Personal Data Processing Policy

ITIS Holding a.s., ID No.: 079 61 774, with its registered office at Argentinská 1610/4, Holešovice, 170 00 Prague 7, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, File 24258 (hereinafter referred to as "ITIS") hereby, in accordance with Article 12 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR"), hereby informs data subjects and other persons about the processing of personal data[1] carried out by ITIS Holding and the principles of protection of processed personal data that are observed.

1 What is the purpose of this Personal Data Processing Policy?

ITIS places great emphasis on the protection of personal data collected and further processed. As proof of this, ITIS informs data subjects and other persons in this Personal Data Processing Policy (hereinafter referred to as the "Policy") about what personal data it collects in the course of its activities and how it handles it. This Policy applies to all data subjects anywhere in the world.

For the purposes of this Policy, a data subject is a natural person whose personal data is processed by ITIS. 

2 What personal data does ITIS process?

ITIS processes the personal data of suppliers, customers, and intra-group clients, job applicants, employees, and visitors to websites operated by the company.

3 What are the principles and procedures for processing personal data?

When processing personal data, ITIS always follows the principles and procedures set out below:

• Personal data is processed lawfully, fairly, and transparently.
• Personal data is collected only for specific and legitimate purposes and is not processed in a manner incompatible with those purposes.
• Personal data is always adequate and relevant in relation to the purpose for which it is processed.
• Personal data is accurate.
• Personal data is stored in a form that allows the data subject to be identified only for as long as is necessary for the purposes for which it is processed.
• The integrity and confidentiality of all personal data processed is always ensured.

3.1 Processing of personal data of ITIS suppliers or customers

Categories of personal data processed:

In order to ensure the performance of business activities and the implementation of normal operational activities, ITIS processes:

• identification, address, and contact details of suppliers and their contact persons;
• identification, address, and contact details of ITIS customers and their contact persons.

Legal grounds for processing personal data:

ITIS processes the personal data of suppliers and customers on the basis of the following legal grounds:

• performance of a contract concluded with the customer or supplier;
• fulfillment of obligations stipulated by law (in particular legal regulations governing accounting and taxes);
• consent of data subjects.

Purpose of personal data processing:

The purpose of processing is, in particular:

• proper provision of specific performance either by ITIS or for the benefit of ITIS (personal data necessary for the successful execution of a given transaction or provision of a service is required or collected);
• sending commercial communications and carrying out other marketing activities, including the implementation of future transactions.

Storage period:

The personal data of these suppliers and customers is processed and stored by ITIS only for the necessary period of time. The time limit for the processing of personal data is the moment when the last of the following events occurs:

• termination of the contract with the supplier/customer;
• expiry of the limitation period for the possible enforcement of claims by the contracting parties;
• expiry of the mandatory period for archiving documents containing personal data in accordance with applicable legal regulations;
• withdrawal of consent to the processing of personal data, or expiry of the period for which consent was given.

After the expiry of the personal data retention period, ITIS will delete or physically destroy the personal data concerned.

Personal data processors:

ITIS does not transfer this personal data for further processing.

3.2 Processing of personal data of intra-group clients

ITIS is the direct or indirect owner of the providers of comprehensive electronic toll collection system services CzechToll s.r.o. and SkyToll, a. s., the technology company TollNet a.s. and the supplier of machine vision for transport systems and automation, VITRONIC Machine Vision GmbH. The functioning of the "ITIS Holding" business group requires, among other things, close cooperation across these companies. ITIS has technical and human resources at its disposal, on the basis of which it provides professional services within its group for the purpose of further improving and developing the group's business activities. For this purpose, it processes other categories of personal data.

Categories of personal data processed:

In order to ensure the functioning of the group, ITIS also processes the personal data of intra-group clients:

• identification, address, and contact details of intra-group clients;
• personal data of group employees and job applicants (see Articles 3.4 and 3.5 of these Principles below).

Legal grounds for processing personal data:

ITIS processes the personal data of intra-group clients on the basis of the following legal grounds:

• performance of a contract concluded with the data subject, or actions aimed at concluding a contract with the data subject;
• fulfillment of obligations stipulated by law (in particular, legal regulations governing accounting and taxes);
• legitimate interest of ITIS in the effective management of the group;
• consent of the data subject.

Purpose of personal data processing:

The purpose of processing is, in particular:

• proper provision of specific services in relation to intra-group clients;
• ITIS's interest in the organizational, personnel, and financial management of the group;
• communication across the "ITIS Holding" business group

Storage period:

Personal data collected from intra-group clients is processed and stored by ITIS only for as long as is strictly necessary. The time limit for the processing of personal data is the moment when the last of the following events occurs:

• termination of the contract with intra-group clients;
• expiry of the limitation period for the possible enforcement of claims by the contracting parties;
• expiry of the mandatory period for archiving documents containing personal data in accordance with applicable legal regulations;
• withdrawal of consent to the processing of personal data, or expiry of the period for which consent was given.

After the expiry of the personal data retention period, ITIS will delete or physically destroy the personal data concerned.

Personal data processors:

• ITIS does not transfer this personal data for further processing.

3.3 Processing of personal data of ITIS employees

In the area of labor law, ITIS processes the personal data of its employees, as well as other persons acting on behalf of or in the interest of ITIS, including employees of employment agencies or employees of other employers temporarily assigned to work at ITIS, or contact persons of ITIS employees.

Categories of personal data processed:

Specifically, these are the following categories of personal data:

• personal data contained in a CV;
• first and last name;
• maiden name;
• permanent address, contact address;
• date and place of birth;
• birth number;
• nationality;
• ID number;
• telephone number;
• e-mail address;
• highest level of education completed;
• health status;
• information about receiving a retirement pension;
• marital status and dependents;
• job position;
• previous employer;
• work permit;
• travel documents;
• photographs;
• IT identifiers;
• remuneration for work, deductions from income, reimbursement of expenses, and compensation for property damage and non-property damage in accordance with the Labor Code;
• vehicle registration number;
• bank account number;
• third contact person.

Legal grounds for processing personal data:

Personal data collected in the context of labor law is processed by ITIS on the basis of the following legal grounds:

• performance of contracts with ITIS employees;
• fulfillment of legal obligations arising from legal regulations, in particular Act No. 262/2006 Coll., the Labor Code, as amended;
• consent of data subjects;
• legitimate interest of ITIS as an employer or former employer.

Purpose of personal data processing:

The purpose of personal data processing is to manage labor law and related matters, including the processing of personal data for payroll purposes.

Storage period:

Personal data in the area of labor law is processed and stored by ITIS only for the necessary period of time. The time limit for the processing of personal data is the moment when the last of the following events occurs:

• termination of the employment (or other similar) relationship of a specific employee;
• expiry of the limitation period for the possible enforcement of claims by the contracting parties;
• expiry of the mandatory period for archiving documents containing personal data in accordance with applicable legal regulations;
• withdrawal of consent to the processing of personal data, or expiry of the period for which consent was given.

After the expiry of the personal data retention period, ITIS will delete or physically destroy the personal data concerned.

Personal data processors:

• FINPAM s.r.o., ID No.: 03497461, with its registered office at Revoluční 1082/8, 110 00 Prague 1

ITIS has concluded personal data processing agreements with all processors that meet the requirements set out in the legal order (GDPR) and set the same level of personal data protection as is standard at ITIS.

3.4 Processing of personal data of job applicants

Categories of personal data processed:

As part of its activities in the field of labor law, ITIS processes the following personal data of job applicants:

• personal data contained in the CV;
• first and last name;
• permanent address, contact address;
• date and place of birth;
• telephone number;
• e-mail
• highest level of education completed.

Legal grounds for processing personal data:

Personal data is processed for the purposes of a specific selection procedure on the basis of consent to processing provided by the data subject and for the fulfillment of pre-contractual obligations. The data subject may also have given consent to the parent company of ITIS, PPF a.s., ID No.: 25099345, with its registered office at Evropská 2690/17, Dejvice, 160 00 Prague, which maintains the PPF recruitment database – a database of suitable candidates for use within the PPF Group. After the selection process has been completed, ITIS processes personal data for the purposes of its legitimate interest, namely for the possible need to prove that the selection process was conducted properly and transparently and for the purposes of determining, defending, and enforcing the rights of ITIS. Furthermore, if an unsuccessful candidate has given their consent to the processing of their personal data in the event of a suitable job vacancy in the future, their personal data may be further processed for a period of 4 years from the provision of the personal data.

Purpose of personal data processing:

The purposes of processing are as follows:

• processing of personal data for the purposes of the selection process;
• communication regarding the selection process by an employee of the human resources department for the purpose of introducing the company to which the applicant is applying through the selection process, or for conducting the first round of the selection process by telephone;
• sending an SMS notification about the date and place of the selection procedure;
• determining and paying remuneration to the recruitment agency in cases where the employee took up the position through the recommendation of the recruitment agency.

Storage period:

Personal data in the area of selection procedures is processed and stored by ITIS only for the necessary period of time. The time limit for the processing of personal data is the moment when the last of the following events occurs:

• the end of the selection process;
• expiry of the limitation period for the possible assertion of claims by the job applicant;
• expiry of one year from the provision of personal data by an unsuccessful applicant and retention in the database for the purpose of possible future vacancies;
• withdrawal of consent to the processing of personal data, or expiry of the period for which consent was given.

After the expiry of the personal data retention period, ITIS will delete the personal data concerned.

Personal data processors:

For the purposes of a specific selection procedure, the personal data controller may be, together with ITIS, another company within the "ITIS Holding" business group, provided that the subject of the specific selection procedure is a job position within that company. Furthermore, personal data may also be transferred to a recruitment agency with which ITIS has concluded a service agreement and which is not part of the "ITIS Holding" business group but participates in the selection procedure in question.

ITIS cooperates in the area of recruitment primarily with the following companies.

HR agencies:

• learn2grow s.r.o., ID No.: 26733765, with its registered office at Osnice 181, 252 42 Jesenice, Prague, Czech Republic;
• R4U s.r.o., ID No.: 27567656, with its registered office at Na Kozačce 1289/7, 120 00 Prague 2, Czech Republic;
• Pedersen & Partners s.r.o., ID No.: 62913956, with its registered office at 28. října 767/12, Nové Město, 110 00 Prague 1, Czech Republic;
• GIT Consult Czech s.r.o., ID No.: 26421585, with its registered office at Fugnerovo náměstí 1808/3, 120 00 Prague 2, Czech Republic;
• Neutral Freight Academy B.V., ID No.: 73115541, with its registered office at 1437 EP. ROZENBURG NH on Changiweg 1, Netherlands;
• People for You Company s.r.o., ID No.: 06442005, with its registered office at Grafická 1/7a, 153 00 Prague 5, Czech Republic;
• Rychetsky & Partners s.r.o., ID No.: 28207572, with its registered office at Soborská 1338/24, Dejvice, 160 00 Prague 6, Czech Republic;
• DRILL Management spol. s r.o., ID No.: 27384462, with its registered office at Kaprova 42/14, Staré Město, 110 00 Prague 1, Czech Republic.

Recruitment platforms:

• Nelisa s.r.o., ID No.: 099 50 311, VAT No. CZ09950311, with its registered office at Menclova 2538/2, Libeň, 180 00 Prague 8, Czech Republic;
• Alma Career Czechia s.r.o., ID No.: 26441381, with its registered office at Dock in Five
  Menclova 2538/2, 180 00 Prague 8, Czech Republic.

ITIS has concluded personal data processing agreements with all processors that meet the requirements set out in the legal framework (GDPR) and set the same level of personal data protection as is standard at ITIS.

3.5 Processing of personal data of visitors to websites operated by ITIS

ITIS currently manages the following domains:

• www.itisholding.com
• https://www.tollandmore.com/

Categories of personal data processed:

On these domains, ITIS uses cookies[2] and other related technologies (e.g., scripts[3] , web beacons[4] ; for convenience, all technologies are referred to as "cookies"). Cookies are also placed by third parties that ITIS has engaged.

ITIS uses the following categories of cookies:

• Technical or functional cookies:

Technical and functional cookies ensure that certain parts of the website function properly and that user preferences remain known. Their use is necessary for the basic functions of the website, such as the correct display of all content. The placement of functional cookies also facilitates visits to the ITIS website, for example by displaying the language version of the website according to the user's location. As a result of the use of functional cookies, the user does not have to repeatedly enter the same information when visiting the website, such as the user's identification and contact details.

These cookies are used without the user's consent, and the user cannot refuse their use.

• Marketing cookies:

Marketing cookies are cookies or any other form of local storage that are used to create user profiles for the purpose of displaying personalized advertising.

Marketing cookies are only used with the user's consent, expressed in the cookie bar displayed when viewing the ITIS website.

• Analytical cookies

Analytical cookies are used to track and subsequently analyze user behavior on our website. Based on information from analytical cookies, it is possible to track and analyze which content is most visited, how long users stay on a particular web page, and when they leave. This information can be used to improve the user experience.

Analytical cookies are only used with the user's consent, which is expressed in the cookie bar displayed when viewing our website.

Legal grounds for processing personal data:

Personal data collected on the ITIS website is processed in accordance with the following legal grounds:

• consent of the data subject;
• legitimate interest of ITIS in ensuring the optimal functioning of the website.

Purpose of personal data processing:

The purpose of processing is, in particular:

• improving the content of the website, measuring its traffic, targeting advertising, and customizing the display of the website to specific visitors.

ITIS does not use the personal data collected and processed in the operation of the website for any other purposes and does not process it in any other way than in accordance with the specific consent granted.

Storage period:

Cookies may be stored on your computer for varying lengths of time (see below). Some types of cookies are limited to the duration of the session, i.e., they only exist until the web browser is closed and are then automatically deleted. Other types of cookies remain in the web browser even after it is closed, until a specified date or until they are manually deleted by the user (these cookies can be used to identify the user's computer when the web browser is restarted). After the retention period for personal data has expired, ITIS will delete the personal data concerned.
Enabling/disabling and deleting cookies in your browser:

Users can automatically or manually delete cookies using their internet browser. Users can also specify that certain cookies may not be placed. Another option is to change the settings of the internet browser so that a message is displayed to the user each time a cookie is saved. Users can find more information about these options in their browser's Help section.

Users should note that the ITIS website may not function properly if all cookies are disabled. If users delete cookies in their browser, they will be placed again after their consent when they visit the ITIS website again.

This Policy has been synchronized with cookiedatabase.org for the area of cookies.

Personal data processors:

• Google Analytics services provided by Google LLC, registered in California, USA, under number C3066175, with its registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

4 How is personal data processed?

Personal data collected for the purposes specified in this Policy is processed by ITIS both automatically and manually, but no profiling of data subjects takes place. The processing of personal data for the purposes described above takes place primarily in the form of collecting and recording personal data, storing and structuring personal data, searching for, using, and deleting personal data.

5 How does ITIS protect the personal data it processes?

When processing personal data, ITIS always complies with the requirements of applicable laws, in particular the GDPR and Act No. 110/2019 Coll. on the processing of personal data, as amended. All personal data collected and further processed is protected against accidental or unauthorized destruction, loss, alteration, or disclosure to third parties. We have implemented and adhere to appropriate technical and organizational measures to protect the personal data we process. In particular, all ITIS employees and contractual partners of ITIS who are involved in the processing of personal data are bound by a duty of confidentiality. ITIS has internal processes in place to ensure the ongoing confidentiality, integrity, availability, and resilience of our systems. Only authorized persons have access to personal data. We regularly update our measures to protect the personal data we process. 

6 To whom may personal data be transferred?

ITIS may transfer processed personal data to the following categories of recipients:

• state authorities, in cases specified by law;
• entities within the "ITIS Holding" business group;
• our processors (see above for individual types of personal data);
• other controllers or joint controllers, if necessary to fulfill the purpose of personal data processing and if the legal title allows such transfer. ITIS does not transfer personal data processed for the purposes set out in this Policy to any international organization. Transfer to a third country is only possible within the "ITIS Holding" business group for the purposes described above. ITIS has concluded personal data processing agreements with all processors of the "ITIS Holding" business group that meet the requirements set out in the legal order (GDPR) and set the same level of personal data protection as is standard at ITIS.

7 How can you exercise your rights guaranteed by the GDPR?

Under the legal framework (GDPR), every data subject is entitled to exercise the following rights with ITIS as the personal data controller:

 7.1 The right to withdraw consent to the processing of personal data

The data subject may revoke their previously given consent to the processing of personal data by ITIS (e.g., the use of cookies on the ITIS website) and request the deletion of their personal data processed on this basis.

7.2 Right of access to personal data

The data subject has the right to obtain confirmation from ITIS as to whether or not their personal data is being processed and, if so, has the right to access their personal data and the following information:

• the purposes of the processing of personal data;
• categories of personal data processed;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed;
• the planned period for which the personal data will be stored, or, if this cannot be determined, the criteria used to determine this period;
• the existence of the right to request from ITIS the rectification or erasure of personal data or restriction of processing or to object to such processing.

The data subject has the right to obtain a copy of the personal data processed by ITIS. ITIS may charge a reasonable fee based on administrative costs for additional copies. If the data subject submits a request in electronic form, the information will be provided in a commonly used electronic form, unless the data subject requests otherwise.

7.3 Right to rectification

The data subject has the right to request that ITIS correct inaccurate personal data concerning the data subject without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

7.4 Right to erasure of personal data

The data subject has the right to request that ITIS erase personal data without undue delay if one of the following reasons applies:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• the data subject has objected to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or has objected to the processing pursuant to Article 21(2) of the GDPR;
• the personal data has been processed unlawfully;
• the personal data must be erased to comply with a legal obligation under European Union or Member State law to which ITIS is subject.

The right to erasure does not apply if the processing of personal data is necessary:

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing under European Union law or the law of a Member State to which ITIS is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in ITIS;
• for reasons of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR;
• for the establishment, exercise, or defense of legal claims.

ITIS will immediately inform the data subject of any refusal to erase personal data, including the reasons for such a decision.

7.5 Right to restriction of processing

The data subject has the right to request that ITIS restrict processing in any of the following cases:

• the data subject disputes the accuracy of the personal data, for a period enabling ITIS to verify the accuracy of the personal data;
• the processing is unlawful and the data subject refuses to have the personal data erased and requests only that its use be restricted;
• ITIS no longer needs the personal data for the purposes of the processing for which it was originally collected, but the data subject requires it for the establishment, exercise, or defense of legal claims;
• if the data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending verification whether the legitimate grounds of ITIS override those of the data subject.

Where processing has been restricted pursuant to this Article, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

7.6 Right to object to the processing of personal data

The data subject has the right to object at any time to the processing of personal data on the basis of Article 6(1)(f) of the GDPR – the legitimate interest of ITIS, including profiling based on these provisions. ITIS will no longer process personal data unless it demonstrates compelling legitimate grounds for further processing that override the interests or rights and freedoms of the data subject, or demonstrates the necessity of further processing for the establishment, exercise, or defense of legal claims.

7.7 Right to data portability

The data subject has the right to obtain personal data concerning him or her and which he or she has provided to ITIS in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller, under the conditions set out in the GDPR. When exercising their right to data portability under the previous sentence, the data subject has the right to have the personal data transferred directly by ITIS to the new controller, unless this is technically feasible.

7.8 Right not to be subject to automated individual decision-making, including profiling

The data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects on the data subject or significantly affects him or her in a similar manner. This does not apply if the decision is:

• necessary for entering into, or performance of, a contract between the data subject and ITIS;
• authorized by European Union or Member State law to which ITIS is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
• based on the explicit consent of the data subject.

The processing of personal data by the controller (ITIS) does not involve automated individual decision-making or profiling of data subjects.

7.9 Right to lodge a complaint with a supervisory authority

If the data subject believes that the processing of personal data by ITIS has violated legal regulations, they may lodge a complaint with the Office for Personal Data Protection, located at pplk. Sochora 27, 170 00 Prague 7.

8 Where can data subjects exercise their rights?

Data subjects can exercise their rights guaranteed by the GDPR at ITIS in the following ways:

• by submitting a paper form with the applicant's handwritten, officially certified signature delivered to the following address: ITIS Holding a.s., Data Protection Officer, Argentinská 1610/4, 170 00 Prague 7;
• by submitting a request in electronic form with the applicant's certified electronic signature delivered to the email address compliance@itisholding.com ;
• by submitting it in electronic form delivered to the data box of ITIS Holding a.s., data box ID pawxuhw.

9 What are the obligations of the data subject?

Each data subject must acknowledge that they are responsible for the personal data they provide and make available to ITIS within the meaning of this Policy, and must ensure that it is relevant, truthful, accurate, and not misleading. The data subject is obliged to notify ITIS (or the business partner of ITIS with whom the data subject has a contractual relationship) of any change in personal data without delay.

10 Data Protection Officer

ITIS has appointed a data protection officer. If you have any questions about the processing of personal data by ITIS, please contact the officer at the following contact details:

JUDr. Veronika Petrová, LL.M., MBA

Data Protection Officer

mailing address:

ITIS Holding a.s.

Argentinská 1610/4

170 00 Prague 7

e-mail: compliance@itisholding.com

11 Conclusion

These Principles are valid and effective from January 1, 2025. They may be amended or updated on an ongoing basis. Any changes shall become effective upon publication of the updated version on the website www.itisholding.com. Data subjects shall be informed of any significant changes well in advance of the effective date of such changes.

ITIS Holding a.s.

[1] Personal data means any information relating to an identified or identifiable natural person; An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

[2] A cookie is a small, simple file that is sent along with web pages and stored by your browser on your computer's hard drive or other device. The information stored in cookies may be returned to ITIS servers or the servers of relevant third parties during a subsequent visit.

[3] A script is a piece of program code that is used to make ITIS websites work properly and interactively. This code is run on the ITIS server or on your device.

[4] A web beacon (or pixel tag) is a small, invisible piece of text or image on a website that is used to track traffic on the website. For this purpose, various data about you is stored using web beacons.