Information on personal data processing

 

In accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR Regulation"), you, as the data subjects, are provided with the following information, in particular about(i) what personal data we collect, (ii) how we treat the personal data, (iii) on what legal bases we process the personal data and for what purposes we use the personal data, (iv) to whom we may disclose such personal data, (v) what are your rights in the area of the protection of personal data, as well as (vi) where you can acquire information about your personal data which we process.

Hereby, we would like to ask you to get acquainted with the contents of this Information on personal data processing ("Information"). We are ready to answer your possible queries via contact e-mail olga.pavlickova@unicreditfactoring.cz, or at the address Želetavská 1525/1, Michle, 140 00 Prague 4.

This Information which contains the general principles of personal data processing, is intended for all natural persons whose personal data are processed by our company, especially for clients, business partners, job-seekers, users of our company's website, etc.

 

A. GENERAL INFORMATION:

Identity of the controller:

UniCredit Factoring Czech Republic and Slovakia, a.s.
CIN: 15272028
with the seat at Želetavská 1525/1, Michle, 140 00 Prague 4
registered in the Companies Register held by the Municipal Court in Prague, Section B, Insert no. 649
(the "Company"or also as the "Controller")

Contact details of the Controller:

B. INFORMATION ON PERSONAL DATA PROCESSING:

The Company, as the personal data Controller, treats your personal data in accordance with applicable legislation and always in such a way that the security of your data (personal data) is maintained in utmost extent that is possible. The Company complies with the principles relating to processing of personal data provided by applicable legislation and fully respects the highest standards of personal data protection.

There is no data protection officer in the Company, within the meaning of the GDPR Regulation.

Purposes of personal data processing. Legal basis for personal data processing:

Your personal data is processed by the Controller only to the extent necessary for the respective purpose and for as long as it is necessary to fulfil the respective purpose. After having met the purpose, the Controller may process your personal data for purposes other than those for which it was collected; you shall be always informed of these other purposes by the Controller.

Processing of personal data without your consent:

The Controller processes your personal data without your consent for the following purposes and on the basis of the following legal grounds

  • compliance with the contractual obligations of the Controller, including compliance with the obligation to provide fulfilment under the contract and execution of the payment (storage period for personal data: during the period of contract duration); the legal ground for processing: performance of the contract;
  • compliance with legal obligations, including, e.g. management and processing of the accounting agenda (storage period for personal data: personal data are processed during the period stipulated by the applicable legislation); the legal ground for processing: compliance with the legal obligation;
  • the possibility of exercising and enforcing the legal claims of the Controller, authorized recipients or other relevant persons, respectively the protection of legal claims, including enforcing of legal claims, the development of products and services provided, the resolution of the agenda concerning disputes, mainly for the purposes of litigation or other disputes (storage period for personal data: personal data are processed until the expiration of one year from the end of the limitation period, respectively longer for the period necessary for the purposes of legal claim protection implementation); the legal ground for processing: the legitimate interest of the Controller or a third party;
  • management and processing of the recruitment agenda (storage period for personal data: a) if the job-seeker succeeds and becomes an employee: during the period of employee´s employment duration, b) for other purposes related to the recruitment agenda: until the expiration of one year from the end of the limitation period, respectively longer for the period necessary for the purposes of legal claim protection implementation); the legal ground: (i) performance of the contract (processing to conclude the contract), (ii) the legitimate interest of the Controller)

Processing of personal data with your consent:

The Controller processes your personal data with your consent for the following purposes

  • selected aspects in connection with the management and processing of the recruitment agenda.

Storage period for personal data: personal data are processed during the period of 3 years on the basis of the consent. Legal base for processing is the consent to the personal data processing, given by the data subject.

For the purposes of demonstration of the compliance with the obligation under the applicable data protection legislation by the Controller, the Controller is entitled to store/process information about the consent obtained (i.e. how the consent was obtained and what was concerned by the consent), even after withdrawal of consent by the data subject, during a reasonable period (the longest during the period of 4 years).

 Categories of personal data:

The Company is processing for the above stated purposes your

  • identification data and contact details, i.e. e.g. name, surname, title, date of birth, telephone, e-mail address, address (address of residence, delivery address or other contact address), signature, when concerning the natural person – entrepreneur, also a business company, registered seat and CIN/Tax ID no., electronic mailbox, eSaldo login data, etc.,
  • other personal data, i.e. e.g. bank details (bank account number), IP address, etc.,
  • personal data related to the recruitment agenda, i.e. e.g. identification and contact data, data on achieved education, data on language skills or data on previous employers, as well as other personal data related to the recruitment agenda,
  • data on the financial situation, data stated in the bank registers, data on ownership situation, in connection with the credibility/solvency verification/assessment.

Legal ground for processing of your personal data shall be (see above):

  • compliance with a legal obligation to which the Controller is subject (art. 6 par. 1 letter c) of the GDPR Regulation)
  • performance of a contract to which you are a party, as the data subject (art. 6 par. 1 letter b) of the GDPR Regulation)
  • legitimate interest pursued by the Controller or by a third party (art. 6 par. 1 letter f) of the GDPR Regulation)
  • the consent to the personal data processing, if it has been given by the data subject (art. 6 par. 1 letter a) of the GDPR Regulation)

Your personal data can be processed manually or by automated means directly through the authorised Controller's employees and through the processors acting under the authority of the Controller, on the basis of the Personal Data Processing Agreement.

Personal data source:

Company, as the Controller, collects the personal data of the data subjects (i) from the data subjects (e.g. (a) from the requests of the data subjects, (b) within the negotiations with the data subject concerning the conclusion of the contract, (c) from the application forms completed by the data subject or (d) during the communication (personal or written) with the data subjects, including the communication by electronic means), (ii) from third parties (e.g. (a) from public authorities, (b) from co-operating third parties, (c) from third parties within complying with the Controller´s obligations, (d) under special legislation, (e) from third parties as well, in the cases where the data subject provides a security of the Controller's client commitment) or (iii) from publicly available sources (e.g. from public registers). Where personal data are collected by the Controller from the data subjects, the Controller shall inform the data subjects whether the disclosure of personal data is a legal or contractual requirement and whether the data subject is obliged to provide such personal data and what may be the possible consequences of non-disclosure of personal data.

Recipients, categories of recipients:

Your personal data may be transmitted mainly to the following categories of recipients:

  • public authorities and other entities, to whom the Company is obliged to disclose your personal data, respectively who are entitled to request your personal data from the Company (e.g. tax administrator, customs administration, executors, bankruptcy administrators, courts, law enforcement authorities, etc.)
  • third parties with whom the Company has entered into a written Personal Data Processing Agreement, i.e. the processors (e.g. IT service providers, accounting service providers, auditors, tax advisers, advocates, etc.)
  • business partners of the Company
  • entities linked with the Company by the property
  • other entities (e.g. the insurance companies)

Your personal data may then be possibly disclosed to third parties for any other reason, in accordance with applicable legislation.

The Controller does not intend to transfer personal data to third countries or to international organisation.

Automated decision-making:

Automated decision-making takes place within the processing of personal data, in particular in connection with the verification / assessment of the credibility/solvency of the data subject assessed. In other processing cases, automated decision-making does not take place.

Automated decision-making shall be done in particular in a form (by the procedure) of logical and / or algorithmic operations. The purpose of automated decision-making is thus verification / assessment of the credibility / solvency of the data subject assessed. The result of automated decision-making shall be the decision on the eligibility of funding by the Controller.

What cookies do we use?

  • temporary cookies (session cookies), which can be used in the case of this website to support some functions of add-ons and which are deleted immediately after closing the browser.
  • persistent cookies, which remain stored on the device until they reach a specified date and time of expiration, but usually one year or until deleted by the user.
  • functional and technical cookies, which primarily ensure the correct functioning of the website, the storage of set preferences or the capture of information about the display of error messages.
  • analytical cookies, which are used for statistical purposes, especially for collecting information about the use of the website (eg number, duration and time fluctuation of visits, number of pages viewed, share of new visits, etc.).

C. YOUR RIGHTS RELATED TO PERSONAL DATA PROCESSING:

Right of access to the personal data (article 15 of the GDPR Regulation):

As a data subject, you shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you shall have the right to access to the personal data and the following information about:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients, to whom the personal data have been or will be disclosed;

d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;

f) the right to lodge a complaint with a supervisory authority (Office for personal data protection);

g) any available information as to the personal data source;

h) whether there exists the automated decision-making or not, including profiling, information about the logic involved, as well as the significance and the envisaged consequences of such processing.

Where personal data are transferred to a third country or to an international organisation, you shall have the right to be informed of the appropriate safeguards relating to the transfer.

The Controller shall provide you with a copy of the personal data undergoing processing. For further copies requested, the Controller may charge a reasonable fee based on administrative costs. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification (article 16 of the GDPR Regulation):

As a data subject, you shall have the right to obtain from the Controller, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (right to be forgotten) (article 17 of the GDPR Regulation):

As a data subject, you shall have the right to obtain from the Controller, without undue delay, the erasure of personal data concerning you, where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) you have withdrawn your consent on which the processing is based and there is no other legal ground for the processing;

c) the data subject objects to the processing, if the objection is admissible according to the GDPR Regulation, and there are no overriding legitimate grounds for the processing;

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation;

f) the personal data have been collected in relation to the offer of information society services under the article 8 par. 1 of the GDPR Regulation.

The right to erasure shall not apply, if the legal exemption is given, mainly in a case if the personal data processing is necessary: a) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or b) for the establishment, exercise or defence of legal claims.

Right to restriction of processing (article 18 of the GDPR Regulation):

As the data subject, you shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a) you contest the accuracy of the personal data – in such a case the processing is restricted for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful and you oppose the erasure of the personal data and you request the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but you require these personal data for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to article 21 par. 1 of the GDPR Regulation pending the verification whether the legitimate grounds of the Controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with

a) the data subject's consent,

b) for the establishment, exercise or defence of legal claims,

c) for the protection of the rights of another natural or legal person or,

d) for reasons of important public interest of the European Union or of a Member State.

Right to data portability (article 20 of the GDPR Regulation):

As the data subject, you shall have the right (under the conditions set out in the article 20 of the GDPR Regulation) to receive the personal data concerning you, and which you have provided to a Controller on the basis of the consent or for performance of the contract. The Controller shall, upon your request, provide you with the data in a structured, commonly used and machine-readable format or he shall, upon your request, transmit your data to another, clearly determined controller, where technically feasible. The right to data portability shall not apply to the personal data, not processed by automated means.

The right to data portability shall not adversely affect the rights and freedoms of others.

Right to object (article 21 of the GDPR Regulation):

As the data subject, you shall have the right (under the conditions set out in the article 21 of the GDPR Regulation) to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on (due to) legitimate interest pursued by the Controller. The Controller shall no longer process the personal data unless the Controller (i) demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or (ii) unless it concerns the establishment, exercise or defence of legal claims of the Controller.

Right to lodge a complaint with a supervisory authority (article 77 of the GDPR Regulation):

You shall have the right to lodge a complaint with a supervisory authority concerning the Controller´s procedure, if you consider that the processing of personal data, relating to you, infringes the legislation/GDPR Regulation, while the supervisory authority for the Czech Republic shall be the Office for personal data protection, with the seat at Pplk. Sochora 27, 170 00 Prague 7 (www.uoou.cz).This is without prejudice to any other means of administrative or judicial protection designed to protect the data subject by the applicable legislation.

Right to withdraw the consent:

You are not obliged to give your consent to the personal data processing to our Company. You have the right to withdraw at any time the consent to the processing of personal data, given for the above-mentioned purposes (or to any of them). Withdrawal of consent is without prejudice to the processing of your personal data prior to its withdrawal. You can withdraw your consent to the personal data processing by (i) signed written notice of consent withdrawal, sent in writing to the contact address of the Company or(ii) notice of consent withdrawal in the form of an e-mail, sent to the contact e-mail of the Company stated above in this Information.

Please note, that we may process some personal data for certain purposes also without your consent. If you withdraw your consent, the Company terminates the processing of the respective personal data for purposes requiring your consent, to which the withdrawal applies, but the Company may be entitled, or even obliged, to continue processing these personal data by virtue of another legal basis (i.e. other legal ground for processing).

D. INFORMATION ON PERSONAL DATA PROCESSING OF SELECTED DATA SUBJECTS:

Information on processing of personal data of job-seekers:

This information on the processing of personal data of job-seekers is without prejudice to the other provisions of this Information.The Controller processes the personal data that have been transferred, disclosed to him by the job-seeker, respectively the job-seeker has given his consent for transfer the same (e.g. data contained in the CV or data disclosed within the servers for sharing the data of job-seekers, etc.); the Controller also processes data collected within the verification of information from publicly available sources (e.g. LinkedIn network). However, it is always necessary data, which to the extent appropriate under applicable legislation is used for the purpose of job-seeker verification, in particular the verification in relation to the data stated in the CV.

In addition to identification and address personal data, the Controller also processes information about the language skills, the job-seeker's achieved education, previous job experience of the job-seeker, and so on. But the data subject is the primary source of personal data.

If the job-seeker has not granted his consent, it is only possible to contact the job-seeker on the basis of the data disclosed by the job-seeker for this purpose (i.e. personal data that the job-seeker has published for that purpose about himself). The job-seeker can be included to the Controller´s database only on the basis of the consent given by the job-seeker. In the absence of consent by the data subject, the Controller shall not further process the personal data of such data subject, and after the expiry of the reasonable period of time, during which the Controller stores the basic data on (i) the circumstances under which (ii) due to which reasons the data subject was contacted, the destruction of such data shall be done. Contacting of job-seekers' reference contacts (references) is permissible on the basis of the consent of the job-seeker. Given consent(s) can be withdrawn by the job-seeker / candidate at any time at the above-mentioned contact address or Controller's contact e-mail.

The personal data of the job-seeker are used by the Controller for the purpose of selecting a suitable candidate for the job position. If the successful job-seeker succeeds and a contract, establishing a labour relationship between the Controller and the job-seeker shall be concluded, the personal data (in particular the CV) disclosed by the job-seeker shall become part of his personal file as an employee. At the end of the selection process, the Controller ensures, that the personal data of those job-seekers who have not been recruited / accepted for the job position, are destructed. The Controller is entitled to use the communication (written or e-mail) with the job-seeker, concerning the given recruitment process (i) for the purposes of his legitimate interests (protection of the legal claims of the Controller, or for IT security purposes - especially web and Controller networks) or (ii) for the purposes of compliance with the legal obligation of the Controller (e.g. to demonstrate that the consent of the job-seeker to the personal data processing was given and so on)

Legal ground of personal data processing is

  • performing of contract (processing to conclude the contract)
  • consent given by data subject
  • legitimate interest of Controller or third party
  • compliance with the legal obligation to which the Controller is subject (including demonstration of obtaining the consent);

Categories of recipients:

  • IT service providers (services of IT technical support, provision of server services, provision of programming services etc.)
  • providers of external recruitment services, legal service providers, accounting service providers, economic service providers, and also tax consultancy or audit service providers
  • public authorities

In connection with the recruitment agenda, personal data are processed, both on the basis of the consent given by the data subject, and in connection with the "non-consent"agenda, i.e., in the case where the legal basis of processing is given by (i) the performance of the contract (or processing to conclude the contract), (ii) compliance with the legal obligation of the Controller, or (iii) the legitimate interests of the Controller or third person.

The disclosure of personal data for processing based on the consent (i.e. in particular for the purposes of including the job-seeker in the future (next) selection process) is entirely voluntary and the data subject is not obliged to give its consent; without giving the consent, however, it will not be possible to include the data subject (candidate) in the future (next) selection process.

Storage period for personal data: for the purposes of the selection process (selection of a suitable candidate), the Controller shall process the personal data of the job-seekers until the expiry of the 6-month period from recruitment for a job position or cancellation of the respective selection process. If a job-seeker succeeds in the selection process (and becomes an employee), his CV (as part of the employee's personal file) shall be processed during the period of duration of the employee's labour relationship. For other purposes related to the recruitment agenda, when the Controller processes personal data under a legitimate interest, the data is stored until the expiration of one year from the end of the limitation period respectively longer for a period necessary for the purpose of Controller´s legal claim protection implementation.

Further processing of the job-seeker's personal data for offers of other / additional job positions at the Controller is admissible on the basis of the data subject´s consent.

In a case of any change in the data provided (either in the form of a CV or otherwise provided), please notify the Controller of such a change to the contact address or contact email provided.

Information on personal data processing of business partners:

This information on the processing of personal data of business partners is without prejudice to the other provisions of this Information.

The Controller processes the personal data of business partners (i) primarily for purposes of conclusion and performance of the contract, or (ii) for the purposes of compliance with the legal obligations (mainly compliance with the obligations under the accounting and tax legislation, respectively personal data protection legislation), or (iii) due to legitimate interests of the Controller or third party for the purpose of having possibility to exercise and enforce the Controller´s or third party´s legal claims (receivable enforcement and protection of Controller´s and third party´s legal claims), alternatively for marketing and advertisingpurposes. Personal data may also be used by the Controller for the Controller's administrative needs (including creation of records and list of contact persons).

When concerning the potential business partners, the Controller can process data available from public sources (e.g. public registers, websites, etc.) for business contact purposes. Such data may be used by the Controller for administrative purposes (including the creation of records and list of contact persons).

Legal ground for personal data processing is

  • performing of contract (processing to conclude the contract)
  • compliance with the legal obligation to which the Controller is subject
  • legitimate interests of Controller or third party

Categories of recipient:

  • IT service providers (services of IT technical support, provision of server services, provision of programming services etc.)
  • legal service providers, accounting service providers, economic service providers, and also tax consultancy or audit service providers
  • public authorities
  • other recipients (e.g. insurance companies)

Personal data are processed manually or by automated means by the Controller. Most of the processing takes place by automated means (via computer systems), especially in the Aquarius factoring system, in the Controller's systems for accounting, invoicing, and so on. At the same time, personal data may also be processed by the Controller within the records, card registers, etc. (including systems for records / storage of paper documents, business card registers and so on).

Storage period for personal data:

  • contact details for the purposes of information society services offers under the applicable legislation shall be processed by the Controller, unless the business partner expresses disapproval with further sending of business notifications
  • personal data for the purposes of performing the contract shall be processed by the Controller during the period of contract duration (contracts shall be recorded for the purpose of archiving during the period of 10 years from their performance / termination / or from when they ceased to exist)
  • personal data for compliance with the legal obligation of the Controller shall be processed during the period stated by the applicable legislation
  • personal data for the purposes of the Controller´s or third party´s legitimate interest shall be processed by the Controller until the expiration of one year from the end of the limitation period, respectively longer for the period necessary for the purposes of legal claim protection implementation

It is possible to contact the Controller at the mentioned contact address or contact e-mail, in order to update the personal data.

Information on personal data processing of the Company´s website users:

This information on the processing of personal data of website users is without prejudice to the other provisions of this Information.

Controller´s website users may be both users who are / will be in a legal relationship with the Controller (e.g. the client of the Company), as well as users who are not / will not be in a legal relationship with the Controller (i.e. the person who only "views" the website and does not ask for / order / require anything). The Controller processes the personal data of the website users for legitimate (permitted by law) purposes (e.g. for the purposes of management of accounting agenda/ records or for the purposes of performing the contract).

The source of personal data is the activity of the data subject on the Controller's website.

Legal ground for personal data processing is

  • compliance with the legal obligation to which the Controller is subject (e.g. management of accounting agenda / records);
  • performing of contract (processing to conclude the contract);
  • legitimate interests of Controller or third party;

The Controller processes the following personal data, concerning the activity of the data subjects on the Controller's website: IP address, date and time of access etc.

Personal data are processed within the period stated by applicable legislation.

Categories of recipients:

  • IT service providers (network administrator services / IT technical support services, providers of server services, providers of programming services etc.)
  • public authorities

E. FURTHER INFORMATION:

The manner of exercise of rights by data subject:

As a data subject, you can exercise your rights, concerning the processing of your personal data, against the Controller by contacting the Controller at the contact address Želetavská 1525/1, Michle, 140 00 Prague 4, or at the contact e-mail address of the Controller olga.pavlickova@unicreditfactoring.cz.

Provision of information by the Controller:

The Controller provides the information in writing, in paper form. However, if you contact the Controller by electronic means at the Controller's contact e-mail address, the Controller shall provide you with the information by electronic means (in a form of e-mail), unless you request the provision of information in a paper form. This is without prejudice to your right to data portability.

If we receive your request under the articles 15 to 22 of the GDPR Regulation, we shall inform you of the measures taken without undue delay, and we shall inform you of the measures taken, the refusal or the extension of the period at the latest within one month of receipt of the request. In view of the complexity of your request or the number of requests, we may extend the period for notification about the measures taken (and therefore taking the appropriate measures) for another two months. We shall inform you of such extension within one month of receipt of the request, together with the reasons for the delay.

The information that the data subject has exercised its rights with the Controller and how her / his request has been handled, is stored with the Controller for a reasonable period of time (usually for a period of 3 years) for the purposes of (i) demonstrating this fact (exercising and handling of the request), and (ii) for statistical purposes, or (iii) for the purpose of Controller´s rights protection.

Further information:

In cases where personal data are processed without your consent, their disclosure is required due to the reasons (i) that they are necessary for the compliance of contractual obligations, or (ii) that their disclosure is required by the law, or (iii) of the legitimate interests of the Controller or third parties. The result of non-disclosure of data for these purposes (one of them) may be non-conclusion of the contract, or impossibility to perform and so on.

Sending of e-commerce notifications to customers, within the meaning of information society services offers (so-called customer exemption), under the applicable legislation, may be cancelled via a link, included in each individual commerce notification.

In cases where personal data is processed on the basis of your consent, the disclosure of your personal data is not a legal or contractual condition (legal or contractual requirement) and therefore you do not have to give your consent. Therefore, in such cases, it is not your obligation to disclose the respective personal data for the purpose in question or to give consent to their processing. If you do not give your consent, this may be the reason why the Company will not be able to apply some procedures.

In a case if the Controller uses the personal data for purpose other than the one provided for in this Information, he shall immediately provide the data subject with information about that other purpose and other information provided in this Information.

UniCredit Factoring Czech Republic and Slovakia, a.s.