1 Introductory provisions and roles
This information memorandum (hereinafter the "Memorandum") fulfils the information duty of Elvian Technologies s.r.o. (hereinafter "Elvian") under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR") and under Act No. 110/2019 Coll., on Personal Data Processing (hereinafter the "Personal Data Processing Act").
Elvian processes personal data in two distinct roles, and this Memorandum applies to both:
- Controller (Art. 4(7) GDPR) — in relation to its own employees, job applicants, suppliers, contractual partners, website visitors and client contact persons.
- Processor (Art. 4(8) and Art. 28 GDPR) — in relation to personal data of clients' employees (controllers), which Elvian processes as part of payroll accounting and HR services on the client's instructions. In this role, the client (employer) is the controller and data subjects (employees) exercise their rights primarily with the client. The rules of processing in this role are set out in a separate Data Processing Agreement (DPA), see section 11.
2 Controller and DPO identification
| Item | Details |
|---|---|
| Company name | Elvian Technologies s.r.o. |
| Registered office | Na Folimance 2155/15, 120 00 Prague 2, Czech Republic |
| IČO (Czech company ID) | 06641288 |
| DIČ (VAT ID) | CZ06641288 |
| Registration | Commercial Register kept by the Městský soud v Praze (Municipal Court in Prague) |
| Contact e-mail | info@elvian.cz |
| E-mail for GDPR enquiries | gdpr@elvian.cz |
| Data Protection Officer (DPO) | Jana Šmidílková · jana.smidilkova@elvian.cz · +420 731 462 048 |
The DPO has been appointed in accordance with Article 37 GDPR, having regard to the scope and nature of processing in the context of payroll and HR outsourcing (in particular, large-scale systematic processing of special categories of data under Article 9 GDPR).
3 Categories of personal data processed
In both roles (controller / processor) we process the following categories of personal data. The actual scope is always governed by the purpose and the principle of data minimisation under Article 5(1)(c) GDPR:
- Identification data — first name, surname, academic title, date and place of birth, personal identification number (rodné číslo), citizenship, identity document number and type.
- Contact data — permanent address, delivery address, telephone, e-mail, data box ID.
- Employment data — start and end date, job position, type of employment relationship, salary amount and components, working hours, place of work.
- Payroll data — pay, tax contributions, salary deductions, attachment of earnings orders, sickness benefits, leave, attendance.
- Education and qualifications — educational attainment, certificates, courses, medical examinations and mandatory training (occupational health and safety — BOZP).
- Family member data — only where necessary for tax allowances, health insurance or statutory benefits (spouse, dependent children).
- Bank data — bank account number for salary payment.
- Special categories of data (Art. 9 GDPR):
  - Health data — to the extent necessary for occupational medical examinations, sickness benefits, disability pension, ZTP/P (severely disabled) status for tax allowances.
  - Trade union membership — only where the employee requests a deduction of union membership fees from salary.
4 Purposes of processing
- Fulfilment of statutory duties in payroll and HR — calculation and payment of wages, tax withholdings, social security and health insurance contributions, fulfilment of notification duties.
- Fulfilment of reporting duties to public authorities — Czech Social Security Administration (ČSSZ), health insurance companies, tax office, labour office, Czech Statistical Office.
- Keeping payroll and HR records to the extent required in particular by Act No. 262/2006 Coll., the Labour Code, Act No. 586/1992 Coll., on Income Tax, and Act No. 582/1991 Coll., on the Organisation and Administration of Social Security.
- Operating the employee portal — providing employees with secure access to their own payslips, leave records and documents.
- Document archiving — to the extent and for the period set by legislation (see section 8).
- Keeping records of processing activities under Article 30 GDPR and fulfilling duties towards the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).
- Protecting Elvian's legitimate interests — enforcement of receivables, defence of legal claims, ensuring IT security (logging access).
5 Legal bases for processing
| Purpose | Legal basis |
|---|---|
| Processing payroll and HR records on the client's instructions (Elvian as processor) | Art. 28 GDPR in conjunction with Art. 6(1)(c) GDPR (legal obligation of the controller — the client) |
| Fulfilment of statutory duties (contributions, reporting, archiving) | Art. 6(1)(c) GDPR — compliance with a legal obligation |
| Processing data of Elvian's own employees | Art. 6(1)(b) GDPR (contract) + Art. 6(1)(c) GDPR |
| Employee portal and IT security (logs) | Art. 6(1)(f) GDPR — legitimate interest |
| Special categories of data — health | Art. 9(2)(b) GDPR (obligations in the field of labour law and social security) + Section 11 of the Personal Data Processing Act |
| Special categories of data — trade union membership | Art. 9(2)(a) GDPR (explicit consent of the employee) |
| Marketing communications towards business partners | Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) (legitimate interest) |
6 Recipients of personal data and sub-processors
We transfer personal data only to the following categories of recipients and always only to the extent strictly necessary to fulfil the specific purpose:
- Client (employer) — in the BPO (business process outsourcing) regime, the client is the controller of its employees' data and Elvian provides the processing outputs to the client.
- Public authorities — Czech Social Security Administration (ČSSZ), health insurance companies, tax office, labour office, courts and bodies active in criminal proceedings (within the scope of statutory notification duties or on request under the law).
- Banks and payment service providers — for the payment of wages and contributions.
- Professional advisers — auditors, tax advisers, attorneys (always under a statutory duty of confidentiality).
- Insurance companies and bailiffs — to the extent required by law (salary deductions, enforcement of judgments).
- Sub-processors — IT and cloud service providers — operators of payroll and HR software, hosting, e-mail, backup, cyber security. Sub-processors are bound by a processing contract under Article 28(4) GDPR. An up-to-date list of sub-processors is made available by Elvian to the client on request.
We do not sell personal data to third parties and we do not carry out automated decision-making with legal effects on data subjects within the meaning of Article 22 GDPR.
7 Transfers outside the EU/EEA
We process personal data primarily within the European Union and the European Economic Area. Transfers to third countries take place only in exceptional and clearly justified cases, and always under the conditions set out in Chapter V of GDPR (Article 44 et seq.):
- On the basis of a European Commission adequacy decision under Article 45 GDPR, or
- Using standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR, supplemented by additional safeguards where required by the circumstances, or
- On the basis of another safeguard listed in Articles 46 and 47 GDPR (binding corporate rules, approved codes of conduct).
8 Retention periods
Retention periods for individual categories of personal data correspond to the statutory archiving periods set in particular by the following legislation:
| Category of data | Period | Legal basis |
|---|---|---|
| Payroll sheets (mzdové listy) | 30 years following the year to which they relate | Section 35a(4) of Act No. 582/1991 Coll., on the Organisation and Administration of Social Security |
| Copies of pension insurance records (evidenční listy) | 3 calendar years following the year to which they relate | Section 38(4) of Act No. 582/1991 Coll. |
| Tax documents and VAT records | 10 years from the end of the tax period | Section 35 of Act No. 235/2004 Coll., on Value Added Tax |
| Accounting records and documents (including evidence of payroll costs) | 5 years; payroll sheets and tax documents 10 years | Section 31 of Act No. 563/1991 Coll., on Accounting |
| Payroll documents for income tax (certificates, declarations) | 10 years after the end of the tax period | Section 38n of Act No. 586/1992 Coll., on Income Tax, in conjunction with Section 148 of Act No. 280/2009 Coll., the Tax Code |
| Employee working time records | For the duration of the employment relationship | Section 96 of Act No. 262/2006 Coll., the Labour Code |
| Employment-law documentation (contracts, agreements, terminations) | 10 years from the end of the employment relationship | Contractual practice and limitation periods under Sections 629 and 636 of the Civil Code |
| Data on job applicants who were not hired | 6 months from the end of the selection process (longer only with consent) | Legitimate interest & Art. 6(1)(a) GDPR |
After the retention period expires, paper personal data are securely shredded and electronic personal data are irreversibly deleted or anonymised.
9 Data subject rights
Every data subject (employee, applicant, contact person) has the following rights in accordance with Chapter III of GDPR:
- Right of access (Art. 15) — to obtain confirmation as to whether personal data are being processed and a copy of the data processed.
- Right to rectification (Art. 16) — to correct inaccurate data or complete incomplete data.
- Right to erasure (Art. 17, "right to be forgotten") — where processing is not necessary for compliance with a legal obligation or another legal basis.
- Right to restriction of processing (Art. 18) — to pause processing in cases specified by law.
- Right to portability (Art. 20) — to receive the data in a structured, machine-readable format where processing is based on consent or contract and is carried out by automated means.
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right not to be subject to automated decision-making (Art. 22) — Elvian does not carry out such decision-making.
- Right to withdraw consent (Art. 7(3)) — at any time, where processing is based on consent (withdrawal does not have retroactive effect).
- Right to lodge a complaint with the supervisory authority — Úřad pro ochranu osobních údajů (Office for Personal Data Protection), Pplk. Sochora 27, 170 00 Prague 7, posta@uoou.cz.
Elvian responds to requests without undue delay, no later than within 1 month of receipt. In complex cases the period may be extended by a further 2 months, of which we will inform the data subject in advance.
10 Security and incident response procedure
Having regard to the nature, scope, context and purposes of processing and to the likelihood and severity of risks to the rights of data subjects, Elvian adopts appropriate technical and organisational measures under Article 32 GDPR, in particular:
- Encrypted storage (data at rest) and encrypted transport (TLS 1.2+/HTTPS for the employee portal and all web applications).
- Access management on a "need-to-know" and "least privilege" basis, multi-factor authentication (MFA) for administrator accounts.
- Regular backups with tested restoration and geographic redundancy.
- Access logging and detection of unauthorised or unusual operations.
- Confidentiality of employees and subcontractors — contractually, at the level of an internal directive and through periodic training.
- Regular training of employees in personal data protection and cyber security.
- Records of processing activities under Article 30 GDPR.
- Data Protection Impact Assessment (DPIA) under Article 35 GDPR for processing with a high risk to the rights of data subjects.
Incident response procedure: If a personal data breach within the meaning of Article 4(12) GDPR occurs, Elvian follows its internal incident response plan:
- Where Elvian is the controller, it notifies the breach to the Office for Personal Data Protection without undue delay, no later than within 72 hours of becoming aware of it, under Article 33 GDPR. It informs data subjects under Article 34 GDPR where the risk to their rights is high.
- Where Elvian is the processor, it notifies the breach to the controller (the client) without undue delay after becoming aware of it, typically within 24 hours, under Article 33(2) GDPR, and provides the necessary cooperation for the controller to fulfil its notification duties.
11 Processor role and Data Processing Agreement (DPA)
In the provision of payroll accounting and HR services, Elvian typically acts as processor within the meaning of Article 28 GDPR. The controller remains the client (employer), who determines the purposes and means of processing and issues instructions to Elvian.
The rules of processing are set out in a separate Data Processing Agreement (DPA), which forms an annex to the main client Agreement and meets the requirements of Article 28(3) GDPR. The DPA covers in particular:
- Subject-matter, duration, nature and purpose of processing, categories of data subjects and types of personal data.
- The controller's documented instructions and the processor's duties.
- Authorisation of further sub-processors (general authorisation with a duty of prior notification of changes).
- Technical and organisational security measures.
- Procedure for notifying personal data breaches to the controller.
- Cooperation in the exercise of data subject rights, DPIA and audits.
- Obligations on termination — return or deletion of personal data (at the controller's choice).
12 Contact for GDPR enquiries and complaints
General contact: info@elvian.cz
Address: Elvian Technologies s.r.o., Na Folimance 2155/15, 120 00 Prague 2, Czech Republic
Data Protection Officer (DPO): Jana Šmidílková · jana.smidilkova@elvian.cz · +420 731 462 048
We respond no later than within 1 month of receiving a request. In complex cases the period may be extended by a further 2 months, of which we will inform you.
Supervisory authority: Úřad pro ochranu osobních údajů (Office for Personal Data Protection), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz, posta@uoou.cz.