Processing and protection of personal data

ZM-TECH s.r.o. internal directive on the processing and protection of personal data

The Internal Directive on the processing and protection of personal data addresses the implementation of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR Regulation") in ZM-TECH s.r.o. (hereinafter referred to as the "Company"). It therefore addresses the Company's obligations in the field of GDPR, the Company's actions and its position as a data controller.

1. CONTROLLER AND PROCESSOR OF PERSONAL DATA

The data controller and processor of personal data is ZM-TECH s.r.o., company registration number 255 51 868, with registered office at Grohova 117/21, 603 00 BRNO – PISÁRKY, registered with the Regional Court in Brno under file number C 32858 (hereinafter referred to as the "Company"). The Company determines how personal data will be processed, for what purpose and for how long, unless this follows from the law. The Company has the right to select any additional processors to assist it with the processing of personal data.

Questions and comments regarding the processing of personal data, including the withdrawal of explicit written consent, can be sent in writing to the correspondence address resort Sněžné Amanita, Sněžné 140, 592 03, or by e-mail to recepce@resortsnezne.cz.

2. PERSONAL DATA

This is any information relating to an identified or identifiable natural person (i.e. a person who can be directly or indirectly identified from a set of data). Personal data can be verbal (e.g. name, birth number, telephone number), pictorial (e.g. photograph) and network identifiers (e.g. IP address, cookies).

3. DATA SUBJECT

The data subject is the natural person whose personal data is processed by the Company (job applicants, former employees, hotel guests, suppliers and contractors).

4. DATA PROTECTION PRINCIPLES AND RULES

The Company processes all personal data in accordance with the applicable and generally binding laws of the Czech Republic and in accordance with the GDPR.

All employees of the Company are familiar with the rules on data protection, data handling and data security. They are bound by confidentiality and other internal rules. The Company regularly conducts internal audits, which, among other things, monitor compliance with the rules for working with personal data and the implementation of the data protection policy. All access to personal data is controlled and based on the rights of individual employees according to the positions they hold.

5. CATEGORIES OF DATA SUBJECTS

5.1 Job applicants

5.1.1 Purpose and legal basis for processing personal data

The Company processes personal data for the purposes of recruitment, including for the purpose of offering suitable positions in the future.

  • Personal data necessary to carry out a selection procedure for a specific job position - processing is necessary for the performance of a contract pursuant to Article 6(1)(b) GDPR
  • Personal data necessary to contact the applicant - processing is necessary for the purpose of the Company's legitimate interest pursuant to Article 6(1)(f) of the GDPR
  • Protection of persons, health and property (CCTV) - processing is necessary for the purpose of the Company's legitimate interest under Article 6(1)(f) of the GDPR
  • There is no automated decision-making

5.1.2 Categories of personal data

  • Identification data used to identify the data subject precisely, unambiguously and unmistakably - name, surname, titles, date of birth, permanent address, etc.
  • Qualifying data
  • Contact details - telephone, mobile phone, e-mail
  • Identification data from the CCTV system

5.1.3 Categories of recipients of personal data

  • Company
  • Processors under contract to the extent appropriate
  • Personal data are not transferred to third parties

5.1.4 Sources of personal data

  • Personal data collected directly from job applicants
  • CCTV footage

5.1.5 Information provided to data subjects

These are available from the Data Protection Officer and on the website https://www.resort-snezne.eu in the document Processing and protection of personal data.

Information about the CCTV system is provided via pictograms placed at the entrances to the recorded area.

5.1.6 Technical and organisational measures taken

Locked office, locked cabinets with personal data of applicants in the HR manager's office, data backup, regularly updated anti-virus and anti-spam protection, access to the IS is logged, logging into the IS under a unique name and password, logging out after work, CCTV system, adherence to internal guidelines and set work processes, sending letters with personal data by registered mail including archiving of mail slips, limitation of the circle of persons with access to personal data (HR manager, Manager, Company management). Except in cases imposed or permitted by law or agreed with the candidate, we do not disclose information about personal data to third parties. Regular security training for employees with access to applicants' personal data is conducted.

5.1.7 Scheduled time limits for erasure of personal data

Immediately after the end of the selection process, if the job applicant is not hired, his/her personal data will be properly destroyed in accordance with the law. In the event that we receive explicit written consent from the applicant that his/her personal data may be stored in a personnel database, personal data may be retained for a period of three years for suitable offers of employment. In justified cases, CVs and related documents will be kept for a maximum of three years for the Company's legitimate interests in the event of legal action by an unsuccessful applicant.

If the applicant wishes to withdraw consent to the processing of his/her personal data, this can be done in writing by e-mail to Ludmila.Presnajderova@ivfzlin.cz or by correspondence to Klinika reprodukční medicíny a gynekologie Zlín, U Lomu 638, 760 01 ZLÍN.

The camera system keeps recordings for three months; they are automatically deleted after the expiry of this period. The live recording is available to the Receptionists, the Manager and the IT officer. The Manager and the IT officer can look up data in past recordings.

5.2 Former employees

5.2.1 Purpose and legal basis for processing personal data

The Company processes personal data for the purposes of maintaining payroll, personnel and related records for the performance of the underlying employment relationship.

  • Personal data necessary for pension and social security purposes, etc. - processing is necessary for the purpose of fulfilling a legal obligation under Article 6(1)(c) GDPR
  • Personal data related to the settlement of all obligations towards the former employee (e.g. for the purpose of payment of wages) - processing is necessary for the purpose of the performance of a contract pursuant to Article 6(1)(b) GDPR
  • Personal data necessary for communication with the former employee - processing is necessary for the purpose of the Company's legitimate interest under Article 6(1)(f) GDPR
  • There is no automated decision-making

5.2.2 Categories of personal data

  • Identification data used to identify the data subject precisely, unambiguously and unmistakably - name, surname, titles, date of birth, permanent address, etc.
  • Contact details - telephone, mobile phone, e-mail
  • Payroll data - bank account number

5.2.3 Categories of recipients of personal data

  • Company
  • Health insurance companies
  • Social security authorities
  • Entities requesting cooperation under specific legislation
  • Legal advisors
  • Processors under contract to the extent appropriate
  • Personal data are not transferred to third parties

5.2.4 Sources of personal data

  • Personal data obtained directly from former employees
  • Personal data collected in connection with communication with the authorities

5.2.5 Information provided to data subjects

They are available on the website www.resort-snezne.eu in the document Processing and protection of personal data.

5.2.6 Technical and organisational measures taken

Locked office, locked cabinets with personal data of former employees in the HR manager's office, letters with personal data are sent by registered mail, submission slips are archived, data backup, regularly updated antivirus and antispam protection, compliance with internal guidelines and set work processes, limitation of the circle of persons with access to personal data (HR, economic department, Company management), access to the IS is logged and password-protected, passwords are not shared, employees log out of the IS after leaving work. Except as required or permitted by law or agreed with the former employee, we do not disclose information about personal data to third parties. Regular training of persons having access to the personal data of former employees takes place.

5.2.7 Scheduled time limits for erasure of personal data

We keep the data stored in the personnel file for the period prescribed by law. Unnecessary documents are disposed of without undue delay. In justified cases, some documents are retained to protect the employer's rights for the duration of the limitation periods, in view of possible legal action or inspection by an administrative authority.

5.3 Hotel guests

5.3.1 Purpose and legal basis for processing personal data

  • Ensuring payment for accommodation services - processing is necessary for the purpose of performance of the contract pursuant to Article 6(1)(b) GDPR
  • Acquiring a new guest - processing is necessary for the purpose of the Company's legitimate interest under Article 6(1)(f) GDPR
  • Protection of persons, health and property (CCTV) - processing is necessary for the purpose of the Company's legitimate interest under Article 6(1)(f) of the GDPR
  • There is no automated decision-making

5.3.2 Categories of personal data

  • Identification and contact data - name, surname, address, telephone, mobile phone
  • Payment data - bank account number
  • Identification data from the CCTV system

5.3.3 Categories of recipients of personal data

  • Company
  • Legal advisors
  • Entities requesting cooperation under specific legislation
  • Processors under contract to the extent appropriate
  • Personal data are not transferred to third countries

5.3.4 Sources of personal data

  • Personal/telephone/email contact with the guest
  • Data from websites and social networks
  • When dealing with complaints from data subjects
  • CCTV footage

5.3.5 Information provided to data subjects

They are available on the website www.resort-snezne.eu in the document Processing and protection of personal data.

Information about the CCTV system is provided via pictograms placed at the entrances to the recorded area.

5.3.6 Technical and organisational measures taken

Locked office, data backup, regularly updated anti-virus and anti-spam protection, compliance with internal directives and set work processes, limitation of the circle of persons with access to personal data (receptionists, company management), access to the IS is logged and password protected, passwords are not shared, employees log out of the IS after leaving work. Except where required or permitted by law or agreed with the former employee, we do not provide information about personal data to third parties.

5.3.7 Planned time limits for erasure of personal data

Personal data are processed by the Company for as long as necessary to fulfil the purpose in question and in accordance with the time limits set out in generally binding legislation of the Czech Republic, or as long as necessary for the establishment, exercise or defence of legal claims.

The camera system keeps recordings for three months; they are automatically deleted after the expiry of this period. The live recording is available to the Receptionists, the Manager and the IT officer. The Manager and the IT officer can look up data in past recordings.

5.4 Suppliers and contractors

The Company processes personal data to the extent that it has been provided by the data subject in connection with the conclusion of a contract. It also processes data that are freely available in public registers.

5.4.1 Purpose and legal basis for processing personal data

  • Conclusion of a contractual relationship - the processing is necessary for the purpose of performance of the contract pursuant to Article 6(1)(b) GDPR
  • Performance of a contract between the Company and a contractual partner (record keeping, activity control, statistical purposes, etc.) - processing is necessary for the purpose of performance of the contract pursuant to Article 6(1)(b) GDPR
  • Performance of legal obligations under applicable law (accounting, advertising regulation, tax obligations, etc.) - processing is necessary for the purpose of fulfilling a legal obligation under Article 6(1)(c) GDPR
  • Sending commercial communications (direct marketing) - processing is necessary for the purpose of the Company's legitimate interest under Article 6(1)(f) GDPR
  • Protection of persons, health and property (CCTV footage) - processing is necessary for the purpose of the Company's legitimate interest under Article 6(1)(f) of the GDPR
  • There is no automated decision-making

5.4.2 Categories of personal data

  • Identification data for the unambiguous, unmistakable and precise identification of data subjects (first name, surname, company name, ID number, etc.)
  • Contact details (telephone, mobile phone, e-mail, address)
  • Other data specified in the contract, on invoices, etc.
  • Birth number only where required by law
  • Technical data from communication with the data subject (IP address, time of communication)
  • Identification data from the CCTV system

5.4.3 Categories of recipients of personal data

  • Company
  • Subjects requesting cooperation under specific legislation
  • Public institutions
  • Legal, economic and tax advisors and auditors for the purpose of providing consultancy services
  • Processors under contract to the extent appropriate
  • Personal data are not transferred to third countries

5.4.4 Sources of personal data

  • In contract negotiations
  • In the performance of the terms of existing contracts
  • When dealing with complaints from data subjects
  • CCTV footage

5.4.5 Information provided to data subjects

They are available on the website www.resort-snezne.eu in the document Processing and protection of personal data.

Information about the CCTV system is provided via pictograms placed at the entrances to the recorded area.

5.4.6 Technical and organisational measures taken

Locked office, data backup, regularly updated antivirus and antispam protection, logging in to the PC under a unique name and password, logging off the computer after work, letters with personal data are sent by registered mail, submission slips are archived, external persons may move around the premises only when accompanied by employees, camera system, compliance with internal directives and set work processes, limitation of the circle of persons with access to personal data (economic department, company management). Except as required or permitted by law or as agreed with a contractor, we do not disclose information about personal data to third parties.

5.4.7 Scheduled erasure periods

Personal data is processed by the Company for as long as necessary to fulfil the purpose and in accordance with the time limits specified in generally binding legal regulations of the Czech Republic, or as long as necessary for the establishment, exercise or defence of legal claims.

The camera system keeps recordings for three months; they are automatically deleted after the expiry of this period. The live recording is available to the Receptionists, the Manager and the IT officer. The Manager and the IT officer can look up data in past recordings.

6. INFORMATION ON THE RIGHTS OF DATA SUBJECTS

The data subject has the right to request information from the Company as to whether or not personal data concerning the data subject is being processed and to request access to such personal data.

The data subject also has the right to have his or her personal data rectified (in the case of inaccurate personal data and the completion of incomplete personal data).

The data subject has the right to have the personal data erased if one of the following reasons applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
  • the data subject withdraws the consent on the basis of which the data were processed and there is no further legal basis for processing the data
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing
  • the personal data have been unlawfully processed
  • the personal data must be erased in order to comply with a legal obligation under European Union (EU) or Czech law applicable to the Company.

In the cases described in Article 17(3)(a)-(e) of the GDPR, this right does not apply.

The right to restrict processing may be used if:

  • the data subject contests the accuracy of the personal data, for the time necessary to verify their accuracy
  • the processing is unlawful and the data subject requests a restriction on the use of the personal data instead of erasure
  • the personal data are no longer needed by the Company for the purposes of the processing but are required by the data subject for the establishment, exercise or defence of legal claims
  • the data subject objects to the processing of the personal data. The processing of personal data will be limited until it is verified that the legitimate grounds of the Company outweigh the legitimate grounds of the data subject.

The right to data portability means that the data subject can ask the Company to provide or transmit his or her personal data if the processing is based on consent (under Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (under Article 6(1)(b) GDPR) and the processing is carried out by automated means.

In the case of personal data processed on the basis of consent, the data subject has the right to withdraw his or her consent. Withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal.

The data subject has the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

In the event that the processing of personal data by the Company results in a breach of the security of such data which will result in a high risk to the rights and freedoms of natural persons, the Company shall notify such breach without undue delay to the ÚOOÚ and on its website.

7. BASIC LEGISLATION GOVERNING PERSONAL DATA

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) with effect from 25 May 2018
  • Act No. 110/2019 Coll., on the processing of personal data
  • Act No. 111/2019 Coll., Act amending certain acts in connection with the adoption of the Act on the processing of personal data