GDPR & Cookies

Privacy Policy

Introduction

This guideline is an internal regulation of VETTRONIC s.r.o., ID No.: 17531713, with its registered office at Vodní 2415/3, Předměstí, 746 01 Opava, Czech Republic, entered in the Commercial Register of the Regional Court in Ostrava, Section C, Insert 90412 (hereinafter the “Controller”), adopted to ensure the protection of personal data managed by the Controller. This guideline is adopted in connection with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended (hereinafter the “Regulation”), coming into force.

This guideline includes binding instructions, information, rules, procedures and advice for the Controller’s employees and any collaborators of the Controller who undertake to comply with the Regulation. The guideline is also binding for the company’s executive directors. For the purposes of this guideline, any legal entities obliged to comply with this guideline are hereinafter referred to as “Obliged Person(s)”.

This guideline aims to ensure an adequate standard of personal data protection. Compliance with this guideline will help reduce the risk of failure to meet the obligations imposed on the Controller by the Regulation, as well as other valid and effective legal regulations.

For the purposes of this document, “personal data” mean any information relating to an identified or identifiable natural person to whom the personal data relate. An identified or identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to a number, a code or one or more factors specific to that natural person’s physical, physiological, mental, economic, cultural or social identity. For the purposes of this guideline, “data subjects” mean, in particular, the customers, potential customers, suppliers and potential suppliers of the Controller and applicants for employment with the Controller.

“Processing of personal data” means any operation or set of operations that is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, whether or not by automated means.

“Personal data carrier” is any material or device on which personal data are captured or recorded. This may include paper documentation, including folders and files, CDs, DVDs, external drives, software, computer drives, servers, etc.

The Controller processes personal data in connection with its business activities. The Controller processes personal data only to the necessary extent. Obliged Persons are not entitled to collect any other data about natural persons unrelated to the Controller’s activities. Furthermore, Obliged Persons are not entitled to handle processed personal data in violation of this guideline, concluded contracts or applicable legislation.

Basic Obligations of Obliged Persons

Obliged Persons are not entitled to use personal data for purposes other than those for which the data were collected.

All personal data are confidential, i.e. they are subject to confidentiality and Obliged Persons are not entitled to disclose or provide such information to third parties, except for the purpose for which the personal data were collected. Obliged Persons may not disclose personal data and related information, as well as information about personal data secured by the Controller, to co-workers, family members, close acquaintances, etc.

It is prohibited to aggregate personal data in any way or to create databases of personal data unless it is necessary for the purpose for which the personal data were collected and unless the Controller has granted its express consent to these activities.

Obliged Persons are not entitled to sell, lease or otherwise make the data available to third parties, whether for a remuneration or free of charge, or use the data for their own or any third party’s economic advantage.

Obliged Persons may not access personal data other than the data which are strictly necessary for the performance of their activities for the Controller. In particular, it is prohibited to try to access secured files entrusted to another Obliged Person and access the software and hardware entrusted to another Obliged Person without the express instruction from the Controller.

Obliged Persons undertake to notify the Controller of any security breach immediately after they become aware of it and provide details of the security breach.

Obliged Persons must conform to the principles of a “clean desk”, i.e. they are obliged to check whether all carriers containing personal data are properly secured in accordance with this guideline before leaving their workplace. Obliged Persons must not leave their workplace without performing this check, unless remaining in the workplace poses a greater risk of harm than could be caused by the damage, loss or theft of the personal data carrier.

Obliged Persons undertake to implement necessary measures to prevent any damage to, loss or theft of the personal data carrier.

Any notes or written records containing personal data must be shredded immediately they are no longer required.

Obligations in Individual Processing Activities

In individual processing activities, Obliged Persons must follow the following binding instructions:

Communication

Any e-mail communication must always take place only via the secure e-mail address provided to the Obliged Person by the Controller. Using personal e-mail addresses for communication containing personal data processed by the Controller is not allowed.

All communication must take place via devices entrusted to the Obliged Person by the Controller or via devices approved by the Controller for a given use.

Providing any personal data over the phone or via unsecured mail is prohibited.

If the Obliged Person has any doubt regarding the identity of the other person to whom the Obliged Person should disclose any personal data, the Obliged Person must maintain confidentiality until all such doubts are dispelled.

If, in the processing of any documentation, the Obliged Person discovers that the documentation includes a document intended only for the private purposes of the data subject, the Obliged Person is obliged to stop processing the personal data in this document immediately, secure the document against any accidental reading (e.g. by inserting it in an envelope) and submit it to the data subject or store it securely for later submission to the data subject.

Any delivery addressed to the name of a natural person (i.e. not to the Controller) is to be handed over to the addressee unopened as soon as possible. Other deliveries are opened and handed over to individual employees responsible for the given matter. Deliveries for the Controller must always be marked with the date of receipt. If such a marking could devalue the document, the date will be marked on the envelope in which the document arrived.

Recruitment

The executive directors are responsible for recruitment. No one else has access to applicants’ data.

When requesting new employees, the Obliged Person will reference the Privacy Policy adopted by the company so that the data subject is informed about how the Controller processes and handles data before providing any data to the Controller.

In the case of applicants with whom no employment relationship will arise due to their inadequate qualifications or other unsatisfactory circumstances, information about them must be disposed of immediately, i.e. any electronic copies of such information must be irreversibly erased, and any documents containing such personal data must be shredded.

In the case of applicants who have not been selected for a given position but are likely to be offered another job in the near future, their personal data may be processed after the position has been filled, but only for a reasonable period – i.e. for three months. After this period, the data subject is likely no longer interested in the job offer, and the Obliged Person will proceed to dispose of such personal data.

It is prohibited to provide job applicants with false or misleading information.

Collecting more information about job applicants than the Obliged Person needs to assess the candidate’s suitability is prohibited.

Employee Records

Upon recruitment, the Controller collects from the data subject only such information that the Controller needs for the performance of its statutory obligations and exercising the employer’s rights in connection with the employment relationship with employees, payroll accounting, payments of taxes, levies and mandatory contributions to social security, health insurance and, if applicable, accident insurance, attendance records, performance of obligations related to occupational health and safety, and records of business trips.

Obliged Persons are not entitled to collect any other personal data from employees in connection with processing.

Collected personal data are stored in employee files in a secure location in a locked office. Obliged Persons are entitled to make these files available only to the processors listed in Processing Record No. 3. Taking employee files out of the relevant office without the express instruction of the Controller is strictly prohibited. Employee files always include an employment contract or an agreement to complete a job or an agreement to perform work and, if applicable, an earnings statement, an entry questionnaire, a declaration of the taxpayer liable to personal income tax and a personal income tax statement. Employee files may contain other documents directly related to the employment relationship.

Obliged Persons are not entitled to provide other co-workers with more personal data than is necessary for the cooperation.

Obliged Persons must inform the data subject about the Privacy Policy adopted by the Controller immediately before the conclusion of the employment relationship. At the same time, the data subject will be provided with information on the processing of employees’ personal data.

Customer-Supplier Relationships

Only the Obliged Person designated by the Controller is entitled to communicate with customers and suppliers. Obliged Persons access the personal data of customers and suppliers only when necessary and to the necessary extent. Communication always takes place according to the rules set out in the “Communication” section above.

Obliged Persons must demonstrably inform every new customer or supplier about the Privacy Policy in place (by sending an e-mail notification).

The company’s executive director decides on the recovery of mature outstanding receivables. In that case, necessary data are disclosed to the provider of legal services.

Obliged Persons are obliged to keep confidential all facts they learn in connection with the Controller’s customer-supplier relationships.
Project information is stored in order folders, which are available in the Controller’s office. Order folders contain, among other things, technical data about the project and its progress. Obliged Persons are not entitled to insert any documents containing personal data into order folders unless it is strictly necessary. Obliged Persons can access order folders in connection with the implementation of projects. Obliged Persons shall only access the order folders of projects that have already been implemented when handling complaints or other claims arising from the implemented project.

Data Box

Access to the data box is only available to the company’s executive director or, as the case may be, an authorised employee delegated by the executive director to manage the data box and the contractually bound accounting service provider. However, persons authorised to access the data box are not entitled to make any submission without the knowledge and consent of the company’s executive director.

Login credentials to the data box are considered confidential, and the password must be subject to special protection since the data box can be used to perform a number of binding and enforceable acts.

Personal data may be disclosed to third parties via the data box in cases stipulated by law (submissions to the tax administration, health insurance companies, the Czech Social Security Administration, Kooperativa, an insurance company, etc.) or in cases where the Controller is required to do so by a court order or another decision of an administrative authority competent to supervise the Controller’s activities.

Marketing

The Controller is entitled to perform marketing activities and publish the presentation of the company, as well as its products, at www.vettronic.eu. In these presentations, the Controller may include the contact details of an Obliged Person if the disclosure of such contact details is consistent with the job description of the given position.

Obliged Persons are not entitled to change the information published on the website without the knowledge and explicit instruction of the company’s executive director.

The Controller has set up a Facebook user account to build the company’s presence. The person authorised to manage the account is not entitled to grant any third party access to the account. This person is not entitled to disclose any personal data through this account. The person responsible for managing the account may reply to users’ questions but cannot actively contact users.

Accounting

All accounting materials are gathered in a locked office and forwarded to the processor, i.e. the contractually bound accounting service provider. Accounting data are also transmitted through the Pohoda software, in which the authorised employee continuously records all sales.

All accounting records are kept using the Pohoda accounting software solution.

Obliged Persons may not grant any third party access to the Pohoda user account or disclose the password to the user account to any third party.

In all accounting-related matters, Obliged Persons are entitled to communicate only with a contractually bound accountant who has entered into a confidentiality agreement with the Controller.

Obliged Persons are not entitled to provide any accounting-related information to any third party without the Controller’s express instruction.

Hardware

Obliged Persons are obliged to use only the hardware equipment that has been provided to them by the Controller or that the Controller has approved for use in connection with the processing of personal data. Obliged Persons are not entitled to change the security settings of the entrusted hardware equipment.

Obliged Persons are not entitled to take the entrusted hardware equipment outside the premises designated by the Controller for the use of such equipment. This does not apply to mobile devices, the use of which outside the designated premises has been approved by the Controller.

If the hardware equipment is taken outside the designated premises with the Controller’s consent, the Obliged Person undertakes to keep the device in a safe location. When transported, the device must always be supervised by the Obliged Person. The Obliged Person is not entitled to make the device available to any third party.

If the Obliged Person is assigned a user account, the Obliged Person must secure it with an adequate and sufficiently strong password. The password must always contain upper and lower case letters, numbers and special characters, with a minimum of eight characters. Obliged Persons are not entitled to disclose their user account passwords to any third party and are fully responsible for access to personal data through their user accounts.

Placing any password information on hardware or in readily accessible and visible locations is prohibited.

Installing any software on the Controller’s hardware equipment without the knowledge and express consent of the Controller is prohibited.

Connecting the Controller’s hardware equipment or equipment containing personal data processed by the Controller to any unknown or unsecured networks is prohibited.

An automatic screen or display lock must be enabled on all computers and phones after a minimum of three minutes of inactivity so that unlocking the device requires entering a security password.

Office and Hardware Security

Obliged Persons who have received from the Controller a key or another means of access to any building used by the Controller must secure these means of access and protect them from damage, destruction and, in particular, loss or theft. If such a means of access is lost or stolen, the Obliged Person must immediately notify the Controller, who will take appropriate measures to prevent any leak, loss or theft of the data stored in the building (i.e., in particular, ensuring the immediate replacement of the lock, deactivating the access chip, etc.).

Obliged Persons may not leave means of access to the building in an unsecured location without supervision or at the disposal of any third party.

Obliged Persons who have received from the Controller any hardware equipment on which personal data processed by the Controller are stored must not leave the hardware equipment in an unsecured location without supervision or at the disposal of any third party. If the equipment is damaged, lost, destroyed or stolen, the Obliged Person must notify the Controller without undue delay. If the Obliged Person suspects that the entrusted hardware equipment could be subject to hacking, the Obliged Person must immediately notify the Controller and take all necessary steps to prevent the completion of the attack (i.e. immediately contact the IT administrator and follow any instructions given by the IT administrator).

Before leaving any protected lockable premises of the Controller, Obliged Persons are always obliged to ensure that all electrical equipment is adequately secured, windows well closed and doors properly locked. Obliged Persons are not entitled to leave premises connected to a security system without activating the security system first. The provisions of this paragraph shall not apply if another Obliged Person is still inside the premises.

The company’s archive is protected with a lockable door. Only executive directors and persons designated by them can access the archive. These persons are obliged to ensure that the archive door is always properly locked and all windows are closed. The Obliged Persons are not entitled to leave the archive without checking this is done.

Security incidents

A security incident means a personal data breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

If the Obliged Person discovers any security incident or a threat thereof, the Obliged Person must notify the Controller without undue delay.

In the event of a security incident, the Controller will notify the Office for Personal Data Protection of this incident without undue delay, preferably within 72 hours of becoming aware of the incident, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the Controller assesses the matter as minor, i.e. without any risk to the rights and freedoms of natural persons, the Controller will not notify the supervisory authority but will take measures to prevent the incident from recurring.

When assessing the risk associated with the security breach, the Controller considers the category of personal data affected by the security incident, the nature of the security breach and the number of data subjects affected. In particular, a higher risk is associated with special categories of data (i.e. health data) or data that may cause harm to the data subject or interfere with the data subject’s rights. The Controller will also consider whether the breach was intentional or negligent, where an intentional act significantly increases the risk of a security incident.

If the Controller concludes that the security incident could affect the rights and freedoms of natural persons, the Controller will provide the following information in the report:

  • identification of the Controller;
  • nature of the security breach;
  • measures taken;
  • likely consequences;
  • contact details of the authorised person.

If the incident poses a high risk to the rights and freedoms of a data subject, the Controller must inform the data subject about the incident as well. This does not apply if this obligation would require a disproportionate effort. In this case, however, all data subjects must be informed in an equally effective manner through a public notice.

Liability

The Controller has made the Obliged Persons aware that if they violate the confidentiality obligation with regard to personal data processed by the Controller, they may commit an offence pursuant to Sections 44 and 44a of Act No. 101/2000 Sb., on personal data protection.

The Controller has further warned Obliged Persons that if they handle personal data without authorisation, they may commit the crime of unauthorised handling of personal data pursuant to Section 180 of Act No. 40/2009 Sb., the Criminal Code, as amended.

In addition, the Controller is entitled to recover from Obliged Persons compensation for any damage that the Controller incurs due to their violations, up to the amount provided by the Labour Code or the Civil Code, as amended.

Documentation of Measures Taken

The person authorised by the Controller is obliged to keep a file containing the following documents:

  • Input datasheets for GDPR analysis processing
  • GAP analysis
  • Information on processing – partners
  • Information on processing – employees (model)
  • Amendment to the employment contract (model)
  • Non-disclosure agreements with processors
  • Privacy Policy
  • Cookies statement
  • Model consents used
  • Records of processing activities
  • This guideline
  • Any other documents related to personal data protection

Archiving and Shredding Rules

In order to unify the procedure for handling documents or other records originating from or held by the Controller in connection with its activities, the Controller has adopted the following binding rules. Responsibility for the proper management of the archive lies with the executive director, who ensures the systematic filing of the archives.

Materials stored in the archive must be stored in such a way as to prevent damage, destruction, loss or theft. The archives may only be loaned outside the archive with the knowledge of the company’s authorised executive director and in justified cases.

Documents are deposited in the Controller’s archive no later than 31st March of the year following the year of their processing. Before being deposited in the archive, documents must be marked with the document title, time stamp, shredding symbol and shredding deadline. Shredding symbols indicate the documentary value of individual types of documents:

  • A – the document has permanent documentary value and is to be kept for an indefinite period;
  • V – the document will be subject to selection proceedings to decide whether it should be stored permanently. The documentary value of the document will be assessed by the person responsible for managing the archive, i.e. the authorised executive director;
  • S – the document is to be destroyed after the expiry of the shredding deadline.

The archive serves mainly to store:

  • documents and records that the Controller does not need for its regular activities and that do not contain personal data;
  • accounting documents and other documents of an economic nature;
  • documents related to the Controller’s activities in the role of employer.

Only documents not belonging to the archive and unimportant documents intended for destruction will be shredded.

No documents may be handed over directly for waste collection; all documents to be shredded must be irretrievably destroyed so that they cannot be restored.

Shredding Deadlines

Document
Content
Shredding symbol
Shredding deadline (in years)
Instruments of incorporation
  • Memorandum of Association
  • Articles of Association
A
Internal regulations
  • Guidelines
  • Rules
S
10
Documents related to the General Meeting
  • Invitations
  • Minutes
  • Resolutions
  • Attendance sheets
A
Record of partners
  • List of partners
S
6
Contractual documentation
  • Contracts with customers
  • Contracts with suppliers
  • Records of transactions made
  • Supporting documents relating to the transactions made
S
10
Contractual documentation
  • Contractual documentation not affecting the assessment of VAT
S
5
Employee files
  • Personal questionnaires
  • Employment contracts
  • Agreements to complete a job
  • Agreements to perform work
  • Declaration of the taxpazer liable to personal income tax
  • Employees' cards
  • Personal income tax statements
  • Earnings statements
A
30
HR
  • Attendance sheets from training sessions
S
3
HR
  • Employee attendance sheets
S
3
Financial management
  • Financial statements – balance sheets, profit and loss statements, notes
  • Tax return
A
10
Financial management
  • Accounting documents
  • Books of accounts
  • Charts of accounts
A
5
Financial management
  • Documents related to the value added tax return and tax assessment
A
10
Assets
  • Purchase contracts for movable assets
  • Contracts for work
S
10
Assets
  • Purchase contracts for immovable assets
  • Contracts for work
A
Other
  • Miscellaneous
V
3

Terms of Use for Cookies at vettronic.eu

VETTRONIC s.r.o., ID no.: 17531713, with its registered office at Vodní 2415/3, Předměstí, 746 01 Opava, Czech Republic, entered in the Commercial Register maintained by the Regional Court in Ostrava, Section C, Insert 90412 (hereinafter the “Company” or the “Controller”), represents that it is the operator of the website www.vettronic.eu (hereinafter the “Website”).

In connection with the Website’s operation, the Company may use cookies, which are small files sent with the Website and stored by the browser on the hard drive of the user’s device. During the user’s subsequent visit to the Website, the information stored in cookies may be returned to the servers of the Controller or relevant third parties.

Using cookies is a legitimate interest of the Controller as they enable the proper functioning of the Website, provide the Controller with basic traffic information and allow the monitoring of user preferences to increase the appeal of the Website and the Company’s offer.

What Are Cookies?

We use cookies to analyse data about our visitors, improve our Website, display personalised content, and provide you with a great web experience.

Functional Cookies

These cookies are necessary for the Website to function properly and cannot be disabled. They are usually set in response to an action you take on the Website, such as setting up security, logging in and completing forms. You can set your browser to block cookies or send notifications about cookies. Remember that some pages will not work without cookies. These cookies do not store any personally identifiable information. These cookies may be set by us or third-party providers whose services we use on the Website. These cookies do not store any personally identifiable information.

fp_cookie

Domain
vettronic.eu
Description
This is a necessary cookie. It stores information on visitor's tracking consents, a list of tracking tools that a user agreed to and the date of the last update of the privacy policy page.
Expiration
Never expires
Processor
VETTRONIC s.r.o.

fp_current_session

Domain
vettronic.eu
Description
This is an optional cookie. It requires consent to tracking statistics. In the free version it does not hold any value and is only used to check if a new session has started.
Expiration
Expires when a visitor is inactive for 30 minutes
Processor
VETTRONIC s.r.o.

Marketing Cookies

These are used to track users’ website preferences to target advertising, i.e. to display marketing and advertising messages (including on third-party websites) that may be of interest to the website visitor in accordance with those preferences. Marketing cookies are used by third-party tools. These marketing cookies will only be used with your consent.

Personalisation Cookies

By enabling this setting, you allow advertising network operators to display personalised advertising. If you agree to this setting, no cookies will be stored on your browser. Information about your agreement or disagreement is transmitted through a data layer and further processed by the relevant advertising network operators.

Analytical Cookies

These cookies are used to improve the functioning of the Website. They allow us to determine and monitor the number of visitors and how they use the Website. They help us improve the website experience, for example, by enabling users to easily find what they are looking for. These cookies do not collect information that could identify you. We use these tools to analyse and continuously enhance the functionality of our Website. We can use the statistics obtained to improve user comfort and make your visit to our Website more interesting from a user point of view. These analytical cookies will only be used with your consent.

Google Analytics

Domain
vettronic.eu
Description
SGoogle Analytics collects pseudonymous information in the form of cookies about how many visitors use our Website and how. This information helps us improve our Website. You can find more detailed information about Google Analytics and privacy protection (including how you can control what information is sent to Google) here: Google Privacy Policy.
Expiration
1 year
Processor
Google

Third-Party Cookies

We use third-party cookies on our Website. These cookies will only be used with your consent.

YouTube

Category
marketing, personalisation
Domain
youtube.com
Description
We use YouTube to allow you to play videos on our Website. The YouTube video player collects data in the form of cookies. You can find more detailed information about privacy protection on the YouTube platform here: YouTube Privacy Policy.
Processor
YouTube

Information About Your Rights and Their Application

You can change cookie settings at any time by clicking on the cookies button in the bottom right corner or by changing your browser’s settings. Stored cookies can also be deleted from the browser on an ongoing basis.

In addition, website users as “data subjects” have the following rights:

  • Right of access: The data subject may ask the Controller, i.e. the website operator, at any time for information about the processing of personal data concerning the data subject. In that case, the Controller is obliged to provide this information to the data subject without undue delay;
  • Right to lodge a complaint: The data subject may lodge a complaint with the supervisory authority regarding an alleged infringement of applicable law; the supervisory authority means the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic (www.uoou.cz);
  • Right to rectification: The data subject may request the rectification of inaccurate data concerning the data subject;
  • Right to erasure: The data subject has the right to obtain from the Controller the erasure of personal data concerning the data subject without undue delay if the personal data are no longer necessary for the purpose for which they were collected and processed, if an objection to the processing has been raised, if there are no overriding reasons for the processing, if the personal data have been processed unlawfully or if they have to be erased for compliance with a legal obligation stipulated by the applicable law to which the Controller is subject;
  • Right to restriction of processing: If the data subject contests the accuracy of the data processed, the Controller is obliged to restrict the processing of the personal data concerned for a period enabling the Controller to verify the accuracy of the personal data;
  • Right to information: The data subject has the right to be informed about any rectification or erasure of personal data or restriction of processing applied by the Controller that concerns the data subject;
  • Right to object: The data subject has the right to object at any time to the processing of personal data that concern the data subject and that are processed because it is necessary for the performance of a task carried out in the public interest or because it is necessary due to the Controller’s legitimate interest;
  • Right to data portability: The data subject has the right to receive the personal data concerning the data subject, which the data subject has provided to the Controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the existing Controller;
  • Right to withdrawal: The data subject has the right to withdraw the data subject’s consent to the processing of personal data at any time.

Participants may exercise their rights with the Company as the Controller through this e-mail address: info@vettronic.eu.

The use described above does not involve any transfer of personal data to third countries.

The processing described above does not involve automated decision-making, including profiling.

Our Company is not obliged to appoint a data protection officer and has not appointed one voluntarily.

About These Terms

This document becomes effective on 22nd August 2023. If necessary, VETTRONIC s.r.o. is entitled to update these terms. Always check the latest version of these terms when browsing our Website. Any new version becomes effective upon publication. It is always displayed on our Website to enable its archiving and reproduction.