Personal Data Processing Policy

entered into pursuant to Article 28 General Data Protection Regulation (“Agreement” or “Policy”)

INTRODUCTORY PROVISIONS

(A) LMC (as defined below) issues this personal data processing policy in the form of an Amendment to the General Terms and Conditions for Businesses (“GTC”) laying down the contractual relations between business persons and LMC entered into in connection with the use of LMC’s electronic systems.

(B) The provider of LMC Electronic Systems in the countries listed below and a party to this Agreement is the relevant company of the LMC business group determined as follows (“LMC”):

 a) LMC s.r.o., with its registered office at Praha 7, Jankovcova 1569/2c, Postcode 170 00, the Czech Republic, ID No. 264 41 381, entered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 82484, in the case of a service contract (the “Service Contract”) concluded with this company.

 b) LMC S.R.O. (SPÓŁKA Z OGRANICZONA ODPOWIEDZIALNOSCIA) ODDZIAŁ W POLSCE, with its registered office at BL Astoria, Przeskok 2, 00-032 Warsaw, the Republic of Poland, Numer KRS 0000714295, REGON: 369317811, in the case of the Service Contract concluded with this branch.

 c) LMC s.r.o., with its registered office at Bratislava - Staré Mesto, Pribinova 19, Postcode 811 09, the Slovak Republic, ID No. 53 302 257, entered in the Commercial Register maintained by the District Court Bratislava I, Section Sro, Insert 147535/B, in the case of the Service Contract concluded with this company.

(C) The GTC are available at:

 a) https://www.lmc.eu/cs/vseobecne-obchodni-podminky, if the Service Contract was concluded with LMC with its registered office in the Czech Republic.

 b) https://www.lmc.eu/pl/ogolne-warunki-handlowe, if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland.

 c) https://www.lmc.eu/sk/vseobecne-obchodne-podmienky, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.

(D) An informative English translation of the GTC is available at https://www.lmc.eu/en/general-terms-conditions. In case of discrepancies between the English version and the language version under letter (C) of the Introductory Provisions hereof, the relevant language version under letter (C) of the Introductory Provisions hereof shall prevail.

(E) This Agreement lays down the rights and obligations of LMC (as defined above) as the Processor and the Client as the Data Controller (jointly referred to as the “Parties”) in relation to the processing of personal data by LMC’s electronic systems based on the GTC and the Service Contract.

(F) The services provided under the Service Contract include activities during which personal data may be processed by the Processor for the Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “Regulation”), directly applicable as of 25 May 2018.

(G) The purpose of the Policy is to duly stipulate all obligations of the Parties arising out of (i) the Regulation, and (ii) the act (the “Personal Data Protection Act”):

 a) No. 110/2019 Sb., on Personal Data Processing, if the Service Contract was concluded with LMC with its registered office in the Czech Republic.

 b) dated 10 May 2020 on Personal Data Protection (Collection of Laws of 2018, item 1000, as amended), if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland.

 c) No. 18/2018 Coll. on Personal Data Protection, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.

(H) Under Article 28 of the Regulation, the Controller is obliged to enter into a written agreement with the Processor concerning the processing of personal data, in which the Processor will, inter alia, provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data; this Policy fulfils the purpose of the written personal data processing agreement.

1. PURPOSE OF THE AGREEMENT

1.1 The Processor will, within the meaning of Article 4 point (2) of the Regulation as applicable, process for the Controller personal data which the Controller has acquired or will acquire in connection with its business activities or which the Processor itself will acquire for the Controller for this purpose (“Personal Data”), in the course of performance by the Processor of its obligations arising out of the Service Contract.

1.2 The purpose of this Agreement is to define the scope of obligations of the Processor related in particular to ensuring the protection of the Personal Data during their processing. This Policy provides for the rights and obligations of the Parties in the provision of services pursuant to Article 3.1, even individually under the concluded Service Contract.

2. SUBJECT MATTER OF THE AGREEMENT

2.1 The subject matter of this Agreement is the specification of mutual rights and obligations of the Parties in respect of the processing of Personal Data within the meaning of Article 1.1 of this Agreement.

2.2 This Agreement also defines the scope of the Personal Data to be processed, the purpose of their processing, and the conditions and guarantees to be provided by the Processor to implement appropriate technical and organisational measures to ensure the protection of Personal Data.

3. PURPOSE AND SCOPE OF PERSONAL DATA PROCESSING

3.1 The Processor will process Personal Data for the Controller to the extent necessary for the fulfilment of Processor’s obligations under the Service Contract and for the purpose of their use by the Controller in the course of the Controller’s business, in particular for:

 a) the management and record keeping of the personal data of job candidates at the Controller and the Controller’s employees in the management of the recruitment process (especially the services Teamio, Jobs.cz, Práce.cz, Jobote, Práce za rohem, or any of them) or the training of the Controller’s employees through the service Seduo, if the Service Contract was concluded with LMC with its registered office in the Czech Republic;

 b) the management and record keeping of the personal data of job candidates at the Controller and the Controller’s employees in the management of the recruitment process through the service Praca za rogiem, if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland; and/or

 c) the training of the Controller’s employees through the service Seduo, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.

3.2 Under this Agreement, the Processor will process Personal Data of the following persons (“Data Subjects”):

 a) job candidates and/or the Controller’s employees, if the Service Contract was concluded with LMC with its registered office in the Czech Republic, to the extent of: identification information, contact information, work position, data concerning the outcomes of job interviews or references from previous employments, all information contained in the job applicant’s CV, or any other data that the Controller decides to attribute to the Data Subjects or that the Data Subjects themselves have provided;

 b) job candidates and/or the Controller’s employees, if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland, to the extent of: identification information, contact information, work position, data concerning the outcomes of job interviews or references from previous employments, all information contained in the job applicant’s CV, or any other data that the Controller decides to attribute to the Data Subjects or that the Data Subjects themselves have provided;

 c) job candidates and/or the Controller’s employees, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic, to the extent of: basic identification and contact information (name, surname, e-mail address, and/or telephone number).

The scope of the data processed depends on the functionality of the product offered by the Controller and may be altered pursuant to the terms specified in Article 9.4 hereof. Processed Personal Data may also comprise information and data gathered when operating a specific LMC’s product as a result of the Data Subjects’ activity (e.g. position data in mobile applications or data on the use of electronic systems).

3.3 If the Controller provides to the Processor, or if in connection with the Processor’s activities performed for the Controller, the Processor otherwise gains access to, any other Personal Data of Data Subjects or if Personal Data of other data subjects are provided to the Processor, the Processor is obliged to also process and protect those Personal Data in compliance with the requirements of (i) the Regulation, (ii) the Personal Data Protection Act, and (iii) this Agreement.

3.4 The Processor will process the Personal Data of Data Subjects for a period of time which will not exceed the term of this Agreement unless otherwise provided for by special legal regulations.

4. FEE FOR PROCESSOR’S SERVICES

4.1 The Parties have agreed that for the processing of Personal Data under this Agreement, the Processor will not be entitled to any separate fee, i.e. the fee is already included in the remuneration for the activities conducted under the Service Contract.

5. PROCESSOR’S RIGHTS AND DUTIES

5.1 While processing Personal Data, the Processor is obliged to proceed with due professional care so as not to do anything that could constitute a violation of the Regulation and/or the Personal Data Protection Act.

5.2 If the Processor ascertains that the Controller has breached or breaches any of the Controller’s obligations under the Regulation, the Processor shall – under Article 28 point (h) of the second subparagraph of the Regulation as applicable – notify without undue delay the Controller to this effect.

5.3 The Processor is obliged, while processing Personal Data under this Agreement, to adhere to documented instructions from the Controller. The instructions shall be given in accordance with this Agreement (mostly via particular features of the products/services) and the shall comprise updating, deleting, amending or other handling of Personal Data, excluding any instructions broadening the technical and organisational measures not included within the scope of this Agreement. The Processor shall inform the Controller about inappropriateness of an instruction if the Processor, using its due professional care, could ascertain the inappropriate nature of the instruction(s). In such case, the Processor is required to act upon such instructions only at the Controller’s written request.

5.4 The Processor ensures that no Data Subject will suffer any damage to their rights, in particular the right to human dignity, and is also required to take protective measures against unauthorised interference with the private and personal lives of Data Subjects.

5.5 The Processor undertakes to fulfil the information obligation in accordance with Article 13 of the Regulation. If the Data Subject requests information regarding the processing of his/her data in accordance with Article 15 of the Regulation, the Processor will inform the Data Subject of his/her duty to exercise the right towards the Controller. The Processor will further proceed in accordance with the Controller’s written guidelines.

5.6 When the purpose of the processing of Personal Data no longer exists, or the Data Subject makes a request under Article 17 of the Regulation, the Processor is obliged on the basis of and in accordance with the Controller’s instructions, to destroy the Personal Data concerned or transfer them to the Controller.

5.7 If any Data Subject believes that the Controller or the Processor processes that Data Subject’s Personal Data in violation of the protection of the Data Subject’s private or personal life or with the law, especially if the Personal Data are inaccurate with regard to the purpose of their processing, and the Data Subject asks the Processor to provide an explanation or remedy the situation, the Processor agrees to inform the Controller to this effect without undue delay.

5.8 The Processor is obliged to notify the Controller of any investigation initiated by the respective data protection authority, insofar as the investigation concerns Personal Data processed for the Controller, or parameters of the service provided by the Processor to the Controller and if it is anticipated that conducting such investigation may affect such parameters. For the avoidance of doubt, the investigation does not mean any requests from the competent authorities concerning the processing of personal data which do not lead to the initiation of proceedings – control or administrative.

5.9 The Controller is obliged to notify the Processor of any investigation initiated by the respective data protection authority, insofar as the investigation concerns Personal Data processed by the Processor for the Controller, or parameters of the service provided by the Processor to the Controller and if it is anticipated that conducting such investigation may affect such parameters. For the avoidance of doubt, the investigation does not mean any requests from the competent authorities concerning the processing of personal data which do not lead to the initiation of proceedings – control or administrative.

5.10 The Processor shall inform the Controller about any Personal Data loss or leak (“Personal Data Breach”) without undue delay. The Processor, after informing the Controller, continues providing assistance in dealing with the Personal Data Breach and/or in adopting measures to mitigate any potential adverse effects and to prevent similar occurrences in the future.

5.11 The information under Article 5.10 above includes at least:

 (a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

 (b) a description of the likely consequences of the Personal Data Breach;

 (c) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.12 The Processor agrees to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller acknowledges that carrying out such an audit may not affect third parties’ rights (e.g. other controllers or data subjects), in particular with respect to ensuring confidentiality of personal data. The Controller also acknowledges that carrying out such an audit would be subject to a special agreement upon costs incurred by the Processor and to be paid by the Controller.

5.13 The Processor agrees to assist the Controller in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects, especially to requests for access to, rectification or erasure of Personal Data, restriction of processing or portability of Personal Data; if it possible to fulfil such obligations via respective features of particular products or services, the Controller may not request unsubstantiated Processor’s cooperation.

6. GUARANTEES OF TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE PROTECTION OF PERSONAL DATA

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees under Article 32 of the Regulation as applicable, to implement all appropriate technical and organisational measures to ensure protection of Personal Data in the manner described in the Regulation, or other legal regulations in order to exclude the possibility of unauthorised or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or any other misuse of Personal Data.

6.2 The Processor agrees, in particular, to implement the following organisational and technical measures:

 (a) without prejudice to Article 6.3 of this Agreement, if Personal Data are processed by the Processor’s own employees, the Processor will entrust this activity strictly to its selected employees who will be duly advised of their confidentiality duty with regard to Personal Data as well as other obligations they are required to comply with so as not to infringe the Regulation, or this Agreement;

 (b) without prejudice to Articles 6.3 and 6.4, not to authorise any third person without prior written authorisation of the Controller to process Personal Data;

 (c) to use adequate technical equipment and programmes to exclude unauthorised or accidental access to Personal Data by any persons other than the Processor’s authorised employees;

 (d) to store Personal Data in duly secured buildings and rooms;

 (e) to store hard-copy documents containing Personal Data at a safe place, and to keep due records regarding any movements of such documents;

 (f) to store Personal Data in electronic form on secure servers or data carriers (storages), access to which will only be granted to authorised persons on the basis of access codes or passwords, and to periodically back up the Personal Data;

 (g) to ensure that remote transfers of Personal Data will only be carried out by means of a non-public network or by secure transfer via public networks, in particular via network security communication protocol. Taking into account the nature, scope, context and the risks of varying likelihood and severity some of the Personal Data may be transmitted via e-mails;

(h) by appropriate technical means, to ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident in accordance to the parameters for the particular service agreed upon in the Service Contract;

 (i) to ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and

 (j) upon discontinuation of the processing of Personal Data, the Processor will ensure, as agreed with the Controller, physical destruction of Personal Data, or will transfer the Personal Data to the Controller.

6.3 The Processor may engage another processor (“Other Processor”) to process Personal Data. The Processor, via a bulletin board (“Bulletin Board”) available at

 (a) https://www.lmc.eu/cs/seznam-dodavatelu, if the Service Contract was concluded with LMC with its registered office in the Czech Republic;

 (b) https://www.lmc.eu/pl/lista-dostawcow, if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland;

 (c) https://www.lmc.eu/sk/zoznam-dodavatelov, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic;

 (d) https://www.lmc.eu/en/supplier-list representing an informative English translation of the Bulletin Board (in case of discrepancies, the relevant language version under letters (a) to (c) above shall prevail),

and further by e-mail sent to the e-mail address of the Controller in accordance with Article 8.1 hereof, informs the Controller of any and all Other Processors the Processor intends to engage for the processing of Personal Data, of any intended changes concerning the addition or replacement of Other Processors, thereby giving the Controller the opportunity to object to the addition of such Other Processors under the conditions of the Service Contract (see Article 17(3) of the GTC). If the Controller disagrees with the engagement of Other Processor against whom the Controller has filled written objections and if in the opinion of the Processor the Other Processor is necessary for the performance of this Agreement, the Controller may terminate this Agreement in accordance with Article 7.2 of this Agreement. The current list of Other Processors is available at the Bulletin Board.

6.4 If the Processor engages Other Processor for carrying out specific processing activities, the same data protection obligations as set out in this Agreement must be imposed on that Other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.

6.5 The Controller acknowledges that services provided by Other Processors listed at the Bulletin Board may include transferring of Personal Data outside of the EU to countries without adequate level of protection of personal data; such information are stated at the Bulletin Board. To this end, the Processor guaranties that only those Other Processors that implement appropriate safeguard for legitimising personal data transfer by virtue of Articles 44 to 49 of the Regulation are authorised by the Processor for processing Personal Data. To the extent that the appropriate safeguards referred to in previous sentence is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, and the Processor immediately seeks in good faith a suitable alternate safeguard for processing of Personal Data abroad, the Controller waives his right to invoke contractual breach of rules contained in this Article 6.5.

6.6 The Processor is obliged to adopt and document the adopted and implemented technical and organisational measures to secure Personal Data in accordance with the Act and other legal regulations.

7. TERM AND TERMINATION OF THE AGREEMENT

7.1 This Agreement enters into force and effect on the signing/execution date of the Service Contract, and will expire on or after the termination of the Service Contract. If the Parties have entered, or will at any time in the future enter, into another agreement under which Personal Data can be processed, this Agreement will expire simultaneously with the expiry of that other agreement or, as the case may be, simultaneously with the expiry of the last of such agreements.

7.2 The Controller may terminate this Agreement by notice with a notice period of three (3) days in the event that the Processor breaches any of its obligations under the Regulation or the Personal Data Protection Act , and fails to remedy that breach within fifteen (15) days of a written request from the Controller or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.3 The Processor may terminate this Agreement by notice with a notice period of three (3) days in the event that the Controller breaches its obligations under the Regulation or the Personal Data Protection Act, and the Controller fails to remedy that breach within fifteen (15) days of the Processor’s notification under Article 5.2 of this Agreement or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.4 Either of the Parties may terminate this Agreement by notice for convenience with a notice period of three (3) months running from the first day of the month after the month in which the notice was delivered to the other Party.

7.5 Upon termination under Articles 7.2 to 7.4 of this Agreement, the Processor will be obliged, at a written request delivered to the Controller no later than on the date of termination of this Agreement, to return all the processed Personal Data to the Controller or to destroy them in accordance with Article 5.6 of this Agreement. If the request referred to in the previous sentence is not made by the Controller, the Processor will destroy the Personal Data of the Data Subject on the day of termination of this Agreement or of the Service Contract, if no other agreement is concluded.

7.6 Upon termination of this Agreement, the Processor is obliged to comply with all the obligations stemming from the Regulation and/or the Personal Data Protection Act aimed in particular at preventing any unauthorised processing of Personal Data until their transfer by the Processor to the Controller in accordance with the Controller’s instructions or until their safe destruction by the Processor.

7.7 Termination of this Agreement constitutes a circumstance that renders impossible all or any of the specific types of activities carried out by the Processor for the Controller on the basis of the Service Contract which also entail the processing of Personal Data.

7.8 The obligation to maintain confidentiality of Personal Data will survive termination of this Agreement.

8. Contact details

8.1 All notifications including those on the fulfilment of the information obligation under Articles 5.10 and 5.11 of the Agreement shall be deemed to have been duly served if delivered in person or by post to the address of the other Party’s headquarters or e-mail:

Controller’s e-mail: contact e-mail of the employee authorised by the Controller notified to LMC for communication purposes under this Article 8

Processor’s e-mail: dpo@lmc.eu

8.2 The Controller may request a change of the address for the delivery of notifications pursuant to Article 8.1 of this Agreement via an e-mail sent to dpo@lmc.eu.

9. FINAL PROVISIONS

9.1 Legal relations, obligations, rights and duties arising from this Agreement, including amendments hereto, will be governed by and interpreted in accordance with the law of:

 a) the Czech Republic, in particular by the Act No. 89/2012 Coll., the Civil Code, as amended (the “Civil Code”), if the Service Contract was concluded with LMC with its registered office in the Czech Republic.

 b) the Republic of Poland, if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland.

 c) the Slovak Republic, in particular by Act No. 513/1991 Coll, the Commercial Code, as amended, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.

9.2 If any provision of this Agreement is held by a court of competent jurisdiction or any other authority to be invalid, ineffective, putative or unenforceable, such provision will be deemed to be deleted from this Agreement and the remaining provisions of this Agreement will continue in full force and effect, unless it can be assumed from the nature or content of that provision or the circumstances under which it was concluded that it cannot be severed from the rest of this Agreement. In such case, the Parties will execute such amendments to this Agreement to achieve the same or, if not possible, the closest possible effect to the effect of the original invalid, ineffective, putative or unenforceable provision.

9.3 The Parties agree to settle any dispute that may arise out of or in connection with the performance of this Agreement amicably. If the Parties fail to settle a dispute amicably within thirty (30) days, either of the Parties can refer the dispute to the competent Czech court of law in accordance with applicable legal regulations.

9.4 Any supplements to or modifications of this Agreement may be made solely in the form of written amendments, numbered in ascending order, signed by authorised representatives of both Parties. The scope of personal data processed, as laid down in Article 3.2 hereof, may be extended or otherwise modified depending on the functionality of the product concerned without the need to execute an amendment to this Agreement or to the GTC.

9.5 For purposes of execution of this Agreement, the Parties have agreed that the Agreement is entered into only if there is full concurrence of the expressions of will of the Parties.

9.6 The lapse of a grace period determined for the event of delay shall not result in an automatic rescission of this Agreement.

9.7 The terms not specified in detail herein have the meaning defined in the GTC or the Service Agreement.

9.8 This Policy is binding upon the Parties pursuant to the rules laid down in the GTC.

9.9 This Policy becomes valid and effective from

 (a) 1 February 2021, if the Service Contract was concluded with LMC with its registered office in the Czech Republic.

 (b) 1 February 2021, if the Service Contract was concluded with the LMC branch with its registered office in the Republic of Poland.

 (c) 14 December 2020, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.

LMC

LMC.eu uses Cookies to provide web services to our customers. By continuing to use this website, you agree to their use. You can learn more about Cookies in our Privacy Policy.