Information on the processing of employees' personal data

Information on rights in relation to the protection of personal data

Obchodní společnost KREDIT, spol. s r.o., registered office Slavkov No. 284, Postal Code: 687 64, ID No.: 181 88 494, registered no. in the Commercial Register maintained by the Regional Court in Brno, under file No. C 1828 (hereinafter referred to as the "Administrator") hereby informs about the basic principles and principles in accordance with Article 13 et seq. of the European Regulation 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons in the processing of personal data and on the free movement of such data and on Directive 95/46/EC (hereinafter referred to as "GDPR"), employees about the processing of their personal data processed by the Controller in connection with the creation of employment relationship.

1. Important contact details for data protection within the Controller

Contact details of the person in charge of processing and protection of personal data data:

2. Definition of personal data and special categories of personal data

The controller will process strictly personal data corresponding to the specified purposes of their processing. These are the identification data filled in by the employee in the personal questionnaire, in the employee's submitted CV, or any other documents submitted (proof of education, motivation letter etc.), or data provided personally by the employee to the Controller, such as contact data of the employee, etc. Any data relating to previous work, skills, knowledge (qualifications) and, consequently, qualifications to work for Administrator. In connection with the provision of domestic and foreign employment travel, other personal data may also be processed, in particular passport number passport number of the employee. In addition, personal data resulting from the following are processed by the employer from the employment relationship, such as the amount of wages and other monetary and non-monetary benefits provided to the employee, data on family members in in connection with the application of tax benefits, or other personal data necessary for the fulfilment of the employer's legal obligations in connection with employment relationship.

In connection with the verification of the employee's medical fitness to perform the agreed type of work, a special category of personal data is processed data, namely data on the employee's state of health - the employee's fitness to the fitness for work, drawn up by an occupational health doctor, as well as, where applicable records of the employee's occupational accident or occupational disease occurring during the period of the duration of the employment relationship.

3. Purpose and legal basis for processing

The above-mentioned personal data of the employee will be processed by the Administrator exclusively for the performance of the employer's rights and obligations in connection with employment law relationship, i.e. an employment contract, an agreement to perform work or employment agreement. Alternatively, they are processed on the basis of a granted consent of the data subject or the processing is necessary for the purposes of legitimate interests of the Controller or a third party.

4. Period of processing of personal data

Personal data are processed by the Controller for the time necessary to ensure rights and obligations arising from the employment relationship, i.e. at least for for the duration of the employment relationship and for the period of time imposed on the Controller generally binding legal regulations.

5. Method of processing and data protection

Personal data about the employee is obtained directly from the employee.

The employee's personal data is processed by the Administrator's employees, namely automatically in electronic form in the PERM program and manually in personal employee's file stored in the office of the Human Resources Department.

In processing, the Controller will comply with all security principles for the protection of processing of personal data. To this end, the Controller has adopted technical and organisational measures to ensure the protection of personal data so that unauthorised or accidental access to or alteration of personal data, destruction or loss, unauthorised transmission, or unauthorised processing, as well as misuse. In the event of transfer of data for processing to a third party to a processor, the controller has contractually ensured the conditions under which they can processors may handle such personal data, for what purposes, including their an obligation to comply with all obligations and procedures set out in the GDPR to protect personal data.

6. Transmission of personal data

The controller expects to transfer or disclose personal data to the following to processors and, in the cases provided for by law, to state and administrative authorities authorities and other institutions.

Employees' personal data will be processed by the following data processors:

• an occupational health physician,
• an external OHS and OSH technician,
• cooperating advisors of the Controller in case of legitimate interest, in particular tax advisors, auditors, IT associates and lawyers,
• entities providing accommodation or transport for employees during a domestic or foreign business trip,
• entities providing training for employees,
• customers of the Controller in the case of performance of work at a customer of the Controller,
• national authorities of EU and non-EU countries in the case of arranging the stay of employees in a given country for the performance of their work duties,
• insurance companies in the case of providing insurance benefits as a result of damage incurred by employees in the performance of their employment duties

7. Information on the rights of the data subject

The data subject has the right to request the Controller to provide information about the processing of his or her personal data.

The data subject shall have the right to have inaccurate data rectified by the controller without undue delay. personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the data subject has the right to have incomplete personal data completed, including by providing an additional declaration.

The data subject shall have the right to have the personal data erased by the controller without undue delay. data relating to the data subject, and the controller has an obligation to erase the data without undue delay if one of the following grounds applies set out in the GDPR.

The data subject has the right to have the controller restrict the processing of personal data, in in the cases provided for in the General Data Protection Regulation.

The data subject has the right to object to the processing of personal data concerning him or her if the Controller processes personal data on the following grounds:

• the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
• the processing is necessary for the purposes of the legitimate interests of the Controller or of a third party,
• for direct marketing purposes,
• for scientific or historical research purposes or for statistical purposes.

The data subject has the right to the portability of personal data, i.e. to obtain personal data relating to him or her which he or she has provided to the controller in a structured, commonly used in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance from the controller, in the cases provided for in the GDPR.

If the processing of personal data is based on consent to processing of personal data provided by the data subject, the data subject has the right to to withdraw that consent at any time.

If the data subject considers that there has been a breach of the law in in relation to the protection of his or her personal data, he or she has the right to lodge a complaint with the a supervisory authority. The supervisory authority in the Czech Republic is the Office for Data Protection Authority.

In order to exercise their rights, data subjects may contact the Controller by e-mail - kredit@kredit.cz or by e-mail of the HR manager.