This statement sets out the Mautilus, s.r.o. company policy regarding your personal data. After reading it you should understand what information we collect and process, why, and for how long we archive it. It also informs you about your rights in this area.
It applies to all the services offered by Mautilus, s.r.o. excluding services that have separate privacy policies (typically the applications operated by our clients where we do not act as controller or processor of the personal data).
By personal data we mean „any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person“ (GDPR Chapter 1, Art. 4).
By processing the personal data we mean „any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction“ (GDPR Chapter 1, Art. 4).
What information do we collect and process?
If you are our client or business partner, we collect, process and store only your identification and contact information. It serves to clearly identify the client company representatives and to enable communication with the customers. It can be first and last name, title, address of permanent residence etc. Identification information can typically be found in the Framework contract/Statement of Works/Purchase order/NDA/email communication/business cards provided or any information we obtain during our cooperation. Your information is basically stored for accounting, BD and marketing purposes.
If you are our former or current employee, we collect, process and store the following data:
* Identification information (it serves to clearly identify the employee - first and last name, title, birth registration number if allocated, date and place of birth, address of permanent residence, number of a personal identification document – personal identity card, passport or another similar document). Identification information can be found in the CVs or personal questionnaires of our employees.
* Contact information (especially the contact address, phone number, email address and other similar information provided by the employee). This information can be found in the personal questionnaires of our employees.
* Information connected to your employment contract – parallel employment contract, Registration number at ČSSZ and other information contained in the personal questionnaire.
* Bank account number (it is used for salary agenda and can be found in the personal questionnaires of our employees).
* Online identifiers (every laptop that belongs to the company has its own specific online identifier such as an IP address. The list of these identifiers can be found on our INTRANET).
* Photos - they can be stored:
o on the application profiles where you voluntarily upload them, for example your internal communication app, SW development tools etc. The photo is not required but is strongly recommended. The main reason is to allow your colleagues to recognize you and to make internal communication easier.
o on Mautilus social networks where they can be used for PR and BD purposes (for example photos from conferences, competitions, social events etc.). Mautilus declares that none of the photos published has inappropriate content and that each photo will be erased immediately from the relevant communication channel if you ask us to do so.
* Sensitive data
o We can collect information about our employees’ children such as first and last name, birth registration number and the child’s disability. We use this information for filling out and archiving the Declaration of the taxpayer liable to personal income tax.
o We may also have health condition information of some of our employees if the subject provides the information voluntarily.
Who has the access to your personal data?
Mautilus, s.r.o. acts mostly as the collector and also the processor of your data. In this case there is a defined group of employees responsible for certain personal data. For certain agendas we rely on external data processors, who are individuals, legal entities, public authorities or other subjects who process personal data for our company and are responsible for data protection. They are:
| Name of the company | What personal data | Why |
| --- | --- | --- |
| ProfiDaně, s.r.o. | Identification information | HR and accounting purposes |
| | Contact information | HR and accounting purposes |
| | Bank account number | Salary payment |
| | Sensitive data | Tax purposes |
An important part of our clients’, business partners’ and employees’ data is stored, processed and obtained by the SW services that are operated under their own Privacy Policies. The reasons for using such tools can be:
* Customer communication (Atlassian, Survey Monkey, MailChimp, Microsoft Office, Google)
* Personal and salary agenda (Timr-Troii, POHODA-Stormware)
* Hiring and HR (HR portals – Randstad, Manpower, Perspektiva CZ, CPL Jobs, TTP Consulting)
The HR agencies in this case act as the data administrators with their own responsibility for the data protection. Nevertheless, Mautilus may have a contract covering the conditions under which the data is handed over.
The third group is formed by the so-called data recipients, that is, everybody to whom the data is provided.
| Name of the company | What personal data | Why |
| --- | --- | --- |
| Czech social security office | Identification information | Tax purposes |
| | Contact information | Tax purposes |
| | Sensitive data | Tax purposes |
| Health insurance | Identification information | Tax purposes |
| | Contact information | Tax purposes |
| | Sensitive data | Tax purposes |
| HR agencies | Work contract | Fulfillment of the subject of a contract – employee seeking |
| Subsidy providers | Identification information, Contact information, Bank account number, Work contract, Working sheets | Fulfillment of the subject of a contract and the subsidy requirements |
We retain and process the personal data only for specific reasons and to the minimum extent, with a focus on security and risk avoidance.
These reasons can be the following ones:
* it is necessary for the performance of our contract or in order to enter into it;
o these are typically your company and/or company representatives’ information contained in the Framework contract/Statement of works/Purchase order/NDA or the data provided via electronic communication tools during our cooperation.
o for our former and current employees it also represents the data from the “personal questionnaire” and employment contract. The data is stored and archived for the term defined by law (10 years). If the information is required by other authorities (for example in connection with the subsidies), the terms are prolonged in accordance with the subsidy provider’s terms. Our current employees can find all the information on the INTRANET after signing in.
* it is necessary for compliance with a legal obligation;
* it is necessary in order to protect your vital interests or of another natural person;
* it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
* it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
* you simply gave us your consent to do so for some purpose, for example to improve our services, to send you periodic emails or surveys, or to give us feedback;
o As the consent was given of your own free will, you can withdraw it at any time by contacting us directly or simply by clicking the “opt-out/unsubscribe” button in the email or marketing communications.
For how long do we archive the data?
* Your personal data is processed and stored generally throughout the duration of our mutual contract.
* In some cases, we process the data for a longer time:
o if required by the law (accounting purposes) or any other specific terms (e.g. subsidies);
o it may serve to make a claim arising from our previous cooperation (payment clearing, NDA etc.)
o to follow up with you after correspondence, to ask for ratings, to improve customer service or to inform you about the new products and services.
* Our company collects and stores the personal data to a minimal extent and for the shortest period possible. In connection with the personal, accounting and salary agenda the terms are defined by law that requires the employer to store the data for at least 10 years. Regarding the data required by the subsidy provider (Ministry of Industry and Trade), the minimal terms are 10 years after the end of the project (expected 30th November 2018).
How do we ensure the security and risk avoidance?
We at Mautilus are aware of the importance of data security. Our company uses SVN Tortoise as a cloud system. This system allows Mautilus to give access and update rights only to the relevant persons and reduces the risk of data abuse to a minimum. Some personal information can be saved in a mailbox in case the information was provided via e-mail.
Our employees are aware of the basic security rules such as using antivirus and a recent version of the operating system, strong passwords to access their profiles/laptops/emails etc.
We choose only the suppliers and partners who declare meeting the GDPR requirements and we do all our data processing in EU-based cloud centers to be sure that all data is handled within the European Union.
In terms of software security, we rely on strong partners with established infrastructure and procedures to ensure data security at any time.
Mautilus has, based on an analysis, taken measures to establish various procedures of data collection and processing. Our company is also ready to report to the appropriate authorities in case we suspect that the safety regulations have been broken.
What are your rights?
The rights of the data subjects are enumerated in the GDPR regulation, Chapter 3, Art. 12-23. They are:
* Transparent information, communication and modalities for the exercise of the rights of the data subject;
* Information to be provided where personal data are collected from the data subject;
* Information to be provided where personal data have not been obtained from the data subject;
* Right of access by the data subject;
* Right to rectification;
* Right to erasure (‘right to be forgotten’);
* Right to restriction of processing;
* Notification obligation regarding rectification or erasure of personal data or restriction of processing;
* Right to data portability;
* Right to object;
* Automated individual decision-making, including profiling;
* Right to be informed when data security is breached;
* Right to make a claim to The Office for Personal Data Protection via www.uoou.cz.
What information do we obtain from our applications and products?
In connection with the products and applications we develop (HbbTV/OTT/mobile etc.) and their operation, Mautilus does not systematically process any personal or specific personal data about the end users of the applications that could lead to their identification, so in this sense Mautilus is neither the controller nor the processor of the personal data. The applications and their operation require some information from the end users such as login, email address, IP address etc. (or they collect it automatically in an anonymous and encrypted way), but this data is ensured by the application provider.
For statistical purposes we do not save any user or device identification. We rely on aggregated data only. The device’s IP address and User-agent header are saved temporarily into the server’s log file; this is used for development/debugging purposes and the information is automatically deleted after some time.
When the HENMAN is used for saving data from questionnaires, we keep the device’s IP address and User-agent header saved permanently in the database.
If enabled, the device’s IP address is used for geo-location. This feature is currently unused.
How can you contact us?
If you have any question, request, update, claim or hesitation you can contact us at info[a]mautilus.com or by post (Mautilus, s.r.o., U vodárny 3032/2a, Královo Pole, 61600 Brno, Czech Republic).