
Privacy Policy

CHAPTER I.

GENERAL PROVISIONS

 

1. Introduction

 

The Company declares that it carries out its data management activities, by adopting the appropriate internal rules and technical and organizational measures, in such a way that it complies in all circumstances with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, hereinafter: the Regulation), as well as with Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Info Act).

 

2. Purpose of the Regulations  

 

(1) The purpose of the Regulations is to establish the internal rules and measures that ensure that the Company's data management activities comply with the provisions of the Regulation and the Info Act.

 

(2) The purpose of the Regulations is also to certify the Company's compliance with the Regulation and the principles governing the processing of personal data set out therein (Article 5).

 

3. Scope of the Regulations

 

(1) The scope of these Regulations extends to the processing of personal data concerning a natural person by the Company.

 

(2)  Self-employed persons, sole proprietorships, primary producers, customers and suppliers shall be considered natural persons for the purposes of these regulations.  

 

(3) The Regulations do not apply to the processing of personal data concerning legal persons, including the name and form of the legal person and data on the contact details of the legal person. (GDPR (14))

 

4. Definitions

 

Definitions for the purposes of these Regulations are set out in Article 4 of the Regulation. Accordingly, we highlight the main concepts:

1. "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. "processing" means any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, systematisation, sorting, storage, transformation or alteration, retrieval, consultation, use, communication, transmission, dissemination or otherwise making available, coordination or interconnection, restriction, deletion or destruction;

3. "restriction of data processing" means the marking of stored personal data with the aim of limiting their future processing;

4. "profiling" means any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics of a natural person, in particular to analyze or predict characteristics related to his performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or movements;

5. "pseudonymisation" means the processing of personal data in such a way that it is no longer possible to determine to which specific natural person the personal data relate without the use of additional information, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that this personal data cannot be linked to identified or identifiable natural persons;

6. "registration system" means a set of personal data, structured in any way, whether centralized, decentralized or on a functional or geographical basis, which is accessible on the basis of defined criteria;

7. "controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

8. "processor" means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

9. "recipient" means a natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not. Public authorities that may have access to personal data in the framework of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

10. "third party" means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or the processor, have been authorized to process personal data;

11. "data subject's consent" means the voluntary, specific, duly informed and unambiguous indication of the data subject's intention by which he or she, by means of a statement or an act unambiguously expressing consent, agrees to the processing of personal data concerning him or her;

12. "data protection incident" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data which have been transmitted, stored or otherwise handled.

 

CHAPTER II.

ENSURING THE LAWFULNESS OF DATA PROCESSING

 

5. Data management with the consent of the data subject  

 

(1) In the case of consent-based data processing, the data subject's consent to the processing of his or her personal data shall be requested on the data request form in accordance with Annex 1.

 

(2) Consent shall also be deemed to be given if the data subject ticks a box to this effect when visiting the Company's website, chooses technical settings to this effect when using information society services, or makes any other statement or action which, in that context, clearly indicates the data subject's consent to the intended processing of his or her personal data. Silence, a pre-ticked box, or inaction therefore do not constitute consent.

 

(3) The consent shall cover all data processing activities carried out for the same purpose or purposes. If the data management serves several purposes at the same time, the consent must be given for all data management purposes.

 

(4) If the data subject gives his / her consent in the form of a written statement which also applies to other matters - e.g. conclusion of a sales or service contract - the request for consent must be made in a way that is clearly distinguishable from these other matters, in a comprehensible and easily accessible form, in clear and simple language. Any part of such a statement containing the data subject's consent which infringes the Regulation shall not be binding.

 

(5) The Company may not make the conclusion or performance of a contract conditional on consent to the processing of personal data which is not necessary for the performance of the contract.

 

(6) Withdrawal of consent should be as simple as giving it. 

(7) If the personal data has been collected with the consent of the data subject, the data controller may, unless otherwise provided by law, process the collected data without further separate consent and after the withdrawal of the data subject's consent.

 

(8) The Company shall make its general data management information in accordance with Annex 2 available to interested parties in the footer on its website. The purpose of this information notice is to inform data subjects clearly and in detail, in a publicly available form, before and during the processing, of all facts relating to the processing of their data, in particular the purpose and legal basis of the processing, the data subject and the duration of the processing, whether the personal data of the data subject are processed by the data controller in accordance with Section 6 (5) of the Info Act, and who can get acquainted with the data. The information should also cover the data subject's rights and remedies. This data management information must be made available at each of the most important data management steps by means of a separate link (for example, in the case of registration, before registration, during the registration process, etc.). Data subjects should be informed of the availability of this information notice.

 

(9) Data processing based on the fulfillment of a legal obligation is independent of the consent of the data subject, as the data processing is defined by law. In this case, the data subject shall be informed before the start of the processing that the processing is obligatory and shall be clearly and in detail informed of all facts concerning the processing, in particular the purpose and legal basis of the processing, the data subject, the duration of the data processing, whether the personal data of the data subject are processed by the data controller on the basis of the legal obligation applicable to him or her, and who can get acquainted with the data. The information should also cover the data subject's rights and remedies. In the case of mandatory data management, the information may also be provided by publishing a reference to the legal provisions containing the above information.

 

 

CHAPTER III.

EMPLOYMENT-RELATED DATA MANAGEMENT

 

6. Labor and personnel records

 

(1) Only such data may be requested from workers and recorded, and only such occupational medical examinations may be carried out, as are necessary for the establishment, maintenance and termination of employment and the provision of social welfare benefits and which do not infringe the worker's personal rights.

(2) The Company manages the following data of the employee for the purpose of establishing, fulfilling or terminating an employment relationship, in order to enforce the legitimate interests of the employer (Article 6 (1) (f) of the Regulation):

1. name,

2. birth name,

3. date of birth, 

4. mother's name,

5. address,

6. nationality, 

7. tax identification mark, 

8. TAJ number,

9. pensioner registration number (in case of a retired employee), 

10.  phone number,

11.  e-mail address,

12. identity card number,

13. official identity card number,

14. bank account number,

15. start and end dates of employment,

16.  position,

17. a copy of a document certifying education and professional qualifications,

18. photo,

19. curriculum vitae,

20. the amount of his or her salary, data on wages and salaries, other benefits,

21.  the debt to be deducted from the employee's salary on the basis of a final decision or legislation or his written consent, or the right to deduct it, 

22. method of termination of employment, reasons,

23. moral certificate, depending on position,

24. a summary of the aptitude tests, 

25. in the case of membership of a private pension fund and a voluntary mutual insurance fund, the name of the fund, the identification number and the membership number of the employee,

26. data recorded in accident records of an employee,

27. data recorded by the camera system used by the Company for security and property protection purposes and by positioning systems.

 

(3) The employer shall process data on illness and trade union membership only for the purpose of fulfilling the right or obligation specified in the Labor Code.  

 

(4) Recipients of personal data: the head of the employer, the person exercising the employer's rights, the employees of the Company performing labor tasks and the data processors.

 

(5) Only the personal data of senior employees may be transferred to the owners of the Company.  

 

(6) Duration of storage of personal data: 3 years after termination of employment.  

 

(7) The data subject shall be informed before the commencement of data processing that the data processing is based on the Labor Code and the enforcement of the legitimate interests of the employer. 

(8) Simultaneously with the conclusion of the employment contract, the employer shall inform the employee about the handling of his or her personal data and the related rights by handing over the Information Sheet in accordance with Annex 3 to these Regulations.

 

7. Data management related to aptitude tests

 

(1) An aptitude test may be applied to an employee only if it is prescribed by the rules of employment or is necessary in order to exercise a right or fulfill an obligation specified in the rules of employment. Prior to the examination, the employees must be informed in detail, among other things, about the skills and abilities the aptitude test is intended to assess, and about the means and method of the examination. If the examination is required by law, employees must also be informed of the title of the legislation and the exact location of the provision within it. A sample of the related data management information is provided in Annex 4 to these Regulations.

 

(2) The employer may have test forms for work suitability and readiness completed by employees both before the establishment of the employment relationship and during the existence of the employment relationship.

 

(3) In order to perform and organize work processes that are clearly related to the employment relationship, a test form suitable for examining psychological or personality traits may be completed with a larger group of employees only if the data revealed during the analysis cannot be linked to individual employees, i.e. the data are processed anonymously.

 

(4) The range of personal data that can be processed: the fact of suitability for the job and the necessary conditions for this.  

 

(5) Legal basis for data processing: legitimate interest of the employer.  

 

(6) The purpose of the processing of personal data: the establishment and maintenance of an employment relationship, the filling of a job.  

 

(7) Recipients and categories of recipients of personal data: The results of the examination may be disclosed to the employees examined or to the expert performing the examination. The employer can only receive information on whether the person being examined is suitable for the job or not, and what conditions must be provided for this. However, the details of the test and its complete documentation may not be disclosed to the employer.

 

(8) Duration of the processing of personal data: 3 years after the termination of employment. 

8. Management of the data of employees applying for a job, applications and CVs

 

(1) The scope of personal data that can be processed: name, date and place of birth, mother's name, home address, qualification data, photo, telephone number, e-mail address, employer's record of the applicant (if any).

 

(2) The purpose of the processing of personal data: application, assessment of the application, conclusion of an employment contract with the selected person. The person concerned must be informed if the employer has not chosen him for the job.

 

(3) Legal basis for data processing: consent of the data subject.

 

(4) Recipients of personal data and categories of recipients: senior employees performing employment duties at the Company who are entitled to exercise the employer's rights.

 

(5) Duration of storage of personal data: Until the application is considered. The personal data of non-selected candidates must be deleted. The data of the person who withdrew his / her application must also be deleted.  

 

(6) The employer may retain applications only with the express, explicit and voluntary consent of the data subject, provided that their retention is necessary to achieve the purpose of data processing in accordance with the law.  This consent must be requested from applicants once the recruitment procedure has been completed.

 

9. Data management related to the control of e-mail account use

 

(1) If the Company provides an e-mail account to the employee, this e-mail address and account may be used by the employee only for the purpose of his or her job duties, in order for the employees to keep in touch with each other or to correspond on behalf of the employer with clients, other people and organizations.

(2) The employee may not use the e-mail account for personal purposes, nor may he store personal letters in the account. 

(3) The employer is entitled to check the entire content and use of the e-mail account on a regular basis, every 3 months; the legal basis of this data management is the legitimate interest of the employer. The purpose of the audit is to verify compliance with the employer's provision regarding the use of the e-mail account, as well as to verify the employee's obligations (§ 8, § 52 of the Civil Code).

(4) The head of the employer or the person exercising the employer's rights is entitled to carry out the inspection.

(5) If the circumstances of the inspection do not preclude this, it must be ensured that the worker is present during the inspection.

(6) Before the inspection, the employee must be informed of the employer's interest in the inspection, of who can carry out the inspection on the part of the employer, of the rules according to which the inspection may take place (compliance with the principle of gradation) and the procedure, and of the data management associated with checking the e-mail account.

(7) The principle of gradation must be applied during the inspection, so it must first be established from the e-mail address and subject whether the message is related to the employee's job duties and not to personal purposes. The content of non-personal e-mails can be reviewed by the employer without restriction.

(8) If, contrary to the provisions of these regulations, it can be established that the employee has used the e-mail account for personal purposes, the employee shall be instructed to delete the personal data immediately. In the absence of the employee or in the absence of cooperation, the personal data will be deleted by the employer during the inspection. Use of the e-mail account in violation of these policies may result in employment sanctions being imposed on the employee by the employer. 

(9) The employee may exercise the rights described in the chapter on the rights of the data subject in connection with the management of data related to the control of the e-mail account.  

 

10. Data management related to computer, laptop, tablet control

 

(1) Computers, laptops and tablets provided by the Company to the employee for the purpose of work may be used by the employee only for the performance of his or her job duties. Their private use is prohibited by the Company, and the employee may not handle or store any personal data or correspondence on these devices. The employer can check the data stored on these devices. The provisions of § 9 above shall otherwise apply to the control of these devices by the employer and to the legal consequences thereof.

 

11. Data management related to the control of Internet use at work  

 

(1) The employee may only view websites related to his or her job duties; the use of the Internet for personal purposes at work is prohibited by the employer.

(2) The Company is the owner of the internet registrations performed on behalf of the Company as a job task; an identifier and password referring to the Company shall be used during the registration. If the provision of personal data is also required for registration, the Company is obliged to initiate the deletion of such data upon termination of employment.

(3) The employee's use of the Internet at work may be checked by the employer; the inspection and its legal consequences are governed by the provisions of Section 9.

 

12. Data management related to the control of the use of a business mobile phone

 

(1) The employer shall not authorize the private use of a business mobile telephone. The mobile telephone may only be used for work-related purposes, and the employer may verify the number and details of all outgoing calls and the data stored on the mobile telephone.

(2) The employee is obliged to notify the employer if he has used the company mobile phone for private purposes. In this case, the check can be carried out by the employer requesting call details from the telephone company and asking the employee to make the numbers called in private calls unrecognizable on the document. The employer may require that the costs of private calls be borne by the employee.

(3) In other respects, the provisions of § 9 shall apply to the inspection and legal consequences. 
