INFORMATION ON PERSONAL DATA PROCESSING FOR JOB APPLICANTS

PPF a.s. is always your personal data controller as a job applicant (hereinafter referred to as the “Applicant”), company registration no.: 25099345, registered office: Evropská 2690/17, 160 41 Prague 6 (hereinafter referred to as “PPF a.s.”)

Personal data controller

For the purpose of a particular selection procedure, another company within the PPF Group or a company that has entered into a service provision contract with PPF a.s. and is not a part of the PPF Group may also be your personal data controller together with PPF a.s., though only provided the work position within this company is subject to this particular selection procedure.

The PPF Group in this documents means

Nadace PPF, Home Credit a.s., Home Credit International a.s. (včetně EmbedIT), Home Credit Slovakia a.s., PPF banka a.s., Air Bank a.s., SOTIO Biotech a.s., SOTIO Biotech AG, SCTbio a.s., Benxy s.r.o. (včetně Zonky), PPF Real Estate s.r.o., CETIN a.s., CzechToll s.r.o., ŠKODA TRANSPORTATION a.s., ŠKODA ELECTRIC a.s., ŠKODA VAGONKA a.s., ŠKODA PARS a.s., EKOVA ELECTRIC a.s., Bammer trade a.s., ŠKODA CITY SERVICE s.r.o., POLL, s.r.o., ŠKODA TVC s.r.o., ŠKODA TRANSTECH Oy, ŠKODA DIGITAL s.r.o., ŠKODA ICT s.r.o., TV Nova s.r.o., CME Services s.r.o.

Companies, which have entered into a service provision contract with PPF a.s. and are not a part of the PPF group, in this document mean

OPEN GATE gymnázium a základní škola, s.r.o., Nadace The Kellner Family Foundation, Pomáháme školám k úspěchu, o.p.s.

Personal data

Your personal data in this document only means those personal data you would provide to us by means of the PPF Group eRecruitment information system or which follow from related communication or in the implementation of the selection procedure itself, always in the scope required for the fulfilment of the particular purposes (i.e. always for the purposes of the particular selection procedure).

Legal grounds of processing

For the purpose of the particular selection procedure your personal data are processed under Article 6 par. 1, clause b) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Regulation on Personal Data Protection) (hereinafter referred to as “GDPR”) – contract fulfilment.

Following the completion of the selection procedure the Controller processes your personal data for the purpose of the legitimate interest of the controller, namely for the needs of proving that the selection procedure took place properly and transparently and to determine, defend and enforce the controller’s rights. The controller processes your personal data in compliance with valid and effective legislation in the area of personal data protection.

Purposes of personal data processing

1. Personal data processing for the needs of the selection procedure;
2. For the purposes of sending a text alert with the date, time and place where the selection procedure takes a place;
3. For the purpose of fixing and paying the remuneration for the employment agency in cases when I assumed a position through an employment agency recommendation;
4. In order to communicate more effectively in the selection procedure issue using a chatbot and personalised video (name and surname) for the purposes of introducing the company to which you have applied via the selection procedure.

Storage period

Your personal data will be processed throughout the selection procedure.

Following the completion of the selection procedure, your personal data will continue to be processed due to the legitimate interest of the controller, for a period of 12 months.

Personal data processor

With some applicants participating in the selection procedures for a job position, their data are forwarded to personal placement portals acting as processors.

Forwarding the personal data of applicants in this category of processors only takes place in cases where the applicant enlisted in the selection procedure through these personal placement portals.

The processor also is an entity administering IT systems and providing IT services for the purpose of the selection procedure administration and organisation. This entity is Just IT Pro, s.r.o., company registration no.: 037 50 281, with its registered office at Šlechtitelů 813/21, Holice, 779 00 Olomouc.

My personal data are then forwarded to the twillio.com processor, which ensures that text alerts are sent to an applicant with the date and place of the selection procedure taking place.

The entity providing the functionality and operation of the chatbot, and the entity providing the creation of personalised videos are also in the position of the processor that personal data are forwarded to.

Certain personal data the controller processes may be shared with state institutions or other third parties in the fulfilment of obligations complying with given legislation.

Contact details

PPF a.s. - human resources department,
address: Evropská 2690/17, 160 00 Prague 6, the Czech Republic,
email: recruitment@ppf.cz, www.ppf.eu

Principles and procedures of personal data processing

We would also like to inform you about principles and procedures during your personal data processing, in compliance with the provisions of Article 5 of the GDPR and with Act No. 110/2019 Sb. on Personal Data Processing.

Your personal data have been processed such that:

• The processing is lawful, correct and transparent;
• Personal data  are only collected for definite and legitimate purposes and are not processed in a way incompatible with these purposes;
• The processed personal data are always proportional and relevant in relation to the purpose for which they are processed;
• The processed personal data are accurate;
• Personal data are only stored in a form enabling the identification of the entity details for the period required for the given purposes for which they are processed;
• Their integrity and confidentiality are always guaranteed.

Data security

The controller has introduced and maintained reasonable technical and organisational measures, internal inspections and processes of the information security in compliance with the best business practice corresponding to the possible risk of a threat to you as a personal data protection subject. At the same time, the state of the technological development is taken into account with the aim of protecting your personal data against accidental loss, destruction, changes, unauthorised publication or access. These measures include inter alia taking appropriate steps to ensure the responsibility of respective employees who have access to your data, employee training, regular backup, procedures for data recovery and incident control and software protection of the equipment, on which data with personal data are stored.

Advice of rights under GDPR:

Under Article 13-14 of the GDPR:

• I have the right to the provision of the information where personal data are collected from the data subject as well as where personal data have not been obtained from data subject.

Under Article 15 of the GDPR – Right to access to My Personal Data:

• I have the right to obtain from the Controller confirmation as to whether or not My Personal Data are being processed and, if so access My Personal Data and the following information: a) the purposes of processing; b) categories of affected personal data c) recipients or the categories of recipients, to whom My Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations; d) the planned period, during which My Personal Data will be stored or, if it is not possible to determine it, the criteria to determine this period e) the existence of the right to request from the Controller the rectification or erasure of My Personal Data or restriction of their processing and/or to object to this processing;
• I have the right to file a complaint with the supervisory authority;
• I have the right to obtain all available information on the source of My Personal Data if not acquired directly from me; the existence the automated decision-making occurs, including profiling, specified in the Article No. 22, par. 1 and 4 of the GDPR and at least in these cases the meaningful information related to the procedure used as well as the meaning and expected results of such processing for me.
• I have the right to the provision of the copy of My Personal Data processed by the Controller. The Controller may charge a reasonable fee for any further copies requested by me based on administrative costs. If I make the application in electronic form, the information will be provided in a commonly used electronic form, unless I request another method.

Under Article 16 of the GDPR – Right to rectification of My Personal Data:

• I have the right to rectification on the part of the Controller of inaccurate personal data concerning me without undue delay. Considering the processing purposes, I have the right for the completion of incomplete details even by providing a supplementary statement.

Under Article 17 of the GDPR – Right to erasure of My Personal Data:

• I have the right to erasure on the part of the Controller of My Personal Data without undue delay for one of the following reasons:

a) My Personal Data are no longer required for the purposes for which they have been collected or otherwise processed;
b) I have objected to the processing under Article 21, par. 1 of the GDPR, and there are no prevailing reasons for processing, or I have objected to the processing under Art. 21, par. 2 of the GDPR;
c) My Personal Data have been unlawfully processed;
d) My Personal Data have to be erased to comply with a legal obligation in the law of the European Union or a Member State to which the Controller is subject.

• what is specified under clause a) through d) of this section will not apply if the processing of My Personal Data is necessary:

a) for exercising the right to freedom of speech and information;
b) for compliance with the legal obligation that requires the processing by the law of the European Union or a Member State, to which the Controller is subject , or for the performance of the task carried out in the public interest or in the scope of a public authority if the Controller has been authorised by it;
c) for reasons of the public interest in the field of the public health;
d) for archiving purposes in the public interest, for the purpose of scientific or historical research or for statistical purposes in compliance with Art. 89, par. 1 of the GDPR; or
e) for the specification, performance or defence of legal claims.

Under Article 18 of the GDPR – Right to restriction of the processing of My Personal Data:

• I have the right to restriction on the part of the Controller of processing where one of the following applies:

a) If I contest the accuracy of My Personal Data for a period enabling the Controller to verify the accuracy of My Personal Data;
b) If processing is unlawful and I would oppose the erasure of My Personal Data and request the restriction of their use instead;
c) If the Controller no longer needs My Personal Data for the processing purposes, but I would require them for the establishment, exercise or defence of legal claims;
d) If I have objected to processing under Article 21, section 1 of the GDPR, pending the verification whether the legitimate grounds of the Controller prevail over mine.

• If the processing has been restricted under clauses a) through d) of this paragraph, My Personal Data, with the exception of their storage, may only be processed with my consent or due to the establishment, exercise or defence of legal claims, for the protection of rights of another individual or a legal entity or for reasons of important public interest of the European Union or of a Member States.

Under Article 19 of the GDPR – Notification obligation regarding rectification or erasure of My Personal Data or restriction of their processing:

• The Controller advises individual recipients to whom My Personal Data have been disclosed of any rectifications or erasure of My Personal Data or processing restrictions, unless this proves impossible or involves unreasonable effort. The Controller only informs me about these recipients if I request it.

Under Article 20 of the GDPR – Right to data portability:

• I have the right to obtain the personal data concerning me, which I have provided to the Controller, in a structured, commonly used and machine-readable format and I have the right to transfer these data to another controller without hindrance from Controller, provided their processing is carried out in by automated means. In exercising my right to portability under the previous sentence, I have the right to have My Personal Data transmitted directly from the Controller to another controller, where technically feasible.

Under Article 21 of the GDPR – Right to object:

• I have the right to object, on the grounds relating to my particular situation, at any time to the processing of My Personal Data, under Article 6, par. 1, clause f) of the GDPR – the Controller’s legitimate interest, including profiling based on these provisions. The Controller will no longer process My Personal Data unless the Controller demonstrates compelling legitimate reasons for the processing that outweigh my interests or rights and freedoms or for the establishment, exercise or defence of legal claims.
• I can exercise my right to object by automated means through technical specifications.

Under Article 22 of the GDPR – Automated individual decision-making, including profiling:

I have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal impacts on me or affects me in a material way. This does not apply if the decision:

a) is necessary to enter into or perform a contract between me and the Controller;
b) is permitted by the law of the EU or a Member State applicable to which the Controller is subject and which also determines suitable measures to safeguard my rights and freedoms and legitimate interests;
c) based on may express consent.

Under Article 34 of the GDPR – Communication of a personal data breach

If it is likely that a specific instance of a security breach of My Personal Data will result in a considerable threat to my rights and freedoms, the Controller is required to report this breach to me without any undue delay.

 However, the reporting referred to in this paragraph is not required if any of the following conditions are met:

a) The Controller has introduced appropriate technical and organisational measures, and these measures have been applied to the personal data affected by the personal data breach, in particular measures that render these data unintelligible to anyone who is not authorised to access them, such as encryption;
b) The Controller has taken subsequent measures that ensure that no considerable threat to the rights and freedoms referred to in the first paragraph of this article is likely to materialise;

• It would involve unreasonable effort. In this case, you will be advised in an equally effective manner by a public notice or similar means. Filing a complaint with the Office for Personal Data Protection means that you have the right to file a complaint related to personal data processing by the Controller with the Office for Personal Data Protection with its registered office at Pplk. Sochora 27, 170 00 Praha 7. Website of the Office: www.uoou.cz.

Information on how the rights of a job applicant are exercised

A job applicant may exercise his/her rights directly with the Controller at the above address, namely:

• electronically via data box.
• electronically via email.

If a request is filed electronically, the Controller will provide the information also electronically, unless required otherwise by the job candidate. In case of a request filed electronically, the Controller must verify the identity of the person who filed the request to prevent the disclosure of information to unauthorised persons. To verify the identity, the Controller will contact the job applicant. The Controller provides the copy of processed personal data free of charge. A request filed repeatedly by the identical job applicant will be considered an obviously unreasonable request. In such a case, the Controller may charge a reasonable fee to process the applicant or deny the request.

Your obligations

Please acknowledge that you are responsible for the personal data you have provided and made available to the Controller and it is your duty to make sure they are relevant, truthful, exact and not misleading. You have the duty to make sure that the personal data provided do not contain material of an obscene and defamatory nature and/or are not in breach of the rights of a third person. Personal data provided must not contain malicious code.

If you provide personal data related to another person, e.g. an individual specified as your reference, you are obliged to inform this person thereof and to get his/her approval.

Document update

This document may be adjusted or updated on an ongoing basis. Any changes will become effective following the publication of the updated wording of this document at website www.ppf.eu. You will be informed of any material changes sufficiently in advance before these changes come into effect.