Data Privacy

DATA PROTECTION POLICY

The purpose of the following  Data Protection Policy (hereinafter referred to as  “the Policy”) is to inform the subjects whose data we are processing about all activities involved in the processing as well as about principles used to protect their privacy.

I  Persons Responsible

Personal data administrator:

Tres consulting s.r.o., IČ 283 78 784, domiciled Lužická 1682/19, Vinohrady, 120 00 Prague 2
(hereinafter “we,” “our,” “the Company”)

Administrator contacts: PhDr. Alexandra Fonville, Ph.D.
Phone: 775 039 480
E-mail: fonville@tresconsulting.cz
(hereinafter “the Contact”)

II  Definition of Terms

GDPR:

The General Data Protection Regulation (EU) 2016/679; Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive) (hereinafter “the GDPR”)

Personal Data:

In accordance with GDPR, personal data include all information relating to an identified or identifiable natural person (i.e. the Subject = you; see below).

Special Category Data:

In accordance with GDPR, Special Category Data are any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data Subject = You:

Data Subject is an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Processing Personal Data:

Per Art. 4 (2) of the GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller:

Per Art. 4 (7) of the GDPR, ‘controller’ means the natural or legal person, public authority, agency or other body (including the Company) which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor:

Per Art. 4 (8) of the GDPR, ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Supervisory Authority:

The supervisory authority within the Czech Republic is the Office for Personal Data Protection (ÚOOÚ).

Hazardous Processing:

Hazardous processing is defined as processing that may jeopardize the rights and freedoms of data subjects and/or includes special categories of data relating to criminal convictions and offences or related security measures per Art. 10 of the GDPR.

Contract:

Contract means any contract entered in written, electronic or any other legally defined form; including a cooperation based on one-off or occasional agreements based on general legal framework and/or specific conditions of one of the parties. A contract may also be entered orally or subsequently (e.g. based on an e-mailed proposition, by supplying goods/services ordered by an e-mail etc.).

III  Processed Personal Data

We process personal identifiers, contact data and psychological profiles of Company programme participants. We also process banking data of the payers. All data are processed in accordance with relevant laws and regulations.

IV Data Subject Categories, Purposes of Processing and Retention Periods

We offer expert assistance in assessing and selecting prospective employees; courses on personal and professional development; for our clients we provide employee and client satisfaction surveys.

We process the following categories of data subjects:

a) clients – participants in Company programmes (e.g. assessing prospective employees, coaching or training)

b) clients – employers or paying self-participants

c) Company webpage visitors

We also process a negligible amount of personal data of our goods/services suppliers and potential employees.

All personal data are processed for a clearly defined purpose and retention period.

Data Subject Category

Purpose of Processing

Legal Basis for Processing

Retention Period

Programme Participants

(no direct contract with us)

Assessing the participant as a prospective employee, creating a psychological profile and providing output to a potential employer, collecting feedback

Based on your consent as a participant

For the given purpose, we are processing personal identifiers, contact data, video recordings and psychological profile

For the given purpose, collected data may be processed and archived for up to 1 year or until consent is revoked

Distribution of business information in the form of e-mail newsletters

Based on your consent as a subscriber

For the given purpose, we are processing personal identifiers, contact data in accordance with the Act No. 420/2004 Coll.

For the given purpose, collected data may be processed for indefinite time, until the recipient cancels the subscription

Programme Participants

(with a direct contract with us)

Fulfilling a contract

Based on fulfilling contractual obligations

For the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices), video recordings and psychological profile

For the given purpose, collected data may be processed for the duration of the contract

Fulfilling our obligations regarding taxes and accounting practices

Based on fulfilling legal obligations as set by relevant laws and regulations (esp. regarding accounting and VAT payments)

For the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices)

For the given purpose, collected data may be processed and archived for up to 5 years after the end of fiscal year in which the contract took place

Laying contractual claims

Based on our rightful interest

For the given purpose, we are processing personal identifiers, contact data, accounting data and history of cooperation / communication of our clients / contacts in legal persons. These data are necessary even after termination of contract for potential claims, debt requisition and/or further cooperation

For the given purpose, collected data may be processed and archived for up to 3 years after contract termination; should a legal dispute follow, then for the whole duration of the dispute

Maintaining a client database, distributing  business information in the form of e-mail newsletters, webpage statistics

Based on our rightful interest

For the given purpose, we are processing personal identifiers, contact data and sometimes also information about previous cooperation in accordance with the Act No. 420/2004 Coll.

To monitor your interest in our services we use the Mailchimp online service.

We process data about which links in the newsletter you used and how often you did it to offer you our most suitable services

For the given purpose, collected data may be processed and archived for  indefinite time, newsletters until the recipient cancels the subscription

Employers (and their contact persons)

Fulfilling a contract

Based on fulfilling contractual obligations

For the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices)

For the given purpose, collected data may be processed for the duration of the contract

Fulfilling our obligations regarding taxes and accounting practices

Based on fulfilling legal obligations as set by relevant laws and regulations (esp. regarding accounting and VAT payments)

For the given purpose, we are processing personal identifiers, contact data and accounting data (esp. bank account no. and other information included on invoices)

For the given purpose, collected data may be processed and archived for up to 5 years after the end of fiscal year in which the contract took place

Laying contractual claims

Based on our rightful interest

For the given purpose, we are processing personal identifiers, contact data, accounting data and history of cooperation / communication of our clients / contacts in legal persons. These data are necessary even after termination of contract for potential claims, debt requisition and/or further cooperation

For the given purpose, collected data may be processed and archived for up to 3 years after contract termination; should a legal dispute follow, then for the whole duration of the dispute

Maintaining a client database, distributing  business information in the form of e-mail newsletters, webpage statistics

Based on our rightful interest

For the given purpose, we are processing personal identifiers, contact data and sometimes also information about previous cooperation in accordance with the Act No. 420/2004 Coll.

To monitor your interest in our services we use the Mailchimp online service.

We process data about which links in the newsletter you used and how often you did it to offer you our most suitable services

For the given purpose, collected data may be processed and archived for  indefinite time, newsletters until the recipient cancels the subscription

Webpage Visitors

Webpage adjustments and fine-tuning

Based on our rightful interest

For the given purpose, we use Google Analytics to observe webpage visitor behaviour. We use general statistical data in no way connected with specific persons

For the given purpose, collected data may be processed and archived for  indefinite time.

Potential Employees

Selecting suitable employees among candidates

Based on employment contract negotiation

For the given purpose, we are processing personal identifiers (first name, surname), contact data and other information provided by candidates in their CVs, motivation letters and elsewhere

For the given purpose, collected data may be processed and archived for up to 6 months after the selection ends (so that the Company may address other candidates in case a selected employee terminates the contract). We may keep them for longer if you give your explicit consent.

Proving  non-discrimination

Based on our rightful interest to select a candidate, to address an unsuccessful candidate should the selected one terminate the contrast and to prove non-discrimination during the process

For the given purpose, we are processing personal identifiers (first name, surname), contact data (e-mail, phone no.) and other information provided by candidates in their Cvs, motivation letters and elsewhere

For the given purpose, collected data may be processed and archived for up to 3 years (if needed to prove non-discrimination)

Suppliers of Goods and Services

Assuring contractual obligations are fulfilled, incl.contact with the other party

Based on fulfilling contractual obligations

For the given purpose, we are processing personal identifiers (first name, surname), contact data (e-mail, phone no., bank account no.) and signature

For the given purpose, collected data may be processed and archived for up to 3 years after contract termination

Fulfilling company obligations regarding accounting

Based on fulfilling legal obligations as set by relevant laws and regulations (esp. Act No. 563/1991 Coll. on accounting, No.340/2015 Coll. on registering contracts and No. 134/2016 Coll. on public tenders)

For the given purpose, we are processing personal identifiers (first name, surname, company name, IČO + DIČ tax identifiers), contact data (e-mail, phone no., bank account no.) and signature

For the given purpose, collected data may be processed and archived for up to 5 years (accounting documents) or 10 years (tender documentation) after contract termination

Debt requisition or evidence for legal dispute

Based on our rightful interest to obtain what the company is due according to the contract and/or law

For the given purpose, we are processing personal identifiers, contact data, accounting data and history of cooperation / communication of our clients / contacts in legal persons. These data are necessary even after termination of contract for potential claims, debt requisition and/or further cooperation

For the given purpose, collected data may be processed and archived for up to 3 years after contract termination; should a legal dispute follow, then for the whole duration of the dispute

When the retention period in the above table transpires, personal data may be kept for state statistical purposes, for research and/or archival purposes only

V  Personal Data Recipients and Transfer of Personal Data

We may also transfer your personal data for valid reasons to other subjects (hereinafter “the Recipients).

Personal data may be transferred to the following recipients:

* in case of assessed persons to their employers / potential employers;

* to processors who process your personal data in accordance with our instructions and Article 28 of the GDPR:

* our external accountants

* our external IT specialists

* provider of our software for the distribution of business information;

* state institutions and other subjects that are entitled to them by law;

* other subjects in case of emergency which requires they be provided to preserve health, life, property and/or public interest or when it is necessary to protect the Company rights, property or safety.

VI  Principles of Personal Data Processing

Legality

We process your personal data within relevant legal framework, esp. the GDPR.

Consent of the Data Subject

Wherever necessary, we process your personal data only within the scope you gave us consent to.

Minimising and Limiting Processing of Personal Data

We process your personal data only within the scope necessary for the purpose they were collected for; and for a duration not longer than is necessary for that purpose.

Accuracy of the Processed Personal Data

When we process your personal data we emphasise ther accuracy and use appropriate means to ensure they are accurate and up-to-date.

Transparency

This Policy and contacts in Art. I offer you a way to find out how we process your personal data and at what scope.

Limitation by Purpose

We process your personal data only at a scope necessary for the purpose they were collected for and in accordance with it.

Safety

The way we process your personal data ensures their proper safeguarding, including protection by appropriate technical and/or organisational measures against unauthorised/illegal processing as well as against accidental loss, damage or destruction.

VII  Automated Individual Decision-Making Including Profiling

When processing personal data we do not use automated individual decision-making, not even based on profiling.

Automated individual decision-making including profiling is considered to be any form of decision-making based on automated processing of personal data, i.e. without any human intervention, based i.a. on assessing certain personal aspects of data subjects, especially for the purpose of analysis and/or forecast of their work performance, economic situation, health, personal preferences and interests, reliability, behaviour, location and/or movement.

VIII  Your Rights as the Data Subject

The Right to Access Own Personal Data

You have the right to access to personal data concerning you, namely the right to request confirmation whether we are processing  personal data concerning you or not; as well as other information about processed data and processing methods as defined by the GDPR (purpose of processing, category of personal data, recipients, planned retention period, source of personal data, your right to rectification, restriction and/or erasure, your right to object and to file a complaint). Upon your request, the Company shall provide you with a copy of your personal data, free of charge. In case of repeated requests we may charge a fee appropriate to the administrative costs incurred.

To obtain access to your personal data, please use contacts in Chapter I.

The Right to Revoke Consent with Processing Personal Data, When the Processing Requires Consent

Where processing of personal data depends on your consent, you have the right to revoke your consent at any time.

To revoke your consent, please use contacts in Chapter I.

The Right to Rectification, Restriction and/or Erasure

Should you find your personal data administered by the Company are in any way inaccurate, you have the right to demand they be rectified without needless delay. When relevant to the specific situation, you may also demand your personal data to be expanded upon.

To demand rectification, restriction and/or erasure, please use contacts in Chapter I.

The Right to Erasure of Personal Data

You have the right to demand we erase personal data that concern you without needless delay in the following cases:

* when you revoke consent with processing your personal data and the Company has no other legal reason for their processing that would overrule your right to erasure;

* when you object against processing (see below);

* when your personal data are no longer needed for the purpose they were collected / processed for;

* when personal data were being processed in breach of the law;

* when personal data were collected when offering services to a person younger than 18 years;

* when personal data have to be erased to comply with the Company’s legal obligation to Czech / European laws.

To demand erasure in the above-listed cases, please use contacts in Chapter I.

The Right to Erasure of Personal Data is Denied When Their Processing Is Necessary:

* to preserve the freedom of speech and information;

* to comply with other legal obligations;

* to protect public interest in the area of public health;

* for archival purposes in public interest, for scientific and/or historical research, for statistical purposes; in cases when their erasure would likely jeopardize / preclude the task the processing was being done for;

* to establish, exercise or defend legal claims.

To find out whether there are reasons disallowing erasure, please use contacts in Chapter I.

The Right to Restriction of Personal Data Processing

You have the right to restrict the Company in processing your personal data in cases when:

* you contest the accuracy; the restriction lasts for a period enabling the Company to verify the accuracy of personal data.

* the processing is unlawful, you oppose the erasure of your personal data and request the restriction of their use instead.

* your personal data are no longer needed for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

* when you have objected to processing (see below); in this case  the restriction lasts until it is determined whether the legitimate grounds of the Company override yours or not.

While the restriction of personal data processing lasts, the Company may process your personal data (except for archiving) only with your consent or to establish, exercise or defend legal claims or to protect the rights of another legal / natural person or in the public interest of the EU or one of its Member States. As noted above, you may demand restriction using contacts in Chapter I.

The Right to Object Against Processing

You have the right to object against  processing your personal data in the following cases:

* when processing personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company or for the purposes of the legitimate interests pursued by the Company and you object against processing, we may not process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or for the establishment, exercise or defence of our legal claims.

* when your personal data are processed for direct marketing purposes and you object, the Company shall no longer process your personal data.

* when your personal data are processed for scientific and/or historical research or for statistical purposes, the Company shall no longer process your personal data unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To object against processing, please use contacts in Chapter I.

The Right to Data Portability

In case the processing is based on your consent or is necessary to fulfill a contract between you and the Company, you have the right to receive personal data concerning you and which you have provided, in a structured, commonly used and machine-readable format, if we use such. You have the right to transmit those data to another controller without hindrance or request the Company to transmit to another controller, if technically possible.

To receive your personal data, please use contacts in Chapter I.

The Right Not to Subject to any Decision-making Based Solely on Automation, Including Profiling

We are currently not using personal data to automated decision-making. If we did, you would have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affect you, unless:

* automated decision-making were authorised by law;

* automated decision-making were necessary to fulfill obligation of a contract between you and the company;

* you had provided explicit consent with automated decision-making.

The Right to Be Informed About a Failure to Safeguard Personal Data

Should a failure to safeguard personal data result in possible high risk to your rights and freedoms, the Company shall inform you about it without needless delay.  As long as your personal data were processed using technical and/or organisational means precluding their readability for unauthorised persons or subsequent measures taken by the Company eliminate high risk, the Company is not obliged to inform you about it.

The Right to File a Complaint to the Supervisory Authority

If you believe your rights have been violated by processing your personal data, you have the right to file a complaint to the supervisory authority. The relevant authority for the Czech Republic is the Office for Personal Data Protection (ÚOOÚ).

Úřad pro ochranu osobních údajů

Podplukovníka Sochora 27
Prague 7

Post Code 170 00

phone: 234 665 111

E-mail: posta@uoou.cz
Digital Box Address: qkbaa2n

www.uoou.cz

This Data Protection Policy comes into effect on May 25, 2018.