1. Definitions of Basic Terms

Website means the website (including all subdomains) operated by group zenith.
Controller means group zenith, as the entity that determines the purposes and means of processing personal data.
Privacy Policy means this Privacy Policy document.
Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Processor means a person or entity entrusted by the Controller with processing personal data on the Controller’s behalf, as defined in the Regulation.
Data Protection Officer (DPO) means the person who provides advice to the Controller in the field of personal data protection, as defined in the Regulation.
Representative means a person who provides advice to the Controller in the field of personal data protection, as defined in the Regulation.
Affected Person / Data Subject means any natural person whose personal data is processed by the Controller, as defined in the Regulation.
Personal Data Protection Act means Act No. 18/2018 Coll. on the protection of personal data, as amended.

2. Initial Provisions

The Controller’s priority is to process personal data lawfully, fairly, and correctly. Protecting your personal data is one of the standards of group zenith.

This Privacy Policy explains why and how your personal data may be processed, the legal grounds for such processing, and the rights you may exercise in relation to your personal data.

If anything in this document is unclear, we will be happy to explain. You may contact group zenith via email at: info@group-zenith.com.

3. Processing of Personal Data

The Controller may process personal data in different ways and situations depending on whether the Data Subject is a visitor to the Website, an employee of the Controller, or a statutory body and/or employee of a business partner. The Controller may also process personal data about visitors depending on how the visitor chooses to communicate with the Controller.

Regardless of the above, the Controller undertakes not to sell, commercialize, or use personal data in violation of the Regulation or other applicable data protection regulations.

The Controller respects the privacy of Data Subjects whether personal data is processed directly by the Controller or on behalf of other parties. The Controller undertakes to implement appropriate measures to protect personal data and information relating to Data Subjects in accordance with the Regulation and applicable laws.

The Controller may, in accordance with applicable law, entrust processing of personal data to a Processor. A Processor is entitled to process personal data only to the extent and under the conditions agreed with the Controller in a written contract or written authorization.

4. Rights of Each Data Subject

Each Data Subject has the following rights under the Regulation:

• Right of access to personal data

• Right to rectification

• Right to erasure (“right to be forgotten”)

• Right to restriction of processing

• Right to object and rights related to automated decision-making

• Right to data portability

• Right to object or lodge a complaint with the supervisory authority

Right of access: You have the right to confirm whether your personal data is being processed. If it is, you have the right to access information about the purpose of processing, categories of personal data, recipients, retention period, your rights, whether automated decision-making/profiling is used, and safeguards where data is transferred to third countries or international organizations. You also have the right to obtain a copy of processed personal data.

Right to rectification: If your personal data is inaccurate or outdated, please inform us and we will correct or update it.

Right to erasure: In certain cases, we must erase your personal data upon request. Each request is assessed individually, as the Controller may have a legal obligation or overriding legitimate interest to retain the data.

Right to restriction: You may request that we restrict processing of your personal data in circumstances provided by law (for example, where you contest accuracy or object to processing).

Right to object and automated decision-making: If you believe the processing of your personal data is contrary to law or interferes with your privacy, you may contact us and request an explanation or remedy. You may also object to automated decision-making. Where personal data is processed for direct marketing, you have the right to object at any time, including to profiling related to such marketing. If you object, your personal data will no longer be processed for direct marketing purposes.

Right to data portability: Where applicable, you may request that we provide your personal data in a structured, commonly used format, or transmit it to another controller, unless legal or significant obstacles prevent this.

Right to lodge a complaint: You may lodge a complaint with the relevant supervisory authority, including the Office for Personal Data Protection of the Czech Republic (OPDP), The Office of the Government of the Czech Republic, nábřeží Edvarda Beneše 4, 118 01 Praha 1 – Malá Strana, Czech Republic, organization ID: 00006599.

5. Processing of Personal Data of Job Applicants

If you apply for employment with the Controller, this section applies to you as a candidate. This section explains how the Controller uses personal data obtained from you and/or third parties during recruitment.

The Controller may obtain, for example:

• Contact details (name, address, email, telephone)

• CV information (employment history, education, skills, language skills, and any additional information you choose to include)

• Cover letter content

• Information necessary to confirm legal eligibility to work

• Declaration of integrity (where relevant), such as an extract from the criminal record

Depending on the position, the Controller may also obtain information from third parties, such as:

• Internal applications: information from your personnel file if you are an existing employee applying internally

• Assessments: evaluations of abilities/personality/cognitive skills performed via third-party tools or providers (you will receive additional details before an assessment is conducted)

• References: contacts supplied by you, or where you are an employee, references from managers/associates (where permitted)

The Controller processes candidate personal data for recruitment on the basis of the Controller’s legitimate interest in selecting suitable candidates.

The Controller may share candidate personal data with third parties where necessary, including service providers acting on the Controller’s behalf (e.g., selection agencies or contracted service providers). Such parties may process personal data only for the stated purposes and in accordance with the Controller’s instructions.

Only authorized employees will have access to candidate personal data and only as necessary for the stated purposes.

The Controller retains candidate data for the duration of the selection process and deletes it when no longer needed, unless:

• the candidate is hired (in which case data becomes part of the employment file); or

• the candidate provides consent for longer retention for a specified purpose.

Candidates have the rights listed in Section 4 of this Privacy Policy.

6. Privacy Policy for Persons Whose Personal Information Is Published on the Website

This section applies to processing of personal data of individuals referenced in articles, promotional messages, and similar content published on the Website.

The Controller processes such personal data only where a legal basis exists. The Controller may process personal data under applicable law where the legitimate interest is to inform the professional public about conferences, seminars, and related matters, unless such processing violates the data subject’s rights or is prohibited by special regulation or an international agreement binding on the Czech Republic.

Personal data is not transferred from the Controller’s databases to another country for processing; however, information may be accessible in other countries via the online version of the Website.

The Controller retains personal data for as long as necessary to fulfill the processing purpose and any applicable legal requirements, including defense against legal claims and archival needs.

The Controller does not use such personal data for automated decision-making or profiling.

The data subject has all rights listed in Section 4 of this Privacy Policy.

7. Who May Access Your Personal Data

The Controller may obtain personal data from:

• you directly (during contract formation and performance, and during the exercise of rights and obligations);

• publicly available registers and sources (e.g., commercial/trade registers and publicly available social networks); and

• third parties legally entitled to process and provide such data.

Your personal data may be accessed by the Controller, its employees, contractual agents, and external service providers. Categories of service providers may include: system administrators, IT service providers, accounting and bookkeeping service providers, tax advisors, and marketing agencies.

The Controller enters into appropriate data processing agreements with Processors and requires strict compliance with data protection obligations.

In legally defined cases, the Controller may be required to provide personal data to public authorities and entities authorized under applicable law (e.g., courts or law enforcement).

If you participate in an event (as a speaker, delegate, sponsor, etc.), other participants may have access to certain personal data where necessary to perform the relevant contract and operate the event.

8. Processing Based on Consent for Marketing Purposes

If you grant consent, the Controller may process your personal data for marketing purposes. Marketing may include offers of products and services and offers of partners. With consent, we may send such offers by email, SMS, postal mail, mobile applications (if applicable), or telephone, and may use automated processing to tailor offers to your preferences. We may also conduct market and satisfaction surveys.

You may withdraw consent at any time by email. If you withdraw consent, we will stop processing your personal data for marketing purposes to the extent required by law.

Where your consent is tied to a contractual relationship, marketing processing may continue for the duration of the contractual relationship and for five (5) years afterward, unless you withdraw consent earlier. Where there is no contract and consent is provided only for marketing, consent may be valid for three (3) years from the date granted, unless withdrawn earlier.

9. Cookie Policy

When you visit the Website, the Website may store cookies on your computer or mobile device. Cookies help the Website operate efficiently, remember your preferences, and improve your experience.

The Controller may use cookies and similar technologies to analyze traffic and improve services, including via analytics and advertising/measurement tools and the Controller’s internal systems. Where cookie data identifies a visitor, it may constitute personal data and will be processed only on a valid legal basis (such as consent or legitimate interest, as applicable).

Cookies may include:

• Session cookies (temporary; deleted when you leave the Website)

• Persistent cookies (remain stored after you leave; help recognize returning visitors)

Cookies can generally be grouped into:

• Necessary cookies (essential for core functionality)

• Operational cookies (analytics and performance; generally anonymous)

• Functional cookies (remember preferences and enhance usability)

• Advertising cookies (support advertising/measurement)

You can manage or delete cookies through your browser settings. If you disable cookies, some Website functions may not work properly.

If processing is based on your consent, you may withdraw your consent at any time.

10. How Long We Retain Personal Data

The Controller applies the data minimization principle. After the retention period ends, personal data may be anonymized within the Controller’s systems.

We retain personal data for the duration of your contractual relationship with us to provide services and fulfill contractual obligations.

Where marketing consent applies:

• if you entered into a contract and consented to marketing, consent may apply during the contractual period and for five (5) years afterward (unless withdrawn earlier);

• if there is no contract and you consented only to marketing, consent may apply for three (3) years (unless withdrawn earlier).

11. Anti-Spam Policy

The Controller maintains an anti-spam policy. (If an anti-spam policy document is provided separately, it forms part of the Controller’s compliance approach.)

12. Complaints and Contact

If you wish to contact the Controller or lodge a complaint regarding personal data processing, you may contact the DPO via email at: info@group-zenith.com.

We will respond as soon as possible and no later than one (1) month after receiving your request. This period may be extended by up to two (2) months where necessary due to complexity and the number of requests. If extended, we will inform you of the extension and the reasons.

If you are not satisfied with the response or believe your personal data is processed unlawfully, you may lodge a complaint with the relevant supervisory authority, including the OPDP. More information is available at dataprotection.gov.cz.

13. Final Provisions

The Controller may update this Privacy Policy at any time. Users of the Website acknowledge that changes will be communicated by publishing the updated Privacy Policy on the Website.

If any provision of this Privacy Policy becomes invalid, ineffective, or unenforceable, the remaining provisions remain in full force and effect. The Controller will replace any affected provision with a valid provision that most closely reflects the original purpose and meaning.