“Time is Ltd. s.r.o.” (Controller), registerred address: Kafkova 346/14, Dejvice, Prague 6, 160 00, the Czech Republic, registered in the Commercial Register kept by the Municipal Court in Prague, section C, insert 263767, ID: 05446872, Tax Registration Number: CZ05446872
means a controller or data controller (as defined in the Data Protection Legislation)
means a data processor or processor (as defined in the Data Protection Legislation).
“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the GDPR, in particular Act no. 110/2019 Coll., on Data Processing, as later amended, (b) the Directive on Privacy and Electronic Communications (2002/58/EC) and national laws implementing it; (c) the GDPR; and (d) any other similar national privacy law
means the General Data Protection Regulation (EU) (2016/679).
“Personal Data” means any personal data (as defined in the Data Protection Legislation) Processed in connection with or as part of the Services provided to our clients or in relation of the contractual relationships with our vendors or sub-contractors or as necessary for activities that are part of our standard business operations.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).
Purpose of the Personal Data Processing
The Personal Data provided by the Time is Ltd s.r.o. clients(“clients”), suppliers (“vendors”) or subcontractors on a project by project basis (“subcontractors”) or obtained directly from their staff members and representatives are Processed by Time is Ltd s.r.o., an entity that is in contractual relationship with the respective client, vendor and/or subcontractor, for the purpose of, or in connection with the following:
1. provision of the services/receipt of the services as agreed in the respective contract with the client, vendor or subcontractor;
2. compliance with the applicable legal, regulatory or professional requirements;
3. addressing requests and communications from competent authorities;
4. contract administration, financial accounting, internal compliance and risk analysis, and client, subcontractor or vendor relationship purposes;
5. general client, vendor or sub-contractor relationship purposes (including the feedback and complaints, as well as assessment and development of business opportunities);
6. utilization of systems applications (hosted or internal) for information technology and information system services (e-mail/archiving and similar) – this may also include cloud hosted applications provided that the data security and data transfer obligations as set by the applicable Data Protection Legislation are met.
7. as another Controller, subject to the agreement between each client, vendor or sub-contractor as a Controller and Time is Ltd. as another controller and for the period of the duration of the legitimate interest of Time is Ltd., for the statistical, future business operations and benchmarking purposes, provided that such Personal Data being in an aggregate format (anonymized) and the results and any outcomes thereof being used by Time is Ltd. for the purpose of its future business operations without any restrictions, including for business purposes.
The Personal Data may include data regarding the client’s, vendor’s or subcontractor’s representatives, personnel, project team members, suppliers and contractors(“Personal Data subjects”), as well as the Personal Data included in the information obtained in relation to the contract.
Please note that this Information on Processing of Personal Data in client, vendor and subcontractor relationships does not include the information on Processing of Personal Data for the purposes of marketing, direct mailing and recruitment. The Processing of Personal Data for such purposes is described in the specific privacy statements that may be also part of an individual consent with such Personal Data Processing (where relevant). Time is Ltd s.r.o. does not Process the Personal Data for direct mailing and marketing purposes without an explicit consent. However, we may ask you for such consent in the course of Personal Data Processing for the Purposes.
Personal data categories
(a) basic identification data – name, surname, job position;
(b) contact information –work or home address, telephone number and e-mail address;
(c) invoicing and transaction data – this primarily means information that appears on invoices, about invoicing conditions agreed upon and about accepted payments;
(d) Personal data of Time is Ltd s.r.o. clients’, vendors’ and subcontractors’ employees;
(e) Personal data of Time is Ltd s.r.o. clients’, vendors’ and subcontractors’ customers, suppliers, and trading partners;
(f) history and details of clients’ vendors’ and subcontractors’ business contacts with Time is Ltd s.r.o.
(g) IP address;
(h) CCTV images and other information we collect when you access our premises (the specific and customized information on this Personal Data Processing is available in the respective Time is Ltd s.r.o. premise if applicable – the CCTV images may be also Processed by the building owner or the authorized third party);
(i) bank account number (incase that our client/ vendor and sub-contractor is a natural person).
Legal basis for your data Processing:
Time is Ltd s.r.o. Processes Personal Data only when the Processing is necessary in the following cases:
- to administer the contract, we have with you personally or to take steps to enter into the contract with you;
- for compliance with a legal obligation we are subject to;
- for the Purposes of our legitimate interest which might be:
◉ to execute and fulfil contracts with our clients, vendors or sub-contractors,
◉ to protect our business interests (including to conduct our risk and quality assessments);
◉ to ensure that the complaints or requests delivered to us are properly addressed.
The Controller is primarily Time is Ltd. s.r.o.
For the Purposes indicated above, the Personal Data may be disclosed/transferred to and Processed by the following Recipients of Personal Data:
Time is Ltd. group of entities: Time is Ltd Limited, Time is Ltd Inc.
In line with the Purposes specified here-above and to the extent necessary for the performance of Services, the Personal Data may be disclosed to another Controller within the corporate group of companies i.e.:
Time is Ltd Limited, Time is Ltd Inc.
If the transfer of Personal Data across country borders (including the territories outside of the European Union) is also required as another Controller, then the transfer will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled.
The following Processors process the Personal Data on behalf of the Controller in line with the Purposes:
Subcontractors (approved by the client in the contract or otherwise)
EU and Non-EU based service suppliers:
Our main subcontractors used for creation, operation and implementation of our Product – Time Analytics Platform (the “Product”) that may become Personal Data Processors and/or subprocessor in some cases are:
● Microsoft Ireland Operations Limited, 70 Sir Rogerson’s Quay, Dublin 2, Ireland, Microsoft Privacy
● Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Google Privacy Terms
● Google LLC, 1600 Amphitheatre Parkway, MountainView, CA 94043, USA, Google Privacy Terms
● MIXPANEL, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA, Privacy Program
● Salesforce.com Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, California 94105, USA, Privacy Overview (CRM solution)
● Elasticsearch Inc. 800 W. El Camino Real, Suite 350, Mountain View, CA 940 40, USA, Privacy Statement
The personal data controller(s) and data processor(s) are required to provide technical, physical, organisational and procedural safeguards in compliance with industry standards to prevent unauthorised access to, breach of confidentiality, breach of security, loss, unauthorised destruction or alteration of the processed Personal Data (“security incident”), all in accordance with the Controller’s instructions and internal policies and the applicable data protection laws.
The processing of Personal Data is necessary for the provision of services under the contract.
Period of the processing period for the Personal Data
Personal Data will be processed as long as it is necessary for the above-mentioned purposes (i.e. for the duration of the contract or as long as the Controller’s legal obligation exists, i.e. for 10 years after the expiration of the contract).
After this period expires, all data will be irreversibly destroyed. The Controller will retain Personal Data to the extent necessary to demonstrate its compliance with the applicable legislation or for the Time is Ltd s.r.o. legitimate interest.
The rights of Personal Data Subjects
The Controller takes all steps needed to ensure that the processing of your data is performed properly and above all securely. You are guaranteed the rights described in this article, which you can exercise towards the Controller.
The Controller will provide all communications and statements concerning the rights you exercise free of charge. If, however, your request should show itself to be manifestly unfounded or excessive, in particular due to its being a repeated request, the Controller may charge a reasonable fee based on administrative costs connected with the provision of the information. In the case of repeated application of a request for the provision of a copy of the Personal Data being processed, the Controller reserves the right to charge a reasonable fee for administrative costs for this reason.
The Controller will generally provide you with the statement and any eventual information on measures accepted as soon as possible, but within one month at the latest. However, the Controller is entitled to extend this deadline by two months when needed and with a view to the complexity and quantity of your requests. The Controller will inform you of this extension, including a listing of the reasons for it.
The right to information on the processing of your Personal Data
You are entitled to request from the Controller information on whether or not your Personal Data is being Processed. If your Personal Data is being Processed, you have the right to request from the Controller information on, in particular, the Controller’s identity and contact information and their representatives and employees responsible for Personal Data protection, on the Purposes of the Processing, on the categories of the Processed Personal Data, on the Recipients or categories of Recipients of Personal Data, on the authorized Controllers, on the list of your rights, on your options for turning to the Czech Office for Personal Data Protection, on the source of the Processed Personal Data and on automated decision-making and profiling.
If the Controller intends to Process your Personal Data for a purpose other than that for which it was acquired, the Controller will provide you with information on this further purpose and other relevant information before such further Processing. Information offered to you in the framework of the exercise of this right is contained in this Privacy Notice; this does not, however, prevent you from requesting it again.
The right to access your Personal Data
You are entitled to request from the Controller information on whether or not your Personal Data is being Processed, and, if it is being Processed, you have access to information on the Purposes of this Processing and the categories of Personal Data in question, on the data’s Recipients or categories of Recipients, its retention period, information on your rights (the right to request from the Controller a rectification or erasure; restriction of Processing; the right to raise an objection to this Processing), on the right to lodge a complaint to the Czech Office for Personal Data Protection, information on the source of the Personal Data, information on whether or not automated decision-making and profiling is taking place and information concerning the procedure used, as well as the significance and expected consequences of such Processing for you, and information and guarantees in the case of the transfer of Personal Data to a third country or international organization. You have the right to be provided with a copy of the Processed Personal Data. However, your right to acquire this copy may not adversely affect other persons’ rights and freedoms.
The right to rectification
If, on your part, there has been for example a change of residence, telephone number or other fact that can be considered Personal Data, you have the right to request from the Controller a rectification of your Personal Data. You further have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
The right to erasure (the right to be forgotten)
In certain specifically defined cases, you have the right to request that the Controller erase your Personal Data. These cases include for example the case where the processed data is no longer needed for the purposes listed above. The Personal Data Controller deletes data after the expiration of its period of necessity automatically; however, you can turn to the Controller with your request at any time. Your request is then subject to individual evaluation (even despite your right to erasure, the Controller may have obligations or legitimate interests in retaining your Personal Data), and you will be informed in detail on the handling of your request.
The right to restriction of Processing
The Controller processes your Personal Data only to the extent strictly necessary. If, however, you should feel that the Controller e.g. is acting beyond the above-defined purposes for which the Personal Data are processed, you can submit a request for your Personal Data to be processed solely for the most essential of legal reasons, or for these data to be blocked. Your request is then subject to individual evaluation, and you will be informed in detail on the handing of your request.
The right to data portability
If you wish for the Controller to provide your Personal Data to another Controller, or to another company, the Controller will transmit the data in an appropriate format to the entity that you define, if no legal or other significant barriers prevent the Controller from doing so.
The right to object and automated individual decision-making
If you have determined, or believe, that the Controller is processing your Personal Data in conflict with the protection of your privacy and personal life or in conflict with legislation (upon the assumption that your Personal Data is processed by the Controller on the basis of a public or legitimate interest or is processed for the purposes of direct marketing, including profiling, or for statistical purposes or purposes of scientific or historical interest), you can turn to the Controller and request that they provide an explanation or you can also raise an objection directly towards automated decision-making and profiling itself.
The right to lodge a complaint to the Czech Office for Personal Data Protection
At any time, you can turn to the supervisory authority with any initiative or complaint you may have concerning Personal Data processing; the Czech Office for Personal Data Protection is this authority, and it has its headquarters at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, and its website at https://www.uoou.cz/.
All of these rights may be exercised via email at the address: firstname.lastname@example.org.
You have the right to turn to the department responsible for Personal Data protection within Time is Ltd by writing to email@example.com and, likewise, the right to submit a complaint to the relevant supervisory authority (the Czech Office for Personal Data Protection).
All rights and duties arising from and related to the processing of the Personal Data are governed by the Czech law, regardless from where the access there to was made. Any dispute will be resolved by the courts in the Czech Republic having jurisdiction in accordance with the Time is Ltd registered address.