INFORMATION ABOUT THE PROCESSING OF MY PERSONAL DATA BASED ON CONSENT TO THE PROCESSING OF PERSONAL DATA
- The data controller to whom I give my consent to the processing of my personal data is:
PPF a.s., a company organised and existing under the Czech Law, company registration no.: 25099345, registered office at: Evropská 2690/17, 160 00 Prague 6, Czech Republic (hereinafter referred to as the “Controller“)
Other data controllers are: (i) the companies in the PPF Group, which means: Home Credit a.s., Home Credit International a.s. (including EmbedIT), Home Credit Slovakia a.s., HC ITS, s.r.o., PPF Banka a.s., Air Bank a.s., SOTIO a.s., Benxy s.r.o. (including Zonky), PPF Real Estate s.r.o., CETIN a.s., CzechToll s.r.o., Škoda Transportation a.s., Škoda Electric a.s., Škoda Vagonka a.s., Pars Nova a.s., and (ii) the companies that have services contracts entered into with PPF a.s. and are not part of the PPF Group, which means: OPEN GATE gymnázium a základní škola, s.r.o., The Kellner Family Foundation, Pomáháme školám k úspěchu, o.p.s. (hereinafter referred to as the “Additional Controllers”).
(all hereinafter jointly referred to only as the “Joint Controllers”)
The Controller’s contact details: PPF – HR Department, telephone: +420 224 174 500, fax: +420 224 174 610, address: Evropská 2690/17, 160 00 Praha 6, Czech Republic, email: firstname.lastname@example.org, www.ppf.eu.
Controller’s data protection obligations are provided by:
- the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the Regulation No. 2016/679 is hereinafter referred to only as the “GDPR“; and
- Act No. 110/2019 of the Collection of Laws of the Czech Republic, on the Processing of Personal Data, as amended (the “PDPA”).
- Specification of My Personal Data to the processing of which I give my consent:
(hereinafter jointly referred to only as “My Personal Data“).
- All of My Personal Data which I indicated in my curriculum vitae and in other materials which I disclosed to the Controller or Additional Controllers for the selection procedure or for the purposes of keeping me in the PPF Group eRecruitment database; and
- Other of My Personal Data that I otherwise disclosed or will disclose to the Controller or Additional Controllers, including but not limited to name and surname, academic titles, residence address, year (or date) of birth, or also information about the current age, information about previous jobs, education attained, qualification and skills, obtained certificates and diplomas, cover letter, third-party references, contact details; and
- Information when I disclosed My Personal Data by entering them into the Controller’s system;
- Information derived from my participation in selection procedures with the Controller / Additional Controllers, except for information under points 1 through 3 above, including (i) whether and when I had an interview and with what company, (ii) information indicated by me as information about previous jobs, education, practical experience, qualifications and skills, (iii) my requirements/ expectations concerning working conditions, including the amount of salary/remuneration, (iv) whether I was considered to be a suitable candidate for the particular job, or not, (v) whether or not I entered into employment or other contract with the Controller or Other Controller and when, (vi) when my employment was terminated (if terminated during trial period);
- If I was introduced to the Controller/ Additional Controller by a recruitment agency with which I was in contact, then except for the information under points 1 through 4 above, also: (i) information about me disclosed by the agency, such as a “candidate report”, and (ii) additional information disclosed by the agency during selection procedure, (iii) the agency’s identification;
- If I took up a position filled by the Controller/ Additional Controller on the recommendation of the recruitment agency with which I was in contact, then also: (i) when I started the job and with what company, (ii) what gross basic monthly salary was agreed, (iii) when my employment was terminated, if terminated after the trial period agreed between me and my employer;
- Under the Employment Act in force in the Czech Republic, when selecting employees, an employer may not request information concerning their nationality, racial or ethnic origin, political positions, membership in trade unions, religion, philosophical belief, sexual orientation of lifestyle, unless such information can be requested under special regulations, or information contradicting the principles of morality, or personal data that are not used for the performance of employer’s obligations provided by special regulations;
- Under the Labour Code in force in the Czech Republic, an employer may not request information from an employee that is not directly connected with the performance of work and employment, in particular information about pregnancy, family and financial situation, sexual orientation, origin, membership in trade unions, membership in political parties or movements, church or religious society membership, absence of a criminal record, unless an exception is applicable in a particular case.
- Period for which I grant my consent to the processing of My Personal Data:
4 years from the date this consent was granted - the “Agreed Period”.
- Purposes of processing My Personal Data for which I grant my consent:
- Keeping of the database of candidates for recruitment by the Joint Controllers;
- For the retention of My Personal Data by the Controller for the whole Agreed Period;
- For the adoption of the Controller’s/ Additional Controller’s decision whether, anytime during the Agreed Period, I will be included in any future selection procedure(s) to fill a certain position with the Controller or Additional Controller, and for the following decision about whether the Controller or Additional Controller will enter into an employment or other contract with me, or not;
- For the purpose of enabling the Controller / Additional Controller to offer me anytime during the Agreed Period a chance to take part in a selection procedure for a vacation to be filled with the Controller/ Additional Controller;
- For the purpose of enabling the Controller/ Additional Controller to offer me anytime during the Agreed Period a chance to take up an internship, professional practice or practical training while studying etc.
- For the purpose of being included in the group of job applicants in the group of Joint Controllers with a similar characteristics, based on (α) the employer in whose selection procedure I applied, (β) based on the profession or branch in which I want to work or in which I belong based on My Personal Data stored in the database;
- For the purpose of enabling users of the database where My Personal Data will be stored the option of fulltext search in said database;
- For the purpose of sending a text alert that a selection procedure in which the candidate applied is being held;
- For the purpose of determination and payment of the recruitment agency’s fee in the case that I took up the position based on the recruitment agency’s recommendation;
- For the purpose of more efficient communication concerning selection procedures using a chatbot;
- For the purpose of sending of a personalised (name and surname) video containing an introduction of the company to which you apply in the selection procedure.
- The way of processing of My Personal Data to which I grant my consent:
My Personal Data may be processed both in electronic and written form, based on the Controller’s decision. By granting my approval, I agree with putting My Personal Data into the Controller’s database containing information about candidates for jobs and candidates for internship, professional practice or practical training when studying, with the Controller and Additional Controllers. I am aware that the Joint Controllers and the Processor (as defined below in par. 6, the “Processor”) have access to this database during the whole Agreed Period. I am also aware that the Controller’s database containing My Personal Data is placed with a third party (the Processor).
My Personal Data will be transmitted to the Processors who will provide to the Controller the services of administration and maintenance of technical and software equipment on which My Personal Data will be stored, and they will also provide for the newsletter distribution. Upon the date I am granting this consent, the Processor is Just IT Pro, s.r.o., company registration no.: 037 50 281, with its registered office at Šlechtitelů 813/21, Holice, 779 00 Olomouc, Czech Republic (generally referred to as the “Processor”). The Processor’s data protection obligations are provided by the GDPR.
My personal data are then forwarded to the twillio.com processor, which ensures that text alerts are sent to an applicant with the date and place of the selection procedure taking place.
If I was introduced to the Controller or Additional Controller by a recruitment agency with which I was in contact, My Personal Data specified in point 2, par. 5 of this document can be shared also with the recruitment agency.
My Personal Data is transmitted also to the processors who maintain the chatbot functions and operation and to the processors who create personalised videos.
Certain personal data the controller processes may be shared with state institutions or other third parties in the fulfilment of obligations complying with given legislation.
- I am aware that the following persons may have access to My Personal Data:
- HR staff of the Controller or Additional Controllers;
- Managers of the Controller or Additional Controllers who have authority over the position to be filled, or an authorised representative of the Controller or Additional Controllers (executives, members of the board of directors etc.);
- Processor or persons working for the Processor, if their job is in the field of administration and management of technical and software equipment on which My Personal Data is stored;
- Relevant recruitment agency – if I was introduced to the Controller or Additional Controller by a recruitment agency with which I was in contact, in terms of My Personal Data specified in point 2, par. 5 of this document;
- I am aware that the legal ground for the processing of My Personal Data by the Controller, Processor and Additional Controllers is my consent.
- I am aware that the provision of My Personal Data to the Joint Controllers and the granting of this consent to the processing of My Personal Data are not my obligations, i.e. it is on a voluntary basis and subject to my consideration only.
- I acknowledge having received information concerning security of My Personal Data, in particular that:
- The Joint Controllers and each of the Processors adopted effective security measures to prevent unauthorised or accidental access to and unauthorised change, destruction or loss or other unauthorised processing of My Personal Data;
- A “data processing contract” was entered into between the Controller and each of the Processors, providing, among other things, what are the Processor’s data protection obligations;
- The Processor adopted a security guideline that sets out the responsibilities for the implementation of security measures;
- The Controller’s, Processor’s and Additional Controller’s staff are obliged to keep confidential about the personal data processed;
- Only the following persons have access to My Personal Data: (i) HR staff of the Joint Controllers; (ii) staff of the Joint Controllers who are or should be direct managers with the authority over the position subject to the selection procedure; and (iii) persons working for the Controller and the Processor, who were charged by the Controller with the administration and management of technical and software equipment by which My Personal Data is processed;
- The Controller adopted the data protection rules which are obligatory for the Additional Controllers as well. The Controller determined the rules of access to My Personal Data and the rules of data confidentiality and security for its staff and Additional Controllers which the Additional Controllers are obliged to observe.
- Controller’s legitimate interest
Based on the Controller’s legitimate interest, the Controller will send you written communications to your email on a regular basis, to notify you of (α) the chance and desirability of updating your personal data, and (β) current job vacancies in the PPF Group. This concerns only the use of your electronic address (email).
In each message, you will have an option to opt out of these communications.
- Principles and procedures of personal data processin
We would also like to inform you about principles and procedures during your personal data processing, in compliance with the provisions of Article 5 of the GDPR and in compliance with the PDPA.
Your personal data have been processed such that:
- The processing is lawful, correct and transparent;
- Personal data are only collected for definite and legitimate purposes and are not processed in a way incompatible with these purposes;
- The processed personal data are always proportional and relevant in relation to the purpose for which they are processed;
- The processed personal data are accurate;
- Personal data are only stored in a form enabling the identification of the entity details for the period required for the given purposes for which they are processed;
- Their integrity and confidentiality are always guaranteed.
- Data security
The controller has introduced and maintained reasonable technical and organisational measures, internal inspections and processes of the information security in compliance with the best business practice corresponding to the possible risk of a threat to you as a personal data protection subject. At the same time, the state of the technological development is taken into account with the aim of protecting your personal data against accidental loss, destruction, changes, unauthorised publication or access. These measures include inter alia taking appropriate steps to ensure the responsibility of respective employees who have access to your data, employee training, regular backup, procedures for data recovery and incident control and software protection of the equipment, on which data with personal data are stored.
- Information about rights under GDPR:
I confirm I have learned about my rights relating to the processing of My Personal Data, in accordance with the provisions of Articles 13-22 and 34 of the GDPR.
I am in particular aware of the following:
Under Article 7 (3) of the GDPR
- I have the right to withdraw my consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal
Under Article 13-14 of the GDPR:
- I have the right to the provision of the information where personal data are collected from the data subject as well as where personal data have not been obtained from data subject.
Under Article 15 of the GDPR – Right to access to My Personal Data:
- I have the right to obtain from the Controller confirmation as to whether or not My Personal Data are being processed, and, if so, access to My Personal Data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom My Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the planned period for which My Personal Data will be stored, or, if it is not possible to determine it, the criteria used to determine it; e) the existence of the right to request from the Controller rectification or erasure of My Personal Data or restriction of processing of My Personal Data or to object to such processing;
- I have the right to lodge a complaint with a supervisory authority;
- I have the right to obtain all available information as to the source of My Personal Data if not acquired directly from me,; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the procedure used, as well as the meaning and the expected consequences of such processing for me;
- I have the right to be provided with a copy of My Personal Data processed by the Controller. The Controller may charge a reasonable fee for any further copies requested by me based on administrative costs. If I make the application in electronic form, the information shall be provided in a commonly used electronic form, unless otherwise requested by me.
Under Article 16 of the GDPR – Right to rectification of My Personal Data:
- I have the right to rectification on the part of the Controller of inaccurate personal data concerning me without undue delay. Considering the processing purposes, I have the right to completion of incomplete personal data, even by providing a supplementary statement.
Under Article 17 of the GDPR – Right to erasure of My Personal Data:
- I have the right to erasure on the part of the Controller of My Personal Data without undue delay for one of the following reasons:
a) My Personal Data are no longer required for the purposes for which they have been collected or otherwise processed;
b) I have withdrawn my consent to the processing of My Personal Data, and there is no other legal grounds for the processing;
c) I have objected to the processing under Article 21, par. 1 of the GDPR, and there are no prevailing legitimate grounds for the processing, or I have objected to the processing under Article 21, par. 2 of the GDPR;
d) My Personal Data have been unlawfully processed;
e) My Personal Data have to be erased to comply with a legal obligation in the law of the European Union or a Member State to which the Controller is subject;
- what is specified under clauses (a) through (e) of this paragraph will not apply if the processing of My Personal Data is necessary:
a) for exercising the right to freedom of expression and information;
b) for compliance with a legal obligation that requires processing by the law of the European Union or a Member State to which the Controller is subject or for the performance of a task carried out in the public interest or in the scope of a public authority if the Controller has been authorised by it;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, for the purpose of scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR; or
e) for the establishment, exercise or defence of legal claims.
Under Article 18 of the GDPR – Right to restriction of processing of My Personal Data:
- I have the right to obtain from the Controller restriction of processing where one of the following applies:
a) If I contest the accuracy of My Personal Data for a period enabling the Controller to verify the accuracy of My Personal Data;
b) If the processing is unlawful and I oppose the erasure of My Personal Data and request the restriction of their use instead;
c) If the Controller no longer needs My Personal Data for processing purposes, but I would require them for the establishment, exercise or defence of legal claims;
d) I have objected to processing under Article 21, par. 1 of the GDPR pending the verification whether the legitimate grounds of the Controller prevail over mine.
- If the processing has been restricted under clauses a) through d) of this paragraph, My Personal Data, with the exception of storage, may only be processed with my consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Under Article 19 of the GDPR – Notification obligation regarding rectification or erasure of My Personal Data or restriction of their processing:
- The Controller advises individual recipients to whom My Personal Data have been disclosed of any rectification or erasure of My Personal Data or processing restrictions of , unless this proves impossible or involves unreasonable effort. The Controller informs me about these recipients only if I request it.
Under Article 20 of the GDPR – Right to data portability:
- I have the right to obtain the personal data concerning me, which I have provided to the Controller, in a structured, commonly used and machine-readable format and I have the right to transmit those data to another controller without hindrance from the Controller, provided that the processing is carried out by automated means. In exercising my right to data portability under the previous sentence, I have the right to have My Personal Data transmitted directly from the Controller to another controller, where technically feasible.
Under Article 21 of the GDPR – Right to object:
- I have the right to object, on grounds relating to my particular situation, at any time to the processing of My Personal Data under Art. 6(1)(f) of the GDPR – the Controller’s legitimate interest, including profiling based on those provisions. The Controller will no longer process My Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing that outweigh my interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
- I can exercise my right to object by automated means using technical specifications.
Under Article 22 of the GDPR – Automated individual decision-making, including profiling:
I have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal impacts on me or similarly affects me in a material way. This does not apply if the decision:
a) is necessary to enter into, or perform, a contract between me and the Controller;
b) is permitted by the law of the European Union or a Member State to which the Controller is subject and which also determines suitable measures to safeguard my rights and freedoms and legitimate interests;
c) is based on my express consent.
Under Article 34 of the GDPR – Communication of a personal data breach
If it is likely that a specific instance of a security breach of My Personal Data will result in a considerable threat to my rights and freedoms, the Controller is required to report the breach to me without undue delay.
However, the reporting referred to in this paragraph is not required if any of the following conditions are met:
a) the Controller has introduced appropriate technical and organisational measures, and these measures have been applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to anyone who is not authorised to access them, such as encryption;
b) the Controller has taken subsequent measures that ensure that no considerable threat to the rights and freedoms referred to in the first paragraph of this article is likely to materialise;
c) It would involve unreasonable effort. In this case, you will be advised in an equally effective manner by a public notice or similar means.
Information on how the rights of a job applicant are exercised
A job candidate may exercise his/her rights directly with the Controller at the above-mentioned address, either:
- in person at the building reception, where is registered office of the Controller (PPF GATE); or
- electronically via data box; or
- electronically via email.
If a request is filed electronically, the Controller will provide the information also electronically, unless required otherwise by the job candidate. In case of a request filed electronically, the Controller must verify the identity of the person who filed the request to prevent the disclosure of information to authorised persons. To verify the identity, the Controller will contact the candidate. The Controller provides a copy of the processed personal data for free. A request filed repeatedly by the same candidate will be considered an obviously unreasonable request. In such a case, the Controller may either charge a reasonable fee to process the applicant or deny the request.
Please acknowledge that you are responsible for the personal data you have provided and made available to the Controller and it is your duty to make sure they are relevant, truthful, exact and not misleading. You have the duty to make sure that the personal data provided do not contain material of an obscene and defamatory nature and/or are not in breach of the rights of a third person. Personal data provided must not contain malicious code.
If you provide personal data related to another person, e.g. an individual specified as your reference, you are obliged to inform this person thereof and to get his/her approval.
This document may be adjusted or updated on an ongoing basis. Any changes will become effective following the publication of the updated wording of this document at website www.ppf.eu. You will be informed of any material changes sufficiently in advance before these changes come into effect.