PRIVACY POLICY

OF THE COMPANY 

GIRITON Systems s.r.o.

Dear Madams and Sirs,

We would like to hereby inform you of the principles and procedures in the processing of personal data and protecting user privacy, being conducted in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).

The definition of the terms “Client”, “Application”, “Agreement” and “My Account” is set out in the General Terms and Conditions of the Use of the GIRITON System, which are available here: https://static.giriton.com/terms-en.pdf . The “Participant” means the partner in accordance with the affiliate programme of GIRITON available at: https://giriton.com/en/affiliate. The “Agreement” according to these Personal Data Protection Rules also means an agreement concluded between the Provider and the Partner within the GIRITON affiliate programme.

This Privacy Policy describes how GIRITON Systems s.r.o. collects, uses, shares and secures the personal data of the users of the Application. If you have questions or complaints regarding our Privacy Policy or practices, please contact us at info@giriton.com.

  1. BASIC INFORMATION 

Controller’s identification and contact information: GIRITON Systems s.r.o., identification number (IČ) 28652240, with registered office at Havířov - Prostřední Suchá, Hornosušská 1399/4b, 73564, contact address: Trnita 500/9, Brno, 60200, a company registered in the Commercial Register with the Regional Court in Ostrava, section C, file 37041 (hereinafter also referred to as the “Provider”), contact email: info@giriton.com.

Data protection officer: The Provider has not appointed a data protection officer.  

Transfer of personal data to a third country or international organization: The Provider transfers personal data to third countries only to companies that ensure an adequate level of personal data protection. These companies act only in the position of processors of personal data.

Automated individual decision-making: The Provider does not conduct automated individual decision-making or profiling.

Information on the nature of the provision of data: If personal data are being processed for the purpose of the fulfillment of an agreement or the fulfillment of legal obligations, the provision of data is a statutory requirement. If personal data are being processed on the basis of the consent of the data subject, the provision of data is a contractual requirement. 

Supervisory authority: The supervisory authority in the state of main establishment of Provider is the Office for Personal Data Protection with registered office at Pplk. Sochora 27, 170 00 Praha 7, e-mail: posta@uoou.cz, tel.: +420 234 665 125.

  2. PROVIDER AS PERSONAL DATA CONTROLLER

The Provider acts as a personal data controller in relation to the personal data of Clients, Partners and individuals who visit the website www.giriton.com.

2.1 Purpose of processing

For the purpose of the fulfillment of an agreement or the fulfillment of legal obligations, the Provider processes in particular: name, surname, title, date of birth, identification number, place of residence/address, telephone, e-mail, bank account number.

The Provider also processes data obtained from the Clients, Partners and other natural persons by using the Application or visiting the website www.giriton.com: IP address or other online identifiers.

In the event that the Provider intends to process personal data other than those specified in this article, or for other purposes, this can only be done with the valid consent for processing personal data. The consent for processing of personal data may be granted by the data subject on a separate document.

2.2 Duration of data processing

The Provider processes the personal data of Clients for the duration of the contractual relationship and for a maximum of 1 year after the termination of the contractual relationship. Personal data processed to fulfill obligations arising from specific legal regulations are processed for the duration specified by these legal regulations. In the event of the need to use personal data for the protection of the Provider's legitimate interests, the Provider processes personal data for the period necessary to exercise these rights.

2.3 Sources of personal data 

The Provider obtains personal data directly from data subjects during negotiations for concluding the Contract. The Provider always informs data subjects which personal data must be provided for the purposes of fulfilling the Agreement.

  3. PROVIDER AS PERSONAL DATA PROCESSOR

The Provider provides the Client with data space for the purposes of storing data operated within the scope of the Application, on the Provider’s servers, or within a hosting center. The Client’s data may also include personal data of natural persons. In relation to the personal data that the Client stores on the Provider’s servers, or within a hosting center, the Provider acts in the position of a personal data processor. The controller of such personal data is the Client.

3.1 Notice for end users

The Application is intended, among other things, for use in companies or by natural persons doing business in the position of a Client. The utilization of the Application may be subject to the principles and rules of the given Client, if such principles exist. If the Client processes personal data of natural persons with the use of the Application, data subjects must address inquiries regarding personal data protection to the Client, as the Client is in the position of a personal data controller. The Provider is not liable for personal data protection principles or security procedures used by the Client, which may differ from these Personal Data Protection Rules.

3.2 Purpose of processing and handling of data

The Provider does not carry out any operations upon the Client’s data, including personal data, with the exception of the storage thereof on the Provider’s servers, or within a hosting center, and in particular, it does not interfere in them, does not modify them, does not disclose or transfer them to third parties (with the exception of disclosure thereof to government authorities in accordance with the law), unless the contracting parties agree otherwise. The only purpose of handling such personal data is their storage and the option of access to the Client. 

3.3 Type of personal data being processed

Name, surname, information pertaining to arrival time to work and departure time from work, location data stored for the attendance record, fingerprint image in a form from which the print cannot be restored, location data in the course of an entire business trip, photographs, birth number (personal identification number), job position, type of employment contract, residence address, telephone, email, bank account number, hourly or monthly remuneration, etc. The Provider does not process personal data pertaining to judgments in criminal matters and criminal acts. The Provider does not process any personal data of a special category according to Art. 9 of the GDPR with the exception of those as stated above.

3.3.1 Location data. The Application may collect and use end-user location data even when the Application is not running in the foreground on a mobile phone, depending on functions that the end-user has activated in the Application on a mobile phone. This happens if one of the following functions is activated in the Application:

  1. "Automatic Geofence Attendance", where the mobile device processes the user's location even when the Application does not run in foreground. At the moment of entering or leaving premises (geofence perimeter) specified by the Client, the mobile phone sends one-time information about such entering or exiting, along with location data of the device at the moment. Continuous location data are not stored nor sent from the mobile phone in order to maximize user’s privacy protection;
  2. "GPS", where each attendance record being entered into the GIRITON system is supplemented with the current location data recorded at the time of entering attendance. Continuous location data are not processed, stored, nor sent from the mobile phone in order to maximize user’s privacy protection;
  3. "GPS" while manually running the "Business trip" activity from the mobile application, where the end user's location is recorded for the entire time the activity “Business trip” is running. Live location data from the business trip is continuously sent to the GIRITON Attendance System. The application displays a notification informing about the ongoing location logging for the entire time the activity is running and continuously sending the end user's location, even if the Application is not running in the foreground.

The location data is used exclusively for the above purposes, is available only to the end user and the Client and is not shared with third parties.

Categories of data subjects whose personal data will be processed: The Client’s employees and other natural persons with whom the Client is in a contractual relationship.

Duration of processing of personal data: The Provider processes personal data for the duration of the Agreement. After the elapse of 30 days from the termination of the Agreement, the Provider will erase (delete) all of the Client’s data stored on the Provider’s servers (or within hosting centers) or on other data carriers as of the date of termination. 

  4. RECIPIENTS OF PERSONAL DATA

The Provider does not transfer personal data to any other controllers. 

Processors of personal data are: 

Area of cooperation - Processor Identification 

Microsoft Azure - Cloud services 

Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. VAT: IE8256796U

Fakturoid - Invoicing and accounting 

Fakturoid s.r.o., V pláni 532/7, 142 00 Praha - Lhotka, Czech Republic. IČ: 04656679

Google - Emailing: Incoming and outgoing communication 

Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

Helpscout - Emailing and Chat: Incoming and outgoing communication

Help Scout PBC, 100 City Hall Plaza, 5th Floor, Boston, MA 02108, Massachusetts, USA

Mailchimp - Emailing: Newsletters

The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

SendGrid - Emailing: Emails sent from Attendance GIRITON

Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

Cloudtalk - Phone communication

CloudTalk, s.r.o., Západný rad 31, 811 04 Bratislava, Slovakia

Digisign - Electronic signing of documents in HR module of GIRITON system

Digital Solutions, s.r.o., 17. listopadu 203, 530 02 Pardubice, Czech Republic

ConvertAPI - Conversion from DOCX to PDF in module HR system GIRITON

ConvertAPI, UAB, Lauksargio g. 111, Vilnius LT-10105, Lithuania. ID 304461332

Processing of personal data may be conducted for the Provider by processors exclusively on the basis of a personal data processing agreement, i.e. with guarantees of the organizational and technical security of such data with a definition of the purpose of processing, whereby processors cannot use the data for other purposes. 

Personal data may under certain conditions be disclosed to government authorities (courts, police, notaries, financial authorities, etc., within the scope of the exercise of their statutory powers) or the Provider may disclose them directly to other entities within the scope as set out in a special law.

If the Provider transfers personal data to countries outside the European Union, it always ensures compliance with Article 44 et seq. of the GDPR and requires compliance from personal data processors. The Provider shall only transfer data to countries outside the European Union that are able to ensure the level of protection under the GDPR. 

The Provider does not transfer personal data to third countries or international organisations, except for the transfer of personal data to these processors:

  • Help Scout PBC, 100 City Hall Plaza, 5th Floor, Boston, MA 02108, Massachusetts, USA, which operates Helpscout, an Emailing and Chat tool: Communications Received and Sent. This processor ensures an adequate level of security of personal data in compliance with the GDPR, see https://docs.helpscout.com/article/1263-security-at-help-scout
  • The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA, which operates the MailChimp service - a bulk emailing tool. This processor ensures an adequate level of security of personal data in compliance with the GDPR, see https://mailchimp.com/gdpr/. In addition, the processor is a certified company under the Data Privacy Framework.
  • Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA, which operates SendGrid, a service for Emailing: Emails sent from the GIRITON system. This processor ensures an adequate level of security of personal data in compliance with the GDPR, see https://sendgrid.com/en-us/resource/general-data-protection-regulation-2. In addition, the processor is a certified company under the Data Privacy Framework.

  5. TECHNICAL SECURITY OF DATA

For the purpose of the security of the Client’s data against their unauthorized or accidental disclosure, the Provider applies reasonable and appropriate technical and organizational measures that are continuously updated. Technical measures consist in the application of technologies preventing unauthorized access by third parties to the Client’s data. For the purpose of maximum protection, the Provider uses encryption for the Client’s data, particularly of passwords for logging into the Application and all data stored on the Provider’s servers. Organizational measures are a set of rules of behavior for the Provider’s employees and are a part of the Provider’s internal rules, and are considered by the Provider to be confidential on grounds of security. If the Provider’s servers are located in a data center operated by a third party, the Provider takes care to ensure that the technical and organizational measures are implemented within such a Provider as well.

The Provider places all data only on servers located within the European Union or in countries ensuring personal data protection in a manner equivalent to the protection ensured by the legal regulations of the Czech Republic.

  6. PAYMENT GATES

The Provider utilizes third party payment gates for certain types of payments (e.g. credit card payment). If the Client utilizes payment by way of credit card or debit card through PayPal or another payment method, then, in all cases, payment card numbers or other sensitive data for payment are processed by the third party payment gate. The Provider does not store payment card numbers or other sensitive payment data, nor does it have access to them.

  7. RIGHTS OF DATA SUBJECTS

The data subject has:

  1. the right to access to personal data: The data subject has the right to obtain a confirmation from the Provider as to whether personal data pertaining to the data subject are or are not being processed, and if so, the data subject has the right to obtain access to such personal data and to the following information: a) the purpose of processing; b) the category of affected personal data; c) the recipients to which personal data have been or will be disclosed; d) the planned time period for which personal data will be stored; e) the existence of the right to require the correction or erasure of personal data from the controller or a restriction of the processing thereof, or to raise an objection to such processing; f) the right to lodge a complaint with supervisory authority; g) all available information on the source of the personal data, if they are not obtained from the data subject; h) the fact that automated decision-making is occurring, including profiling. The data subject also has the right to obtain a copy of the personal data being processed.
  2. the right to the correction of personal data: The data subject has the right for the Provider to correct inaccurate personal data pertaining to the data subject without undue delay, or to supplement incomplete personal data.
  3. the right to the erasure of personal data: The data subject has the right for the Provider to erase the data subject’s personal data pertaining to him/her without undue delay, in the event that: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on the basis of which the data were processed, and there is no other legal reason for processing; c) the data subject raises objections to processing and there are no overriding legitimate reasons for processing; d) the personal data were processed unlawfully; e) the personal data must be erased in order to fulfill a legal obligation set out within the law of the Union or of the Czech Republic; f) the personal data were collected in connection with an offer of information society services. The right to erasure shall not apply if the processing is necessary in order to fulfill legal obligations, for the establishment, exercise or defense of legal claims, and in other cases as set out within the GDPR.
  4. the right to the restriction of processing: The data subject has the right for the Provider to restrict processing, in any of the following cases: a) the data subject contests the accuracy of the personal data, for the time necessary for the Provider to verify the accuracy of the personal data; b) processing is unlawful and the data subject opposes the erasure of the personal data and, instead, requests a restriction of their use; c) the Provider no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defense of legal claims; d) the data subject has raised an objection to processing, until it is verified whether the Provider’s legitimate reasons override the legitimate reasons of the data subject. 
  5. the right to object to processing: The data subject has, on grounds pertaining to the data subject’s specific situation, the right to raise an objection at any time to the processing of personal data pertaining to him/her and which the Provider is processing on grounds of its legitimate interest. In such a case, the Provider does not process the personal data further, unless it proves serious legitimate reasons for processing that override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
  6. the right to data portability: The data subject has the right to obtain personal data pertaining to him/her that the data subject has provided to the Provider, in a structured, commonly used and machine-readable format, and the right to transfer such data to another controller, without the Provider preventing it, in the event that: a) processing is based upon consent and b) processing is being conducted by automated means. When exercising his/her right to data portability, the data subject has the right for personal data to be transferred directly by one controller to another controller, if this is technically feasible.
  7. the right to lodge a complaint with a supervisory authority: If the data subject believes that the Provider is not processing his/her personal data in a lawful manner, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement of personal data regulation. 
  8. the right to information regarding the correction or erasure of personal data or a restriction of processing: The Provider is obligated to notify individual recipients to whom personal data have been disclosed of all corrections or erasures of personal data or restrictions on processing, with the exception of cases where this is found to be impossible or it requires a disproportionate effort. If the data subject requests it, the Provider informs the data subject of such recipients.
  9. the right to be informed in the event of a breach of personal data security: If it is likely that a certain case of personal data security breach will result in a high risk to the rights and freedoms of natural persons, the Provider shall notify the data subject of such breach without undue delay.
  10. the right to withdraw consent to the processing of personal data: If the Provider processes any personal data on the basis of consent, the data subject has the right to withdraw its consent to the processing of personal data at any time in writing, by sending a non-consent to the processing of personal data to the email address info@giriton.com.

  8. COOKIE FILES

The Provider uses cookie files, small text files that identify the user of the website www.giriton.com and record the user’s activities. The text of a cookie file often consists of a series of numbers and letters that uniquely identify the user’s computer, but do not provide any specific personal data regarding the user.

The website www.giriton.com automatically identifies the user’s IP address. The IP address is the number automatically assigned to the user’s computer upon connecting to the internet. All such information is recorded in the activity file by the server, which enables the subsequent processing of data.

Types of cookies

Technical cookies: For its own legitimate purpose, the Provider uses technically necessary cookies that are necessary for the operation of the website and to ensure its functionality. These may be permanent or one-off cookies. A permanent cookie remains on your hard drive even after you close your browser. Permanent cookies may be used by the browser on subsequent visits to the Provider's website. Permanent cookies can be deleted. One-time cookies are temporary and are deleted once the browser is closed. Data contained therein is used by the Provider to operate the website, in particular to identify and resolve errors, to determine the use of the website and to make adjustments or improvements. These are uses for which the Provider has a legitimate interest in the processing of the data pursuant to Article 6(1)(f) GDPR.

You can set your browser to block these cookies. The Provider warns that in this case some parts of the website will not work.

With your consent, the Provider uses additional cookies:

Analytical cookies: these cookies help the Provider analyse how you use the website. They are used to measure and improve the performance of the website. For example, these cookies allow us to see how you came to the website, whether directly, through a search engine or via a link on a social network. In addition, the Provider learns how long you stay on the site and what links you click on.

These cookies are only stored on your device if you give your consent when you first visit the website (according to Article 6(1)(a) GDPR). Analytical cookies can be refused at any time by simply making a change in the detailed cookie settings.

Advertising cookies: these cookies allow us to display advertising based on your preferences. For example, they may be used by the Provider to create a profile of your interests and display relevant advertisements to you.

These cookies are only set on your device if you give your consent when you first visit the website (according to Article 6(1)(a) GDPR). Advertising cookies can be refused at any time by simply making a change in the detailed cookie settings. If you do not give your consent, you will not receive content and advertisements tailored to your interests.

Third party cookies may also be placed on the Provider's website. The Provider uses the following cookies:

GIRITON Systems s.r.o., Autologin, SSO and client identification, Technological cookies, Duration of processing 60 days

GIRITON Systems s.r.o., Affil identification, Identification of a partner network, Duration of processing 60 days

Google Ireland Limited, Google Analytics, Analytics, Duration of processing 400 days

IMPER CZ, s.r.o., Leady.cz, Analytics, Duration of processing 130 days

Help Scout PBC, Chat, Chat window, Duration of processing 400 days

Meta, Meta Pixel, Analytics, Duration of processing 400 days

LinkedIn, LinkedIn analytics, Analytics, Duration of processing 300 days

Cookie setting: The majority of web browsers accept cookie files automatically. However, they provide controls that enable them to be blocked or removed. Users of the website www.giriton.com are thus entitled to set their browser in such a way so that the use of cookie files on their computer is prevented. Instructions for blocking or removing cookie files in browsers may usually be found in the user documentation of individual browsers.

  9. FINAL PROVISIONS

By entering into the Agreement, the Client confirms that it has acquainted itself with these Personal Data Protection Rules. 

These Personal Data Protection Rules will be updated by the Provider if necessary. The current updated version of the Personal Data Protection Rules will always be available at the website www.giriton.com. If a significant change occurs in these Personal Data Protection Rules in regard to the manners of handling of personal data, the Provider informs the Client by publishing a notice in a visible manner prior to the implementation of such changes. The Provider recommends that the Personal Data Protection Rules be inspected from time to time when utilizing the Application or the website www.giriton.com.