Information

CONTROLLER'S STATEMENT ON PERSONAL DATA PROCESSING

This section provides information on the processing and protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), as well as Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter referred to as the "Personal Data Protection Act").

The controller, KJG a. s., with its registered office at Malinovského 800/131, Company ID: 31439951 (hereinafter referred to as the "controller"), has implemented appropriate technical and organizational measures to ensure the protection of the rights of data subjects, thereby ensuring the lawful processing of personal data. The controller has also introduced a transparent system for recording security incidents and addressing any inquiries from data subjects and other parties.

Controller

KJG a. s.

Malinovského 800/131

916 21 Čachtice

Company ID: 31439951

We process your data for our own purposes as the Controller. This means that we determine the purpose for which we collect your personal data, define the means of processing, and are responsible for their proper execution.

Processors

In certain cases, the controller may process personal data of data subjects through processors, who are authorized to process personal data in accordance with Article 28 of the GDPR.

Processors process personal data on behalf of the Controller. The processing of personal data by a processor does not negatively impact the exercise and enforcement of the data subject's rights. The controller engages only those processors that provide adequate technical, organizational, and other measures to ensure that processing complies with GDPR requirements and fully safeguards the rights of the data subject.

The controller uses the following categories of processors when processing personal data:

• Suppliers providing technical solutions, web hosting services, system maintenance, and IT support used by the Controller.

Categories of Recipients of Personal Data: Individuals acting under the Controller's authorization, legal representatives, auditors, state and public authorities responsible for oversight and supervision.

Purpose of Personal Data Processing

As the Controller, we process personal data only on a legitimate legal basis and exclusively for the following purposes:

• Processing of job applicants' personal data: If you express interest in a job at KJG a.s., your personal data will be processed based on your consent under Article 6(1)(a) GDPR. You can withdraw your consent at any time.

• Processing of employees' personal data: Personal data necessary for fulfilling employment obligations, payroll, and tax duties are processed under Article 6(1)(b) and (c) GDPR.

• Processing of client and business partner data: For service provision, order fulfillment, and contractual relationships, processing is based on Article 6(1)(b) GDPR (contract performance) and Article 6(1)(f) GDPR (legitimate interest of the Controller).

• Responding to inquiries, suggestions, and questions: Processing of personal data from inquiries and suggestions is based on Article 6(1)(f) GDPR (legitimate interest of the Controller). As a data subject, you have the right to object to such processing.

• Compliance with legal obligations: Processing is also necessary for fulfilling legal obligations, such as tax and accounting regulations, occupational health and safety, and other statutory requirements. The legal basis is Article 6(1)(c) GDPR.

• Maintaining a database of representatives or employees of suppliers and customers: To fulfill work-related, service, and functional obligations and ensure smooth supplier-customer relationships. The legal basis is Section 78(3) of the Personal Data Protection Act in conjunction with Article 6(1)(f) GDPR – the legitimate interest of the Controller. As a data subject, you have the right to object to such processing at any time.

Scope of Processed Personal Data

The personal data processed for each purpose include:

• Identification data (name, surname, title, date of birth)

• Contact details (phone number, email, address)

• Work-related data (position, employer, personnel number)

• Billing details (for clients and business partners)

• Data necessary for fulfilling contractual and legal obligations

Categories of Data Subjects

The processing of personal data applies to:

• Job applicants at KJG a.s.

• Employees of KJG a.s.

• Clients and business partners

• Individuals communicating with KJG a.s. via web, email, or phone

Processing and Retention Period of Your Personal Data

Your personal data, which we have processed or are processing in accordance with Article 6(1)(b) of the GDPR – for the fulfillment of the controller's obligations, are also processed for the purpose of meeting our legal obligations related to taxes and accounting. These obligations arise from legally binding regulations, such as Act No. 431/2002 Coll. on Accounting, as amended, or Act No. 595/2003 Coll. on Income Tax and Act No. 563/2009 Coll. on Tax Administration. We must retain these data for the period stipulated by these legal regulations. We adhere to the principle of data minimization in accordance with Article 5(1)(e) of the GDPR, and therefore, your personal data that is not subject to archiving under specific legal provisions will be erased or anonymized.

Personal data processed based on consent pursuant to Article 6(1)(a) of the GDPR, such as for including the data subject in the job applicant registry or for sending current marketing updates, will be processed for a period of 3 years or until the consent is withdrawn. If the end of the data processing period is approaching, we will contact the data subject with the option to renew and extend consent for further processing. If the data subject does not provide consent or does not respond to the contact, we will cease processing their personal data – automatically removing them from the registry, securely deleting electronic data from the systems, and shredding physical documents.

Personal data processed based on legitimate interest under Article 6(1)(f) of the GDPR, which was obtained in response to an inquiry, suggestion, or question for the purpose of providing feedback to the data subject, will be immediately deleted after processing, unless they have been subsequently forwarded to a pre-contractual or contractual relationship.

As the Data Controller, we will ensure the deletion of personal data without undue delay once:

• All contractual relationships between you and us as the controller have ended; and/or

• All your obligations towards the controller have ceased; and/or

• All your complaints and requests have been resolved; and/or

• All other rights and obligations between you and us as the controller have been settled; and/or

• All processing purposes defined by legal regulations or purposes for which you granted consent have been fulfilled, if processing was based on consent; and/or

• The period for which consent was given has expired, or the data subject has withdrawn consent; and/or

• The data subject's request for the erasure of personal data has been fulfilled and one of the reasons justifying the request for erasure has been met; and/or

• A decisive legal event for the termination of the processing purpose has occurred and the retention period for data defined in accordance with the principle of minimization of data retention has expired; and

• At the same time, the legitimate interest of the controller no longer exists, all obligations imposed by legally binding regulations requiring the retention of the data subject's personal data have ceased (especially for archiving purposes, tax audits, etc.), or failure to retain such data would prevent compliance with those obligations.

Any personal data obtained by accident will not be processed systematically for any purpose defined by us. If possible, we will inform the data subject to whom the accidentally obtained personal data belongs about its accidental acquisition and, depending on the case, will provide the necessary assistance to restore control over their personal data. Immediately after these necessary steps to resolve the situation, all accidentally obtained personal data will be securely disposed of.

If you require further information regarding the specific retention period of your personal data, please contact us using the provided contact details.

Disclosure of Data

Our company does not disclose any personal data obtained voluntarily.

Cross-border Transfer and Profiling of Personal Data

No cross-border transfer of data outside the EU or profiling of personal data is carried out, nor is it intended for the future.

Rights and Obligations of the Data Subject

The data subject is obligated to provide complete and truthful information. The data subject agrees to update their data in case of changes, at the latest before the first order placed after the change occurs. The data subject agrees that if they provide personal data of a third party (name, surname, phone number), they do so only with their consent, and the data subject is aware of the procedures, rights, and obligations described on this page. As a data subject, you have the right to control the processing of your personal data within the prescribed scope. You can exercise these rights in person at the Controller’s office or by phone – in writing (by mail/email).

We will respond to your request as soon as possible, but no later than 30 days from the receipt of your request.