Personal data processing rules

Rules for client’s personal data processing and their employees

Xsec Ltd. (Expert security services, hereinafter also referred to as "Xsec") processes some personal data of its clients or their employees. These rules provide information about what personal data we collect, how we handle it, from what sources we obtain it, for what purposes we use it, to whom we may provide it and where you can get information about your personal data that we process.

Xsec, as the personal data administrator, follows the rules of personal data processing described below when processing the personal data of its clients and proceeds in accordance with valid legal regulations [Act No. 110/2019 Coll., On Personal Data Processing and General Regulation on Personal Data Protection - Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter also referred to as GDPR)].

Personal data are in particular:

• identification and descriptive data - personal data used to uniquely and unmistakably identify a person (name, surname, title, birth number, if assigned, otherwise the date of birth, permanent residence address, identity card number - identity card, passport number or another similar document, signature, photograph, image recording from the camera system);

• contact details - personal data enabling contact with a person (especially contact address, telephone number, e-mail address and other similar information);

• data processed in connection with the use of Xsec services (eg. data concerning communication between Xsec and clients, records of telephone calls, bank account number).

Xsec processes the personal data of its clients for some processing purposes without the special consent of its clients, for some purposes of processing with the separately granted consent of clients.

Due to the contractual nature of the relationship between Xsec and the client, the provision of personal data is completely voluntary. However, Xsec would not be able to enter into a contract with the client and fulfil the obligations arising from this contract if he was not provided with the personal data necessary for concluding a contract for the provision of services.

Xsec processes personal data for the following purposes without the client's consent:

• for the performance of a contract to which the data subject is a party or for the implementation of measures taken before the conclusion of the contract at the request of the data subject (in particular the preparation of a draft contract);

• for the protection of the rights and legally protected interests of oneself and the client, especially for the protection of the property of oneself and the client and the evaluation of possible risks.

With the client's consent, Xsec processes personal data for other purposes for which the client has given his consent (eg. marketing purposes).

Xsec obtains clients personal data directly from clients during negotiations on the conclusion of the contract and its subsequent performance, or from publicly accessible registers, lists and records (commercial register, trade register, insolvency register, etc.).

Xsec declares that the personal data it processes are under constant control and Xsec has mechanisms in place to protect the processed data against unauthorized access or transfer, against their loss or destruction, as well as against another possible misuse. All persons who come into contact with the client's personal data in the course of fulfilling their work or contractually assumed obligations are bound by a legal or contractual obligation of confidentiality. In the event that personal data is transferred to other entities (incl. transfer abroad), Xsec has entered into an appropriate agreement with the data processor, which guarantees compliance with the obligations relating to the personal data processing under Czech law.

Xsec transmits clients' personal data to the following entities:

• state authorities, respectively other entities within the framework of fulfilling legal obligations stipulated by special regulations - these are mainly financial authorities, other state administration bodies, courts, bodies active in criminal proceedings, executors, notaries - court commissioners, insolvency administrators, banks, insurance companies, etc .;

• other entities, if this is necessary for the protection of Xsec's rights, eg. insurance companies when claiming insurance claims, courts, bailiffs, etc .;

• specialized external entities (processors) that perform processing for Xsec on the basis of the relevant agreement on the personal data processing - in particular, IT service providers;

• with the client's consent or at his request, personal data may be provided to other entities.

All personal data processed by Xsec is processed for the time strictly necessary to fulfil the specified purpose. Information about what personal data Xsec processes on the client will be provided by Xsec to the client at his request without undue delay. For an unfounded and disproportionate request, Xsec has the right to charge a fee that takes into account the administrative costs associated with providing the requested information. The client has the right to access his personal data, has the right to correct or delete them. Furthermore, the client has the right to restrict the processing of his personal data, he has the right to the portability of his personal data. The client may object to the processing. Details are set out in the applicable legislation.

Xsec does not process their personal data for the purpose of profiling them without the client's consent. With his suggestions, the client can turn to the management of Xsec.

Personal data administrator:

Xsec Ltd., with its registered office at Lidická 700/19, 602 00 Brno, Email: info@xsec.cz

With his suggestions, the client can also contact the Office for Personal Data Protection (www.uoou.cz) directly.

Rules for employees personal data processing

Xsec Ltd. (Expert security services, hereinafter "Xsec") takes care of personal data security. These Personal Data Processing Rules apply to employees personal data processing, which Xsec, as the administrator of personal data in the employee's personal data processing follows, including, applicable legislation [Act No. 110/2019 Coll., On personal data processing and the General Regulation on personal data - Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter also referred to as GDPR)].

An employee also means a job seeker at Xsec who has provided Xsec with his personal data. If the employee did not provide Xsec with his personal data, Xsec would not be able to enter into an employment relationship with the employee and fulfil the obligations arising from it.

Personal data are in particular:

• contact details - personal data enabling contact with a person (especially contact address, e-mail address, telephone number and other similar information);

• data processed in connection with the employee's employment (especially data concerning the job position, method of employment, salary, health status, criminal records/integrity, health insurance company, bank account number).

Xsec processes employees personal data for some purposes of processing without the consent of employees, for some purposes of processing with the consent of employees.

Xsec processes personal data for the following purposes without the employee's consent:

• for the performance of a contract to which the data subject is a party or for the implementation of measures taken before the contract conclusion at the request of the data subject (in particular the conclusion of an employment relationship);

• for fulfilling the legal obligations of Xsec as an employer arising from legal regulations and contractual obligations towards employees (especially according to Act No. 262/2006 Coll., The Labor Code, Act No. 435/2004, on employment, the Sickness Insurance Act, the Pension Act insurance, and others);

• to protect their rights and legally protected interests, in particular, to protect their property and to assess possible risks.

With the employee's consent, Xsec processes personal data for other purposes for which the employee has given his consent (eg. marketing purposes).

Xsec declares that personal data is under constant control and Xsec has mechanisms in place to protect the processed data against unauthorized access or transfer, against their loss or destruction, as well as against another possible misuse. All persons who come into contact with the personal data of employees in the performance of their work or contractually assumed duties are bound by a legal or contractual duty of confidentiality. In the event that personal data is transferred to other entities (incl. transfer abroad), Xsec has entered into an appropriate agreement with the data processor, which guarantees compliance with the obligations relating to the processing of personal data under Czech law.

Xsec transmits employees’ personal data to the following entities:

• state authorities, resp. other entities within the framework of fulfilling legal obligations stipulated by special regulations - these are mainly financial authorities, health insurance companies, the Czech Social Security Administration, other state administration bodies, courts, bodies active in criminal proceedings, executors, notaries insurance companies, etc .;

• other entities, if necessary for the protection of Xsec's rights, eg insurance companies in claiming insurance claims, courts, bailiffs, clients, etc .;

• specialized external entities (processors) that perform processing for Xsec on the basis of the relevant agreement on the processing of personal data - in particular, IT service providers;

• With the employee's consent or at his request, personal data may be provided to other entities.

All personal data processed by Xsec is processed for the time strictly necessary to fulfil the specified purpose. Information on what personal data Xsec processes about the employee will be provided by Xsec to the employee at his request without undue delay. For an unfounded and disproportionate request, Xsec has the right to charge a fee that takes into account the administrative costs associated with providing the requested information. The employee has the right to access his personal data, has the right to correct or delete them. Furthermore, the employee has the right to restrict the processing of his personal data, he has the right to the portability of his personal data. The employee may object to the processing. Details are set out in the applicable legislation.

Xsec does not process their personal data for the purpose of profiling them without the consent of employees. With his suggestions, the employee can turn to the company's management or directly to the Office for Personal Data Protection (see below).

Personal data administrator:

Xsec Ltd., with its registered office at Lidická 700/19, 602 00 Brno, Email: info@xsec.cz

You can also contact the Office for Personal Data Protection (www.uoou.cz) directly with your suggestions.