further cooperation | For the given purpose, collected data may be processed and archived for up to 3 years after contract termination; should a legal dispute follow, then for the whole duration of the dispute | |
| Maintaining a client database, distributing business information in the form of e-mail newsletters, webpage statistics | -based on our rightful interest -for the given purpose, we are processing personal identifiers, contact data and sometimes also information about previous cooperation in accordance with the Act No. 420/2004 Coll. To monitor your interest in our services we use the Mailchimp online service. We process data about which links in the newsletter you used and how often you did it to offer you our most suitable services | For the given purpose, collected data may be processed and archived for indefinite time, newsletters until the recipient cancels the subscription | |
| Employers (and their contact persons) | Fulfilling a contract | -based on fulfilling contractual obligations -for the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices) | For the given purpose, collected data may be processed for the duration of the contract |
| Fulfilling our obligations regarding taxes and accounting practices | -based on fulfilling legal obligations as set by relevant laws and regulations (esp. regarding accounting and VAT payments) -for the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices) | For the given purpose, collected data may be processed and archived for up to 5 years after the end of fiscal year in which the contract took place | |
| Laying contractual claims | -based on our rightful interest -for the given purpose, we are processing personal identifiers, contact data, accounting data and history of cooperation / communication of our clients / contacts in legal persons. These data are necessary even after termination of contract for potential claims, debt requisition and/or further cooperation | For the given purpose, collected data may be processed and archived for up to 3 years after contract termination; should a legal dispute follow, then for the whole duration of the dispute | |
| Maintaining a client database, distributing business information in the form of e-mail newsletters, webpage statistics | -based on our rightful interest -for the given purpose, we are processing personal identifiers, contact data and sometimes also information about previous cooperation in accordance with the Act No. 420/2004 Coll. To monitor your interest in our services we use the Mailchimp online service. We process data about which links in the newsletter you used and how often you did it to offer you our most suitable services | For the given purpose, collected data may be processed and archived for indefinite time, newsletters until the recipient cancels the subscription | |
| Webpage Visitors | Webpage adjustments and fine-tuning | -based on our rightful interest -for the given purpose, we use Google Analytics to observe webpage visitor behaviour. We use general statistical data in no way connected with specific persons | For the given purpose, collected data may be processed and archived for indefinite time. |
| Candidate Employees | Selecting suitable employees among candidates | -based on employment contract negotiation -for the given purpose, we are processing personal identifiers (first name, surname), contact data and other information provided by candidates in their CVs, motivation letters and elsewhere | For the given purpose, collected data may be processed and archived for up to 6 months after the selection ends (so that the Company may address other candidates in case a selected employee terminates the contract). We may keep them for longer if you give your explicit consent. |
| Proving non-discrimination | -based on our rightful interest to select a candidate, to address an unsuccessful candidate should the selected one terminate the contract and to prove non-discrimination during the process -for the given purpose, we are processing personal identifiers (first name, surname), contact data (e-mail, phone no.) and other information provided by candidates in their Cvs, motivation letters and elsewhere | For the given purpose, collected data may be processed and archived for up to 3 years (if needed to prove non-discrimination) | |
| Suppliers of Goods and Services | Assuring contractual obligations are fulfilled, incl.contact with the other party | -based on fulfilling contractual obligations -for the given purpose, we are processing personal identifiers (first name, surname, tax identifiers IČO and DIČ), contact data (e-mail, phone no., bank account no.) and signature | For the given purpose, collected data may be processed and archived for up to 3 years after contract termination |
| Fulfilling company obligations regarding accounting | -based on fulfilling legal obligations as set by relevant laws and regulations (esp. Act No. 563/1991 Coll. on accounting, No.340/2015 Coll. on registering contracts and No. 134/2016 Coll. on public tenders) -for the given purpose, we are processing personal identifiers (first name, surname, company name, IČO and DIČ tax identifiers), contact data (e-mail, phone no., bank account no.) and signature | For the given purpose, collected data may be processed and archived for up to 5 years (accounting documents) or 10 years (tender documentation) after contract termination | |
| Debt requisition or evidence for legal dispute | -based on our rightful interest to obtain what the company is due according to the contract and/or by law -for the given purpose, we are processing personal identifiers, contact data, accounting data and history of cooperation / communication of our clients / contacts in legal persons. These data are necessary even after termination of contract for potential claims, debt requisition and/or further cooperation | For the given purpose, collected data may be processed and archived for up to 3 years after contract termination; should a legal dispute follow, then for the whole duration of the dispute |
When the retention period in the above table transpires, personal data may be kept for state statistical purposes, for research and/or archival purposes only.
We may also transfer your personal data for valid reasons to other subjects (hereinafter “the Recipients”).
Personal data may be transferred to the following recipients:
Legality
We process your personal data within relevant legal framework, especially GDPR.
Consent of the Data Subject
Wherever necessary, we process your personal data only the way and within the scope you gave us consent to.
Minimising and Limiting Processing of Personal Data
We process your personal data only within the scope necessary for the purpose they were collected for; and for a duration not longer than is necessary for that purpose.
Accuracy of the Processed Personal Data
When we process personal data we emphasise ther accuracy and use appropriate means to ensure they are accurate and up-to-date.
Transparency
This Policy and Contacts in Art. I offer you a way to find out how we process your personal data and at what scope.
Limitation by Purpose
We process your personal data only at a scope necessary for the purpose they were collected for and in accordance with it.
Safety
The way we process your personal data ensures their proper safeguarding, including their protection by appropriate technical and/or organisational measures against unauthorised/illegal processing as well as against accidental loss, damage or destruction.
When processing personal data we do not use automated individual decision-making, not even based on profiling.
Automated individual decision-making including profiling is considered to be any form of decision-making based on automated processing of personal data, i.e. without any human intervention, based i.a. on assessing certain personal aspects of data subjects, especially for the purpose of analysis and/or forecast of their work performance, economic situation, health, personal preferences and interests, reliability, behaviour, location and/or movement.
You have the right to access to personal data concerning you, namely the right to request confirmation whether we are processing personal data concerning you or not; as well as other information about processed data and processing methods as defined by the GDPR (purpose of processing, category of personal data, recipients, planned retention period, source of personal data, your right to rectification, restriction and/or erasure, your right to object and to file a complaint). Upon your request, the Company shall provide you with a copy of your personal data, free of charge. In case of repeated requests we may charge a fee appropriate to the administrative costs incurred.
To obtain access to your personal data, please use contacts in Chapter I.
Where processing of personal data depends on your consent, you have the right to revoke your consent at any time.
To obtain access to your personal data, please use contacts in Chapter I.
Should you find your personal data administered by the Company are in any way inaccurate, you have the right to demand they be rectified without needless delay. When relevant to the specific situation, you may also demand your personal data to be expanded upon.
You have the right to demand we erase personal data that concern you without needless delay in the following cases:
To demand erasure in the above-listed cases, please use contacts in Chapter I.
To find out whether there are reasons disallowing erasure, please use contacts in Chapter I.
You have the right to restrict the Company in processing your personal data in cases when:
While the restriction of personal data processing lasts, the Company may process your personal data (except for archiving) only with your consent or to establish, exercise or defend legal claims or to protect the rights of another legal / natural person or in the public interest of the EU or one of its Member States. As noted above, you may demand restriction using contacts in Chapter I
You have the right to object against processing your personal data in the following cases:
To object against processing, please use contacts in Chapter I.
In case the processing is based on your consent or is necessary to fulfill a contract between you and the Company, you have the right to receive personal data concerning you and which you have provided, in a structured, commonly used and machine-readable format, if we use such. You have the right to transmit those data to another controller without hindrance or request the Company to transmit to another controller, if technically possible.
To receive your personal data, please use contacts in Chapter I.
We are currently not using personal data to automated decision-making. If we did, you would have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affect you, unless:
Should a potential failure to safeguard personal data result in possible high risk to your rights and freedoms, the Company shall inform you about it without needless delay. As long as your personal data were processed using technical and/or organisational means precluding their readability for unauthorised persons or subsequent measures taken by the Company eliminate high risk, the Company is not obliged to inform you about it.
If you believe your rights have been violated by processing your personal data, you have the right to file a complaint to the supervisory authority. The relevant authority for the Czech Republic is the Office for Personal Data Protection (ÚOOÚ).
This Data Protection Policy comes into effect on 15.9.2022.
THIS IS WHERE WE TRAIN AND CONSULT:
Gruber&Kyrianová Consulting s.r.o.
Šlejnická 2018/1
160 00 Praha 6
Česká republika