GIRITON Systems s.r.o.

Dear Madams and Sirs,

We would like to hereby inform you of the principles and procedures in the processing of personal data and protecting user privacy, being conducted in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).

The definition of the terms “Client”, “Application”, “Agreement” and “My Account” is set out in the General Terms and Conditions of the Use of the ATTENDANCE GIRITON System, which are available here: . The “Participant” means the partner in accordance with affiliate programme of GIRITOM available at:  The “Agreement” according to these Personal Data Protection Rules means also an agreement concluded between Provider and Partner within GIRITON affiliate programme. 

This Privacy Policy describes how GIRITON Systems s.r.o. collects, uses, shares and secures the personal data of the users of the Application. If you have questions or complaints regarding our Privacy Policy or practices, please contact us at


Controller’s identification and contact information: GIRITON Systems s.r.o., identification number (IČ) 28652240, with registered office at Havířov - Prostřední Suchá, Hornosušská 1399/4b, 73564, contact address: Trnita 500/9, Brno, 60200, a company registered in the Commercial Register with the Regional Court in Ostrava, section C, file 37041 (hereinafter also referred to as the “Provider”), contact email:

Data protection officer: The Provider has not appointed a data protection officer.  

Transfer of personal data to a third country or international organization: The Provider transfers personal data to third countries only to companies that ensure an adequate level of personal data protection. These companies act only in the position of processors of personal data.

Automated individual decision-making: The Provider does not conduct automated individual decision-making or profiling.

Information on the nature of the provision of data: If personal data are being processed for the purpose of the fulfillment of an agreement or the fulfillment of legal obligations, the provision of data is a statutory requirement. If personal data are being processed on the basis of the consent of the data subject, the provision of data is a contractual requirement. 

Supervisory authority: The supervisory authority in the state of main establishment of Provider is the Office for Personal Data Protection with registered office at Pplk. Sochora 27, 170 00 Praha 7, e-mail:, tel.: +420 234 665 125.


The Provider acts as a personal data controller in relation to the personal data of Clients, Partners and individuals who visit the website

2.1 Purpose of processing

For the purpose of the fulfillment of an agreement or the fulfillment of legal obligations, the Provider processes in particular: name, surname, title, date of birth, identification number, place of residence/address, telephone, e-mail, bank account number.

The Provider also processes data obtained from the Clients,Partners and other natural persons by using the Application or visiting the website IP address or other online identifiers.

In the event that the Provider intends to process personal data other than those specified in this article, or for other purposes, this can only be done with the valid consent for processing personal data. The consent for processing of personal data may be granted by the data subject on a separate document.

2.2 Duration of data processing

The Provider processes the personal data of Clients for the duration of the contractual relationship and for a maximum of 1 year after the termination of the contractual relationship. Personal data processed to fulfill obligations arising from specific legal regulations are processed for the duration specified by these legal regulations. In the event of the need to use personal data for the protection of the Provider's legitimate interests, the Provider processes personal data for the period necessary to exercise these rights.

2.3 Sources of personal data 

The Provider obtains personal data directly from data subjects during negotiations for concluding the Contract. The Provider always informs data subjects which personal data must be provided for the purposes of fulfilling the Agreement.


The Provider provides the Client with data space for the purposes of storing data operated within the scope of the Application, on the Provider’s servers, or within a hosting center. The Client’s data may also include personal data of natural persons. In relation to the personal data that the Client stores on the Provider’s servers, or within a hosting center, the Provider acts in the position of a personal data processor. The controller of such personal data is the Client.

3.1 Notice for end users

The Application is intended, among other things, for use in companies or by natural persons doing business in the position of a Client. The utilization of the Application may be subject to the principles and rules of the given Client, if such principles exist. If the Client processes personal data of natural persons with the use of the Application, data subjects must address inquiries regarding personal data protection to the Client, as the Client is in the position of a personal data controller. The Provider is not liable for personal data protection principles or security procedures used by the Client, which may differ from these Personal Data Protection Rules.

3.2 Purpose of processing and handling of data

The Provider does not carry out any operations upon the Client’s data, including personal data, with the exception of the storage thereof on the Provider’s servers, or within a hosting center, and in particular, it does not interfere in them, does not modify them, does not disclose or transfer them to third parties (with the exception of disclosure thereof to government authorities in accordance with the law), unless the contracting parties agree otherwise. The only purpose of handling such personal data is their storage and the option of access to the Client. 

3.3 Type of personal data being processed

Name, surname, information pertaining to arrival time to work and departure time from work, location data stored for the attendance record, finger print image in a form from which the print cannot be restored, location data in the course of an entire business trip, photographs, birth number (personal identification number), job position, type of employment contract, residence address, telephone, email, bank account number, hourly or monthly remuneration, etc. The Provider does not process personal data pertaining to judgments in criminal matters and criminal acts. The Provider does not process any personal data of a special category according to Art. 9 of the GDPR with the exception of those as stated above. 

3.3.1 Location data. The Application may collect and use end-user location data even when the Application is not running in the foreground on a mobile phone, depending on functions that the end-user has activated in the Application on a mobile phone. This happens if one of the following functions is activated in the Application:

  1. "Automatic Geofence Attendance", where the mobile device processes the user's location even when the Application does not run in foreground. At the moment of entering or leaving premises (geofence perimeter) specified by the Client, the mobile phone sends one-time information about such entering or exiting, along with location data of the device at the moment. Continuous location data are not stored nor sent from the mobile phone in order to maximize user’s privacy protection;
  2. "GPS", where each attendance record being entered into the GIRITON system is supplemented with the current location data recorded at the time of entering attendance. Continuous location data are not processed, stored, nor sent from the mobile phone in order to maximize user’s privacy protection;
  3. "GPS" while manually running the "Business trip" activity from the mobile application, where the end user's location is recorded for the entire time the activity “Business trip” is running. Live location data from the business trip is continuously sent to the GIRITON Attendance System. The application displays a notification informing about the ongoing location logging for the entire time the activity is running and continuously sending the end user's location, even if the Application is not running in the foreground.

The location data is used exclusively for the above purposes, is available only to the end user and the Client and is not shared with third parties.

Categories of data subjects whose personal data will be processed: The Client’s employees and other natural persons with whom the Client is in a contractual relationship.

Duration of processing of personal data: The Provider processes personal data for the duration of the Agreement. After the elapse of 30 days from the termination of the Agreement, the Provider will erase (delete) all of the Client’s data stored on the Provider’s servers (or within hosting centers) or on other data carriers as of the date of termination. 


The Provider does not transfer personal data to any other controllers. 

Processors of personal data are: 

Area of cooperation - Processor Identification 

Microsoft Azure - Cloud services 

Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. VAT: IE8256796U

Fakturoid - Invoicing and accounting 

Fakturoid s.r.o., V pláni 532/7, 142 00 Praha - Lhotka, Czech Republic. IČ: 04656679

Google - Emailing: Incoming and outgoing communication 

Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

Helpscout - Emailing a Chat: Incoming and outgoing communication 

Help Scout PBC, 100 City Hall Plaza, 5th Floor,
Boston, MA 02108, Massachusetts, USA

Mailchimp - Emailing: Newsletters

The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

SendGrid - Emailing: Emails sent from Attendance GIRITON

Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

Cloudtalk - Phone communication

CloudTalk, s.r.o., Západný rad 31, 811 04 Bratislava, Slovakia

Digisign - Electronic signing of documents in HR module of GIRITON system

Digital Solutions, s.r.o., 17. listopadu 203, 530 02 Pardubice, Czech Republic

ConvertAPI - Conversion from DOCX to PDF in module HR system GIRITON

ConvertAPI, UAB, Lauksargio g. 111, Vilnius LT-10105, Lithuania. ID 304461332

Processing of personal data may be conducted for the Provider by processors exclusively on the basis of a personal data processing agreement, i.e. with guarantees of the organizational and technical security of such data with a definition of the purpose of processing, whereby processors cannot use the data for other purposes. 

Personal data may under certain conditions be disclosed to government authorities (courts, police, notaries, financial authorities, etc., within the scope of the exercise of their statutory powers) or the Provider may disclose them directly to other entities within the scope as set out in a special law.


For the purpose of the security of the Client’s data against their unauthorized or accidental disclosure, the Provider applies reasonable and appropriate technical and organizational measures that are continuously updated. Technical measures consisting in the application of technologies preventing unauthorized access by third parties to the Client’s data. For the purpose of maximum protection, the Provider uses encryption for the Client’s data, particularly of passwords for logging into the Application and all data stored on the Provider’s servers. Organizational measures are a set of rules of behavior for the Provider’s employees and are a part of the Provider’s internal rules, and are considered by the Provider to be confidential on grounds of security. If the Provider’s servers are located in a data center operated by a third party, the Provider takes care to ensure that the technical and organizational measures are implemented within such a Provider as well.

The Provider places all data only on servers located within the European Union or in countries ensuring personal data protection in a manner equivalent to the protection ensured by the legal regulations of the Czech Republic.


The Provider utilizes third party payment gates for certain types of payments (e.g. credit card payment). If the Client utilizes payment by way of credit card or debit card through PayPal or another payment method, then, in all cases, payment card numbers or other sensitive data for payment are processed by the third party payment gate. The Provider does not store payment card numbers or other sensitive payment data, nor does it have access to them.


The data subject has:

  1. the right to access to personal data: The data subject has the right to obtain a confirmation from the Provider as to whether personal data pertaining to the data subject are or are not being processed, and if so, the data subject has the right to obtain access to such personal data and to the following information: a) the purpose of processing; b) the category of affected personal data; c) the recipients to which personal data have been or will be disclosed; d) the planned time period for which personal data will be stored; e) the existence of the right to require the correction or erasure of personal data from the controller or a restriction of the processing thereof, or to raise an objection to such processing; f) the right to lodge a complaint with supervisory authority; g) all available information on the source of the personal data, if they are not obtained from the data subject; h) the fact that automated decision-making is occurring, including profiling. The data subject also has the right to obtain a copy of the personal data being processed.
  2. the right to the correction of personal data: The data subject has the right for the Provider to correct inaccurate personal data pertaining to the data subject without undue delay, or to supplement incomplete personal data.
  3. the right to the erasure of personal data: The data subject has the right for the Provider to erase the data subject’s personal data pertaining to him/her without undue delay, in the event that: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on the basis of which the data were processed, and there is no other legal reason for processing; c) the data subject raises objections to processing and there are no overriding legitimate reasons for processing; d) the personal data were processed unlawfully; e) the personal data must be erased in order to fulfill a legal obligation set out within the law of the Union or of the Czech Republic; f) the personal data were collected in connection with an offer of information society services. The right to erasure shall not apply if the processing is necessary in order to fulfill legal obligations, for the establishment, exercise or defense of legal claims, and in other cases as set out within the GDPR.
  4. the right to the restriction of processing: The data subject has the right for the Provider to restrict processing, in any of the following cases: a) the data subject contests the accuracy of the personal data, for the time necessary for the Provider to verify the accuracy of the personal data; b) processing is unlawful and the data subject opposes the erasure of the personal data and, instead, requests a restriction of their use; c) the Provider no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defense of legal claims; d) the data subject has raised an objection to processing, until it is verified whether the Provider’s legitimate reasons override the legitimate reasons of the data subject. 
  5. the right to object to processing: The data subject has, on grounds pertaining to the data subject’s specific situation, the right to raise an objection at any time to the processing of personal data pertaining to him/her and which the Provider is processing on grounds of its legitimate interest. In such a case, the Provider does not process the personal data further, unless it proves serious legitimate reasons for processing that override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
  6. the right to data portability: The data subject has the right to obtain personal data pertaining to him/her that the data subject has provided to the Provider, in a structured, commonly used and machine-readable format, and the right to transfer such data to another controller, without the Provider preventing it, in the event that: a) processing is based upon consent and b) processing is being conducted by automated means. When exercising his/her right to data portability, the data subject has the right for personal data to be transferred directly by one controller to another controller, if this is technically feasible.
  7. the right to lodge a complaint with a supervisory authority: If the data subject believes that the Provider is not processing his/her personal data in a lawful manner, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement of personal data regulation. 
  8. the right to information regarding the correction or erasure of personal data or a restriction of processing: The Provider is obligated to notify individual recipients to whom personal data have been disclosed of all corrections or erasures of personal data or restrictions on processing, with the exception of cases where this is found to be impossible or it requires a disproportionate effort. If the data subject requests it, the Provider informs the data subject of such recipients.
  9. the right to be informed in the event of a breach of personal data security: If it is likely that a certain case of personal data security breach will result in a high risk to the rights and freedoms of natural persons, the Provider shall notify the data subject of such breach without undue delay.
  10. the right to withdraw consent to the processing of personal data: If the Provider processes any personal data on the basis of consent, the data subject has the right to withdraw its consent to the processing of personal data at any time in writing, by sending a non-consent to the processing of personal data to the email address


The Provider uses cookie files, small text files that identify the user of the website and record the user’s user activities. The text of a cookie file often consists of a series of numbers and letters that uniquely identify the user’s computer, but do not provide any specific personal data regarding the user. 

The website automatically identifies the user’s IP address. The IP address is the number automatically assigned to the user’s computer upon connecting to the internet. All such information is recorded in the activity file by the server, which enables the subsequent processing of data.

Purpose of using cookie files: The Provider uses cookie files and similar technologies for several purposes, which include:

  • Logging in and authentication. As soon as the Client uses the “remember Application log-in” function, an encrypted cookie file is stored on the Client’s device, which enables the Client to move between the website’s pages without the need to log in repeatedly.
  • Security. The Provides uses cookie files in order to reveal fraud and misuse of the website and of the Application.
  • Analysis. The provider uses cookie files and other identifiers for the purpose of collecting data on the use and performance of the website

Third party cookie files may also be located on the website For example, this may be so because the Provider has authorized a third party to, for example, conduct a site analysis. The Provider utilizes the following service providers: 

  • Google Analytics service – the company Google 
  • Smartsupp service – the company, s.r.o., identification number (IČ) 03668681, Milady Horákové 1957/13, Černá Pole, Brno 602 00, Czech Republic
  • service – the company IMPER CZ, s.r.o., identification number (IČ) 28547888, Viktora Huga 359/6, Praha 5, 15000, Czech Republic

Cookie setting: The majority of web browsers accept cookie files automatically. However, they provide controls that enable them to be blocked or removed. Users of the website are thus entitled to set their browser in such a way so that the use of cookie files on their computer is prevented. Instructions for blocking or removing cookie files in browsers may usually be found in the user documentation of individual browsers.


By entering into the Agreement, the Client confirms that it has acquainted itself with these Personal Data Protection Rules. 

These Personal Data Protection Rules will be updated by the Provider if necessary. The current updated version of the Personal Data Protection Rules will always be available at the website If a significant change occurs in these Personal Data Protection Rules in regard to the manners of handling of personal data, the Provider informs the Client by publishing a notice in a visible manner prior to the implementation of such changes. The Provider recommends that the Personal Data Protection Rules be inspected from time to time when utilizing the Application or the website