Privacy Policy
Information on the processing of personal data of employees, job applicants, and members of the controller’s body
In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR), OBRETA spol. s r.o., Company ID: 26360331, registered office Plzeň, Malická 434/15, 32300, registered in the Commercial Register kept by the Regional Court in Plzeň, Section C, Insert 15344 (the “controller” or “employer”), hereby informs job applicants/candidates for office, current employees/members of the controller’s body, and former employees/members (collectively “data subjects”) about the processing of personal data provided to the controller.
I. Basic Provisions
OBRETA spol. s r.o. is the controller per Art. 4(7) GDPR.
Controller’s contact details: Malická 434/15, 323 00 Plzeň; email: obreta@obreta.cz; phone: 371526300
Personal data per Art. 4(1) GDPR means any information about an identified or identifiable natural person…
The controller has not appointed a Data Protection Officer.
The controller processes personal data provided by the data subject or obtained in connection with performance of the employment contract. The controller also processes personal data obtained from public registers… scope: name, surname, ID, registered office, trade licences, enforced executions, insolvency proceedings, office in legal entities.
The controller may amend these conditions…
For avoidance of doubt… “employment contract” includes…
II. Reason, Purpose, and Retention Period
Employees and former employees:
a) compliance with legal obligations… Art. 6(1)(c) GDPR … required for concluding and performing the employment contract … retained for statutory periods (e.g., payroll records up to 30 years following the year concerned)
b) performance of employment contract … Art. 6(1)(b) GDPR … for the duration of employment
c) controller’s legitimate interest to enforce claims … Art. 6(1)(f) GDPR … for the duration and 10 years after termination
Job applicants:
a) recruitment process and potential conclusion of employment contract … Art. 6(1)(b) GDPR … for the duration of the selection process
b) compliance with legal obligations … Art. 6(1)(c) GDPR … for the duration of the selection process
c) controller’s legitimate interest to keep unsuccessful candidates in an internal pool for future offers … Art. 6(1)(f) GDPR … for 2 years after the selection process
No automated decision-making per Art. 22 GDPR.
After retention expires, personal data are erased.
III. Recipients of Personal Data
The controller and authorised employees; also entities authorised by law and processors. Up-to-date list available upon request.
No transfers to third countries or international organisations.
IV. Data Subject Rights
Rights per GDPR: access (Art. 15), rectification (Art. 16), restriction (Art. 18), erasure (Art. 17), objection (Art. 21), portability (Art. 20).
Rights may be exercised via the form “Request – exercising data subject rights,” available in paper form at the controller’s registered office and electronically at http://www.obreta.cz/cs/ochrana-osobnich-udaju.
Right to lodge a complaint with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague.
V. Security Conditions
The controller declares it has taken appropriate technical and organisational measures… Only authorised persons have access.
In Plzeň on 25 May 2018
Information on the processing of personal data obtained through a CCTV system with recording
… (translation of full section preserved)
I. Basic Provisions
OBRETA is the controller per Art. 4(7) GDPR.
Contacts: Malická 434/15, 323 00 Plzeň; obreta@obreta.cz; +420 371 526 300
Personal data definition…
No DPO appointed.
Place of processing: facility at Tojice 14. CCTV covers outside and inside areas: main entrances, outdoor area, warehouse entrances, warehouses, reception, corridors (total 25 cameras, 2 with recording).
Data processed: appearance, movement, presence, actions and behaviour at a specific time.
The controller may amend these information notices…
II. Reason, Purpose, and Retention
Legitimate interest (Art. 6(1)(f) GDPR) to protect property and safety.
System operates continuously. Recordings are stored for up to 40 days, then overwritten.
Systems are designed not to endanger dignity… restrooms, changing rooms etc. are not monitored.
No automated decision-making.
III. Recipients – same as above. No third-country transfers.
IV. Rights – same as above (form available at http://www.obreta.cz/cs/ochrana-osobnich-udaju).
V. Security – measures in place; only authorised persons have access.
In Plzeň on 25 May 2018
Information on the processing of personal data of customers, buyers, suppliers, and contractual partners
… (full translation preserved)
I. Basic Provisions – controller, contacts, definition, no DPO, data sources incl. public registers (name, ID, VAT ID, registered office, business address, trade licences, executions, insolvency, corporate roles), amendments possible.
II. Reason, Purpose, and Retention
1.
a) compliance with legal obligations (tax, accounting) – Art. 6(1)(c) – required; retention: during the contract and then as per law (e.g., accounting documents 5 years after year-end)
b) contract negotiation, order processing, performance – Art. 6(1)(b) – required; retention: from provision of data to 4 years after contract ends
c) legitimate interest to enforce claims – Art. 6(1)(f) – required; retention: to 10 years after contract ends (objective limitation period under Civil Code §629(2))
d) legitimate interest in direct marketing (commercial communications, newsletters) – Art. 6(1)(f) – not required; retention: from provision of data to 2 years after contract ends
2. No automated decision-making.
3. Erasure after retention.
III. Recipients – controller, authorised employees, authorities, processors; no third-country transfers.
IV. Rights – as above (form link).
V. Security – measures in place; only authorised persons have access.
In Plzeň on 25 May 2018
