INFORMATION ON THE PROCESSING OF PERSONAL DATA
 

according to Article 13

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU)

2016/679

of 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)

This document provides full and transparent information on the processing of personal data of employees, partners and other cooperating entities, including special categories of personal data, by the data controller.

  1. Contact details of the controller:

BD Advisory s.r.o.

  2. Contact details for exercising the rights of data subjects:

Postal address (registry office): Maiselova 15, Praha 1, 110 00, Czech Republic

  3. Purposes of processing and legal basis for processing:
    1. Performance of the tasks and objectives arising from the activities of the company as controller
    2. Processing of personal data on the basis of
      1. Consent (Article 6(1)(a))
      2. Performance of a contract (Article 6(1)(b))
      3. Protection of the vital interests of the data subject (Article 6(1)(d))
      4. Legitimate interests of the controller (Article 6(1)(f))

  4. Principles of processing and collecting personal data:
    1. BD Advisory s.r.o. processes personal data in a lawful, fair and transparent manner.
    2. Every processing operation is assessed in advance under the principle of purpose limitation: before processing begins, its purpose and legal basis are determined. With the exception of archiving in the public interest and statistical purposes, personal data are not processed for any purpose other than the one for which they were collected.
    3. The scope of personal data is kept to the minimum necessary for the purpose and legal basis of the processing. Before processing, personal data are verified with the data subject where they are obtained directly from the data subject, or against publicly accessible records. Where accuracy cannot be verified at the time of collection, it is verified at the earliest opportunity.
    4. Personal data are processed only for as long as is necessary to fulfil the purpose of the processing.
    5. Processing is set up so that personal data are adequately protected against unauthorized or accidental:
      1. disclosure or provision of personal data (breach of confidentiality),
      2. loss of access to or destruction of personal data (breach of availability), and
      3. alteration of personal data (breach of integrity).
    6. Consent to the processing of personal data is never made a condition of using or obtaining services.

  5. Legitimate interests of BD Advisory s.r.o.
    1. BD Advisory s.r.o., as controller, processes personal data to ensure the operation of the company and to comply with legislation, or, on the basis of the data subject's consent, to provide additional services or to promote the company's activities.
    2. Where processing is based on Article 6(1)(f) of the General Data Protection Regulation, BD Advisory s.r.o. pursues the interests of protecting property and information and protecting the life and health of individuals (e.g. through camera systems with recording, access control systems or similar technical measures, and property records). Before such processing begins, a balancing test is always carried out to determine whether the legitimate interests of the company or of third parties are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

  6. Information provided to the public and to data subjects
    1. BD Advisory s.r.o. takes appropriate measures to provide the data subject with all information required by Articles 13 and 14 of the General Data Protection Regulation in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It also makes all communications relating to processing under Articles 15 to 22 and 34 of the General Data Protection Regulation available through its website.

  7. Exercise of data subject rights
    1. Data subjects have the rights in relation to their personal data laid down by the General Data Protection Regulation.
    2. When a data subject gives consent to the processing of their personal data, BD Advisory s.r.o. ensures that the consent and its terms are expressed in an easily understandable manner and that the data subject is informed in the same way. The request for consent must make clear that consent is given voluntarily and without undue conditions, and that providing the personal data is neither a statutory nor a contractual requirement and is not a condition of entering into a contract. The data subject is further informed that withdrawing consent to further processing is their right and has no adverse legal or other consequences for them, because consent is the sole legal basis for that processing and it cannot continue on any other basis. Consent is obtained in writing; oral consent is sought only where written consent cannot be obtained, and even then it must satisfy all requirements of the General Data Protection Regulation, including that the controller must be able to demonstrate that it was given.
    3. BD Advisory s.r.o. has established a methodology for assessing the level of risk of personal data processing, and incident management plans for cases where a personal data breach has occurred or could occur.

  8. Transfer of personal data to third countries or international organisations
    1. BD Advisory s.r.o. does not transfer personal data to third countries or to international organisations.

  9. Security and protection of personal data
    1. Technical and organizational measures
      1. In order to secure personal data, measures are implemented in the areas of physical, personnel and administrative security, including the protection of information in information systems.
      2. All measures are based on a regularly performed risk analysis.
    2. Personnel measures
      1. All employees undergo regular training and knowledge testing in personal data protection according to a pre-approved training plan.
      2. All employees are required to comply with the general personal data protection directive adopted by BD Advisory s.r.o.
      3. Employees are bound by a duty of confidentiality that continues after their employment ends. The duty of confidentiality may be lifted only on the basis of a legal regulation or with the consent of the data subject.
      4. Employees are required to report any personal data security breach to their superiors immediately.
    3. Physical security measures
      1. Physical security is an integral part of the technical and organizational measures protecting personal data.
      2. Access to non-public areas is governed by an internal regulation that sets out the rights and obligations of employees and the conditions under which visitors are admitted.
      3. On the basis of the risk analysis, selected buildings and areas are protected by technical security systems, in particular camera systems, intruder and emergency alarm systems, and access control systems. Documentation and internal operating regulations are prepared for each system, and the systems are inspected regularly.
    4. Data protection in information systems
      1. Special attention is paid to the protection of information in information systems, because they hold personal data for which a breach of confidentiality, integrity or availability may represent a high risk to data subjects.
      2. BD Advisory s.r.o. takes measures to prevent unauthorized persons from accessing information systems and to prevent unauthorized processing. Authorized persons are granted access rights according to their role, based on their job description or internal regulations. Individual accesses are logged in the information systems so that they can be checked and reviewed.
      3. Data containing personal data stored on computers are protected against access by unauthorized persons, and against alteration, destruction, loss, unauthorized transmission, other unauthorized processing and other misuse of personal data. Users of information systems are required to use access passwords; the creation and use of passwords and the measures against their misuse are governed by internal regulations.

  10. Archiving
    1. Documents are archived on the basis of the records management, archiving and shredding regulations, which are adopted in accordance with the legal regulations governing archiving and records management (Act No. 499/2004 Coll., on archiving and records management and on the amendment of certain laws).
    2. Where retention periods are not laid down by Union or Czech law, the retention period is set to the strictly necessary time for which the personal data must be processed.

  11. Testing, assessment and evaluation of the effectiveness of the implemented technical and organizational measures for the security of processing
    1. BD Advisory s.r.o. regularly tests its technical measures through functional tests that verify compliance with the technical requirements for the devices concerned and the adequacy of the protection of personal data. Internal or external auditors may be involved in these tasks.
    2. Because information systems evolve continuously, technical penetration tests are carried out to uncover vulnerabilities in the information system and to adopt security measures that strengthen the protection of personal data processing.
    3. Organizational measures implemented through internal regulations are reviewed and assessed regularly: whenever a security incident, a change in legal regulations or a change in internal conditions at BD Advisory s.r.o. calls for it, and otherwise at least once a year. The effectiveness of the adopted organizational measures is tested through simulated social-engineering attacks.
    4. The responsible individuals keep records of the tests, reviews and assessments performed.

Date of last update: 6 November 2023