Download Personal Data Policy

TABLE OF CONTENTS

CHAPTER I. Aim of the Personal Data Policy

CHAPTER II. Scope and amendment of the Personal Data Protection Policy

CHAPTER III. Principles relating to processing of personal data

Article 1. Correctness and lawfulness

Article 2. Restriction to a specific purpose

Article 3. Transparency

Article 4. Data minimization and data economy

Article 5. Erasure

Article 6. Data accuracy and their maintenance up to date

Article 7. Data confidentiality and security

CHAPTER IV. Data processing reliability

Article 1. Customers’ and partners’ data

Article 1.1 Data processing for contractual relationship purposes

Article 1.2. Data processing for advertisement purposes

Article 1.3 Consent for data processing

Article 1.4 Data processing on grounds of a legitimate interest

Article 1.5 Sensitive data processing

Article 1.6 Automatic individual decisions

Article 1.7 Users’ data and the Internet

Article 2. Employee’s data

Article 2.1 Data processing for employment purposes

Article 2.2. Data processing on the basis of a legitimate interest

Article 2.3 Sensitive data processing

Article 2.4 Automatic decisions

Article 2.5 Telecommunications and the Internet

CHAPTER V. Personal data transmission

CHAPTER VI. Data processing in relation to agreements

CHAPTER VII. Rights of the data subject

CHAPTER VIII. Processing confidentiality

CHAPTER IX. Processing security

CHAPTER X. Data protection control

CHAPTER XI. Data protection incidents

CHAPTER XII. Responsibilities and penalties

CHAPTER XIII. Personal data protection officer

CHAPTER XIV. Definitions

 

 

 

 

CHAPTER I. Aim of the Personal Data Policy

As part of its social responsibility, Electroalfa is committed to comply with the national and international data protection laws. This Data Protection Policy is applicable to all Electroalfa Group companies and it is based on accepted data protection principles at European and international level. Ensuring data protection represents the foundation of our group’s business relationships and reputation.

The Data Protection Policy provides the necessary framework requirements for ensuring the adequate data protection level provided by the Regulation (EU) no. 679 of 27 April 2016.

 

CHAPTER II. Scope and amendment of the Policy

This Data Protection Policy is applicable to all Electroalfa Group companies: Electro-Alfa International, Electro Alfa CM, Electro Alfa Management, Alfa Land Rezidential Park, Alfa Land and EAG Cantina Service, as well as to their employees.

The Data Protection Policy covers all personal data processing. The anonymized data, where available, used e.g. for statistical assessments or other surveys, are not subject to this Data Protection Policy. The Policy is reviewed annually, and the latest version approved by the Chief Executive Officer shall be available for being notified to the employees, customers and business partners as soon as possible.

 

CHAPTER III. Principles relating to processing of personal data

Article 1. Correctness and lawfulness

When processing personal data, the individual rights of the data subjects must be protected. Personal data must be lawfully and correctly collected and processed.

Article 2. Restriction to a specific purpose

The personal data may be processed only for the purpose defined before collecting the data and notified to the data subject. The subsequent changes to the purpose are possible only to a limited extent and require a solid justification.

Article 3. Transparency

The data subject must be notified regarding the method used for handling his/her data. In general, the personal data must be collected directly from the data subject. When the data are collected, the data subject must already be aware of or be notified regarding the Identity of the Processor (the data collection company), the purpose of the data processing, Third Parties or categories of third parties to which the data may be transmitted.

Article 4. Data reduction and data minimization

Before processing personal data, it must be decided whether and to what extent the personal data processing is necessary in order to achieve the purpose for which it is performed. When the purpose allows it and when the costs involved are proportionate to the objective, anonymous data must be used. The personal data may not be collected in advance and stored for future potential purposes, unless this is required or allowed by the national regulations.

Article 5. Erasure

The personal data that are no longer necessary after the expiry of the legal or business process must be erased. There may be circumstances in which the legal interests require the maintenance of these data on pre-defined terms. In this case, the data must remain in the files until the expiry of the legal obligations.

Article 6. Data accuracy and their maintenance up to date

The personal data collected must be accurate, complete and, if necessary, updated. Actions must be permanently taken for ensuring that inaccurate or incomplete data are erased, corrected, supplemented or updated.

Article 7. Data confidentiality and security

Within Electroalfa Group, the personal data are deemed confidential information and they are protected by appropriate organizational and technical measures in order to prevent unauthorized access to, processing, or unlawful distribution as well as accidental loss, alteration or destruction of these data.

 

CHAPTER IV. Data processing reliability

Personal data collection, processing and use is also allowed on the basis of the following required legal grounds if the purpose of the personal data collection, processing and use must be altered compared to the initial purpose.

Article 1. Customers’ and partners’ data

Article 1.1. Data processing for contractual relationship purposes

The personal data of prospective customers, existing clients, and partners may be processed in order to conclude, perform and complete an agreement. It also includes consulting services for the partner if this is related to the contractual purpose. Prior to an agreement, during its initiation stage – the personal data may be processed in order to prepare tenders or other documents meeting various future requests related to the conclusion of the agreement. The individuals may be contacted during the agreement preparation process using the personal information they have provided. Any restrictions required by the prospective customers must be complied with. For advertisement purposes, please read Article 1.2 of Chapter IV below.

Article 1.2. Data processing for advertisement purposes

If the data subject contacts a company within Electroalfa Group in order to request information (e.g. to receive product information materials), the data processing for answering to this request is allowed. Advertisement-related actions are subject to additional legal requirements. The personal data may be processed for advertisement, market and public opinion research purposes provided that such processing is carried out in accordance with the purpose for which the data were initially collected. The subject (data subject) holding the data must be notified regarding the use of his/her data for advertisement purposes. If the data are collected for advertisement purposes only, the disclosure from the data subject is voluntary. The data subject must be notified that the provision of personal data for processing for advertisement purposes is voluntary and that the consent must be obtained from the data subject in order to process the data for advertisement purposes. When the consent is given, the data subject should have the opportunity to choose between the available forms, such as default printed forms, transmission of the consent by e-mail and by telephone (Consent, see Chapter IV Article 1.3). If the data subject refuses the use of his/her data for advertisement purposes, the data may no longer be used for such purposes and must be blocked for use for such purposes.

Article 1.3. Consent for data processing

Data may be processed in accordance with the consent of the data subject. Before giving his/her consent, the data subject must be notified in accordance with the provisions of Chapter III Article 3 on this Data Protection Policy. The approval statement – consent must be obtained in writing or in electronic format and kept for documentation purposes. In certain cases, such as phone conversations, the consent may be given orally. The granting of such consent must be documented.

Article 1.4. Data processing on the basis of a legitimate interest

The personal data may also be processed on the basis of a legitimate interest of Electroalfa Group. In general, the legitimate interests are of a legal nature (for example, collection of unpaid receivables) or of a commercial nature (e.g., avoiding breaches of contract). Personal data may not be processed for legitimate interest purposes if, in individual cases, there is evidence that the interests of the data subject require protection and that it has priority. Before processing the data, it is necessary to determine whether there is such a case. Article 1.5. Sensitive data processing

The very sensitive personal data may only be processed if the law requires it or if the data subject had expressly given his/her consent. Such data may also be processed only if it is mandatory for the performance, exercise or defense of legal claims related to the data subject. If there is an intention to process sensitive data, the personal data protection officer must be notified in advance.

Article 1.6. Automatic individual decisions

The automatic processing of personal data, which is used to assess certain issues, may not be the only basis for decisions having negative legal consequences or which could significantly affect the data subject. The data subject must be notified regarding the facts and results of the automatic individual decisions and has the opportunity to respond. In order to avoid making the wrong decisions, an employee must carry out a test and a plausibility check.

Article 1.7. Users’ data and the Internet

If personal data are collected, processed and used on websites or in applications, the data subjects must be notified about this in an Information Notice and, if necessary, information about cookies. The Information Notice and any cookie information must be integrated so that it is easily identifiable, directly accessible and constantly available to the data subjects. If use (tracking) profiles are created for evaluating the use of the websites and applications, the data subjects must always be appropriately informed in the Information Notice. If the websites or applications can access personal data in an area restricted to registered users, the identification and authentication of the data subject must provide sufficient protection during access.

Article 2. Employee’s data

Article 2.1. Data processing for employment purposes

In the employment relationships, the personal data may be processed, if necessary, to initiate, perform, and terminate the employment contract. When initiating an employment relationship, the personal data of the applicants may be processed. When the candidate is rejected, his/her data must be erased (in accordance with the required retention period), unless the applicant has agreed that his/her data remain in the file for a future selection process. It is also necessary to give consent for using the data when it is desired to continue the application processes or before sharing the data with other companies of the Group. In the existing employment relationship, the purpose of the data processing must always be correlated with the purpose of the employment contract if none of the following circumstances exist for the processing of authorized data. If it is necessary to collect information about an applicant from a third party during the application procedure, the corresponding legal requirements must also be complied with.

Article 2.2. Data processing on the basis of a legitimate interest

The personal data may also be processed if it is necessary to support a legitimate interest of Electroalfa Group. In general, the legitimate interests are of a legal nature (for example, filing, enforcing or defending against legal complaints, debt recovery, etc.). The control measures requiring employee data processing may only be taken if there is a legal obligation to do this or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must always be reviewed. The justified interests of the company for implementing control measures (for example, compliance with legal provisions and company’s internal rules and regulations) must be weighed against any interests of the employee that must be protected so that the control measures are adequate.

Article 2.3. Sensitive data processing

The sensitive personal data may be processed only under certain conditions. These are data regarding the racial and ethnic origin, political beliefs, religious or philosophical beliefs, as well as regarding the health and sexual orientation of the data subject or the data related to the criminal record. Such data may be processed when there are legal obligations or when the data subject had given his/her express consent.  Article 2.4. Automatic decisions

If, at any time, the personal data are automatically processed as part of the employment relationships and certain specific personal data are automatically assessed (for example, during the selection of staff or the assessment of competence profiles), this automatic processing may not be the only basis for making decisions that could have a negative impact on the employee concerned. In order to avoid making the wrong decisions, the automatic process must be assisted by a natural person assessing the content of the case, and this assessment shall represent the basis for making the decision. The data subject must also be notified regarding the facts and results of the automatic individual decisions and the possibility to respond.

Article 2.5. Telecommunications and the Internet

The phone equipment, e-mail addresses, Intranet, and the Internet, together with the internal applications, are provided by the company primarily for work-related tasks. They represent a tool and a resource of the company. They can be used within the applicable legal regulations and the company’s internal policies. In the case of authorized use for personal purposes, the provisions of the internal regulation and procedures and specific legislation on telecommunication shall be taken into consideration. There shall be no general monitoring of phone and e-mail communications or of the Intranet/Internet use. In order to protect us against attacks on IT infrastructure or individual users, protective measures may be implemented for the network connections of Electroalfa Group blocking harmful content from technical point of view or analyzing attack patterns. For security reasons, the use of phone equipment, e-mail addresses, Intranet/Internet and internal applications for a temporary period may be monitored. The assessment of these data regarding a particular individual may be carried out only in a concrete case justified by suspicion of violation of the laws or of the policies and procedures of Electroalfa Group.

The assessments may be carried out only by the investigation commission, while ensuring the compliance with the principle of proportionality. The relevant national legislation must be complied with in the same way as the Group’s regulations.

 

CHAPTER V. Personal data transmission

The personal data transmission to recipients outside or within Electroalfa Group is subject to the authorization requirements for the processing of personal data in accordance with this policy. The data beneficiary shall use the data only for the defined purposes. If the data are sent to a recipient outside Electroalfa Group, to third party country, this country must agree to maintain a level of protection of personal data equivalent to this data protection policy and in accordance with the provisions of the EU GDPR 679/2016. If the data are sent by a third party to a company within Electroalfa Group, we must make sure that the data are used only for the intended purpose.

 

CHAPTER VI. Data processing in relation to agreements

Processing the data through a service provider being employed to process personal data means that it shall comply with the Regulation 679/2016 and this Policy without undertaking the responsibility for related business processes. In such cases, an agreement must be concluded regarding the processing of personal data. The provider may process personal data only in accordance with the customer’s instructions. Upon conclusion of the agreement, the following requirements must be met, and the department sending the order must ensure that they are met:

  1. The provider must be selected on the basis of its ability to provide the necessary technical and organizational protection measures.
  2. The processing order must be sent in writing. The instructions regarding the data processing and the customer’s and provider’s responsibilities must be documented.
  3. The contractual standards for the protection of personal data provided by the company’s personal data protection officer must be taken into consideration.
  4. Before starting the data processing, the customer must be confident that the provider shall fulfill its obligations. A provider may document the compliance with data security requirements, in particular by providing an appropriate certification. Depending on the data processing risk, the revisions of the certifications must be repeated regularly during the term of the agreement.
  5. In the case of cross-border processing of the data from the agreements, the requirements of the Regulation EU 679/2016 and the relevant national regulations on the disclosure of personal data abroad must be met. In particular, the personal data from the European Economic Area (EEA) may be processed in a third party country outside the EEA only if the provider can prove that it has a data protection standard that is equivalent to this data protection policy.

 

The adequate tools may be:

  1. The agreement regarding the standard EU contractual terms for processing the data from agreements in third party countries with the provider and with any subcontractors.
  2. The provider’s participation in an EU accredited certification system in order to ensure an adequate level of data protection.
  3. Acknowledgement of the provider’s mandatory corporate rules in order to create an adequate level of data protection by the supervisory authorities being responsible for data protection.

 

CHAPTER VII. Rights of the data subject

Each data subject has the rights below, and their statement must be immediately handled by the personal data protection officer and it cannot represent a disadvantage for the data subject.  Article 1. The data subject may request information on the personal data regarding him/her were stored, the method used for collecting the data and the purpose of this collection. If there are additional rights for viewing the employer’s documents (for example, the personnel file) in the case of employment relationships in accordance with relevant employment laws, they shall not be affected.

Article 2. If the personal data are sent to third parties, information on the identity of the recipient or categories of recipients must be provided.

Article 3. If the personal data are inaccurate or incomplete, the data subject may request their rectification or completion.

Article 4. The data subject may object to the processing of his data for advertisement purposes or market research or opinion survey purposes. The data must be blocked for these types of use.  Article 5. The data subject may request the erasure of his/her data if the processing of such data has no legal basis or if the legal basis has ceased to apply. The same applies if the purpose of the data processing expired or ceased to be applicable for other reasons. Attention shall be paid to the retention periods and possible conflicts of interest.

Article 6. The data subject has the right to oppose the processing of his data and this must be taken into account if the protection of his interests takes precedence over the interest of the data controller following a specific personal situation. This does not apply if there is a legal provision requiring the processing of the data.

 

CHAPTER VIII. Processing confidentiality.

The personal data are deemed confidential. The unauthorized collection, processing or use of these data by the employees is prohibited. Any data processing carried out by an employee who was not authorized to carry it out as part of his/her legitimate duties is unauthorized. The “need to know” principle shall apply. The employees may access the personal data only as appropriate for the type and purpose of the relevant job task. This requires a careful breakdown and separation, as well as the implementation of the roles and responsibilities. The employees are prohibited from using personal data for private or commercial purposes, disclosing them to unauthorized persons, or otherwise making them available. The department managers and Human Resources Department have to inform their employees at the beginning of the employment relationship regarding the obligation to protect the confidentiality of the personal data and information. This obligation shall remain in force even after the cessation of the employment term.

 

CHAPTER IX. Processing security

The personal data must be protected against unauthorized access and unlawful processing or disclosure, as well as against accidental loss, alteration or destruction. This is applicable regardless of whether the data are processed in electronic format or on paper. Before introducing the new data processing methods, in particular the new IT systems, technical and organizational measures for protecting the personal data must be defined and implemented. These measures must be based on the state of the art, the processing risks and the need to protect the data (determined during the information classification process).

In special cases, the responsible department can consult with the information security officer. The technical and organizational measures for the protection of personal data are part of the company’s information security management and must be continuously adapted to the technical developments and organizational changes.

 

CHAPTER X. Data protection control

The compliance with data protection policy and applicable data protection laws is regularly checked through data protection audits and other inspections. The performance of these inspections represents the responsibility of the Personal Data Protection Officer and other entities having auditing rights within the company or external auditors employed. The results of the data protection inspections must be reported to the Chief Executive Officer of Electroalfa Group.

On demand, the results of the data protection inspections shall be made available to the supervisory authority being responsible for data protection. The authority being responsible for data protection may carry out its own inspections in accordance with the national law.

 

CHAPTER XI. Data protection incidents

All employees must immediately notify the department manager or the data protection officer regarding breaches of this Data Protection Policy or other personal data protection regulations (data protection incidents). In case of:

  • inappropriate transmission of personal data to third parties,
  • inadequate access of third parties to personal data, or
  • loss of personal data, the reports required by the company through the reporting and information security incident management procedures must be made immediately, so as all reporting obligations in accordance with national law can be complied with.

 

CHAPTER XII. Responsibilities and penalties

The executive positions (division managers/department managers) within the group are responsible for the data processing in their area of responsibility. Therefore, they must ensure that the legal requirements on data protection and those comprised in the personal data protection policy are met. The managing staff is responsible for ensuring the organizational, technical and human resources-related measures so as any data processing is performed in accordance with the data protection. The compliance with these requirements is the responsibility of each relevant employee.  If the Supervisory Authority carries out a data protection audit, the Personal Data Protection Officer must be immediately notified. The personal data protection officer is the contact person displayed on the website for data protection relations. He/she can perform checks and familiarize the employees with the content of the data protection policies.

A relevant management is required for supporting the Personal Data Protection Officer in his/her efforts.

The departments being responsible for the business processes and projects must notify the Personal Data Protection Officer in due time regarding a new personal data processing. In order to process data that may pose special risks to the individual rights of the data subjects, the Personal Data Protection Officer must be notified before starting the processing. This is especially true for highly sensitive personal data. The inappropriate personal data processing or other breaches of the data protection laws leads to the enforcement of the penalties provided by the internal regulations, Regulation EU no. 679/2016 and the legislation in force.

 

CHAPTER XIII. Personal data protection officer

The personal data protection officer, being internally independent of professional subordination, carries out its activity aiming the compliance with the national and international data protection regulations. He/she is responsible for the data protection policy and oversees its observance. The personal data protection officer is appointed by the management of Electroalfa Group.

The department managers must promptly notify the Personal Data Protection Officer regarding any occurrence of any risks related to the personal data protection.

Any person may contact the Personal Data Protection Officer at any time for asking questions, requesting information, or filing complaints regarding the data protection or personal data security issues. If there are requests, the complaints shall be handled confidentially. If the Personal Data Protection Officer concerned cannot settle a complaint or remedy a breach of the data protection policy, he/she shall request the advice of the Supervisory Authority.

The decisions made by the Personal Data Protection Officer in order to remedy the data protection violations must be supported by the management of the company. The investigations and audits performed by the Supervisory Authority must always be reported to the company’s management.

 

CHAPTER XIV. Definitions

The data are anonymous if the personal identity can never be tracked by anyone or if the personal identity could only be recreated with an unreasonable time, expense and work.

The consent is the voluntary agreement, expressed unequivocally and expressly, legally binding, for the data processing.

The data protection incidents are any events in which there are reasonable grounds for suspicion that the personal data are unlawfully captured, collected, modified, copied, transmitted or used. This refers to the actions of third parties or of the employees.

Under this this data protection policy, the data subject is any natural person whose data can be processed.

The European Economic Area (EEA) is an economic region associated with the EU and it includes Norway, Iceland and Liechtenstein.

The highly sensitive data are the data on the racial and ethnic origin, political opinions, religious or philosophical beliefs, organizations membership, data on the criminal record or on the health and sexual orientation of the data subject.

The personal data represent all information on a particular natural person that can lead to his/her identification.

The personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The personal data processing is necessary if the permitted purpose or justified interest could not be achieved without the personal data or only with exceptionally high expenses.

The Processor of the Data Controller is the legally independent company of Electroalfa Group, whose activity initiates the relevant processing measures.

Within the framework of the personal data protection policy, third party countries represent all nations outside the European Union/EEA. This does not include the countries with a level of data protection deemed adequate by the European Commission.

Third parties represent any person other than the data subject and the data controller.

The transmission means a disclosure of the personal data protected by the responsible entity to third parties.