privacy policy

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR") and Act No. 110/2019 Coll, on the processing of personal data, as amended, the following information is hereby provided to you, as data subjects, in particular on (i) what personal data we collect, (ii) how we handle such data, (iii) on what legal basis we process personal data and for what purposes we use the personal data, (iv) to whom we are entitled to disclose the personal data, (v) what your rights are in the area of data protection, and (vi) where you can obtain information about your personal data that we process.

We hereby request that you familiarize yourself with the contents of this Privacy Policy ("Policy"). We are ready to answer any questions you may have by contacting us at info@profid.cz or by writing to us at Modřínová 1432/75, 182 00, Prague 8. info@profid.cz

This Policy, which contains general principles of personal data processing, is addressed to all natural persons whose personal data is processed by our company, in particular clients, business partners, job applicants, users of our company's website, etc.

a. general information

Identity of the controller:

Hub by profid s.r.o.

("company" or "controller")

Contact details of the Administrator:

Kontaktní adresa: Modřínová 1432/75, 182 00, Prague 8

Contact email: info@hub-by-profid.cz

Contact telephone: 724 333 893

b. information on the processing of personal data

The Company, as a personal data controller, handles your personal data in accordance with the applicable legislation and always in such a way as to ensure the security of your data (personal data) to the maximum extent possible. The Company complies with the principles of personal data processing set out in the applicable legislation and fully respects the highest standards of personal data protection.

The company does not have a data protection officer within the meaning of the GDPR.

Purposes of personal data processing. Legal basis for processing personal data:

The controller processes your personal data only to the extent necessary for the purpose and for the time necessary to fulfil the purpose. Once the relevant purpose has been fulfilled, the controller may process your personal data for purposes other than those for which it was collected; the controller will always inform you of these other purposes.

Processing of personal data without your consent:

The controller processes personal data without your consent for the following purposes and on the basis of the following legal grounds:

the fulfilment of the contractual obligations of the controller, including the fulfilment of the obligation to provide performance under the contract (storage period: for the duration of the contract; legal basis for processing: fulfilment of the contract),
the fulfilment of the legal obligations of the controller, including, for example, the maintenance and processing of the company's accounting records (storage period: personal data are processed for the period specified by the relevant legislation; legal basis for processing: fulfilment of a legal obligation),
the possibility of asserting and enforcing legal claims of the controller, authorised recipients or other relevant persons, or the protection of legal claims, including the enforcement of legal claims, the development and evolution of the products and services provided, the resolution of disputes, in particular for the purposes of conducting legal or other disputes (storage period: personal data are processed until the expiry of 1 year from the end of the relevant limitation period, or further for the necessary period for the purposes of implementing the protection of legal claims; legal basis for processing: legitimate interest of the controller or third parties),
the management and processing of the recruitment agenda of the controller (storage period of personal data: a) in the event that the candidate is successful in the selection procedure and becomes an employee: for the duration of the employee's employment relationship, b) for other purposes related to the recruitment agenda: until the expiry of 1 year from the end of the limitation period, or further for the necessary period for the purpose of exercising the protection of legal claims; legal basis: (i) performance of the contract (processing for the conclusion of the contract), (ii) legitimate interest of the controller),
the processing is necessary for the purposes of the legitimate interests of the controller or a third party (e.g. for the purposes of so-called direct marketing), except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence over those interests.

Categories of personal data:

For the purposes set out above, the Company processes your:

Identification data and contact data, i.e. e.g. name, surname, title, date of birth, telephone, e-mail address, address (home, delivery or other contact address), signature, in the case of a natural person entrepreneur also the company name, registered office and business ID number, data box, login data to the electronic system, etc.
other personal data, e.g. bank details (bank account number), IP address, etc,
personal data related to the recruitment agenda, i.e. e.g. identification and contact details, data on educational qualifications, data on language skills, data on previous employers, if applicable, as well as other personal data related to the recruitment agenda.

The legal basis for processing your personal data is (see above):

to comply with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR)
the performance of an obligation under a contract with the subject as data subject (Article 6(1)(b) of the GDPR)
the legitimate interest of the controller or of a third party (Article 6(1)(f) of the GDPR)
consent to the processing of personal data, if given by the data subject (Article 6(1)(a) of the GDPR)

Your personal data may be processed manually or by automated means directly by the controller's authorised employees and by processors authorised by the controller on the basis of a data processing contract.

Source of personal data:

The Company, as the controller, obtains personal data of data subjects (i) from data subjects (e.g. (a) from requests and questionnaires from data subjects, (b) in the course of negotiations with the data subject regarding the conclusion of a contract, (c) from forms completed by the data subject or (d) in communications (personal or written) with data subjects, including communications by electronic means), (ii) from third parties (e.g. (a) from public authorities, (b) from cooperating third parties, (c) from third parties in the performance of the controller's legal obligations, (d) on the basis of specific legislation, (e) from third parties also where the data subject provides security for the controller's client's obligation) or (iii) from publicly available sources (e.g. public registers). Where the controller obtains personal data from data subjects, the controller shall inform data subjects whether the provision of personal data is a legal or contractual requirement and whether the data subject is under an obligation to provide personal data, as well as the possible consequences of not providing personal data.

Recipients, categories of recipients:

In particular, your personal data may be transferred to the following categories of recipients in justified cases:

public authorities and other entities to which the company is obliged to disclose your personal data or which are entitled to request your personal data from the company (e.g. tax authorities, customs administration, bailiffs, insolvency administrators, courts, law enforcement authorities, etc.),
third parties with whom the company has entered into a written contract for the processing of personal data, i.e. processors (e.g. IT and marketing service providers, accounting service providers, auditors, tax advisors, lawyers, etc.),
the company's business partners,
entities linked to the company by property,
other entities (e.g. insurance companies).

Alternatively, your personal data may be disclosed to third parties for other reasons in accordance with applicable law. The controller does not intend to transfer personal data to third countries outside the EU/EEA or to an international organisation.

Automated decision-making and profiling:

There is no automated decision-making or profiling in the processing of personal data.

Use of cookies:

temporary cookies (session cookies), which may be used to support certain functions of the add-ons in the case of the controller's website, and which are deleted immediately after closing the browser,
persistent cookies (permanent cookies), which will remain stored on the device until they reach a specified expiry date and time, but usually one year or until they are deleted by the user,
functional and technical cookies, which mainly ensure the correct functioning of the site, the storage of preferences set or the capture of information about the display of error messages,
analytical cookies, which are used for statistical purposes, in particular to collect information on the use of the website of the administrator (e.g. number, duration and temporal fluctuation of visits, number of pages viewed, proportion of new visits, etc.).

c. your rights related to the processing of personal data

Right of access to personal data (Article 15 of the GDPR):

As a data subject, you have the right to obtain confirmation from the controller as to whether or not personal data relating to you are being processed and, if so, to obtain access to such personal data and to the following information about:

(a) the purposes of the processing,

(b) the categories of personal data concerned,

(d) the intended period of time for which the personal data will be stored or, if that period cannot be determined, the criteria used to determine that period,

(e) the existence of a right to request the controller to rectify or erase the personal data, to restrict their processing or to object to such processing,

(f) the right to lodge a complaint with a supervisory authority (the Office for Personal Data Protection),

(g) any available information about the source of the personal data,

(h) whether automated decision-making, including proﬁling, takes place, the procedure used, as well as the significance and foreseeable consequences of such processing.

Where personal data are transferred to a third country outside the EU/EEA or an international organisation, you have the right to be informed of the appropriate safeguards that apply to the transfer.

The controller will provide you with a copy of the personal data processed. For further copies, the controller is entitled to charge a reasonable fee based on administrative costs. It applies that the right to obtain a copy must not adversely affect the rights and freedoms of other persons.

Right to rectification (Article 16 of the GDPR):

As a data subject, you have the right to have inaccurate personal data concerning you rectified by the controller without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing an additional declaration.

Right to erasure (Article 17 GDPR):

As a data subject, you have the right to have personal data concerning you erased by the controller without undue delay if one of the following grounds applies:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,

b) you have withdrawn the consent on the basis of which the data was processed and there is no further legal basis for the processing,

(c) the data subject has objected to the processing, if the objection is permissible under the GDPR, and there are no overriding legitimate grounds for the processing,

d) the personal data have been unlawfully processed,

e) the personal data must be erased to comply with a legal obligation,

f) the personal data has been collected in connection with the offer of information society services pursuant to Article 8(1) of the GDPR.

The right to erasure shall not apply where a lawful exception is given, in particular where the processing of personal data is necessary for (a) compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or (b) the establishment, exercise or defence of legal claims.

Right to restriction of processing (Article 18 GDPR):

As a data subject, you have the right to have the controller restrict processing in any of the following cases:

(a) you contest the accuracy of the personal data - in this case, the processing will be limited to the time necessary for the controller to verify the accuracy of the personal data,

b) the processing is unlawful, and you refuse to erase the personal data and request instead that the use of the personal data be restricted,

c) the controller no longer needs the personal data for the purposes of the processing, but you require the personal data for the establishment, exercise or defence of legal claims,

d) the data subject has objected to the processing pursuant to Article 21(1) of the GDPR - until it is verified that the legitimate grounds of the controller override the legitimate grounds of the data subject.

If the processing has been restricted, the personal data may, with the exception of storage, only be processed:

(a) with the data subject's consent,

(b) for the establishment, exercise or defence of legal claims,

(d) for reasons of important public interest of the European Union or of a Member State.

Right to data portability (Article 20 of the GDPR):

As a data subject, you have the right (subject to the conditions set out in Article 20 of the GDPR) to obtain personal data relating to you that you have provided to the controller on the basis of consent or for the performance of a contract. Upon your request, the controller will provide you with the data in a structured, commonly used and machine-readable format or, where technically feasible, to another clearly identified controller. The right to data portability does not apply to personal data that are not processed by automated means.

The exercise of the right to data portability must not adversely affect the rights and freedoms of other persons.

Right to object (Article 21 GDPR):

As a data subject, you have the right (under the conditions set out in Article 21 of the GDPR) to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you that is processed on the basis of (by virtue of) the legitimate interest of the controller. Furthermore, the controller shall not process the personal data unless (i) it demonstrates compelling legitimate grounds for the processing which override your interests or rights and freedoms, or (ii) it is for the establishment, exercise or defence of legal claims of the controller.

If the personal data is processed for direct marketing purposes and you object to the processing, the controller will no longer process the personal data for these purposes.

Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR):

If you believe that the processing of your personal data violates the GDPR legislation/regulations, you have the right to lodge a complaint about the controller's practices with a supervisory authority, the supervisory authority for the Czech Republic being the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7 (www.uoou.cz). This is without prejudice to any other administrative or judicial remedies provided for the protection of the data subject by applicable law.

Right to withdraw consent:

The data subject is not obliged to give consent to the company for the processing of his/her personal data. You have the right to withdraw your consent to the processing of your personal data given for the above purposes (or any of them) at any time. Withdrawal of consent does not affect the processing of your personal data prior to its withdrawal. You may withdraw your consent to the processing of personal data by (i) a signed written notice of withdrawal of consent sent in writing to the Company's contact address or (ii) a notice of withdrawal of consent sent by email to the Company's contact email address set out above in this Policy.

Please note that we may also process certain personal data for certain purposes without your consent. If you withdraw your consent, the Company will cease processing the relevant personal data for the purposes requiring your consent for which your consent was withdrawn, however, the Company may be entitled or even obliged to continue to process the same personal data on the basis of another legal basis (i.e. another legal ground for processing).

d. information on the processing of personal data of selected data subjects

Information on the processing of personal data of job applicants:

This information on the processing of personal data of job applicants is without prejudice to the other provisions of this Policy. The Controller processes personal data that have been transmitted to it by the job seeker, made available to it, or to which the job seeker has given consent (e.g. data contained in a CV or data made available on job seeker data sharing servers, etc.); the Controller may also process data obtained in the context of screening information from publicly available sources (e.g. LinkedIn). However, this is always necessary data which, to the extent appropriate under applicable law, is used for the purposes of vetting the job applicant, in particular for the purposes of vetting in relation to the data provided in the CV.

In addition to identification and address personal data, the administrator processes information on the applicant's language skills, educational qualifications, previous work experience, etc. However, the primary source of the personal data is the data subject.

Unless the applicant has given his/her consent, the applicant can only be contacted on the basis of data made available by the applicant for this purpose (i.e. personal data that the applicant has made public about himself/herself for this purpose). Applicants may only be included in the controller's databases on the basis of the applicant's consent. In the event that consent has not been given by the data subject, the controller will not further process the personal data of such data subject, and after a reasonable period of time during which the controller will have stored basic data concerning (i) under what circumstances and (ii) for what reasons the data subject was contacted, the destruction of such data will be carried out. Contacting reference contacts (references) of job applicants is permissible on the basis of the consent of the applicant concerned. The consent(s) given may be withdrawn at any time by the applicant/candidate at the above-mentioned contact address or contact e-mail of the controller.

The personal data of the job applicant is used by the administrator for the purpose of selecting a suitable candidate for the job. In the event that a candidate is successful in the selection procedure and a contract establishing an employment relationship between the administrator and the candidate is concluded with this job candidate, the personal data provided by the candidate (in particular his/her CV) will become part of his/her personnel file as an employee. At the end of the selection procedure, the administrator will ensure the destruction of the personal data of those job applicants who have not been selected/accepted for the job. The controller is entitled to use the communication (paper or e-mail) with the applicant regarding the selection procedure (i) for the purposes of its legitimate interests (protection of the controller's legal claims, or for IT security purposes - in particular for the controller's website and network), or (ii) for the purposes of fulfilling the controller's legal obligation (e.g. to prove the applicant's consent to the processing of personal data, etc.).

The legal grounds for processing personal data are:

performance of a contract (processing to conclude a contract) consent given by the data subject,
a legitimate interest of the controller or a third party,
the fulfilment of a legal obligation to which the controller is subject (including proof of obtaining consent).

Categories of recipients:

IT service providers (IT technical support services, provision of server services, provision of programming services, etc.),
providers of external recruitment services, providers of legal services, providers of accounting services, providers of economic services, providers of tax consultancy or audit services, if applicable,
public authorities.

In connection with the recruitment agenda (recruitment agenda), the processing of personal data occurs both on the basis of the consent given by the data subject and in connection with the "non-consent" agenda, i.e. in the case where the legal basis for the processing is determined by the title (i) the performance of a contract (or processing to conclude a contract), (ii) the fulfilment of a legal obligation of the controller, or (iii) the legitimate interests of the controller or a third party.

The provision of personal data for processing on the basis of consent (i.e. in particular for the purpose of inclusion of the candidate in a future (further) selection procedure) is entirely voluntary and the data subject is not obliged to give consent; however, without the provision of consent, it will not be possible to include the data subject (candidate) in a future (further) selection procedure.

Period of storage of personal data: for the purposes of the selection procedure (selection of a suitable candidate), the controller processes the personal data of candidates until 6 months have elapsed after the position has been filled or the selection procedure has been cancelled. In the event that a candidate is successful in the selection procedure (and becomes an employee), his/her CV (as part of the employee's personnel file) will be processed for the duration of the employee's employment. For other purposes related to the recruitment agenda, where the controller processes personal data on the basis of legitimate interest, the data will be stored until 1 year after the end of the limitation period, or for the necessary period of time for the purpose of exercising the protection of the controller's legal claims.

Further processing of the applicant's personal data for other/additional job offers at the controller is permissible on the basis of the data subject's consent.

In the event of any change to the data provided (whether in the form of a CV or otherwise), please notify the controller of the change at the contact address or contact email provided.

Information on the processing of personal data of contractual partners:

This information on the processing of personal data of contractual partners is without prejudice to the other provisions of this Policy.

The Controller processes the personal data of contractual partners (i) primarily for the purposes of concluding and executing the contract, or (ii) for the purposes of fulfilling a legal obligation (in particular to comply with the obligations set out in accounting and tax regulations, or data protection regulations), or (iii) on the basis of the legitimate interests of the Controller or a third party for the purpose of the possibility of asserting and enforcing legal claims of the Controller or a third party (debt recovery and protection of legal claims of the Controller and third parties), or for marketing and advertising purposes. Personal data may also be used by the controller for the administrative needs of the controller (including the creation of records and contact lists).

For potential contractual partners, the controller may process data available from public sources (e.g. public registers, websites, etc.) for the purposes of business contact. The controller may use such data for administrative purposes (including the creation of records and contact lists).

The legal basis for processing personal data is:

performance of a contract (processing for the purpose of concluding a contract) performance of a legal obligation to which the controller is subject
the legitimate interests of the controller or a third party,
the fulfilment of a legal obligation to which the controller is subject (including proof of obtaining consent).

Categories of recipients:

IT service providers (IT technical support services, provision of server services, provision of programming services, etc.),
providers of external marketing services, providers of legal services, providers of accounting services, providers of economic services, providers of tax consultancy or audit services,
public authorities,
other beneficiaries (e.g. insurance companies)

Personal data is processed by the controller both automatically and manually. However, most processing is automated (via computer systems), in particular in the controller's systems for accounting, invoicing, etc. At the same time, however, personal data may also be processed by the controller in filing systems, filing cabinets, etc. (including document filing/storage systems, business card filing systems, etc.).

Period of storage of personal data:

contact data for the purpose of offering information society services in accordance with the relevant legal regulation will be processed by the controller until the business partner consents to the further sending of commercial communications,
personal data for the purposes of contract performance will be processed by the controller for the duration of the contract (contracts will be kept for archiving purposes for 10 years after their performance/termination/termination),
personal data for the fulfilment of a legal obligation of the controller will be processed for the period specified by the relevant legislation,
personal data for the purposes of the legitimate interest of the controller or a third party will be processed by the controller until 1 year after the end of the limitation period, or further for the necessary period for the purpose of exercising the protection of legal claims.

For the purpose of updating personal data, the controller can be contacted at the contact address or contact e-mail provided.

Information on the processing of personal data of users of the company's website:

This information on the processing of personal data of website users is without prejudice to the other provisions of this Policy.

Users of the Controller's website may be both users who are/will be in a legal relationship with the Controller (e.g. a client of the Company) and users who are/will not be in a legal relationship with the Controller (i.e. a person who is merely "browsing" the website and does not ask/order/request anything). The Controller processes the personal data of website users for legitimate (legally permitted) purposes (e.g. for accounting/record-keeping purposes or for the purposes of contract performance).

The source of the personal data is the data subject's activity on the controller's website.

The legal basis for processing personal data is:

to comply with a legal obligation to which the controller is subject (e.g. to maintain an agenda/accounting records),
the performance of a contract (processing to conclude a contract); legitimate interest of the controller or a third party.

The controller processes the following personal data relating to the data subject's activity on the controller's website: IP address, date and time of access, etc.

The personal data is processed for the period of time specified by the relevant legislation.

Categories of recipients:

IT service providers (network administrator/IT technical support services, server service providers, programming service providers, etc.),
providers of external marketing services,
public authorities.

e. other information

Method of exercising the rights of the data subject:

As a personal data subject, you may exercise your rights in relation to the processing of personal data against the controller by contacting the controller at the contact address Modřínová 1432/75, 182 00, Prague 8, or at the contact e-mail address of the controller info@profid.cz

Provision of information by the controller:

The controller provides information in writing in paper form. However, if you contact the Controller electronically at the contact e-mail address of the Controller, the Controller will provide you with information electronically (in the form of an e-mail message), unless you request information in paper form. This is without prejudice to your right to data portability.

If we receive a request from you pursuant to Articles 15 to 22 of the GDPR, we will inform you of the measures taken without undue delay, at the latest we will inform you of the measures taken, refusal or extension of the deadline within one month after the request is received by us. Taking into account the complexity of the request or the number of requests, we may extend the deadline for informing you of the measures taken (and therefore for taking the relevant measures) by a further two months. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

Information about the fact that the data subject has exercised his or her rights with the controller and how his or her request has been processed by the controller will be stored by the controller for a reasonable period of time (usually 3 years) for the purpose of (i) documenting this fact (exercise and processing of the request), (ii) for statistical purposes, or (iii) for the purpose of protecting the controller's rights.

Further information:

In cases where personal data is processed without your consent, its disclosure is required on the grounds that (i) it is necessary for the performance of contractual obligations, or (ii) its disclosure is required by law, or (iii) the legitimate interests of the controller or third parties. The consequence of not providing data for these purposes (any of them) may be the failure to conclude a contract or the impossibility of providing the requested performance, etc.

The sending of electronic commercial communications to customers within the meaning of the offer of information society services (so-called customer exemption) according to the relevant legal regulation can be cancelled via a link contained in each individual commercial communication.

In cases where personal data is processed on the basis of your consent, the provision of your personal data is not a legal or contractual condition (legal or contractual requirement) and therefore you do not have to provide consent. In such cases, you are therefore not obliged to provide the personal data in question for the purpose in question, nor to give your consent to its processing. Failure to provide consent may result in the Company being unable to apply certain procedures.

This Privacy Policy has been updated as of November 1, 2024.