Principles of Personal Data Protection

May 23, 2018

Dear clients and visitors to our website!

Thank you for your interest in our company and the services we offer. We appreciate your trust and respect the privacy of your information. Rest assured that the protection of your privacy, including your personal data, is important to us.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the “GDPR”) came into effect on 25 May 2018.

The GDPR represents a legal framework for the protection of personal data valid throughout the EU that protects citizens against unauthorised handling of their data and personal data.

Under the GDPR, “Personal data” is understood to mean all information about an identified or identifiable natural person; an identifiable natural person is a natural person that can be directly or indirectly identified, in particular with reference to a certain identifier, for example, name, identification number, location data, network identifier or one or more special elements of the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person.

Under the GDPR, “processing” is understood to mean any operation or set of operations with personal data or sets of personal data that is performed with or without the help of automatic procedures, such as gathering, recording, arranging, structuring, storing, adapting or altering, searching, viewing, using, disclosing by transfer, disseminating or any other disclosure, classifying or combining, restricting, deleting or destroying.

In accordance with the GDPR, personal data must be, in relation to a data subject:

  1. Processed correctly and in a lawful and transparent way;
  2. Gathered for certain, expressly stated and legitimate purposes—it cannot be further processed in a manner that is incompatible with such purposes;
  3. Reasonable, relevant and restricted to the necessary extent in relation to the purpose for which they are processed;
  4. Precise and, if necessary, up-to-date;
  5. Stored in a form enabling the identification of the data subjects for a period no longer than is necessary for purposes for which they are processed;
  6. Processed in a manner that ensures the appropriate security for personal data, including their protection with the help of suitable technical or organisational measures from unauthorised or unlawful processing and from random loss, destruction or damage.

We would therefore like to familiarise you with how we handle the personal data we obtain when providing our services to clients.

Trivi a.s., registered number: 28378440, registered office: Španělská 770/2, Vinohrady, 120 00 Prague 2, file reference: B 23166, registered with the Municipal Court in Prague (hereinafter “Trivi”), offers and provides its clients with services concerning accounting and tax, using automatic processing of accounts through its own technology in all accounting and tax processes.

Extent and Purpose of Processing

All lawful and fair processing of personal data can be performed only for certain, expressly stated and legitimate purposes and must be based on legal grounds specified in the GDPR.

With regard to the aforementioned principles of the GDPR and the services offered concerning accountancy and taxes, our company acts:

1) As a controller of personal data when performing the following activities:

  • Drafting tax returns;
  • Providing other tax advice;
  • Identifying clients in accordance with the AML Act;
  • Maintaining own accounts and tax records of an advisor;
  • File records;
  • Offering own related services to clients;

When performing these activities, we process the following categories of data subjects: clients, clients’ statutory representatives, third parties whose data are contained in source documents for the provision of tax advice provided by the client (e.g. family members or employees of the client); personal data categories: identification and contact data, data about economic transactions and other data necessary to determine a client’s tax liability; categories of recipients: financial and customs administration bodies, Czech Social Security Administration, health insurance companies, Czech Statistical Office and other entities determined by the client’s instructions; legal grounds of statutory processing: performance of a contract with the client; client’s legitimate interest; Trivi’s legitimate interest; performance of legal duty.

2) As a processor of personal data when performing the following activities:

  • Maintenance of the client’s accounts;
  • Processing of the client’s salary work;

Where processing of personal data takes place based on a contract on personal data processing concluded with the client, where the client is in the position of personal data controller.

When performing these activities, we process the following categories of personal data: employees and business partners of the client; employees of the client and their family members; categories of personal data: identification data and data about economic transactions, identification data, data about the performance of work and other data necessary for the calculation of salary, determining the amount of a tax liability and the amount of mandatory payments.

We process only personal data obtained from clients or from publicly available databases (e.g. the commercial register, the trades register).

Extent and Period of Processing

We only process data that are necessary, reasonable and relevant with regard to the purpose for which the data are processed, and only for the duration of this purpose.

We store the personal data that we obtain in connection with the provision of services to a client in file records for the purpose of protection of their legal claims for the period of provision of services to the client and also for a reasonable period after the end of the provision of services to the client with regard to the time bar for tax criminal offences and preclusive periods in tax proceedings, but for no more than 20 years.

We store the data necessary for performance of legal duties for the period required by legal regulations, in particular Act No. 563/1991 Coll., on accounts, as amended, Act No. 235/2004 Coll., on value added tax, as amended, and Act No. 253/2008 Coll., on some measures against money laundering and financing terrorism, as amended, but for no more than 10 years.

We do not use the data stored in file records for the protection of legal claims for other purposes.

Consent to Processing

We can process the data you provided to us also if you give us your voluntary and informed consent in accordance with Article 6(1)(a) of the GDPR. You can rescind your consent to personal data processing at any time using all ordinary communication channels, including the e-mail address gdpr@trivi.com.

Access to Personal Data

In order to ensure the appropriate security and protection of data against unauthorised or unlawful processing and against random loss, destruction or damage (both due to the external environment and due to our employees), we have adopted technical and organisational protective measures. All our employees and external co-workers are trained and contractually obligated to maintain confidentiality.

Additional Processors

We use additional processors (cloud service provider, IT administrator) for personal data processing. We conclude a contract with each processor on personal data processing and contractually oblige them to maintain confidentiality. We use processors that provide sufficient guarantees for personal data security and reasonably check that a processor meets this requirement even after the conclusion of a contract.

Clients’ Rights

We enable all clients whose data we process as the controller to exercise their rights under the GDPR, in particular the right to obtain a copy of personal data that are processed and the right to object to processing based on a legitimate interest.

We accept client requests and queries using all ordinary communication means, including the e-mail address gdpr@trivi.com. We deal with requests and queries to the full extent, properly and without undue delay, usually within 30 days of receiving them.

Clients are entitled to contact the Office for Personal Data Protection directly, www.uoou.cz.

Principles for Using Cookies

Trivi a.s. operates the website www.trivi.com and also the website www.trivi.cz (hereinafter a “Website” or the “Websites”).

  1. The Websites use cookies. A cookie is a simple text file (usually only a few kB) that a Website sends to your internet browser when you visit it. A cookie enables a Website to record information about your visit, for example the preferred language and also your individual settings. Your next visit to the Website can therefore be easier and more productive for you. Cookies are important. Browsing the internet would be much more complicated without them.
  2. Ordinarily, you can prohibit cookies by changing the settings in your internet browser. If you decide to prohibit cookies, you will lose some Website functions and functionalities. For example, you will not be able to maintain your language settings or you will not be able to mark any job offer as your “favourite”.
  3. Trivi fully respects the privacy of every individual that visits the Websites and all information gathered about users leads only to the improvement of services.
  4. The Websites also use anonymous Google Analytics cookies that are provided by Google Inc. (hereinafter “Google”) for the purpose of monitoring use and analysis of websites. Information generated by these cookies is transferred to Google, which uses them to analyse the use of the Websites and for the purpose of providing other services related to Website and internet activity. Google can share this information with third parties if required by the law or in cases where such parties process information on Google’s behalf. Google will not link the IP address to any other data processed by Google.
  5. Clicking on a link, such as on advertising banners, can take you to other websites whose rules for personal data protection may differ from Trivi’s Rules for Personal Data Processing. Trivi is not liable for such external websites, links or information provided or processed by the operators of such other websites.
  6. Please also read the General Terms and Conditions in order to learn what services the Company provides, how it is possible to use the Websites and what the Companies do to ensure the confidentiality and security of your personal data.

In the event you have any questions or need clarification, please do not hesitate to contact us.  Thank you for your trust and the opportunity to work with you.

Trivi a.s.