EMPLOYEES

INFORMATION MEMORANDUM ON THE PROCESSING OF EMPLOYEES' PERSONAL DATA

  1. PURPOSE OF THE DOCUMENT

This document is addressed to you, current and former employees of the GTH Group, and has been prepared to provide clear and understandable information about:

  • who are the companies of the GTH Group (see Chapter 2)
  • what principles we follow when processing personal data (see Chapter 3)
  • what personal data we collect (see Chapter 4)
  • why we process personal data and what entitles us to do so (see Chapter 5)
  • where we primarily obtain personal data (see Chapter 6)
  • where and for how long we store personal data (see Chapter 7)
  • how we ensure the protection of processed personal data (see Chapter 8)
  • to whom we disclose personal data (see Chapter 9)
  • what your rights are as a data subject and how you can exercise them (see Chapter 10)

The Information Memorandum is effective from 25.5.2018 and is issued in accordance with Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data (GDPR).

If you do not find answers to your questions regarding the processing of personal data or if you want to explain any part in more detail, do not hesitate to contact us.

  1. OUR GROUP

The GTH Group (hereinafter referred to as the “Group”) within the Czech Republic consists of two companies which, in relation to the processing of their employees’ personal data, act as so-called data controllers, namely:

GTH catering a.s., ID 09342061 with its registered office at Tomíčkova 2144/1, Chodov, 148 00 Prague (hereinafter referred to as the "Parent") and GTH zařízení školního stravování, spol. s r.o., ID No. 25753487 with its registered office at Tomíčkova 2144/1, Chodov, 148 00 Prague (hereinafter referred to as the "Subsidiary").

  1. PRINCIPLES OF PERSONAL DATA PROCESSING

All processing of personal data in our Group respects the following principles:

  • any processing of personal data pursues a lawful and legitimate purpose and is carried out in a manner and means that are in accordance with the legislation on the protection of personal data
  • we do not process personal data without a legitimate legal title
  • we collect only the necessary personal data to fulfil the stated purpose
  • we endeavour to process only accurate and up-to-date personal data
  • we process personal data only for as long as necessary
  • we will inform you about the methods of personal data processing
  • we respect your rights as a data subject
  • we strictly protect personal data
  1. WHAT PERSONAL DATA WE PROCESS

We collect and process only the data that is necessary to enter into an employment relationship, to ensure the mutual fulfilment of the rights and obligations arising from this relationship, to comply with legal obligations affecting our Group, or to ensure the protection of our legitimate interests (for more details, see Chapter 5).

This includes the personal data listed below, the scope of which may vary in particular with regard to

your job title and the type of work you perform. When necessary, we also process information about your family members.

Common personal data of employees

Identification data:

  • name, surname, date of birth and place of birth, gender, birth number, ID/Travel/Driver's License number, employee number/employer identification card number

Contact details:

  • permanent address, delivery or other contact address, telephone number and email address

Data related to the basic employment relationship:

  • data on education and qualifications, experience and skills
  • the result of the initial medical examination, credit sheet, information on possible long-term unemployment
  • criminal record data, information on pregnancy and family circumstances, if this results from the nature of the work performed
  • the content of contracts establishing an employment relationship or agreements on work performed outside the employment relationship, or other agreements (on liability for entrusted values / for loss of entrusted items / on wage deductions / on the increase of qualifications
  • data on the agreed/determined/determined wage and type of work performed, other data provided by the employee for the purposes of annual tax settlement and the application of deductible items and tax discounts that are the content of the child's birth certificate, card ZTP/P, declaration of the employer of the other parent, statement of the income of the other parentspouse and his/her identity document, confirmation of study, confirmation of the operator of the preschool facility, etc.
  • the number of the bank account intended for sending wages, the name and number of the health insurance company, copies of the health card and residence permit for foreigners, copies of the identity card, or copies of the driver's license

Data generated in the course of the basic employment relationship:

  • data on wages and their deductions / mandatory contributions / financial assistance / compensation provided / receivables, results of mandatory occupational medical examinations, working hours, absences, business trips, incapacity for work, holidays, sick leave, results of training, performance of work tasks, employee evaluation, identified deficiencies, content and resolution of complaints, investigation of breaches of employee obligations, manner of termination of employment
  • access data (logins and passwords) to information systems and records of their use (logs), electronic identification data (IP address), data on the geographical location of the employee's company car, data on the telephone operation of the company telephone, data that are the content of internal and external communication

Special categories of personal data (sensitive data) of employees

  • data on accidents at work
  • data relating to infectious or other diseases which could endanger or harm the health of natural persons in the course of activities of epidemiological importance

Personal data of third parties

  • basic personal data of the spouse and/or children when applying for the tax advantage, in particular their identification data, employer, possession of a ZTP/P card
  • basic personal data of persons asserting claims against the employee's employer (e.g. heirs/survivors of a deceased employee)
  1. WHY WE PROCESS PERSONAL DATA AND WHAT ENTITLES US TO DO SO

We process your personal data and that of other persons (see Chapter 4) for the following purposes and on the legal basis set out below.

 PURPOSE OF PROCESSING

 

LEGAL BASIS FOR PROCESSING

 

Conclusion and performance of a contractual relationship with employees

Performance of the contract. Compliance with a legal obligation

Clearing and recording of wages and contributions for the purposes of employment, health insurance and social security contributions (i.e. sickness and pension insurance, contribution to employment policy)

Performance of the contract. Compliance with a legal obligation

Tax calculation and bookkeeping

Compliance with a legal obligation

Occupational health and safety

Compliance with a legal obligation. Legitimate interest of the Company

Prevention and other activities preventing damage to the health of natural persons by infectious or other diseases

Legitimate interest of the Company. Public interest in public health

Administration of courses, training, occupational medical examinations

Compliance with a legal obligation

Protection of property, including information systems and information, and other legitimate interests of the employer (see below for more details)

Legitimate interest of the Company

Performance of the contract – we process the personal data of employees if they are necessary for the conclusion and fulfilment of an employment contract or an agreement on work performed outside the employment relationship.

Compliance with legal obligations – companies from our Group, in the position of employers, are affected by a number of legal regulations that require the processing of employees' personal data. Such legislation includes:

  • Act No. 262/2006 Coll., the Labour Code
  • Act No. 435/2004 Coll., on Employment
  • Act No. 48/1997 Coll., on Public Health Insurance
  • Act No. 589/1992 Coll., on Social Security Contributions and Contributions to the State Employment Policy
  • Act No. 187/2006 Coll., on Sickness Insurance
  • Act No. 592/1992 Coll., on Public Health Insurance Premiums
  • Act No. 582/1991 Coll., on the Organization and Implementation of Social Security
  • Act No. 280/2009 Coll., the Tax Code
  • Act No. 563/1991 Coll., on Accounting
  • Act No. 586/1992 Coll., on Income Taxes
  • Act No. 258/2000 Coll., on the Protection of Public Health and on the Amendment of Certain Related laws
  • Act No. 133/1985 Coll., on Fire Protection

Legitimate interest – the GDPR also allows our Group companies to process personal data of employees where such processing is necessary to protect our legitimate interests (as controllers) or third parties (e.g. boarders).

Such legitimate interests include:

  • protection of property, including information systems and information
  • protection against the spread of infectious and mass-occurring diseases
  • ensuring internal and external communication, including setting up an e-mail containing the name and surname
  • employee or listing the employee's name and surname on the company's website pages
  • management of staff performance and careers, including the application of disciplinary measures
  • administration of employee benefits
  • proving the fulfilment of the conditions for the state contributions provided
  • approving competitive gainful activity of employees
  • evaluation of data on criminal integrity in justified cases
  • recording of loss events
  • recording of location data in the use of official vehicles and data on the telephone operation of business mobile phones
  • implementation of measures in the field of prevention and investigation of fraudulent conduct of employees
  • documenting payments to third parties
  • litigation - asserting claims, resolving disputes and enforcing negotiated agreements

You have the right to object to such processing, based on which we will stop the processing until we can prove that there are compelling legitimate reasons that override the interests or rights and freedoms of the employee, or the processing is necessary for the exercise or defence of legal claims.

Consent of the data subject – due to the unequal position between the employee and the employer, we avoid processing based on consent. If a situation arises where processing is not possible without your consent, we will offer you the opportunity to grant consent or refuse it without any consequences. You can then revoke your consent at any time. 

  1. WHERE WE OBTAIN PERSONAL DATA

The source of personal data that we process is primarily the employee himself and his activities in the performance of work in the basic employment relationship (e.g. handover of documents, use of computer technology, assigned mobile phone / company vehicle). We may also obtain personal data of employees from public records or from state authorities.

  1. WHERE AND FOR HOW LONG WE STORE PERSONAL DATA

Personal data collected within our Group is processed and stored in the Czech Republic, except for e-mail communications, which we process using the G Suite products of Google LLC, located outside the USA. According to the decision of the European Commission, this country belongs to the group of countries with adequate protection of personal data and a regime of free transfer of personal data.

Employees' personal data are usually stored for the duration of the basic employment relationship. After its termination, we will only retain selected personal data for the period stipulated by law (which may be up to 30 years, e.g. in the case of payroll and accounting records for pension insurance purposes) and/or for a reasonable period (subject to the statutory limitation period) that allows us to effectively protect the legitimate interests of our Group (e.g. in the context of potential legal proceedings).

  1. HOW WE PROTECT PERSONAL DATA

To ensure the protection of personal data, we have taken adequate technical and organizational measures to ensure their security, in particular:

  • we have established detailed rules for the collection and handling of personal data, which we strictly control
  • we have limited access to personal data to only the necessary number of responsible persons
  • we have bound the authorized persons to a duty of confidentiality
  • If we already have to involve other entities in the processing of personal data (so-called processors), we carefully assess whether they provide sufficient guarantees to ensure the safety of personal data.

If there is an unauthorized interference or leakage of personal data and such a situation poses a high risk to the data subject, we are obliged to notify the data subject and the Office for Personal Data Protection without undue delay.

  1. TO WHOM WE DISCLOSE PERSONAL DATA

Employee personal data is shared within our Group, in particular by Subsidiaries companies to the Parent Company. Your data may also be made available:

  • external suppliers who provide us with important services, in particular IT infrastructure, bookkeeping, legal advice, debt collection, etc.
  • relevant health insurance companies, tax authorities and the Czech Social Security Administration
  • other state authorities in the exercise of their powers based on applicable legislation, e.g. law enforcement authorities, insolvency administrators
  • labour Office, other supervisory and control authorities
  • courts and bailiffs for the purpose of enforcing negotiated agreements
  1. YOUR RIGHTS AND HOW TO EXERCISE THEM

In connection with the protection of your personal data, you have the right to request:

  • confirmation of whether our Company process personal data about you
  • information on the purposes of processing, the categories of personal data concerned, the recipients of the personal data, the planned period of processing, the rights of the data subject, the sources of personal data, the fact that automated decision-making, including profiling, takes place, and appropriate safeguards when data is transferred outside the EU
  • a free copy of the personal data, provided that the rights and freedoms of others are not adversely affected
  • rectification of their inaccurate personal data or their completion by providing additional declarations
  • revocation of your consent to the processing of your personal data
  • erasure of your personal data, restriction of their processing or objection to their processing

You also have the right to file a complaint with the Office for Personal Data Protection, by letter to Pplk. Sochora 27, 170 00 Prague 7, by e-mail posta@uoou.cz or by phone +420 234 665 111.

If you intend to exercise your rights, please contact the company's HR department via e-mail oznamto@gthcatering.cz.

We will provide you with information about the evaluation of your application and the measures taken without undue delay, no later than 30 days after the delivery of the application. In exceptional cases, we are entitled to extend this period by two months. We will also inform you about such an extension and its reasons. More detailed information on the rights of data subjects and the conditions for their exercise can be found in the Annex.

Back