DATA PROCESSING AND DATA PROTECTION POLICY
This Privacy and Data Protection Policy (the "Policy") explains how we handle your personal data when we provide education and training in accordance with the laws of the Czech Republic, provide services as part of our complementary activities, or when you visit our website.
This policy describes how we collect, use and process your personal data and how we comply with our legal obligations to you. Your privacy is important to us. We consider the protection of your personal data and related rights to be one of our priorities.
In order to comply with the requirements of the applicable legislation governing the protection of personal data (including but not limited to the General Data Protection Regulation (EU) 2016/679), hereinafter referred to as "GDPR" and Act 110/2019 Coll., we hereby state that the organization responsible for the handling of your personal data (hereinafter referred to as the "Controller") is the nursery.
Kindergarten Bambíno s.r.o.
České družiny 1671/9, 160 00 Prague 6
File No.: C 156315 registered at the Municipal Court in Prague
Date of registration in the Commercial Register: 23 September 2009
Data box: xtcxngd
Data Protection Officer: email@example.com
- General Data Protection Regulation (GDPR) - a legislative instrument of the European Union aimed at harmonising European data protection laws. This regulation is effective from 25 May 2018 and any reference to it must be interpreted with reference to the national legislation in which it is or will be implemented.
- Personal data -any information about an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier (e.g. name, address, date of birth, birth number...).
- Personal data of a special category (sensitive data) - personal data of a nature that may in itself be harmful to the data subject in society, employment, school or cause discrimination. It is data relating to the national, racial or ethnic origin, political opinions, trade union membership, religion or philosophical beliefs, health or sex life of the data subject and genetic data of the data subject; such data shall also include biometric data which permits direct identification or authentication of the data subject.
- Processing of personal data - any operation on personal data, such as collection, recording, storage, alteration, consultation, use, dissemination, restriction, erasure, etc.
- Controller - the legal or natural person (in this case the nursery) who determines the purposes and means of processing personal data.
- Processor - the natural or legal person or entity that processes personal data for the controller.
- Data Controller - a person who assesses the controller's or processor's activities for compliance with applicable law, informs them, advises them, makes recommendations. The head teacher of the nursery designates/appoints the data protection officer in accordance with Article 37 of the Regulation. He/she shall enter into an employment relationship or a contractual relationship with him/her in accordance with Act No. 89/2012 Coll., Civil Code, as amended.
- Job applicants- are persons applying for positions offered by the Controller, including full-time, part-time and temporary positions or hired to perform certain roles, as well as persons who have speculatively sent their CVs to the Controller without reference to a specific job.
- Employees - This category includes employees and internal staff who are directly involved in the Administrator's activities. The "employees" category does not include independent contractors and consultants providing services to the Administrator, which may be defined as "contractors" for purposes of this Policy.
- Educational Applicants - a category of persons who enroll, apply for admission, transfer, or otherwise express their intent to benefit from the educational and training activities of the Administrator.
- Children/students - this category is apparently unambiguous in its meaning. It includes persons to whom the Administrator provides educational services in accordance with its charter.
- Suppliers - are partners, companies and e.g. independent contractors or self-employed persons who provide services to the Administrator. In this sense, contractors are independent contractors, self-employed persons or employees of contractors and may be considered as processors from a data protection perspective. Please note that in this sense, the Controller requires that suppliers make their employees aware of the relevant sections of the Policy.
- Other persons who may be contacted by the Administrator - this category may include emergency contacts by the Administrator's staff, persons confirming references of applicants and persons authorised by legal guardians to collect the child/student. We will only use these contacts when necessary.
- Website Users - all persons who open/enter the Administrator's website.
- Visitor - any person who physically enters the external or internal premises of the Manager.
Legal basis for processing your personal data
Performance of a legal obligation (by law)
We process some personal data about you because it is necessary to comply with a legal obligation to which we are subject. This includes, in particular, the maintenance of mandatory documentation and the data contained therein. We must process this personal data and we do not need your consent to do so, nor can you prohibit us from doing so. Which data is involved in such processing is explained below.
We are required to obtain your consent to process your personal data in certain circumstances.
Confirmation of consent is "any free, specific, informed and unambiguous indication of the data subject's wishes by which he or she gives his or her consent to the processing of his or her personal data by means of a declaration or other manifest affirmation." In ordinary language, this means:
- that you must give us your consent freely, without us exerting any pressure on you,
- that you must know what you are giving your consent for, so we must provide you with sufficient information,
- that you should have control over what processing you do and do not consent to,
- that you should explicitly and affirmatively express your consent - usually by ticking the YES/NO box to ensure that this requirement is clearly and unambiguously met.
Such cases of processing of personal data on the basis of consent are, in particular, the processing of the bank account of the guest, taking photographs and other audiovisual recordings for the case of promotion and presentation of the Administrator, etc.
This is where we may process your data where it is "necessary for the purposes of the legitimate interests of the Controller or a third party, except where those interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data." These cases include, for example, taking CCTV footage for a legitimate interest in the form of protecting health and property, or requiring a criminal record extract from THP staff, particularly to protect the health and life of children/pupils.
Performance of a contract or contract negotiations
The processing is necessary for the performance of a contract to which you are a party or for the implementation of measures taken prior to the conclusion of the contract at your request. This includes, for example, the processing of data for the preparation of a contract with a prospective tenant, for boarding, for an employment relationship, etc.
Protection of vital interests
Should there be an accident, accident or other situation where your health or other vital interest may be at risk, we may process your personal data.
Bringing, pursuing and defending legal claims
The processing of personal data in accordance with local legislation and other requirements, including sensitive personal data, may sometimes be necessary in our view in connection with the assertion or defence of our legal claims. Legislation allows us to do so where such processing is "necessary for the establishment, exercise or defence of legal claims or where the courts are acting within their jurisdiction". Such a situation may arise, for example, if we need legal advice in the context of legal proceedings or if legislation requires us to retain or provide certain information in the context of legal proceedings.
What data we process:
Data about job applicants
We consider it reasonable that if you are applying for a job or have posted your professional CV on a job portal or professional contact page, you will not mind if we collect and use your personal data to offer you the best job opportunity for your requirements. We only ask for the information we really need, such as:
- name and surname
- your age
- contact details
- your education details
- professional experience
- emergency contacts
It is up to you what personal information you provide us with in a personal meeting or on your CV. We process this personal data in our legitimate interest.
We collect information about you mainly because of a legal obligation under Czech law:
- name and surname
- date and place of birth (for pension registration sheets sent to the Social Security Office)
- all former surnames (For pension insurance registration sheets sent to the Social Insurance Institution)
- birth number (For pension registration forms sent to the Social Insurance Institution)
- place of permanent residence (For pension registration forms sent to the Social Security Agency)
- the name and address of the foreign insurance carrier and the foreign insurance number - if the employee has been participating in pension insurance abroad and the employer is the employee's first employer after termination of pension insurance abroad (For pension registration forms sent to the Social Security Institution)
- education and previous experience (For the correct calculation of wages)
- the type of pension received (For the correct calculation of monthly tax advances)
- number of children - for women (To determine the exact date of entitlement to retirement pension)
- disability (To meet the compulsory proportion of disabled persons in the total number of employees)
- data on health status (For compliance with the obligations under Act No 373/2011 Coll. on specific health services)
- health insurance company (For payment of health insurance or in the event of an accident)
- nationality (For the purpose of reporting the employment of foreigners)
- Surname and name of spouse, name and address of employer (Income taxpayer's declaration - if the employee claims tax benefits and the spouse is employed)
- the name, surname and birth number of the child (Income taxpayer's declaration - if the employee claims the benefit for a dependent child)
- a criminal record statement (required by the Data Controller in the legitimate interest of protecting the health and life of children/pupils and the property of the Data Controller)
- bank account number (In case of concluding an agreement pursuant to Section 143 of Act No. 262/2006 Coll., the Labour Code)
- other data for the fulfilment of legal obligations under special laws
Data on children
We need to collect certain information about the children who attend our nursery in order to provide them with education and training in accordance with the Education Act. According to Section 28 of Act No. 561/2004 Coll., the Education Act, we process the following data about them:
- name and surname
- birth number
- date of birth (if no birth number has been assigned to the child/student)
- place of birth
- place of permanent residence
- place of residence in the Czech Republic or place of residence abroad (depending on the type of residence of the foreigner)
- details of previous education, including the level of education attained
- date of commencement of attendance at the kindergarten
- data on the child's handicap as referred to in Section 16 of the Education Act, data on exceptional aptitude, data on the support measures provided to the child by the nursery in accordance with Section 16 of the Education Act and the conclusions of the examination referred to in the recommendation of the school advisory facility
- information on the child's fitness for education and on any health problems which might affect the course of education
- the date of termination of attendance at the kindergarten
- the health insurance company (only in the case of an accident)
Data on legal representatives of children/pupils
We process this data about you because of the legal obligation imposed on us by Section 28 of Act No. 561/2004 Coll., the Education Act, to ensure the smooth and safe execution of attendance, in particular for better information:
- name and surname
- place of permanent residence or domicile, if he/she is not permanently resident in the Czech Republic
- address for the delivery of documents
- telephone number
- address of the data box, if one has been set up
- e-mail address, if provided
- Data on boarders
In the event that a child of our kindergarten uses the boarding services, we are obliged to process the following information about them on the basis of Section 28 of Act No. 561/2004 Coll., the Education Act:
- name and surname
- birth number
- date of birth (if no birth number has been assigned to the child/student)
- place of permanent residence
- place of residence in the Czech Republic or place of residence abroad if the child/pupil does not reside in the Czech Republic (depending on the type of residence of the foreigner)
- information on medical capacity or, where applicable, on health problems that could affect the provision of the service or education
- data on the child's/pupil's handicap as referred to in § 16, data on exceptional aptitude, data on support measures provided to the child or by the educational establishment in accordance with § 16 and on the conclusions of the examination referred to in the recommendation of the educational advisory establishment
If you use the school meals service and you are an employee or a third party, we process personal data about you that are necessary for the conclusion and performance of the meals contract.
If you use a bank account for the purpose of paying for meals, we will only process your account number on the basis of your consent.
In order to ensure a smooth cooperation, we also need to know a few things about our suppliers. These include the contact details of important people in your organisation with whom we will communicate. These are names, phone numbers and email addresses. We process this data for legitimate interest. We also need other information, such as your bank account details, so that we can send you payments for services you provide to us (where these are part of a contract we have entered into with you). We then process such information because it is necessary for the performance of the contract.
Other persons who may be contacted by the Controller
If a job applicant lists you as a person confirming references, we will use your personal data to contact you specifically to confirm the references. This is part of our quality assurance procedures which we consider necessary as an organisation and as a legitimate interest in our employment.
If a member of staff or child/student identifies you as an emergency contact and provides us with your contact details, we will contact you in the event of an injury or accident. We would certainly agree that this is a key element and fully consistent with our legitimate interests.
If you have been authorised by the child's legal guardian to collect the child from nursery, we process personal data about you to the extent that:
- name and surname
- date of birth
- place of residence
We use this personal data to verify the identity of the person picking up the child and process it in the legitimate interest of the child and his/her legal representative.
Users of the website
We collect a limited amount of data about website users to help us improve the usability of our website and to better manage the display of important information about us. This category includes information about the ways in which you use our website, the frequency of your visits to the site, and the periods during which our site is most popular.
Any person who enters the interior or exterior of the nursery must expect to be filmed by our CCTV system. We operate our CCTV system in accordance with the law and by filming the nursery premises we are pursuing our legitimate interest in protecting property and in particular the health of children and pupils. Surely we agree that by not filming areas where privacy may be invaded, our interest is sufficiently justified.
Who do we provide personal data to?
Depending on the circumstances and in accordance with applicable legislation and other requirements, we may disclose your personal data to the following categories of persons in different ways and for different reasons:
- To tax, audit and other authorities if we believe that we are obliged to provide such data by applicable law (e.g. upon request from the tax office, ČSSZ, Police of the Czech Republic, OSPOD, Labour Inspectorate or in connection with planned legal proceedings, etc.).
- To third parties who perform some of our functions as external service providers (including external consultants, business partners and professional advisors such as lawyers, accountants, technical support staff and IT consultants).
- Third parties who provide us with IT services or who store our documents and with whom we have entered into a relevant data processing agreement (or similar agreement).
- To third parties such as the Ministry of Education and the CSI, to whom we transfer personal data on the basis of a legal obligation referred to in particular in §28, paragraph 5 and §174 of Act No. 561/2004 Coll., the Education Act.
- To third parties such as the NIDV and other organisations providing DVPP that process personal data of teachers pursuant to §29 of Act No. 563/2004 Coll., the Teaching Staff Act, or other organisations providing further training pursuant to §230 of Act No. 262/2006 Coll., the Labour Code.
How do we protect personal data?
We care about the protection of your data. We are therefore committed to taking all reasonable and appropriate measures to protect the personal data we manage from misuse, loss or unauthorised access. We ensure this protection through a range of appropriate technical and organisational solutions. These measures to deal with potential threats to data security are contained both in the Data Processing Directive and in the records of personal data processing activities. However, these documents are non-public precisely for the purpose of enhancing the protection and security of personal data.
How long do we keep personal data?
We retain personal data as part of documents in accordance with applicable legislation. In particular, Act No. 499/2004 Coll. on archiving and filing services and on amendments to certain acts and the nursery's filing and archiving regulations.
How do you access the personal data you have provided, how can you change it, how can you withdraw your consent to its use and what rights do you have?
One of the main aims of the GDPR is to protect and clarify the rights of citizens in terms of data protection. This means that there are certain rights associated with your data even after you provide it to us. A detailed description of these rights is set out below.
There are various rights attached to the personal data you have already provided to us. We will deal with all your requests without undue delay and in all circumstances in accordance with applicable law. Please note that we record our communications with you to ensure that any issues you raise are dealt with smoothly.
Right to object
If we use your data because we consider it necessary to ensure:
- Our legitimate interests,
- a vital interest,
- it is necessary for the performance of a contract,
- a legal obligation
and you do not agree with this use of your data, you have the right to object to it. We will respond to your request within 30 days (in certain cases we are entitled to extend this period and this extension will always be justified to you).
Right to withdraw consent to the use of personal data
You may withdraw your consent to the processing of personal data for certain activities, for certain purposes (e.g. for the purpose of presenting a photograph on the Controller's website) at any time and we will terminate the specific activity you have previously consented to. The exception to this is where we believe that there is an alternative reason for continuing to process your data for that purpose (e.g. where a voluntary data becomes mandatory by a change in the law), a circumstance of which we will inform you.
Withdrawal of consent does not affect the lawfulness of processing based on consent given prior to withdrawal.
Requirements for access to personal data
You are of course entitled to ask us at any time for information about what data we hold about you. You can also ask us to modify, update or delete your data. We may comply with your request, or we may ask you to verify your identity and provide further information about your request, and we may refuse your request in accordance with the law, for which we will always provide you with appropriate justification. Any access to the data we hold about you will not incur a fee unless it is "manifestly unreasonable or unauthorised". Requests for further copies of such data from us may be subject to the payment of a reasonable administrative fee. We may also refuse your request in similar cases in accordance with applicable law. If this happens, we will always tell you our reasons.
Right to erasure
You have the right to request the erasure of your personal data in certain circumstances. One of the following criteria must apply to the data in question:
- The data is no longer necessary for the purpose for which it was originally collected and/or processed,
- you have subsequently withdrawn your previously given consent to our processing and there is no valid reason for further processing,
- the data has been processed in violation of applicable law (e.g. in a manner that is not in accordance with the GDPR),
- the data must be erased in order for us to comply with our legal obligations as data controller; or
- we are processing the data because we believe that we are pursuing our legitimate interests in doing so, you object to the processing and we cannot demonstrate that there are legitimate overriding reasons for further processing.
If we comply with a valid request for erasure, we will take reasonable and practicable steps to erase the relevant data.
Right to data portability
If we process your data on the basis of your consent or the performance of a contract to which you are a party, you have the right to request the transfer of your personal data to another data controller. In this case, we will transfer your data directly or provide you with a copy of your data in a machine-readable format, if technically feasible.
Right to restriction of processing
In certain circumstances, you have the right to request that we restrict the processing of your personal data. In such cases, we may only continue to store your data and may not carry out further processing unless you consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest. The circumstances in which you are entitled to request limited processing of your personal data include:
- Cases where you dispute the accuracy of your personal data that we process. If this circumstance applies, we will restrict the processing of your personal data until we have verified its accuracy
- Where you object to our processing of your personal data to further our legitimate interests. If this circumstance applies, you may request limited processing of your data until we have verified our reasons for processing it
- If our processing of your data is unlawful and you request limited processing instead of erasure
- If we no longer need to process your personal data but there is a need on your part to use the data to establish, exercise and defend a legal claim.
- If we have provided your data to third parties in these circumstances, we will inform these parties of your request for limited processing. The exceptions are where it would be impossible or would require a disproportionate effort to do so. We will of course inform you of any revocation of the limited processing of your personal data.
Right to rectification
You also have the right to request the rectification of any inaccurate or incomplete personal data we hold about you. If we have provided your data to third parties in such circumstances, we will inform those parties of your request for rectification. The exceptions to this are where it would be impossible or would require a disproportionate effort to do so. Where appropriate, we will also tell you which third parties we have provided inaccurate or incomplete personal data to. If we believe that it is not desirable for us to comply with your request, we will provide you with the reasons for such a decision.
Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with the local supervisory authority.
Data Protection Authority
Phone: (+420) 234 665 111
Postal address: the Office for Personal Data Protection, Pplk. Sochor 27, Prague 7, 170 00
What are cookies and how do we use them?
Cookies are small files stored on your computer's hard drive. Almost all websites use them and they do not pose any danger to your computer. They give us an idea of your activity and help us to make your visit to our website as pleasant as possible. Based on the information from the cookies, we can offer you options tailored to your needs on each subsequent visit. Cookies are also used to track website traffic and for advertising purposes. If you wish to review or modify the types of cookies you agree to use, you can typically do so in your browser settings.
- To track how you use our website. This allows us to understand the individual requirements of users grouped into larger groups and allows us to develop and improve our website so that the services it provides meet the expectations and needs of visitors.
Cookies can be divided into several categories
- Session cookies: cookies that are stored on your computer during your browser session and are automatically deleted when you close your browser. They are usually stored under an anonymous session ID that allows you to browse the site without having to log in on each page. These cookies do not obtain any information from your computer.
- Persistent cookies: cookies that are stored as files on your computer and remain on your computer after you close your web browser. The websites that create these cookies will reload them each time you visit the site. We use persistent cookies for the purposes of Google Analytics.
- Necessary cookies: these cookies ensure the effective use of the website. Without them, our website would not be able to provide you with the relevant services. These cookies do not collect any information that could be used for marketing purposes or to track your activity online.
- Performance cookies: these cookies allow us to monitor and improve the performance of our website. For example, they allow us to count visits to the site, identify sources of traffic to the site, and determine which sections of the site are most popular.
- Functionality cookies: these cookies allow our website to remember the options you choose (such as your username) and offer you better features. We may also use them to see what text size or font type you prefer or to further customize specific sections of the site. They are also used to provide services according to your requirements, such as watching videos or posting comments. The data collected by these cookies is usually anonymous.
If you do not wish to allow cookies whose use is not strictly necessary to provide the basic functions of our website, you can disable their use in your browser settings. Most web browsers allow cookies, but if this method of data collection bothers you for any reason, you can disable cookies in your browser's privacy settings. However, if you disable all cookies, you may not be able to use all of the features of our website. Individual browsers vary, so please refer to the Help section for all the information you need to adjust your cookie settings.
For more information about cookies, including how to disable them, please visit aboutcookies.org. You can also find out how to delete cookies from your computer on that page.