We’re hiring
Go back

Privacy terms.

Information on data processing for job applicants

1. Introduction and definitions

1. 1.

This document provides information on terms and conditions under which the company Second Foundation Tech a.s. (“Company”) processes personal data of job applicants after filling in the vacancy form on the Company’s website, sending a CV via the web form or via e-mail to the Company’s e-mail address and when participating in the selection procedure for the vacancy. The Company’s contact email for any matters connected to data processing is: gdpr@second-foundation.eu.

1.2.

Unless stated otherwise in this document, the terms shall have the following meaning:

  • Company” or “Controller” means the company Second Foundation Tech a.s., Company ID No. 14078601, seated at Na Florenci 2139/2, Nové Město, 110 00 Praha 1, registered under File No. B 26919 in the Commercial Register maintained by the Municipal Court in Prague;
  • Data subject” means a natural person to whom the processed Personal Data is related, particularly the Job applicant;
  • Job applicant” means a person applying for a position with the Company, whether in an employment or other labor law relationship with the Company or as a self-employed person working with the Company and/or providing services to the Company under a business contract;
  • GDPR” means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, in conjunction with Act No. 110/2019 Coll., on the processing of personal data as amended;
  • Personal data” means any information relating to Data subject;
  • processing” means any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. Information on Personal data processing

2. 1.

Overview. The Company informs Job applicants about their Personal data it processes, legal basis and purpose for such processing, period of such processing and Personal data storing, measures ensuring security of Personal data, whether and to whom the Personal data is made available or transmitted and about the rights of Job applicants in connection with the Personal data processing.

2. 2.

Controller identification. The Company determines the purposes and means of the processing of Personal data and is therefore their Controller. The Controller can also use various suppliers who processes Personal data as processors. The Company may transmit Personal data to state authorities or third parties if it has such statutory obligation or it is allowed to do so under statutory legal regulations or if all the GDPR requirements are met also to other companies in the Company’s group of companies.

2. 3.

No data protection officer. The Company is not a subject to the obligation to designate a data protection officer, as it does not fulfill any of the conditions set out in Article 37 of the GDPR. The Company did not even proceed to the voluntary designation of the data protection officer. Unless expressly stated or otherwise specified, the issue of personal data protection falls within the competence of the Administrative Board of the Company or a person authorized by it.

2. 4.

Type of processed personal data, purpose and reason for processing.

  • In connection with the negotiation of possible cooperation and conclusion of contract between the Company and the Job applicant, the Controller works with Personal data that the Data subjects provided (for example, first name, surname, CV) and made public about themself on social networks Facebook, Twitter, Instagram, LinkedIn, etc. (hereinafter referred to as “social networks“). Such processing is a pre-contractual measure and is in legitimate interest of Controller.
  • Based on the consent of the Job applicant granted to the Company for processing of Personal data for the purposes of record keeping of potential employees or associates of the Company, the Controller processes Personal data provided by Data subjects (such as first name, surname, email, CV) and those published about themselves on social networks. If Job applicant give the Company the consent with processing of his/her Personal data, the Company will keep the Personal data for the purposes of other potential job offers during 2 years following the day the consent was granted by the Job applicant. The Job applicant can of course withdraw the given consent any time sooner – in such a case the Company will erase the relevant Personal data immediately, unless there is other title stipulated by law obliging or entitling the Company to keep the relevant Personal data longer.

2. 5.

Retention period of Personal data. The Controller stores Personal data for the duration of the purpose for which specific Personal data is processed. Personal data is stored until the conclusion of an employment or other contract with the Job applicant or, if no contract is concluded with the Job applicant, until the end of the selection procedure for the position but no later than 6 months from the date of delivery of the Personal data to the Administrator. (unless there exist legal title under GDPR to store the Personal data longer to protect the justified interest of the Company).  In the event that the Job Seeker has given consent to the Administrator to process Personal data for the purpose of record keeping of potential employees or associates of the Company (i.e. including unsuccessful Job applicants and for the period after the end of the selection procedure for the position), the Personal data will be retained until the consent is withdrawn but no longer than 2 years from the date of delivery of the Personal data to the Administrator.

2. 6.

Means of Personal data processing and their security. Personal data is kept in paper and electronic form and their processing can be performed manually or automatically. Personal data recorded in paper form are stored in secure cabinets and are accessible only to workers who need them to perform their tasks. The same applies to data recorded in electronic form, the disclosure of which is subject to entry of unique access data. The Controller does not pass on Personal data to anyone else without consent, unless such an obligation arises from law, or it is a recipient bound by a duty of confidentiality or respective legal and contractual obligations and in the extent permitted by GDPR. If the Controller uses Personal data processors to fulfill its legal or contractual obligations or for any other reason, these are always those entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure proper and sufficient protection of Personal data. Some processors may work with the Personal data in another EU country or outside the EU. Outside the EU, the data will be transmitted under the conditions required by the GDPR (for more information, see the European Commission’s website). Upon request, the Controller will provide with information about specific processors. There is no automated decision-making, including profiling, when processing Personal data.

2. 7.

Rights of the Data subject. As the Data subject, the Job applicant have the following rights in accordance with the GDPR:

  • Right of access to Personal data: the right to obtain information on whether Personal data of Data Subject is processed and, if so, the right to access to this Personal data.
  • Right to rectification of inaccurate Personal data and the right to have incomplete Personal data completed: The right to rectification of inaccurate data and the right to have incomplete data completed; the rectification or completion takes place without undue delay, and always with regard to technical possibilities.
  • Right to erasure: the right to erase Personal data if (i) they are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) the processing was unlawful, (iii) Data subject objected to the processing and there are no overriding legitimate grounds for processing of Personal data, or the law requires erasure, (iv) the Company as a Controller is required to erase data under its legal obligation, or (v) the Data subject withdrew the consent to the processing of Personal data.
  • Right to restriction of processing: if the Data subject requests to obtain restriction of processing, the Company is only allowed to store personal data, not further process it, with the exceptions set out in the GDPR. The right to restriction may be exercised in the following cases:
  • If the Data subject contests the accuracy of Personal data; in this case, the restrictions apply for the time necessary for the Company to verify the accuracy of the personal data.
  • If the Company processes Personal data unlawfully, but instead of erasure the Data subject requests only restriction of their use.
  • If the Company no longer needs Personal data for the above-mentioned purposes of processing, but the Data subject requests the data for the establishment, exercise or defense of legal claims.
  • If the Data subject objects to processing, the data processing is restricted pending the verification whether the legitimate interest of the Company override Data subject’s interest.
  • Right to data portability: if the Data subject wishes the Company to transmit Personal data to another controller, it may exercise its right to data portability, if technically feasible. In the event that the exercise of this right would adversely affect the rights and freedoms of other persons, the Company will not be able to comply with the request.
  • Right to object: the right to object to the processing of Personal data which are processed for the purpose of protecting the legitimate interests of the Company or for the purpose of fulfilling a task performed in the public interest or in the exercise of public power. If the Company does not prove that there is a justified legitimate reason for the processing which overrides the interest of the Data subject or rights and freedoms, it shall terminate the processing on the basis of the objection without undue delay.
  • Right to withdraw the consent. If the Company processes Personal data on the basis of the consent of the Data subject, such consent is voluntary and may be withdrawn. The consent may be withdrawn at any time, using the contact details provided in Articles 1.1 and 1.2 mentioned above. Following the withdrawal of the consent, the Company may no longer process such personal data, unless it has another legal reason for processing. Withdrawing the consent does not affect the legitimacy and lawfulness of processing of Personal data on the basis of consent before its withdrawal. The processing of Personal data on the basis of other legal reasons mentioned above (fulfillment of a legal obligation, fulfillment of a contract to which you are a party, legitimate interest of the Company) is not subject to consent, therefore it is not possible to request that the Company does not process such Personal data based on withdrawal of the consent.
  • Right to file a complaint with the Office for Personal Data Protection: the Data subject can file a complaint with the Office for Personal Data Protection if the Data subject claims that the processing of data violated his/her right to personal data protection during their processing or related legislation, including violating the above mentioned rights. The Office for Personal Data Protection is located at the address Pplk. Sochora 27, 170 00 Prague 7. More information about its activities is available on the website https://www.uoou.cz/.

3. Additional information

For further information, questions, requests and any complaints regarding the processing of Personal data, contact the Controller at the address of its seat or the above-mentioned contact e-mail address.

Second Foundation Tech a.s.

Information on Data Processing for Individuals Interacting with Second Foundation Group

This document outlines the terms and conditions under which companies within the Second Foundation Group process personal data of individuals who enter into legal or other relationships with our companies. For any matters related to data processing, you can contact the Company via email at: gdpr@second-foundation.eu.

Unless otherwise stated, the following terms apply:

  • Company” or “Controller” refers to either Second Foundation Tech a.s., ID: 14078601, registered at Na Florenci 2139/2, Nové Město, 110 00 Prague 1, File No. B 26919 in the Commercial Register or Second Foundation a.s., ID: 08561443, registered at the same address under File No. B 24741.
  • Data Subject” refers to any individual (natural person) whose personal data is being processed. This includes, but is not limited to, clients and their employees, suppliers and their employees, contractors and their employees, visitors to Company premises or events, and individuals communicating with the Company via email or phone.
  • GDPR” means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, in conjunction with Act No. 110/2019 Coll., on the processing of personal data;
  • Personal data” means any information related to a Data Subject.
  • Processing” means any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.1   
Information on Personal Data Processing

The Company informs individuals who have a contractual or other relationship with the Company about the processing of their personal data, including the legal basis, purpose, retention period, security measures, whether and to whom personal data is disclosed, and their rights under the GDPR. This document does not cover Company employees, who are provided with separate privacy terms.

As outlined above, the Company determines the purposes and means of processing and is therefore the data controller. It may engage third-party processors (e.g., service providers) to process personal data on its behalf. The Company may also share data with public authorities or third parties if required or permitted by law.

1.2
No Data Protection Officer

The Company is not required to appoint a Data Protection Officer (DPO), as it does not meet the criteria under Article 37 of the GDPR. Data protection responsibilities are handled by the Company’s Administrative Board or its authorized representative.

1.3
Types of Personal Data Processed and Purpose

The Company processes personal data to fulfill its legal obligations or contractual obligations arising from contractual cooperation with Data Subjects or their employers or for the purpose of legitimate interests of the Company. This may include:

  • Identification data, such as names and contact information.
  • Reference-related data, such as qualifications and payment details.
  • Technical data, like IP addresses, for contract performance and legitimate interest purposes.
  • Metadata related to the email messages processed by the Company’s systems
  • Cookies necessary for the operation of the Company’s website.
  • Images of people captured by the Company’s CCTV system in the Company’s premises.

1.4
Legitimate Interests

The Company processes personal data to protect its legitimate interests, such as:

  • Managing internal communication
  • Handling disputes or providing evidence in legal matters.
  • Utilizing Data Loss Prevention (DLP) tools to safeguard against accidental or intentional data leaks (e.g., email monitoring, cloud services).
  • Protecting property, lives and health of the people in the Company’s premises and ensuring workplace safety.

1.5
Data Retention

Personal data is stored for as long as necessary to fulfill the purposes for which it was collected. Generally, data is retained for the duration of the contractual relationship and up to 3 years afterward, unless required by law or agreed otherwise. For accountancy and archiving legislation compliance purposes, this usually means 3 to 10 years, for handling disputes and legal matters evidence this means 4 years or until the final enforcement of the rights if any potential dispute emerges. CCTV data is retained for 10 days, and DLP-monitored data is stored for 3 months unless a longer retention period is justified and allowed by law.

1.6
Security Measures

Personal data is stored securely, both in paper and electronic form. Access to this data is restricted to authorized personnel, and additional cyber security measures are in place for electronic data in compliance with ISO 27001 requirements. The Company does not share personal data without consent, except when required by law or with confidentiality-bound processors as part of its legitimate reasons.

1.2
Data Subject Rights

As a Data Subject, you have the following rights under the GDPR:

  • Right of access: Obtain confirmation on whether your personal data is processed and access the data.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of data under specific conditions (e.g., if no longer needed or processed unlawfully).
  • Right to restriction of processing: Request that the Company limits the processing of your data in certain circumstances.
  • Right to data portability: Request the transfer of your data to another controller, where technically feasible.
  • Right to object: Object to the processing of your data based on the Company’s legitimate interests.
  • Right to withdraw consent: If processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of prior processing.
  • Right to file a complaint: You may file a complaint with the Office for Personal Data Protection (Pplk. Sochora 27, 170 00 Prague 7; website: www.uoou.cz).

1.8
Additional Information

For further inquiries or complaints regarding personal data processing, you can contact either of the joint controllers (Second Foundation Tech a.s. and Second Foundation a.s.) using the contact details provided. As these joint controllers have an arrangement in place to ensure that data subjects’ rights are addressed efficiently, regardless of which controller is contacted Data subjects can exercise their GDPR rights with either of the controllers.