Information on Personal Data Processing

CONCERN EMPLOYEES AGENDA ADMINISTRATION

Through this document we, as the personal data controller – ŠKODA AUTO a. s., registered office: tř. Václava Klementa 869, Mladá Boleslav II, post code: 293 01, Reg. No.: 00177041, registered in the Commercial Register kept by the Municipal Court in Prague under file ref. B 332, (hereinafter referred to as “ŠKODA AUTO”) – provide you with information about personal data processing and your rights related to the processing.

The processing occurs as part of the following activities:
Concern employees agenda administration

What is it?

From the beginning to the end of your services to ŠKODA AUTO, we will work with information about you (your personal data). In some cases, the information is necessary for handling various matters during your stay at ŠA: so that we and you can comply with mutual obligations under contracts and internal regulations, we have to process certain personal data about you. Furthermore, if you come or arrive at the ŠA premises, we will work with information about you and your vehicle, e.g. as part of monitoring and recording visits. An overview of visits and their movement around the premises is necessary for us to ensure your and our safety. We have prepared this document to give you a better idea of specific situations and reasons why we need to work with your data (processing purposes).

You provide services in ŠKODA AUTO environment:

You are visiting ŠKODA AUTO premises:

  • Provision of asset security and protection (monitoring of site)
  • Provision of asset security and protection (records on short-term and long-term entries of persons)

You are using ŠKODA AUTO information and communication technology:

  • Ensuring the security of information and communication technologies (ICT), recording the use of ICT, data loss prevention
  • Resolving requests, incidents and changes in IT
  • Records of communication with Service Desk/Infoline
  • Records of applications and IT components

You provide services in the ŠKODA AUTO environment:

  • Internal verification of compliance of actions or behaviour with internal regulations and/or legal regulations
  • Handling and recording of claims

You were involved in a security incident:

  • Provision of asset security and protection (resolution of security incidents)
  • Provision of fire protection
  • Resolving information (cyber) security incidents

You are participating in an educational course:

  • Performing education of concern persons

If you have any questions regarding our handling of your personal data, please contact the DP Office of ŠKODA AUTO or you can read the Personal Data Protection Principles on our website – the contact information and link are given on the last page.

Provision of asset security and protection (monitoring of site)

Purpose of the processing:
Provision of asset security and protection (monitoring of site)

Description of the purpose of processing:
Processing and assessing records from camera systems on the site of ŠKODA AUTO where you may be situated.

Legal basis of the processing:
We have a legitimate interest to perform this processing. We want to ensure safety of our site and of all our employees as well as other persons moving around the site.

Categories of the personal data we process:
Records from CCTV systems

Processing and archiving period:
14 days from recording.

Categories of data processors or recipients to whom we may provide the personal data:
Upon request, your personal data can be provided to public authorities, in particular to courts, the Police of the Czech Republic and other law enforcement agencies to the necessary extent and within the boundaries of law.

Source of the personal data:
We receive the personal data directly from you.

Transfers of personal data to third countries or supranational organisations:
As part of the above-mentioned processing, your personal data will not be transferred to any third country or multinational company.

Automated decision-making based on the personal data:
During this personal data processing, automated decision-making based on the personal data does not occur.

Other information
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In well-founded cases, personal data can also be the subject of processing for the purposes of legal matters resolution, including the performance of obligations towards public administration bodies and monitoring and ongoing evaluation of legal risks.

Provision of asset security and protection (records on short-term and long-term entries of persons)

Purpose of the processing:
Provision of asset security and protection (records on short-term and long-term entries of persons)

Description of the purpose of processing:
As part of short-term and long-term access/entry, your data is entered in the records of persons entering and leaving on foot and by car, including the entry of natural persons into secure premises, with your personal data used for the permission to maintain records. In recording entries by car, the personal data of the drivers are also recorded.

Legal basis of the processing:
We have a legitimate interest to perform this processing. We want to ensure that only authorized persons enter ŠKODA AUTO site and premises.

Categories of the personal data we process:
  • Identification data
  • Product Specifications (SPZ)
  • Contact information
  • Other identification and contact details of the concern employee
  • Records from Input Devices
  • Data about people in the perimeter
  • Photo / video

Processing and archiving period:
5 years from the event.

Categories of data processors or recipients to whom we may provide the personal data:
Upon request, your personal data can be provided to public authorities, in particular to courts, the Police of the Czech Republic and other law enforcement agencies to the necessary extent and within the boundaries of law.

Source of the personal data:
We receive the personal data directly from you.

Transfers of personal data to third countries or supranational organisations:
As part of the above-mentioned processing, your personal data will not be transferred to any third country or multinational company.

Automated decision-making based on the personal data:
During this personal data processing, automated decision-making based on the personal data does not occur.

Other information
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In well-founded cases, personal data can also be the subject of processing for the purposes of legal matters resolution, including the performance of obligations towards public administration bodies and monitoring and ongoing evaluation of legal risks.

Ensuring the security of information and communication technologies (ICT), recording the use of ICT, data loss prevention


Purpose of processing:

Ensuring the security of information and communication technologies (ICT), recording the use of ICT, data loss prevention

Description of the purpose of processing:
Your selected personal data may be stored within the standard operation of ICT systems and later used to solve ICT problems and investigate security events.

Authorisation to process:
We have a legitimate interest in carrying out this processing. Our ICT must meet basic security attributes (integrity, confidentiality, availability). We ensure the security of the ICT company and the data of our employees, customers and partners.

Categories of personal data that we process:

  • Identification data
  • Contact details
  • Network IDs
  • Location data
  • Information about communication and interactions
  • Communication, interactions and profiles derived from this data
  • Risk profiles
  • Information regarding work performance
  • Other identification and contact details of concern employee
  • Other identification and contact details of the cooperating person
  • Internal inspection and investigation data
  • Data on the use of ICT systems in the company

Processing period and archiving:
1 year since the record was created.

Categories of processors or recipients to whom we may disclose personal data:
Upon request, your personal data may be provided to selected external ICT suppliers, group companies.

Source of personal data:
From the operation of ICT systems or directly from you.

Transfer of personal data to third countries or multinational companies:
As part of the above-mentioned processing, your personal data will not be transferred to any third country or multinational company.

Automated decision-making on the basis of personal data:
During this personal data processing, automated decision-making based on the personal data does not occur.

Other information
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In well-founded cases, personal data can also be the subject of processing for the purposes of legal matters resolution, including the performance of obligations towards public administration bodies and monitoring and ongoing evaluation of legal risks.

Resolving requests, incidents and changes in IT

Purpose of processing:
Resolving requests, incidents and changes in IT

Description of the purpose of processing:
Your personal data is used for the system serving as a ticketing tool for provision, operation, administration and support of IT services (SkoNET, Application Management Support – AMS).

Authorisation to process:
We have a legitimate interest in carrying out this processing. We want to ensure that you are informed about the status and resolution of the ticket at ŠKODA AUTO.

Categories of personal data that we process:

  • Identification data
  • Contact details
  • Network IDs
  • Location data
  • Information about communication and interactions
  • Communication, interactions and profiles derived from this data
  • Risk profiles
  • Information regarding work performance
  • Other identification and contact details of concern employee
  • Other identification and contact details of the cooperating person
  • Internal inspection and investigation data
  • Data on the use of ICT systems in the company

Processing period and archiving:
15 years after the record was created

Categories of processors or recipients to whom we may disclose personal data:
Upon request, your personal data may be provided to selected external ICT suppliers, VW Group companies.

Source of personal data:
We obtain the personal data directly from you.

Transfer of personal data to third countries or multinational companies:
As part of the aforementioned processing, your personal data will not be transmitted to third countries or multinational companies.

Automated decision-making on the basis of personal data:
This does not occur as part of this processing.

Other information
The personal data may be subject to archiving in the public interest and used for the purposes of scientific, historical or statistical research. In justified cases, personal data may be subject to processing in order to resolve legal matters, including the performance of duties towards public authorities, and monitoring and continuous evaluation of legal risks.

Records of communication with Service Desk/Infoline

Purpose of processing:
Records of communication with Service Desk/Infoline

Description of the purpose of processing:
Your personal data are used for a system serving as a ticketing tool for the delivery of services, operation, administration and support of IT (Service Desk).

Authorisation to process:
We have a legitimate interest in carrying out this processing. We want to ensure that you are informed about the status and solution of your requirements at ŠKODA AUTO.

Categories of personal data that we process:
Audio recordings

Processing period and archiving:
3 years since the record was created.

Categories of processors or recipients to whom we may disclose personal data:
Upon request, your personal data may be provided to selected external ICT suppliers, group companies.

Source of personal data:
We obtain the personal data directly from you.

Transfer of personal data to third countries or multinational companies:
As part of the aforementioned processing, your personal data will not be transmitted to third countries or multinational companies.

Automated decision-making on the basis of personal data:
This does not occur as part of this processing.

Other information
The personal data may be subject to archiving in the public interest and used for the purposes of scientific, historical or statistical research. In justified cases, personal data may be subject to processing in order to resolve legal matters, including the performance of duties towards public authorities, and monitoring and continuous evaluation of legal risks.

Records of applications and IT components

Purpose of processing:
Records of applications and IT components

Description of the purpose of processing:
Records of applications and IT components together with the person responsible.

Authorisation to process:
We are authorised to process your data by your employment contract and the collective agreement or SLA.

Categories of personal data that we process:
  • Identification data
  • Contact details

Processing period and archiving:
For the duration of the employment relationship and for 30 days after its termination

Categories of processors or recipients to whom we may disclose personal data:
VW Group companies
Your personal data may be provided on request to public authorities, in particular the courts, the Police of the Czech Republic and other institutions active in criminal proceedings, to the necessary extent and within the bounds of the law.

Source of personal data:
We obtain the personal data directly from you.

Transfer of personal data to third countries or multinational companies:
As part of the aforementioned processing, your personal data will not be transmitted to third countries or multinational companies.

Automated decision-making on the basis of personal data:
This does not occur as part of this processing.

Other information
The personal data may be subject to archiving in the public interest and used for the purposes of scientific, historical or statistical research. In justified cases, personal data may be subject to processing in order to resolve legal matters, including the performance of duties towards public authorities, and monitoring and continuous evaluation of legal risks.

Internal verification of the compliance of a concern employee’s actions or conduct with internal rules and/or legal provisions


Purpose of processing:
Internal verification of the compliance of a concern employee’s actions or conduct with internal rules and/or legal provisions

Description of the purpose of processing:
If necessary, we may process your personal data when conducting an internal audit, the subject of which may be to investigate the compliance of your actions or behaviour with ŠKODA AUTO’s internal regulations and generally binding legislation. Personal data may also be processed in special cases where we suspect a violation of the above regulations, also in connection with “whistleblowing”, i.e. specific notification of violations of applicable laws and/or internal regulations. Personal data is processed internally in connection with such a complaint, including the recording, identification and subsequent handling of illegitimate practices. We will provide you with further information about this processing if you are involved in any related investigation, either as the person initiating the investigation or as a witness or similarly situated person, where you will be asked to make a statement as part of the investigation. Should you yourself be the subject of an investigation, we will only provide you with further information about the investigation if this will not prevent or significantly impede the achievement of the objectives of the investigation.

Authorisation to process:
We have a legitimate interest in carrying out this processing. We have a legitimate interest in ensuring that concern employees act in accordance with ŠKODA AUTO’s internal regulations and generally binding legal provisions in the performance of their work. If we process your personal data for this purpose, our authorisation to do so is based on the necessity of the processing for the establishment, exercise or defence of legal claims.

Categories of personal data that we process:
For this purpose, we may process personal data to the extent necessary to achieve the purpose of the investigation. The specific categories of personal data depend on the circumstances of the investigation.

Processing period and archiving:
We process your personal data for this purpose for a period of 3 years after the completion of the audit.

Categories of processors or recipients to whom we may disclose personal data:
VW Group companies
Your personal data may be provided on request to public authorities, in particular the courts, the Police of the Czech Republic and other institutions active in criminal proceedings, to the necessary extent and within the bounds of the law.

Source of personal data:
We obtain personal data directly from you and from third parties.

Transfer of personal data to third countries or multinational companies:
As part of the aforementioned processing, your personal data will not be transmitted to third countries or multinational companies.

Automated decision-making on the basis of personal data:
This does not occur as part of this processing.

Other information
The personal data may be subject to archiving in the public interest and used for the purposes of scientific, historical or statistical research. In justified cases, personal data may be subject to processing in order to resolve legal matters, including the performance of duties towards public authorities, and monitoring and continuous evaluation of legal risks.

Handling and recording of claims

Purpose of processing:
Handling and recording of claims

Description of the purpose of processing:
We process your personal data to the extent necessary to resolve claims in relation to an insurance company or insurance intermediary. Your personal data are recorded in the record of the relevant claim and are handed over in particular to the insurance company or insurance intermediary. If the claim results in a failure or disruption of the power system, your data may also be transmitted by the energy supplier. The protocol includes, in particular, a record of a traffic accident, recognition of the obligation to compensate for damage or a photograph from the place of the damage event.

Authorisation to process:
We have a legitimate interest in carrying out this processing. We want to ensure the protection of our property and compensation for damages.

Categories of personal data that we process:
  • Identification data
  • Contact details
  • Product specifications
  • Descriptive data
  • Photo / video

Processing period and archiving:
10 years for damage not exceeding CZK 5,000,000, otherwise archived

Categories of processors or recipients to whom we may disclose personal data:
Your personal data may be provided on request to public authorities, in particular the courts, the Police of the Czech Republic and other institutions active in criminal proceedings, to the necessary extent and within the bounds of the law.

Source of personal data:
We obtain the personal data directly from you.

Transfer of personal data to third countries or multinational companies:
As part of the aforementioned processing, your personal data will not be transmitted to third countries or multinational companies.

Automated decision-making on the basis of personal data:
This does not occur as part of this processing.

Other information
The personal data may be subject to archiving in the public interest and used for the purposes of scientific, historical or statistical research. In justified cases, personal data may be subject to processing in order to resolve legal matters, including the performance of duties towards public authorities, and monitoring and continuous evaluation of legal risks.

Provision of asset security and protection (Resolution of security incidents)

Purpose of the processing:
Provision of asset security and protection (Resolution of security incidents)

Description of the purpose of processing:
Your personal data will be used in addressing security incidents, specifically in identifying and preparing reports, maintaining records on security incidents and performing breath tests. If you cause a security incident, you will be recorded in security incident records and, for a definite period of time, you will be denied access to the site of ŠKODA AUTO or prevented from cooperating with ŠKODA AUTO.

Legal basis of the processing:
We have a legitimate interest to perform this processing. We want to ensure safety of all our employees as well as other persons moving around the site.

Categories of the personal data we process:

  • Identification data
  • Physical characteristics
  • Work performance data
  • Other identification and contact details of the concern employee
  • Records from Input Devices
  • Data about people in the perimeter
  • Photo / video
  • Product Specifications

Processing and archiving period:
20 years from recording

Categories of data processors or recipients to whom we may provide the personal data:
Hospitals
Upon request, your personal data can be provided to public authorities, in particular to courts, the Police of the Czech Republic and other law enforcement agencies to the necessary extent and within the boundaries of law.

Source of the personal data:
We receive the personal data directly from you.

Transfers of personal data to third countries or supranational organisations:
As part of the above-mentioned processing, your personal data will not be transferred to any third country or multinational company.

Automated decision-making based on the personal data:
During this personal data processing, automated decision-making based on the personal data does not occur.

Other information
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In well-founded cases, personal data can also be the subject of processing for the purposes of legal matters resolution, including the performance of obligations towards public administration bodies and monitoring and ongoing evaluation of legal risks.

Provision of fire protection

Purpose of the processing:
Provision of fire protection

Description of the purpose of processing:
We will process your personal data should an event transpire where their processing is necessary for ensuring fire protection in compliance with the applicable legislation.

Legal basis of the processing:
Fulfilling an important public interest under Union or Member State law.

Categories of the personal data we process:

  • Identification data
  • Health condition data
  • Product Specifications

Processing and archiving period:
10 years from the event.

Categories of data processors or recipients to whom we may provide the personal data:
Upon request, your personal data can be provided to public authorities, in particular to courts, the Police of the Czech Republic and other law enforcement agencies to the necessary extent and within the boundaries of law.

Source of the personal data:
We receive the personal data directly from you.

Transfers of personal data to third countries or supranational organisations:
As part of the above-mentioned processing, your personal data will not be transferred to any third country or multinational company.

Automated decision-making based on the personal data:
During this personal data processing, automated decision-making based on the personal data does not occur.

Other information
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In well-founded cases, personal data can also be the subject of processing for the purposes of legal matters resolution, including the performance of obligations towards public administration bodies and monitoring and ongoing evaluation of legal risks.

Resolving information (cyber) security incidents

Purpose of processing:
Resolving information (cyber) security incidents

Description of the purpose of processing:
Your personal data may be used to deal with information (cyber) security incidents, namely for identifying and compiling logs, keeping records of security incidents and investigating security events. The processing concerns reporters of security incidents, witnesses, persons responsible for affected ICT systems and users of affected ICT systems.

Authorisation to process:
We have a legitimate interest in carrying out this processing. We ensure the security of the ICT company and the data of our employees, customers and partners.

Categories of personal data that we process:

  • Identification data
  • Contact details
  • Network IDs
  • Location data
  • Information on mutual communication and interaction
  • Communication, interactions and profiles derived from this data
  • Risk profiles
  • Information regarding work performance
  • Other identification and contact details of the concern employee
  • Other identification and contact details of the cooperating person
  • Internal control and investigation data
  • Data on the use of ICT systems in the company

Processing period and archiving:
5 years from the creation of the record.

Categories of processors or recipients to whom we may disclose personal data:
Your personal data may be provided on request to group companies, to public authorities, in particular the courts, the Police of the Czech Republic and other institutions active in criminal proceedings, to the necessary extent and within the bounds of the law.

Source of personal data:
We obtain personal data from the operation of ICT systems or directly from you.

Transfer of personal data to third countries or multinational companies:
As part of the aforementioned processing, your personal data will not be transmitted to third countries or multinational companies.

Automated decision-making on the basis of personal data:
This does not occur as part of this processing.

Other information
The personal data may be subject to archiving in the public interest and used for the purposes of scientific, historical or statistical research. In justified cases, personal data may be subject to processing in order to resolve legal matters, including the performance of duties towards public authorities, and monitoring and continuous evaluation of legal risks.

Performing education of concern persons

Purpose of the processing:
Performing education of concern persons

Description of the purpose of processing:
Personal data of persons registered for training are used to send an invitation, issue a report and perform course assessment.

Legal basis of the processing:
We have a legitimate interest to perform this processing. We want to meet our obligations pursuant to the contract with your employer or another entity that arranges your education.

Categories of the personal data we process:

  • Identification data
  • Contact information
  • Other identification and contact details of the employee

Processing and archiving period:
10 years from the termination of the contract.

Categories of data processors or recipients to whom we may provide the personal data:
Upon request, your personal data may be provided to public authorities, in particular to courts, the Police of the Czech Republic and other law enforcement agencies to the necessary extent and within the boundaries of law.

Source of the personal data:
We obtain the personal data from third parties.

Transfers of personal data to third countries or supranational organisations:
As part of the above-mentioned processing, your personal data will not be transferred to any third country or multinational company.

Automated decision-making based on the personal data:
During this personal data processing, automated decision-making based on the personal data does not occur.

Other information
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In well-founded cases, personal data can also be the subject of processing for the purposes of legal matters resolution, including the performance of obligations towards public administration bodies and monitoring and ongoing evaluation of legal risks.