GDPR
1. Personal data controller
The company TLC Trainings and Languages, s.r.o., ID No.: 27252973, registered office at Pražákova 69, 639 00 Brno, represented by Tatiana Tomášková, Director, registered in the Commercial Register maintained by the Regional Court in Brno, under file number C 51914.
The company TLC Grow, s.r.o., ID No.: 11746971, registered office at Pražákova 69, 639 00 Brno, represented by Tatiana Tomášková, Director, registered in the Commercial Register maintained by the Regional Court in Brno, under file number C 51914.
The company TLC Holding, s.r.o., ID No.: 17375029, registered office at Pražákova 69, 639 00 Brno, represented by Tatiana Tomášková, Director, registered in the Commercial Register maintained by the Regional Court in Brno, under file number C 51914.
The company TLC Kids, s.r.o., ID No.: 07936575, registered office at Pražákova 69, 639 00 Brno, represented by Tatiana Tomášková, Director, registered in the Commercial Register maintained by the Regional Court in Brno, under file number C 51914.
2. Legality
The processing of personal data is necessary for the performance of a contract or order, whereby the contracting party is understood to be an employee, customer or supplier, or other persons who have a contractual relationship with the controller or an interest in entering into a contractual relationship.
3. Scope of processing of personal data
Personal data are processed to the extent that the relevant subject has provided them to the controller, in connection with the conclusion of a contractual or other legal relationship with the controller, or which the controller has otherwise collected and processes in accordance with applicable law or to fulfil the controller's legal obligations.
4. Sources of personal data
The source of personal data is information provided directly by the data subjects, through the contractual relationship between the controller and the customer, through CCTV, publicly accessible registers and lists, information from the internet and the media.
5. Processing of personal data on employees
5.1 The processing of personal data is necessary to comply with legal obligations and for the purposes of the legitimate interests of the controller. In this case, it is the processing of personal data of natural persons on the basis of an obligation laid down by another legal regulation - it concerns data on employees.
5.2 This data is also processed and archived for the purpose of retrospective checks by the tax office or the employment office, the MSSZ or health insurance companies.
5.3 The controller needs to work with the following categories of data: name, surname, maiden name, birth number, date of birth, place of birth, marital status, nationality, permanent residence, health insurance details, assigned social security number, ID card number, passport number, driving licence details, data on medical fitness for work, data on deductions from wages, data on the employee's annual wage statement, data on any pension received, data on children and family members, data on education, work experience, contact details, job position.
5.4 The processing of personal data is necessary for the purposes of entering into an employment contract or other contractual relationship and the subsequent performance of the contractual obligations arising from the contractual relationship, as some personal data occurs in the context of communication. This includes, in particular, the name and surname.
6. Processing of personal data on persons subject to obligations under the VAT Act or the Accounting Act.
6.1 The processing of personal data is necessary to comply with legal obligations and for the purposes of the legitimate interests of the controller. In this case, it is the processing of personal data of natural persons authorized to conduct business on the basis of an issued trade license.
6.2 These data are also processed and archived for the purpose of retrospective control by the tax office.
6.3 The controller needs to work with the following categories of data: name of the subject, first name, surname, registered office address, registration number, tax identification number, bank details, contact details, data on education and work experience.
6.4 In the context of the marketing and business activities of the controller, the controller provides basic personal data about the data subject to its business partners or publishes certain information on the Internet. This primarily includes name, surname, company e-mail and company telephone number and photograph, education and work experience data.
6.5 The processing of personal data is necessary for the purpose of entering into a contractual relationship and the subsequent performance of obligations arising from the contractual relationship.
7. Processing of personal data of the customer, the customer's employees
7.1 The processing of personal data of the customer, the customer's employees is necessary for the purposes of the legitimate interests of the controller, as there is a relevant and adequate relationship between the data subject (customer) and the controller. In order to provide its services, the controller needs to work with the following categories of data: name, surname, e-mail address, telephone number, personal number and job title, date and place of birth, if applicable.
7.2 The processing of personal data is necessary for the purpose of including the Customer's employee in the training activity, communicating with him/her, recording his/her presence at the training activity, recording his/her tests, reporting his/her progress to the employer, issuing a certificate for the Customer's employee.
8. Processing of personal data of the supplier, the supplier's employees
8.1 The processing of the personal data of the Supplier, the Supplier's employees is necessary for the purposes of the legitimate interests of the Controller as there is a relevant and adequate relationship between the data subject (the Supplier) and the Controller.
8.2 For the purposes of the proper conclusion of the contractual relationship and subsequent billing, the controller needs to work with the following categories of data: name of the subject, first name, surname, registered office, registration number, bank account, telephone contact, e-mail address.
9. Processing of personal data of job applicants
When processing personal data of job applicants in the context of job vacancy selection procedures and for the purpose of job offers, the controller works with the following categories of data: name, surname, e-mail address, residence, education, work experience, if applicable.
10. Data minimisation
The controller undertakes to process only personal data that are relevant, adequate and, in terms of scope, strictly necessary for the purpose of processing. Once this purpose has passed, the data will be archived at regular intervals and shredded or deleted at the end of the archiving period.
11. Processing method
The processing of personal data is carried out by the controller. The processing is carried out by individual authorised employees of the controller or by the processor. The processing is carried out by means of computer technology, i.e. electronically or, where appropriate, manually by means of documents. In both cases, all security principles for the management and processing of personal data are observed. To this end, the controller has taken technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or other misuse of personal data. All entities to whom personal data may be disclosed shall respect the right of data subjects to privacy and shall comply with applicable data protection laws.
12. Data security
TLC ensures data security by contracting vendors, as it uses only cloud-based applications and software. Access is secured through user password authentication or two-factor authentication. Only competent persons who need personal data to perform their jobs are authorized to access the information system.
13. Period of processing of personal data - Archiving
The administrator shall archive documents and information in accordance with the table below or in accordance with the relevant legislation. This is always the time necessary to ensure the rights and obligations arising from the contractual relationship as well as from the relevant legislation.
Document type | Archiving time |
Financial statements and annual reports | 10 years |
Accounting documents, ledgers, depreciation schedules, inventory lists, chart of accounts, summaries | 5 years |
Accounting records | 5 years |
Documents from persons liable for value added tax | 10 years |
Copies of registration sheets | 3 years |
Payroll | 30 years |
Data required for the determination and payment of insurance premiums | 10 years |
Internal regulations, internal directives | 10 years |
14. Notice
The controller processes data with the consent of the data subject, except in cases provided by law where the processing of personal data does not require the consent of the data subject. In accordance with Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR"), the controller may process the following data without the data subject's consent:
- The data subject has given consent for one or more specific purposes.
- The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject.
- The processing is necessary for compliance with a legal obligation to which the controller is subject.
- The processing is necessary to protect the vital interests of the data subject or another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing is necessary for the purposes of the legitimate interests of the controller concerned or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
15. Rights of data subjects
15.1 In accordance with Article 12 of the GDPR, the controller shall inform the data subject of the right of access to personal data and the following information upon request:
- The purpose of the processing.
- The category of personal data concerned.
- Recipients to whom personal data have been or will be disclosed.
- The planned period for which the personal data will be stored.
- Any available information about the source of the personal data, unless obtained from the data subject.
15.2 Any data subject who becomes aware or believes that the controller or processor is carrying out processing of his or her personal data which is contrary to the protection of the data subject's private and personal life or contrary to law, in particular where the personal data are inaccurate with regard to the purpose of the processing, may:
- Ask the administrator for an explanation.
- Require the administrator to remedy the condition thus created. In particular, this may involve blocking, rectifying, supplementing or erasing personal data.
- If the data subject's request pursuant to paragraph 1 is found to be justified, the controller shall rectify the defective situation without delay.
- If the controller does not comply with the data subject's request pursuant to paragraph 1, the data subject shall have the right to apply directly to the supervisory authority, i.e. the Office for Personal Data Protection.
- The procedure referred to in paragraph 1 shall not preclude the data subject from submitting his or her complaint directly to the supervisory authority.
- The controller shall have the right to request a reasonable fee for the provision of the information, not exceeding the costs necessary to provide the information.
This Internal Directive replaces the previous Internal Directive in its entirety and is publicly available on the Administrator's website.
In Brno on 1.1.2024
Taťána Tomášková, Director