PERSONAL DATA PROCESSING POLICY
These Personal Data Processing and Protection Principles (“Principles”) set out the fundamental rules governing the collection and processing of personal data by PBS GROUP, a.s., Krakovská 583/9, 110 00 Prague 1, Company Registration No. 61057801 (“Company”) governing the collection and processing of personal data. These Principles elaborate upon the rights and obligations of the Company arising in particular from the following generally binding legal regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“);
- Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts, as amended (“Act on Certain Information Society Services“);
- Act No. 127/2005 Coll., on Electronic Communications and on Amendments to Certain Related Acts, as amended (“Act on Electronic Communications“).
These Principles shall apply to all persons visiting the Company’s website www.pbs.cz, irrespective of whether they are in a contractual relationship with the Company. The processing of cookies and similar tracking technologies is governed by a separate document – the Cookie Policy (hereinafter “Cookie Policy“).
Article 1 – Identity and Contact Details of the Controller
The controller of personal data within the meaning of Article 4(7) GDPR is:
| Column 1 | Column 2 |
|---|---|
| Business Name | PBS GROUP, a.s. |
| Registered Office | Krakovská 583/9, 110 00 Prague 1, Czech Republic |
| IČO | 61057801 |
| gdpr@pbs.cz, info@pbs.cz | |
| Website | www.pbs.cz |
The controller has appointed a Data Protection Officer. For queries regarding the processing of personal data, please contact us at gdpr@pbs.cz.
Article 2 – Definition of Personal Data
Personal data shall mean, in accordance with the GDPR, any information relating to an identified or identifiable natural person (as opposed to a legal entity). In essence, personal data encompasses any information which, either alone or in combination with other information, can serve to identify a specific natural person (“Personal Data“).
Article 3 – Categories of Personal Data Processed by the Company
1. Personal Data Provided by You:
This category comprises data entered in forms on the Company’s website or communicated to the Company via e-mail, telephone, or other communication channels. The Company processes in particular:
Contact details: first name, surname, e-mail address, telephone number, job title;
- Address details: correspondence or delivery address;
- Professional details in the case of job applications: curriculum vitae, previous experience, qualifications.
Personal data of job applicants submitted via the Jobs.cz portal are primarily processed by ALMA Career s.r.o. as an independent controller. PBS GROUP, a.s. receives applicant data of those who apply for an advertised position, either directly or through recruitment tools utilised by the Company.
Personal data of job applicants may further be processed through the Recruitis recruitment system operated by Recruitis.io s.r.o., which the Company uses to manage recruitment procedures.
2. Personal Data Collected Automatically
Automatically collected data is divided into two groups depending on when the collection occurs:
(a) Without consent – technical data necessary for the operation of the website (collected at all times; legal basis: legitimate interest pursuant to Article 6(1)(f) GDPR):
- IP address – transmitted automatically upon each connection to the server;
- Browser type and version, time zone settings – part of standard HTTP headers;
- Basic server logs: URL of the visited page, access time, HTTP status code, loading errors.
(b) Only on the basis of your consent – analytical and behavioural data (activated only upon granting consent via the cookie banner):
- Detailed visit records: pages visited, duration of visit, traffic source (Google Analytics 4);
- Information on page interaction: scrolling, clicks, mouse movement, heatmaps (Microsoft Clarity).
The processing of cookies and tracking technologies is described in detail in the Cookie Policy available via the relevant link. Analytical and behavioural tools are deactivated until consent is granted via the cookie banner.
Article 4 – Purposes of Processing and Legal Bases
Personal data is processed exclusively on the basis of one of the legal grounds set out in Article 6 GDPR. An overview of purposes and corresponding legal bases is set out below:
| Purpose of Processing | Legal Basis | Data Categories |
|---|---|---|
| Provision of requested service, product, or information | Performance of contract – Art. 6(1)(b) GDPR | Name, e-mail, phone, country, company |
| Sending commercial communications to existing customers | Legitimate interest – Art. 6(1)(f) GDPR | E-mail, name |
| Sending commercial communications to new customers | Consent – Art. 6(1)(a) GDPR | E-mail, name |
| Assessment of job applications (including processing via recruitment systems) | Performance of contract / pre-contractual steps – Art. 6(1)(b) GDPR | CV, contact details |
| Recruitment process via Jobs.cz (ALMA Career) | Consent of the data subject granted on the Jobs.cz platform | CV, contact details – transferred from ALMA Career |
| Administration and improvement of the website | Legitimate interest – Art. 6(1)(f) GDPR | IP address, visit data |
| Analytical and marketing purposes (cookies) | Consent – Art. 6(1)(a) GDPR | IP address, device identifiers |
| Compliance with legal obligations | Legal obligation – Art. 6(1)(c) GDPR | As required by the applicable legislation |
Legitimate Interest (Art. 6(1)(f) GDPR): The Company’s legitimate interest consists in sending commercial communications to existing customers concerning products and services similar to those previously purchased, in accordance with Section 7(3) of the Act on Certain Information Society Services. The interests or fundamental rights of data subjects do not override this legitimate interest, as the communications are relevant, the frequency is proportionate, and the data subject has the right to opt out at any time.
Article 5 – Recipients and Processors of Personal Data
Personal data obtained by the Company may be transferred to third parties (processors) who assist the Company in fulfilling its contractual and statutory obligations. The Company transfers personal data exclusively to processors who provide sufficient security guarantees and process the data solely on the basis of a written data processing agreement in accordance with Article 28 GDPR.
Personal data may be transferred to the following categories of recipients:
- External associates and suppliers for the purpose of fulfilling the Company’s contractual obligations;
- Hosting service provider – Amazon Web Services EMEA SARL (AWS), Luxembourg branch, EU region – for the purpose of data storage and website operation; AWS processes data exclusively on the Company’s instructions under a data processing agreement pursuant to Article 28 GDPR;
- Website administrators and developers – for the purpose of technical administration and development of the website;
- Providers of analytical and marketing tools (see Article 6 – Transfers to Third Countries);
- Postal and delivery service providers;
- Public authorities, where required by generally binding legal regulations.
- ALMA Career s.r.o. (operator of Jobs.cz) – as the controller of personal data of job applicants within the framework of advertising and recruitment services; this company processes applicant data pursuant to its own privacy policy available at https://www.almacareer.legal/document/Uh2MAG.
- Recruitis.io s.r.o. – provider of the recruitment system used to manage recruitment processes and job applicants; within this system, personal data of applicants (in particular identification and contact details, professional data and CVs) is processed. This company acts as a data processor and processes data exclusively on the Company’s instructions under a concluded data processing agreement pursuant to Article 28 GDPR; https://recruitis.io/en/privacy-notice/
Article 6 – Transfers of Personal Data to Third Countries
In connection with the operation of the website and the use of analytical and marketing tools, personal data may be transferred to the United States of America and other countries outside the European Economic Area (EEA). Such transfers are carried out exclusively on the basis of legal mechanisms ensuring an adequate level of data protection.
| Provider (Country) | Transfer Mechanism | Verification |
|---|---|---|
| Google LLC (USA) | EU-US Data Privacy Framework (DPF) | dataprivacyframework.gov |
| Meta Platforms Ireland Inc. (Ireland / USA) | EU-US Data Privacy Framework (DPF) | dataprivacyframework.gov |
| Microsoft Corporation (USA) | EU-US Data Privacy Framework (DPF) | dataprivacyframework.gov |
| LinkedIn Ireland Unlimited Co. (Ireland / USA) | EU-US Data Privacy Framework (DPF) | linkedin.com/legal/privacy-policy |
| Amazon Web Services EMEA SARL (Luxembourg, EU) | Not required – hosting in EU region (Frankfurt/Dublin) | aws.amazon.com/compliance/gdpr-center/ |
| Seznam.cz, a.s. (Czech Republic, EU) | Not required – processing within the EU | — |
| Recruitis.io s.r.o. (Czech Republic, EU) | Not required – processing within the EU | — |
| ALMA Career s.r.o. (Czech Republic, EU) | Not required – processing within the EU | https://www.almacareer.legal/document/Uh2MAG |
The EU-US Data Privacy Framework (DPF) was adopted by the European Commission on 10 July 2023 as an adequacy decision pursuant to Article 45 GDPR. The validity of the certification of individual providers may be verified at www.dataprivacyframework.gov. The Company regularly monitors the validity of certifications held by its providers.
Article 7 – Profiling and Automated Processing
On the website www.pbs.cz, profiling within the meaning of Article 4(4) GDPR takes place on the basis of your consent, i.e. automated processing of personal data for the purpose of evaluating or predicting your preferences, interests, or behaviour. Profiling is carried out through the following tools:
- Google Analytics 4 – website traffic and user behaviour analysis;
- Google Ads – creation of advertising audiences and conversion measurement;
- Meta Pixel – creation of Custom Audiences and tracking of interactions within the Meta network;
- LinkedIn Insight Tag – conversion tracking and creation of advertising audiences on LinkedIn;
- Microsoft Clarity – interaction analysis (heatmaps, session recording).
Profiling takes place exclusively on the basis of your consent granted via the cookie banner. Profiling is not carried out for the purpose of making automated decisions with legal or similarly significant effects within the meaning of Article 22 GDPR. You have the right to withdraw your consent at any time and to object to profiling pursuant to Article 21 GDPR.
Article 8 – Security and Protection of Personal Data
In order to protect Personal Data and minimise the risk of unauthorised access thereto, the Company has implemented the following organisational and technical measures:
- Organisational restrictions limiting the circle of persons authorised to handle personal data;
- Technical security of servers and the website against unauthorised interference;
- Encryption of data transmissions (HTTPS/TLS);
- Regular security reviews and employee training.
All persons who handle Personal Data are duly instructed on data protection principles and are bound by a duty of confidentiality.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, the Company shall notify you without undue delay in accordance with Article 34 GDPR.
Means of Personal Data Protection
In order to protect Personal Data and minimise the risk of unauthorised access thereto, the Company has implemented organisational and technical measures.These measures include:
- Organisational restrictions limiting the circle of persons authorised to handle Personal Data; and
- Technical security of the Company’s servers and website against unauthorised interference.
All persons who handle Personal Data are duly instructed on data protection principles and are bound by a duty of confidentiality in the course of such processing.
Article 9 – Retention Periods for Personal Data
The Company retains Personal Data only for the period strictly necessary to fulfil the purpose for which it was collected and for the period stipulated by applicable legislation. An overview of specific retention periods is set out below:
| Category of Personal Data | Retention Period | Reason / Legal Basis |
|---|---|---|
| Contractual documentation and invoicing | 10 years from contract termination | Act No. 563/1991 Coll. (Accounting Act) |
| Business correspondence | 3 years from last communication | Legitimate interest of the controller – protection of legal claims pursuant to § 629 of Act No. 89/2012 Coll., Civil Code |
| Marketing consent (new customers) | Until withdrawal, max. 2 years | Art. 7(3) GDPR – withdrawal of consent |
| Commercial communications – existing customers | Duration of the business relationship + 3 years from last communication | Legitimate interest |
| CVs and HR documentation (including data stored in recruitment systems, e.g. Recruitis.io) | 6 months from conclusion of recruitment procedure + 3 years from grant of consent | Legitimate interest, Labour Code, Art. 6(1)(b) GDPR – pre-contractual steps |
| Cookie consent records | 3 years | Art. 7(1) GDPR – demonstrating consent |
| IP addresses and website logs | 12 months | Legitimate interest – website security |
Upon expiry of the applicable retention period, Personal Data shall be securely destroyed or anonymised in a manner that prevents its attribution to a specific natural person.
Duration of Retention of Personal Data
The Company retains Personal Data only for the period strictly necessary to fulfil its contractual obligations and to comply with the obligations imposed on the Company by applicable legislation. Personal Data processed on the basis of your consent is retained only for the duration of the purpose for which such consent was given.Upon the cessation of the legal ground on the basis of which your Personal Data is processed, the Company shall destroy such Personal Data and all existing copies thereof.
Article 10 – Sources of Personal Data
The Company processes Personal Data exclusively from the following sources:
- Directly from you – via forms on the website, e-mail, or telephone communication;
- Automatically – from technical records generated upon visiting the website (IP address, cookies subject to consent);
- From publicly available sources – the Commercial Register, the Trade Licensing Register (in the context of business cooperation).
Article 11 – Rights of Data Subjects
In connection with the processing of your Personal Data by the Company, you are entitled to the following rights guaranteed by data protection legislation:
- The right to withdraw consent to the processing of Personal Data, where processing is based on consent;
- The right to request access to Personal Data and to information as to which of your Personal Data is being processed by the Company;
- The right to rectification of inaccurate Personal Data and, where necessary, to completion of incomplete Personal Data;
- The right to erasure of processed Personal Data;
- The right to restriction of the processing of Personal Data;
- The right to receive Personal Data provided to the Company in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller (right to data portability);
- The right to be informed of a Personal Data breach;
- The right to object to the processing of Personal Data; and
- The right to lodge a complaint with the supervisory authority, namely the Office for Personal Data Protection, at the address Pplk. Sochora 27, 170 00 Prague 7, or via its data mailbox at address qkbaa2n.
You may exercise your rights in writing at the Company’s registered office address or by e-mail at gdpr@pbs.cz. The Company shall respond to your request without undue delay, and in any event within one month of receipt. In complex or repeated cases, this period may be extended by a further two months, of which you shall be informed in advance.
The above rights and any complaints may be exercised with the Company as the data controller in writing at the address set out below or by e-mail at gdpr@pbs.cz.PBS GROUP, a.s.Krakovská 583/9, 110 00 Prague 1
These Principles are valid and effective as of 1 April 2026.