1. Introduction and definitions
1.1.
This document provides information on terms and conditions under which the company Second Foundation Tech a.s. (“Company”) processes personal data of job applicants after filling in the vacancy form on the Company’s website, sending a CV via the web form or via e-mail to the Company’s e-mail address and when participating in the selection procedure for the vacancy. The Company’s contact email for any matters connected to data processing is: gdpr@second-foundation.eu.
1.2.
Unless stated otherwise in this document, the terms shall have the following meaning:
- “Company” or “Controller” means the company Second Foundation Tech a.s., Company ID No. 14078601, seated at Na Florenci 2139/2, Nové Město, 110 00 Praha 1, registered under File No. B 26919 in the Commercial Register maintained by the Municipal Court in Prague;
- “Data subject” means a natural person to whom the processed Personal Data is related, particularly the Job applicant;
- “Job applicant” means a person applying for a position with the Company, whether in an employment or other labor law relationship with the Company or as a self-employed person working with the Company and/or providing services to the Company under a business contract;
- “GDPR” means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, in conjunction with Act No. 110/2019 Coll., on the processing of personal data as amended;
- “Personal data” means any information relating to a Data subject;
- “processing” means any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Information on Personal data processing
2.1.
Overview. The Company informs Job applicants about their Personal data it processes, legal basis and purpose for such processing, period of such processing and Personal data storing, measures ensuring security of Personal data, whether and to whom the Personal data is made available or transmitted and about the rights of Job applicants in connection with the Personal data processing.
2.2.
Controller identification. The Company determines the purposes and means of the processing of Personal data and is therefore their Controller. The Controller can also use various suppliers who process Personal data as processors. The Company may transmit Personal data to state authorities or third parties if it has a statutory obligation to do so or is allowed to do so under statutory legal regulations and, if all the GDPR requirements are met, also to other companies in the Company’s group of companies.
2.3.
No data protection officer. The Company is not subject to the obligation to designate a data protection officer, as it does not fulfill any of the conditions set out in Article 37 of the GDPR. Nor has the Company voluntarily designated a data protection officer. Unless expressly stated or otherwise specified, the issue of personal data protection falls within the competence of the Administrative Board of the Company or a person authorized by it.
2.4.
Type of processed personal data, purpose and reason for processing.
- In connection with the negotiation of possible cooperation and conclusion of a contract between the Company and the Job applicant, the Controller works with Personal data that the Data subjects provided (for example, first name, surname, CV) and made public about themselves on social networks Facebook, Twitter, Instagram, LinkedIn, etc. (hereinafter referred to as “social networks”). Such processing is a pre-contractual measure and is in the legitimate interest of the Controller.
- Based on the consent of the Job applicant granted to the Company for processing of Personal data for the purposes of record keeping of potential employees or associates of the Company, the Controller processes Personal data provided by Data subjects (such as first name, surname, email, CV) and those published about themselves on social networks. If the Job applicant gives the Company consent to the processing of his/her Personal data, the Company will keep the Personal data for the purposes of other potential job offers for 2 years following the day the consent was granted by the Job applicant. The Job applicant can of course withdraw the given consent at any time sooner; in such a case the Company will erase the relevant Personal data immediately, unless there is another title stipulated by law obliging or entitling the Company to keep the relevant Personal data longer.
2.5.
Retention period of Personal data. The Controller stores Personal data for the duration of the purpose for which specific Personal data is processed. Personal data is stored until the conclusion of an employment or other contract with the Job applicant or, if no contract is concluded with the Job applicant, until the end of the selection procedure for the position but no later than 6 months from the date of delivery of the Personal data to the Administrator (unless there exists a legal title under GDPR to store the Personal data longer to protect the justified interest of the Company). In the event that the Job Seeker has given consent to the Administrator to process Personal data for the purpose of record keeping of potential employees or associates of the Company (i.e. including unsuccessful Job applicants and for the period after the end of the selection procedure for the position), the Personal data will be retained until the consent is withdrawn but no longer than 2 years from the date of delivery of the Personal data to the Administrator.
2.6.
Means of Personal data processing and their security. Personal data is kept in paper and electronic form and their processing can be performed manually or automatically. Personal data recorded in paper form are stored in secure cabinets and are accessible only to workers who need them to perform their tasks. The same applies to data recorded in electronic form, the disclosure of which is subject to entry of unique access data. The Controller does not pass on Personal data to anyone else without consent, unless such an obligation arises from law, or the recipient is bound by a duty of confidentiality or respective legal and contractual obligations, and to the extent permitted by GDPR. If the Controller uses Personal data processors to fulfill its legal or contractual obligations or for any other reason, these are always entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure proper and sufficient protection of Personal data. Some processors may work with the Personal data in another EU country or outside the EU. Outside the EU, the data will be transmitted under the conditions required by the GDPR (for more information, see the European Commission’s website). Upon request, the Controller will provide information about specific processors. There is no automated decision-making, including profiling, when processing Personal data.
2.7.
Rights of the Data subject. As the Data subject, the Job applicant has the following rights in accordance with the GDPR:
- Right of access to Personal data: the right to obtain information on whether Personal data of the Data subject is processed and, if so, the right of access to this Personal data.
- Right to rectification of inaccurate Personal data and the right to have incomplete Personal data completed: The right to rectification of inaccurate data and the right to have incomplete data completed; the rectification or completion takes place without undue delay, and always with regard to technical possibilities.
- Right to erasure: the right to erase Personal data if (i) they are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) the processing was unlawful, (iii) Data subject objected to the processing and there are no overriding legitimate grounds for processing of Personal data, or the law requires erasure, (iv) the Company as a Controller is required to erase data under its legal obligation, or (v) the Data subject withdrew the consent to the processing of Personal data.
- Right to restriction of processing: if the Data subject requests to obtain restriction of processing, the Company is only allowed to store personal data, not further process it, with the exceptions set out in the GDPR. The right to restriction may be exercised in the following cases:
  - If the Data subject contests the accuracy of Personal data; in this case, the restrictions apply for the time necessary for the Company to verify the accuracy of the personal data.
  - If the Company processes Personal data unlawfully, but instead of erasure the Data subject requests only restriction of their use.
  - If the Company no longer needs Personal data for the above-mentioned purposes of processing, but the Data subject requests the data for the establishment, exercise or defense of legal claims.
  - If the Data subject objects to processing, the data processing is restricted pending the verification whether the legitimate interest of the Company overrides the Data subject’s interest.
- Right to data portability: if the Data subject wishes the Company to transmit Personal data to another controller, it may exercise its right to data portability, if technically feasible. In the event that the exercise of this right would adversely affect the rights and freedoms of other persons, the Company will not be able to comply with the request.
- Right to object: the right to object to the processing of Personal data which are processed for the purpose of protecting the legitimate interests of the Company or for the purpose of fulfilling a task performed in the public interest or in the exercise of public power. If the Company does not prove that there is a justified legitimate reason for the processing which overrides the interests or rights and freedoms of the Data subject, it shall terminate the processing on the basis of the objection without undue delay.
- Right to withdraw the consent. If the Company processes Personal data on the basis of the consent of the Data subject, such consent is voluntary and may be withdrawn. The consent may be withdrawn at any time, using the contact details provided in Articles 1.1 and 1.2 mentioned above. Following the withdrawal of the consent, the Company may no longer process such personal data, unless it has another legal reason for processing. Withdrawing the consent does not affect the legitimacy and lawfulness of processing of Personal data on the basis of consent before its withdrawal. The processing of Personal data on the basis of other legal reasons mentioned above (fulfillment of a legal obligation, fulfillment of a contract to which you are a party, legitimate interest of the Company) is not subject to consent, therefore it is not possible to request that the Company does not process such Personal data based on withdrawal of the consent.
- Right to file a complaint with the Office for Personal Data Protection: the Data subject can file a complaint with the Office for Personal Data Protection if the Data subject claims that the processing of data violated his/her right to personal data protection during their processing or related legislation, including violating the above mentioned rights. The Office for Personal Data Protection is located at the address Pplk. Sochora 27, 170 00 Prague 7. More information about its activities is available on the website https://www.uoou.cz/.
3. Additional information
For further information, questions, requests and any complaints regarding the processing of Personal data, contact the Controller at the address of its seat or the above-mentioned contact e-mail address.
Second Foundation Tech a.s.