Information Memorandum on the Processing of Personal Data of NESS Czech s.r.o.

When processing personal data, NESS Czech s.r.o. is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the “Regulation.”

Content: 

  1. Introductory Provisions 
  2. Contact Details of the Company (Article 13, points 1a, b of the Regulation) 
  3. Professional Terms 
  4. Compliance with Legal Provisions and Basic Principles of Processing (Article 5, 6 of the Regulation) 
  5. Personal Data (Categories of Personal Data – General) (Article 12 of the Regulation) 
  6. Sources of Personal Data (Article 13, 14 of the Regulation) 
  7. Legal Basis for Processing Personal Data (Article 13, point 1c of the Regulation) 
  8. Purposes of the Processing of Personal Data (Article 13, points 1c, d of the Regulation) 
  9. Categories of Processing of Personal Data (Article 12) 
  10. List of Personal Data Processed (Articles 12, 13, 14 of the Regulation) 
  11. Methods of Processing Personal Data (Article 12 of the Regulation) 
  12. Is Your Data Analyzed? (Profiling) (Article 13, 2f of the Regulation) 
  13. Who Else Does the Company Allow Access to Your Personal Data? (Article 13, point 1e of the Regulation) 
  14. Retention Period of Personal Data (Article 13, point 2a, Article 22 of the Regulation) 
  15. Transfer of Personal Data Outside the EU (Article 44 of the Regulation) 
  16. Cookies and Browser Usage Policy 
  17. Your Rights (Articles 12, 14, 13, 2b, c, d, 15, 16, 17, 18, 19, 20, 21 of the Regulation) 
  18. Restrictions (Article 23 of the Regulation) 
  19. Method of Exercising the Rights of Data Subjects and Handling Requests from Data Subjects (Article 12 of the Regulation) 

1) INTRODUCTORY PROVISIONS 

Purpose of the Information Memorandum on the Processing of Personal Data: 

NESS Czech s.r.o., identification number: 45786259 (hereinafter also referred to as the “Company” or “we”), hereby issues this Information Memorandum on the processing of personal data by the Company as a personal data controller (hereinafter also referred to as the “Memorandum”). 

The purpose of this Memorandum is to inform you (hereinafter referred to as “you”), as data subjects, i.e. persons whose personal data is processed by the Company (in particular the Company’s customers, business partners (suppliers) of the Company, job applicants for employment with the Company, employees of the Company, and visitors to the Company’s website), about the processing of your personal data carried out by the Company and your rights related to this processing. 

This Memorandum applies only to the processing of personal data that is carried out by the Company as the data controller. 

Conversely, this Memorandum does not apply to the processing of personal data that is (or may be) carried out by the Company as a processor of personal data for third parties, who determine the purposes and means of such processing (and are thus in the position of data controllers in relation to such processing of personal data). 

This Memorandum may be amended, supplemented, or otherwise updated by the Company. The current version of the Memorandum can be found on the Company’s website at www.ness.com/ness-czech/. We encourage you to review the current version of the Memorandum periodically. 

 

2) CONTACT DETAILS OF THE COMPANY 

Personal Data Controller: 

NESS Czech s.r.o. 

Tel: +420 244 026 400 

In the Park 2335/20, 

148 00 Prague 4, Chodov 

Email: nesscz@ness.com 

Contact details for our offices in the Czech Republic can be found at www.ness.cz/kontakt. 

Please direct any questions regarding the processing of your personal data to our Data Controller. 

Data Protection Officer: 

Czech DPO Office s.r.o. 

Anny Letenské 7, Prague 2 – Vinohrady 

Website: www.czechdpooffice.eu 

Email: poverenec@czechdpooffice.eu 

Questions can be sent via the contact form on the above web portal.

 

3) TECHNICAL TERMS 

Unless otherwise expressly stated in this Memorandum, technical terms used in this Memorandum shall have the following meanings: 

  • Personal Data: Any information about your person that identifies you or allows for the direct or indirect identification of your person. 
  • Recipient: A natural or legal person (another company) to whom your personal data is provided (e.g., transport companies or public authorities). 
  • Controller: The person who determines the purposes and means of the processing of personal data. In the case of the processing of your personal data within the scope of this Memorandum, the Company is the controller of your personal data. 
  • Data Subject: Your person, as the natural person to whom the personal data relates. 
  • Third Country: A country other than a Member State of the European Union, Iceland, Norway, and Liechtenstein. 
  • Website User: A visitor to the Company’s website. 
  • Processing of Personal Data: Any treatment of personal data such as collection, recording, arrangement, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other disclosure, arrangement or combination, restriction, erasure, or destruction. 
  • Processor: A natural or legal person, agency, or other entity that processes personal data on behalf of the Company (e.g., accounting or law firms). 

 

4) COMPLIANCE WITH LEGISLATION AND BASIC PROCESSING PRINCIPLES 

Compliance with Legislation 

The protection of your personal data is our priority, and we comply with all obligations and requirements set out in the relevant data protection legislation when processing your personal data. 

Basic Principles of Personal Data Processing 

When processing personal data, we adhere to the following basic principles of personal data processing:

  • Legality, Fairness, and Transparency: We process your personal data fairly, lawfully, and transparently. 
  • Purpose Limitation: We collect (and process) your personal data only for specific, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes. 
  • Data Minimization: We process your personal data only to the extent that is reasonable, relevant, and necessary for the purposes of processing your personal data. 
  • Accuracy: We only process accurate personal data and, if necessary, we update your personal data. 
  • Storage Limitation: We process (store) your personal data only for the period necessary for the purposes of processing or as required by applicable law.
  • Integrity and Confidentiality: We process your personal data in a manner that ensures appropriate security of your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. 
  • Accountability: We are responsible for ensuring compliance with the above processing principles and for processing your personal data in accordance with the law. 

 

5) PERSONAL DATA (CATEGORIES OF PERSONAL DATA) 

(See point 10 of the Memorandum for details) 

The Company processes the following personal data (categories of personal data) about data subjects, depending on the nature of the relationship between the Company and the data subject (e.g., whether the person is a customer, job applicant, or another data subject) and the specific situation of the data subject: 

  • Identification Data: Data used to identify a person, such as academic title, first name, surname, date of birth, job title or function, etc. 
  • Contact Details: Data used for contacting and communicating with a specific person, such as telephone number, email address, permanent or temporary residence address, other contact addresses. 
  • Payment Details: Data used for making payments, such as bank account number. 
  • Details of Legal Claims: Data on claims made against the Company or by the Company against an individual, such as data on a claim for damages. 
  • Audiovisual Data: Data captured in the form of audiovisual recordings, e.g., photographs sent by you (e.g., as part of your CV). 
  • Contract Data: Data related to services supplied by the Company or services supplied to the Company, related requests, complaints, claims, including related communications. 
  • Professional Profile Data: Details of education and professional qualifications, such as information provided in professional CVs. 
  • Other Data: Other personal data that may be processed as necessary for the purposes outlined in this Memorandum. 

 

6) SOURCES OF PERSONAL DATA 

The personal data processed by the Company is obtained from the following sources: 

  • Directly from the data subjects: Employees, job applicants, clients, suppliers, through phone, email, contact forms, or the website. 
  • Publicly accessible registers, lists, and records: Including commercial registers, trade registers, land registers, and social networks. 
  • From third parties: Such as government authorities, your advisors, etc. 

If you have any questions about the specific source of your personal data processed by the Company, you can contact the Data Controller (see point 2 of this Memorandum), who will provide you with all information in accordance with Article 14, Regulation 2016/679 of the European Parliament. 

 

7) LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA 

The Company processes personal data only for the purposes for which it has the relevant legal basis for processing: 

  • Processing based on a legal obligation: We process your personal data because we are required to do so by applicable law, for example, in the context of tax, accounting, or archive management. 
  • Processing necessary for the performance of a contract: This includes processing personal data for the purposes of entering into, amending, or terminating contractual relationships, performing rights and obligations under contracts, and maintaining records of these relations and related communications. 
  • Processing based on consent: We may process your personal data with your consent for specific purposes, and we will only use it for those purposes for which consent has been given. 
  • Processing based on legitimate interest: For further details, see point 8 of the Memorandum (Purposes of processing personal data). 
  • Processing necessary for the protection of vital interests: For example, humanitarian purposes or responses to natural or man-made disasters. 

 

8) THE PURPOSES OF THE PROCESSING OF PERSONAL DATA BY THE COMPANY 

  • Acquiring new customers: Registration of inquiries, preparation of offers and contracts, and consultations with potential clients. 

Legal basis: Legitimate interest—efficient operation of the Company and development of business opportunities. 

  • Insurance agenda: Processing of personal data for making insurance claims, whether against or by the Company. 

Legal basis: Legitimate interest—possibility of the Company’s insurance claim against the insurer. 

  • Recruitment activity: Processing of personal data for recruiting new employees, including receiving, processing, recording CVs, conducting interviews, and making offers. 

Legal basis: Legitimate interest—efficient operation of the Company. 

  • Management of personnel, payroll, accounting, and tax agenda: Processing personal data for employment relations, tax returns, and accounting. 

Legal basis: Legal obligation and legitimate interest—ensuring the proper operation of the Company and compliance with legal obligations. 

  • Archiving: Processing for fulfilling legal archiving obligations (e.g., tax, accounting, and archives regulations). 

Legal basis: Legal obligation. 

  • Audits: Processing of personal data for mandatory company audits (e.g., accounting, tax). 

Legal basis: Legal obligation. 

  • Interaction with public authorities: Processing personal data to comply with requirements from law enforcement or other authorities. 

Legal basis: Legal obligation. 

  • Ensuring the safety and security of the Company’s assets: Monitoring the entrance areas to the Company for security purposes. 

Legal basis: Legitimate interest—protection of property and safety of clients and employees. 

  • Marketing and promotion: Processing personal data for promoting the Company, including sending PF and other promotional requests. 

Legal basis: Legitimate interest—building the Company’s reputation. 

  • Cooperation with supervisory authorities: Processing personal data for cooperation with authorities such as social security, tax authorities, etc. 

Legal basis: Legal obligation. 

  • Performance of activities of the Data Protection Officer: Processing data for handling requests from data subjects, ensuring compliance with data protection legislation. 

Legal basis: Legal obligation—GDPR. 

  • Web and social networking: Processing personal data for presenting basic information about the Company and services. 

Legal basis: Legitimate interest—providing information to the public. 

  • Cooperation with suppliers: Processing personal data for operational purposes, including IT services, legal services, etc. 

Legal basis: Contract and legitimate interest—ensuring the proper operation of the Company. 

  • Protection of legal interests: Processing personal data related to legal claims or defense against claims. 

Legal basis: Legitimate interest—protection of the Company’s rights and interests. 

  • Effective management and administration of the Company: Processing personal data for ensuring smooth internal administration and compliance with legal requirements. 

Legal basis: Legitimate interest—ensuring the proper functioning of the Company. 

 

9) CATEGORIES OF PROCESSING OF PERSONAL DATA 

The Company processes personal data for the following categories of data subjects: 

  • Jobseekers 
  • Employees 
  • Suppliers and contractors (e.g., IT, legal, accounting, training, etc.) 

  

10) A LIST OF THE PERSONAL DATA PROCESSED 

  1. Potential customers
  • Identification data: Name, surname of the company representative 
  • Contact details: Email address, telephone 
  • Contact records: Communication via email 
  • Legal basis for processing personal data: Legitimate interest of the controller, implementation of pre-contractual measures for the provision of the service — ensuring that data subjects are informed before entering into a contract. 
  • Purpose of processing: Registration of inquiries, preparation of offers and contracts at the request of the customer. 
  2. Jobseekers

Based on the selection process, we process the data provided in candidates’ CVs and during the recruitment process. These include: 

  • Identification data: Name, surname, title, date of birth 
  • Contact details: Email address, telephone, contact address 
  • Information on previous work experience and previous position 
  • Email communication with candidates: Invitation to interview, ongoing communication 
  • Legal basis for processing personal data: Legitimate interest of the controller for executing the selection procedure and the possibility of offering a job position. 
  • Purpose of processing: To carry out tasks within the recruitment procedure for the potential conclusion of an employment relationship. 
  3. Staff

The company processes all employee data related to the employment relationship, including information from the recruitment process. 

  • Identification data: First name, surname, maiden name, previous surname, place of birth, marital status, nationality, national ID number, employee photo taken on arrival. 
  • Contact details: Permanent address, mailing address, telephone, email 
  • Data required for processing payroll and compulsory deductions: Birth number (ID), health insurance number for foreigners, bank account number, bank code, name of the bank for salary payments; name, surname, and birth number of your spouse/registered partner; names, surnames, and birth numbers of your children; information on whether you claim tax benefits (including copies of birth certificates of children and confirmation from the other spouse that they do not claim tax benefits, and in the case of adult children, confirmation of studies); information on whether you are receiving a disability pension (if so, which level) or old-age pension or hold a disabled person’s card, including the date of claim; details of wages; holiday details; travel/expenses details; records of use of a company mobile phone, if allocated to you; records of movement of a company vehicle, if allocated to you. 
  • Attendance and performance details 
  • Any disciplinary actions 
  • Criminal record extracts 
  • Details of training courses attended 
  • Data collected by security systems: CCTV footage 
  • Health records: Results of compulsory occupational health examinations 
  • Legal basis for processing personal data: Legitimate interest, legal obligation 
  • Purpose of processing: Preparation of employment contract, ensuring personnel and payroll administration (payroll, attendance, and leave records), ensuring accounting and tax administration, ensuring qualification development (training, seminars), records of assigned property, ensuring occupational health examinations, cooperation with supervisory authorities, ensuring property security and data protection. 
  4. Suppliers and contractors

The company processes personal data necessary for concluding contractual relationships, as well as data provided by contractual partners. These include suppliers of legal, economic, administrative, operational services, IT services, training, and educational services, and insurance companies. 

  • Identification data: Name, surname, title, date of birth, place of residence 
  • Contact details: Telephone, email address, correspondence address, account number 
  • Criminal record extracts 
  • Email communication 
  • Legal basis for processing personal data: Contractual performance, legal obligation 
  • Purpose of processing: To provide services ensuring the proper functioning of the company. 

11) METHODS OF PROCESSING PERSONAL DATA 

The company processes and stores all personal data through secure internal databases with limited access rights and adequate technical and security measures, in accordance with legislative requirements. 

All paper documents containing personal data are protected by sufficient technical and organizational security measures (restricted access, locked areas).

12) IS YOUR DATA ANALYZED? (PROFILING) 

The company does not automatically process your data for the purpose of optimization or sorting. 

13) WHO ELSE DOES OUR COMPANY ALLOW ACCESS TO YOUR PERSONAL DATA? 

Recipients who are (independent) data controllers 

These recipients have the status of independent controllers and process your personal data for their own purposes. These include mainly state administration authorities (e.g., social security authorities, tax offices, insolvency administrators, data protection authority). 

No separate contract for the processing of your personal data is concluded with these recipients, as they have the same obligations as the company with regard to personal data processing and are responsible for it themselves. 

Other 

In all other cases, your personal data is shared only based on your consent to such sharing. 

Partial personal data may be provided to our suppliers in the fields of legal, economic, administrative, operational, IT, or training services, also based on your consent. 

Furthermore, your personal data may be processed by the Data Protection Officer (see section 2) to monitor the company’s compliance with data protection legislation. 

List of the company’s personal data processors: 

  • Elanors 
  • Prevent Medical 
  • Blue Care 
  • So-Ry Agency 

Specific questions should be directed to the Data Controller (see section 2). 

14) RETENTION PERIOD OF PERSONAL DATA 

We process (store) your personal data only for the time necessary to fulfill the purposes for which it was collected. 

In the case of processing personal data based on legal obligations, we process it for the period specified by law, particularly in tax and accounting regulations. 

If you have given your consent to the processing of your personal data, we process it for the period specified in this consent. 

Specific deadlines for individual documents are outlined in the company’s Archival Rules. 

For specific questions about the retention period of your personal data, please contact the Data Controller (see section 2). 

15) TRANSFER OF PERSONAL DATA OUTSIDE THE EU

We process personal data within the Czech Republic or in EU member states. We transfer personal data to non-EU countries only at the request of the data subject or a superior authority, to the extent provided by law.

16) COOKIES AND BROWSER USAGE POLICY

The company’s websites store files commonly referred to as cookies on your device, in accordance with the law. Cookies are small data files composed of letters and numbers that help websites remember actions and settings you have made, so you don’t have to re-enter them.

Cookies are not a security risk, but they are important for privacy protection. Cookies cannot be used to identify site visitors or misuse login credentials. You can restrict or block cookies in the settings of your browser.

17) YOUR RIGHTS

a) Right to withdraw consent to the processing of personal data

If we process your personal data based on your consent, you have the right to withdraw your consent at any time in any of the ways set out in section (F) below. 

You may withdraw consent in whole or in part, regarding only some of your personal data or specific processing purposes. 

b) Right of access to personal data

You have the right to obtain confirmation from the company as to whether or not we are processing your personal data. 

If we process your personal data, you have the right to access it and to receive the information outlined in this memorandum. 

We will provide you with a copy of the personal data processed. The first copy is free of charge. We may charge a reasonable fee for further copies, taking into account administrative costs. 

The company will provide the aforementioned confirmations, information, and copies in writing or electronically. If you make a request electronically, the confirmations, information, and copies will be provided electronically unless you request otherwise.

c) Right to rectification and completion of personal data

You have the right to have inaccurate personal data corrected without undue delay. Considering the purposes of processing, you also have the right to have incomplete personal data completed, including by providing an additional declaration. 

d) Right to erasure (“right to be forgotten”)

You have the right to have us delete your personal data without undue delay if: 

  • Your personal data is no longer necessary for the purposes for which it was collected or processed; 
  • You withdraw consent, and there is no other legal reason for processing; 
  • You object to the processing (see more in Article 19 below) and there are no overriding legitimate grounds for the processing; 
  • You object to processing for direct marketing purposes; 
  • The personal data has been processed unlawfully; 
  • The data must be erased to comply with a legal obligation. 

If your personal data meets the conditions for erasure, we will delete it without undue delay, unless we need it for a legal obligation, to establish, exercise, or defend legal claims, or for archiving purposes. 

If your data has been disclosed, we will take reasonable steps, including technical measures, to inform other controllers processing your data about your request for erasure. 

e) Right to restriction of processing

You have the right to restrict the processing of your personal data in the following cases: 

  • You dispute the accuracy of your personal data for the time necessary to verify its accuracy; 
  • The processing is unlawful, and you request a restriction on its use instead of erasure; 
  • We no longer need the data for processing purposes, but you require it for establishing, exercising, or defending legal claims; 
  • You object to the processing, pending verification of whether our legitimate grounds override yours. 

If processing is restricted, the data will only be used with your consent or for establishing legal claims or protecting rights. 

f) Right to object

You have the right to object to the processing of your personal data if the processing is based on a legitimate interest of the company, including profiling, unless we demonstrate that the legitimate interest or legal claim overrides your rights and freedoms. 

In the case of direct marketing, you can object to the processing of your personal data at any time and without providing a reason. 

g) Right to data portability

You have the right to receive personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. 

This right applies only to personal data provided by you and processed on the basis of your consent or a contract.