PRIVACY POLICY
BigBrainHunt s.r.o.
This Privacy Policy (hereinafter the “Policy”) informs you of how BigBrainHunt s.r.o., Company ID No.: 14221900, with its registered office at Plzeňská 155/113, Košíře, 150 00 Prague, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 42592 (hereinafter the “Company”), obtains, stores and further processes the personal data of its clients, business partners and other persons.
This Policy describes the purposes of personal data processing and the methods of such processing, and sets out the individual categories of processed personal data, the possible recipients of personal data, the period for which personal data is retained, and your rights in relation to the protection of personal data.
This Policy also applies to the website https://www.bigbrainhunt.eu/ (hereinafter the “Website”), which is operated by the Company.
The Company protects all processed personal data as strictly confidential and handles it in accordance with valid and effective legal regulations in the field of personal data protection. The security of personal data is a priority for the Company.
General Provisions
This Privacy Policy applies to:
- the processing of personal data of visitors to the Website carried out by the Company during a visit to the Website;
- the processing of personal data of clients and suppliers of the Company;
- the processing of personal data in fulfilling the legal obligations of the Company;
- the processing of personal data necessary for the purposes of protecting the legitimate interests of the Company;
- the processing of personal data on the basis of consent granted to the Company.
The aim of this Policy, issued by the Company in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended (hereinafter the “GDPR”), is to provide information about which personal data the Company, as the data controller, processes regarding natural persons in the course of supplying goods and providing services, for what purposes and for how long the Company processes such personal data in accordance with applicable legal regulations, to whom and for what reason it may transfer such data, and also to inform natural persons of the rights they have in connection with the processing of their personal data and how they may exercise these rights.
This Policy revises the Company’s information document, is effective from 5 December 2024, and is issued in accordance with the GDPR for the purpose of fulfilling the Company’s information obligation as a controller pursuant to Articles 13 and 14 of the GDPR.
Controller of Personal Data
The Company is the controller of personal data within the meaning of Article 4(7) of the GDPR. The Company therefore collects, stores and uses (and otherwise processes) personal data for the performance of its business activities (the individual purposes for which personal data are processed are defined in more detail below).
All data is protected against unauthorised access, backed up and archived for the duration of the business relationship with the customer in accordance with the Terms and Conditions or the Framework Agreement. Data backup takes place on an ongoing basis, and data is preserved even in the event of an unexpected interruption of work on questionnaires or tests during their completion for any reason.
We protect users’ personal data using modern standards. Communication between our web tools and the user is secured using SSL/TLS encryption.
The Company, as the controller of personal data, may be contacted in writing at the following address:
BigBrainHunt s.r.o.
Plzeňská 155/113
Košíře, 150 00 Prague
Or via data box: prhbyr2.
Personal Data Processed by the Company
Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person. In this case, the identified persons are:
- visitors to the Website;
- clients, customers and business partners of the Company;
- candidates seeking job positions;
- applicants for employment with the Company.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In connection with the provision of services by the Company, the following personal data may be processed.
Basic personal identification data
- first name and surname;
- date of birth;
- address of residence, registered office or place of business;
- Company ID No. (IČO), Tax ID No. (DIČ).
Contact details
- email;
- telephone number;
- data box ID;
- delivery address.
Payment details
- bank account number;
- information about payments made.
Other data stated in a CV
- information about education;
- academic title achieved;
- information about work experience;
- information about personal interests;
- other information stated and disclosed in the CV.
Purpose, Duration and Legal Grounds for Processing the Personal Data of Customers and Website Visitors
During the Company’s business activities and during visits to the Website, the personal data of customers and visitors to the Website is processed.
When visiting the Website, cookies are processed. For more detailed information about which cookies the Company processes and how, please visit the Cookies section on the website https://www.bigbrainhunt.eu/.
Personal data of customers may be processed by the Company on the following legal grounds:
Processing of personal data in the performance of a contractual obligation
The Company enters into various types of contracts with its business partners. From the perspective of fulfilling contractual obligations, the Company therefore processes the personal data of business partners primarily in order to meet its contractual obligations towards its business partners.
For the purpose of fulfilling contractual obligations, the Company processes basic personal identification data, contact details, payment details and personal data contained in written communications with business partners (see Article 3 of the Policy).
The personal data of business partners is retained for the duration of the contractual relationship between the Company and the relevant business partner, and for a further period of five years following its termination.
The Company also processes the personal data of applicants for the purposes of preparing the employment contract and other related documents necessary for a proper employment relationship.
For these purposes, personal data is processed to the extent of basic personal identification data, contact details, bank account numbers, and other data necessary for the preparation of the relevant contract. Personal data contained in the record of written communication between the Company and the applicants may also be processed for the preparation of contractual documentation.
Additional information on the retention of personal data within the framework of the employment relationship between the Company and its employees may be set out in an internal directive on the processing of personal data, with which all employees of the Company are familiarised immediately upon commencing employment.
Processing of personal data in fulfilling a legal obligation
The Company processes personal data in cases where it is necessary to fulfil the legal obligations imposed on the Company by relevant legal regulations. In particular, this concerns personal data through which the Company can demonstrate that it complies with the obligations imposed by the GDPR. For example, the Company retains data demonstrating that applicants for employment with the Company have given their consent to the processing of their personal data.
Processing of personal data on the basis of the legitimate interests of the Company
The Company may process personal data for the purpose of evaluating potential security risks and removing them, in order to maintain the highest security standard of the Website. The Company takes care to prevent, detect and counteract fraud and other unlawful or unauthorised activities in the use of the Website.
The Company also processes personal data for the purposes of its defence in the event of legal proceedings. For this purpose, the Company is entitled to retain personal data for the limitation period under Act No. 89/2012 Coll., the Civil Code, as amended (hereinafter the “Civil Code”).
Processing of personal data on the basis of consent
On the basis of express consent, the Company processes the personal data of candidates for employment who have provided the Company with their personal data by completing a form on the website or by sending a CV to the Company’s email addresses.
For these purposes, personal data is processed to the extent of basic personal identification data, contact details, and other data listed in Article 3.4.
The processing of personal data will take place for a period of 3 years, unless this consent to the processing of personal data is revoked earlier.
The Company may further process necessary personal data on the basis of the data subject’s consent to receive commercial communications.
Transfer of Personal Data to Third Parties
In the course of its business activities, the Company makes use of professional services provided by third parties. If these third parties process personal data transferred by the Company, they have the status of personal data processors and process the personal data only in accordance with the instructions given to them by the Company and must not use it otherwise.
These are:
- the provider of the Datacruit software – Datacruit s.r.o., with registered office at Václavské nám. 1, Prague 1, 110 00, Company ID No.: 03545652;
- external provider of tax advisory and accounting services – MEDICALTAXES s.r.o., Company ID No.: 07417756, with registered office at Srnčí 930/2b, Petřkovice, 725 29 Ostrava;
- external providers of legal services;
- providers of other software (e.g. Pohoda);
- external providers of cloud services – Microsoft OneDrive;
- external providers of IT systems, computer network and hardware administration services.
The Company has concluded personal data processing agreements with the processors of personal data referred to in the preceding paragraph, which guarantee at least the same level of protection of personal data as this Policy.
Furthermore, in fulfilling its legal obligations, the Company transfers personal data to administrative authorities and other public authorities if such an obligation is imposed on the Company by the relevant legal regulations. In particular, the Company may transfer any personal data listed in this Policy to bodies active in criminal proceedings if they request it in accordance with the legal regulations governing criminal proceedings.
The Company does not transfer personal data outside the EU or to international organisations, nor does it carry out automated individual decision-making.
Security of Personal Data
The Company has implemented and maintains the necessary technical and organisational measures, internal control processes and measures to ensure information security in accordance with the best care for its customers, corresponding to the possible risk to data subjects. At the same time, the Company takes into account the state of technological development in order to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure or access. These measures may include, in particular:
- taking reasonable steps to ensure the accountability of employees and members of the Company’s bodies and of entities cooperating with the Company who have access to personal data;
- training of the Company’s employees;
- regular data backup;
- implementation of data recovery procedures;
- establishment of procedures for security incidents;
- physical protection of equipment on which personal data is stored;
- software protection of equipment on which personal data is stored.
Employees and members of the Company’s bodies and entities cooperating with the Company are bound by an obligation of confidentiality regarding all facts of which they become aware while performing activities for the Company, even after the termination of their employment, membership in the Company’s bodies, or cooperation with the Company. A signed declaration of confidentiality is an integral part of the employment contract of each Company employee, as well as of the contracts concluded with members of the Company’s bodies and cooperating entities.
Rights to Personal Data
If you exercise any of the rights set out below in this Policy, or guaranteed to you by the relevant valid and effective legal regulations, the Company will subsequently inform you of the measures taken, or, where applicable, of the deletion of your personal data or the restriction of the processing of your personal data, if that was the subject of your request. The Company will also notify each recipient of personal data to whom your personal data has been provided under this Policy, if such notification is possible and/or does not require disproportionate effort.
Rights may be exercised and/or relevant information obtained:
- via email: nela.jursova@bigbrainhunt.eu;
- via data box: prhbyr2;
- in writing to the Company’s registered office address.
If you exercise your rights, the Company is entitled to require you to provide certain identification data that you have previously provided to the Company. The provision of such data is necessary to verify whether the relevant request was actually sent by the person whose personal data the Company processes.
The Company undertakes to send a reply or statement no later than within one month of receipt of your request. In justified cases, the Company reserves the right to extend this period by up to two further months.
Right of access to personal data
Pursuant to Article 15 of the GDPR, you have the right of access to your personal data, which includes, in particular, the right to obtain from the Company:
- confirmation as to whether it processes your personal data;
- information about the purposes of processing your personal data;
- information about the categories of personal data processed;
- information about the recipients to whom your personal data has been or will be disclosed;
- information about the planned period for processing your personal data;
- information about the existence of the right to request from the Company the rectification or erasure of your personal data, or the restriction of its processing, or to object to such processing;
- information about the right to lodge a complaint with a supervisory authority;
- information about the source of the personal data if it has not been obtained from you;
- information as to whether you are the subject of a decision by the Company based solely on automated processing of your personal data, including automated profiling based on your personal data;
- information about appropriate safeguards in the event of the transfer of your personal data outside the EU.
The Company will always provide the first copy of personal data free of charge.
In the event of repeated requests, the Company is entitled to charge a reasonable fee for a copy of the personal data.
Right to rectification or completion of inaccurate personal data
Pursuant to Article 16 of the GDPR, you have the right to the rectification of inaccurate personal data that the Company processes about you. Taking into account the purposes of processing, you also have the right to have incomplete personal data that the Company processes about you completed. The Company will carry out the rectification or completion without undue delay, but always with regard to its technical capabilities.
Right to erasure of personal data (the “right to be forgotten”)
Pursuant to Article 17 of the GDPR, you have the right to the erasure of your personal data, unless the Company can demonstrate legitimate grounds for processing such personal data. The Company declares that it has mechanisms in place to ensure the automatic anonymisation or erasure of personal data in cases where it is no longer needed for the purpose for which it was processed, or where the period of processing of personal data set by this Policy or by legal regulations has elapsed.
Right to restriction of processing of personal data
Pursuant to Article 18 of the GDPR, if you contest the accuracy of your personal data, the grounds for its processing, or if you object to its processing under Article 21(1) of the GDPR, you have the right to restriction of the processing of your personal data by the Company, for the period necessary to verify the legitimacy of your initiative or objection.
Right to portability of personal data
Pursuant to Article 20 of the GDPR, you have the right to the portability of your personal data that you have provided to the Company, in a structured, commonly used and machine-readable format. At the same time, you have the right in this context to ask the Company to transfer your personal data to another controller.
If exercising this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.
Right to object to the processing of personal data
Pursuant to Article 21 of the GDPR, you have the right to object to the processing of your personal data by the Company.
If the Company does not demonstrate that there are compelling legitimate grounds for processing your personal data which override your interests or rights and freedoms, the Company will, on the basis of your objection, cease processing your personal data without undue delay.
Right to withdraw consent to the processing of personal data
If consent has been granted to the Company for the processing of personal data (e.g. consent to receive commercial communications), it may be withdrawn at any time.
Withdrawal of consent must be made by an express, comprehensible and unambiguous declaration of will, either in writing to our contact address, via the email address nela.jursova@bigbrainhunt.eu, or in the manner specified in the consent granted.
Right to contact the Office for Personal Data Protection
Data subjects have the right to lodge a complaint regarding the processing of their personal data by the Company with the following administrative authority:
Office for Personal Data Protection
Pplk. Sochora 727/27
170 00 Prague 7
Website of the Office: www.uoou.cz
Updates to the Policy
The Company hereby points out that it is entitled to amend or update this Policy. Any changes to this Policy will become effective upon their publication on the Website.