Information on personal processing

Introduction

We would hereby like to provide information in a comprehensible and transparent manner as to the way we process the personal data of data subjects and what rights data subjects have in relation thereof; the overview of all fundamental information is therefore provided below.

We process and protect personal data in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter also referred to as the GDPR) and the Czech Act on Personal Data Processing. We process personal data while adhering to the following essential principles:

We process personal data in a proper, lawful and transparent manner
We collect personal data for specific, explicitly expressed and legitimate purposes, and we do not process personal data in a way that would contradict such purposes
We process only such personal data which is reasonable, relevant and limited to the scope necessary for the purpose of processing
We process only personal data which is accurate (and updated if necessary)
We process personal data only for the duration necessary for the purpose of processing
We process personal data in such a manner so as to ensure its security including its protection using suitable technical or organizational means against unauthorised or unlawful processing and accidental loss, destruction or damage

Data controller

The data controller is BENEFITY a.s., registered office at Corso Karlín, Křižíkova 237/36a, postcode 186 00 Praha 8, Czech Republic, Company ID: 270 95 231, registered in the Commercial Register administered by the Municipal Court in Prague, file ID B 8967 (hereinafter referred to as the “Controller”). The Controller is responsible for personal data processing and data subjects may claim most of their rights specified below with this Controller.

The controller has not appointed a representative for personal data protection, but has designated a person responsible for this area and the overseeing of personal data processing and protection.

If data subjects have any queries related to personal data processing or wish to exercise their rights, they may contact the Controller in one of the following ways:

in person at the Controller’s address at Corso Karlín, Křižíkova 237/36a, postcode 186 00 Praha 8, Czech Republic
by registered letter delivered to the Controller’s address at Corso Karlín, Křižíkova 237/36a, postcode 186 00 Praha 8, Czech Republic
by email sent to the Controller’s email address gdpr@benefity.cz
by sending a message to the Controller's data box, ID bc6c4c7

Data processor

In certain cases BENEFITY a.s. acts only as a data processor. These are the cases when the data controller – i.e. the party determined by the purposes and means of processing your personal data – is another company (e.g. your employer as a client of BENEFITY a.s.) which authorised BENEFITY a.s. to process your personal data (or to carry out a specific processing operation), for instance in relation to offering and using employee benefits. In such cases BENEFITY a.s. acts while processing your personal data as instructed by the Controller and is not responsible for your personal data processing. This responsibility is always with the Controller. Obviously, BENEFITY a.s. complies with the GDPR and the above principles also in its capacity as the data processor. However, the questions below should in such a case be answered by the Controller, and it is also this Controller any rights, also shown below, should be exercised with.

As such, the following information concerns situations when BENEFITY a.s. is the Controller of your personal data.

What kind of personal data belonging to what persons do we process?

We process only such personal data which is essential to our ability to comply with our legal obligations, properly perform our contractual obligations and protect our legitimate interests, or else when we have been given consent by data subjects to personal data processing. For the above reasons we process personal data of the following persons:

Employees and representatives of our customers or potential customers
Employees and representatives of our suppliers or potential suppliers
Guests at our events (event participants)
Job applicants interested in working for us
Our employees
Members of our boards

We always process personal data solely within the scope necessary for the purpose of processing.

For what purposes do we need personal data?

We determine the purposes of personal data processing particularly with respect to contractual or other relations with data subjects or in relation to services we provide or legitimate interests we have.

What is the legal basis of our personal data processing?

We process personal data based on at least one of the legal grounds (bases). If this were not the case, we would be failing to comply with the rule of lawfulness as one of the essential GDPR principles.

Personal data processing is carried out based on the following legal grounds:

Compliance with a legal obligation which applies to us
Performance of a contract entered into with a data subject
Consent provided by data subjects for their personal data processing for one or more purposes
The existence of our legitimate interest – we rely on this legal basis only in cases when legitimate interests are overridden by the interests or fundamental rights and freedoms of the data subject which would require personal data protection

How long do we retain personal data?

We retain personal data for the period of time necessary for the purpose of processing. If we are required to process personal data by a legislative regulation, this regulation usually also stipulates the period of time for which we are supposed to do so. If personal data is processed in order for us to be able to perform a contract entered into with a data subject, such personal data must be processed for the entire duration of the contract. Personal data processed based on consent provided is retained for the period of time such consent was provided for, and obviously only until such consent is withdrawn. If personal data processing is necessary for the purposes of our legitimate interests, such personal data is processed for as long as such legitimate interests last.

Where do we obtain personal data from?

We obtain personal data primarily from data subjects directly or in relation to our contractual relations with data subjects. This allows data subjects to control which personal data they provide us with or not.

Some personal data may be obtained also from public sources such as one of the public registers or the Internet. In some cases we obtain personal data from other controllers as well; in this case, however, we have an obligation to inform the data subject.

Who do we share personal data with?

Personal data is available to our employees, who need it for their work. We forward personal data to parties outside of our company only when necessary, particularly in the following cases:

We are required to forward personal data by legislative regulations (it particularly concerns the forwarding of personal data to state agencies or authorities)
personal data forwarding is necessary in order for us to comply with our obligations stipulated in a contract between us and the data subject
personal data is forwarded to our processor – this kind of forwarding occurs when we have no capacity (or it would be to our disadvantage) to carry out a certain activity as part of personal data processing and as a result we have delegated it to another party, which acts under the GDPR as our processor; we have ascertained that such a party provides sufficient guarantee as to the implementation of suitable technical and organizational measures so as to comply with the GDPR requirements while processing personal data and safeguard the rights of data subjects; there is always a written contract in place between us and such a processor which stipulates the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the category of data subjects and our rights and obligations; such a processor also has some obligations stipulated directly by the GDPR; however, responsibility for personal data processing is always with us (not the processor)

What rights do data subjects have in relation to the processing of their personal data?

Data subjects have a wide range of rights related to the processing of their personal data. Data subjects have some of those rights independently of the legal basis for processing (right of access, right to rectification, right to erasure, right to restriction of processing), while some rights are granted to them only when processing occurs based on specific legal grounds:

Right to data portability – the legal grounds must be consent by the data subject or performance of a contract
Right to object – the legal grounds must be our legitimate interest
Right to withdraw consent – the legal grounds must be consent provided

Of course, data subjects also have the right to file a complaint with a supervisory authority.

More details regarding the exercise of rights of data subjects are provided here.

Where do data subjects find further information?

Job applicants can find more information on the processing of their personal data here.

Guests at our events may find more information on the processing of their personal data here.

Our customers and suppliers will find more information on the processing of their personal data here.

Information on processing personal data of potential customers and suppliers is here.

Conclusion

We firmly believe that the above information is easy to understand for data subjects. However, if data subjects still do not understand or are unsure about something, they can always get in touch with their inquiries. This will prevent many misunderstandings from happening.