We are always looking for new talents.
To apply for a job with Grifinum, please send a cover letter together with your C.V. to hr[at]grifinum.com
1 INTRODUCTION
Grifinum is a global telecommunications provider focusing mainly on voice service and A2P messaging. We build our business primarily on professional approach, long-term experience, innovative technology and full dedication for our customers. Our major customer are Tier1s, large enterprises, global carriers, SMS aggregators, MVNOs but also smaller local retailers and niche providers. We are present at all important worldwide markets but our main focus are hard-to-reach destinations and emerging regions. We rely on latest state of the art technology, cooperating with leading providers and vendors. That enables us customer-oriented approach and flexibility to offer really tailor-made solutions focused on maximum effectivity. In our business “customer first” is not only usual quote but real aim and goal of our effort. This document provides information regarding the purpose and reason for personal data processing by our company, the manner in which we process personal data, and the categories of the data processed. You can also learn about the rights you have in connection with personal data processing and the ways of contacting us should you have any questions concerning the processing of your personal data or should you request rectification or erasure of your personal data.
2 WHO ARE WE AND HOW CAN YOU CONTACT US?
During and with regard to the provision of our services, we – Grifinum s.r.o., a company with its registered office at Zenklova 1545/39, Libeň, 180 00 Praha 8, Czech Republic, ID (Identification Number) 06861563, registered with the Municipal Court in Prague, Section C, File 290198 (hereinafter “we”, the “controller” or “Grifinum”) – collect and process your personal data as their controller. We process your personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter the “GDPR”), and with Act No. 110/2019 Coll., on personal data processing. In personal data processing, we take care to ensure that your personal data are duly protected, in particular to prevent unauthorized handling of personal data or their other misuse. You may ask questions and exercise your rights in relation to personal data processing: – by e-mail at: privacy@grifinum.com; or – by presenting your inquiry in printed form at the address of our registered office. For more details on the various options for exercising your rights, see the section Procedure in filing a request concerning personal data protection. Before we respond to any request concerning personal data protection, we are authorised and simultaneously obliged to verify the identity of the one who files the request.
3 WHAT PERSONAL DATA DO WE PROCESS?
As a data controller, we process personal data in the categories listed below. Within these categories, we always process only selected personal data as required for attaining a specific purpose, and primarily so that we are able to provide you with the relevant services or to co-operate with you. We process the following categories of personal data: – Identification and authentication data (especially the name, surname, company name, date of birth, Id. No., login details including username and password, nickname, application ID) – Address and contact details (especially the e-mail address, telephone number, address, registered office) – Operating data (especially system data on the voice and SMS switch, data on login to the application and on the payment made, if appropriate, system data on messages sent, IP address, cookies, phone number) – Data on activities (especially personal data comprised in incoming e-mails or recordings of telephone calls received by the call center, and photo documentation or any other documents regarding our mutual communication) – Economic and billing data (especially CDRs, EDRs, amount of payment, bank account number, payment card number, billing address) – Biographical data (especially data contained in the professional curriculum vitae, education attained) The specific purposes of data processing and categories of personal data that we process for the individual purposes are described in the following part: Purposes and methods of personal data processing.
4 FOR HOW LONG DO WE PROCESS YOUR PERSONAL DATA?
In most cases, we will retain your personal data for the duration of the provider-customer relationship or other contractual relationship, i.e. especially during the existence of the contract and during transport of the traffic, and also until the end of any complaint periods, statutory limitation periods and, if applicable, archiving periods laid down by the legal regulations. In cases where processing of your personal data is based on your consent, we process your personal data only for the duration of this consent. For this purpose, we keep a database of consents granted. For more detailed information on the duration of personal data processing, see the following part: Purposes and methods of personal data processing.
5 PURPOSES AND METHODS OF PERSONAL DATA PROCESSING
5.1 Concluding and maintaining a contract with another telecommunications operator If you enter into or wish to enter into a contract with us in order for us to provide services consisting in transit of traffic from you (or some other similar service), we will process your personal data for the purposes specified in the table below. We obtain personal data for these purposes directly from you or from our own operations.
5.2 SMS & Voice transit operations In cases where we transit SMS or voice traffic from an originating operator (sender) to a terminating party, we process a personal data for the purposes specified in the table below as an independent controller. We obtain personal data for these purposes directly from the originating operator or from our own operations. We are solely responsible for the personal data from their receipt or creation with the originating operator (at interconnection point 1) to the place and time of handover of the operation to the terminating operator (to interconnection connection point 2).
5.3 OTHER TYPES OF DATA SUBJECTS AND POSSIBLE PROCESSING OF THEIR PERSONAL DATA In some cases, we may process your data even if we are not delivering a traffic directly from/to you or if you have not concluded a contract with us. In that case, we process your personal data for the purposes specified in the table below. We obtain personal data for these purposes directly from you, from third parties (e.g. your employers) or from our own operations.
7 PERSONAL DATA SECURITY
Grifinum has put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Authorized persons have only granted limited access to personal data to employees, agents, contractors and other third parties who have a business need for the personal data, who would only process a personal data on Grifinum’s instructions and are subject to a duty of confidentiality. We choose carefully our suppliers based on a prior completion of a vendor risk management questionnaire and a credibility assessment. We have concluded proper data processing contracts with all our personal data processors. Grifinum has in place procedures to deal with any suspected personal data breach and will issue notifications straight away to effected data subjects and any applicable regulator if legally required.
8 PROCESSORS
Access to your personal data is limited to properly trained persons on a need-to-know basis, and anyone having access to your personal data is bound to maintain confidentiality. Your personal data are controlled and processed primarily by Grifinum itself. In cases specified by the law and in cases where our legitimate interests need to be protected, we may transfer your personal data, e.g. to governmental authorities, courts, prosecuting bodies, etc. Entities having the position of data processors, with whom we have concluded a processing agreement, may also participate in the processing of your personal data to a certain extent. The processors we use include, for example, accounting companies, tax advisors, lawyers, payment service providers, developers and marketing specialists, as well as software and cloud solution providers. For these purposes, the companies entered in the following list are considered Grifinum´s most important data processors: – Provider of the SMS center incl. monitoring and billing: Alarislabs Pte Ltd., 9 Raffles Place #26-01, Republic Plaza, Singapore https://www.alarislabs.com/privacy-notes. ALARISLABS is a software developing company that provides a suite of products enabling voice wholesale and SMS hubbing business. ALARISLABS operate servers in the EEA area and do not transfer any Personal Data provided by our customers from their clients outside EEA area. – Provider of the voice switch incl. monitoring and billing: Linxa (Linksa Yazılım Geliştirme ve Ticaret A.Ş.) TU Ayazaga Yerleskesi, ARI 1-9, Maslak Sarıyer, Istanbul, Turkey, https://www.linxa.com/privacy-policy. Linxa is an innovative software provider focusing on the Telecoms Wholesale Business offering best of breed solutions to Tier 1 to Tier 4 Communication 10 Service Providers all over the world. Linxa operates servers in the EEA area and does not transfer any Personal Data provided by GRIFINUM outside EEA area. – Provider of the accounting & bookkeeping software “POHODA”: STORMWARE s.r.o., ZaPrachárnou 4962/45, 586 01 Jihlava, Czech Republic, https://www.stormware.cz/ochranaosobnich-udaju.aspx. POHODA process personal data only in the Czech Republic or in EU member states. POHODA do not transfer personal data to third countries outside the EU.
9 YOUR RIGHTS IN RELATION TO PERSONAL DATA PROTECTION
The following rights are guaranteed to you in the area of personal data processing, and you may exercise these rights vis-à-vis our company by e-mail or by submitting your request in printed form at the address of our registered office.
9.1 Right of access to personal data Based on the right of access to information, you have specifically the right to: – request confirmation as to whether or not we process your personal data; – obtain information on the processing of your personal data, including especially information on the purposes of processing; the categories of the personal data being processed; the recipients (to whom the personal data have been or will be disclosed); the envisaged period of processing; the source of the personal data (if not obtained from you); the existence of automated decisionmaking, including profiling; and appropriate safeguards in case of a transfer of data outside the EU; – request a copy of the personal data being processed; the first copy will be provided to you free of charge.
9.2 Right to rectification of personal data If your personal data that we process are incorrect, inaccurate or have changed, you can request that they be rectified or supplemented.
9.3 Right to erasure of personal data (right to be forgotten) If the purpose for which your personal data were processed ceases to exist or if you withdraw the consent on the basis of which we processed your personal data, we will erase your personal data without undue delay. We will also erase your personal data if you exercise your right to object to the processing of personal data that we process on the basis of our legitimate interests, and we determine that the legitimate interests that would authorise us to continue such processing have already ceased to exist. If you have any doubts as to the erasure or believe that your personal data have not been erased, you may exercise your right to erasure. In some cases, we are not required to erase your personal data or any of them. These are cases where we continue to need your personal data for a proper performance of our legal obligations or for the establishment, exercise or defence of legal claims.
9.4 Right to restriction of personal data processing You have the right to claim that we restrict the processing of your personal data, especially if you contest the accuracy of the personal data being processed or if you have objected to personal data processing, for the period necessary for the relevant assessment.
9.5 Right to data portability If this is suitable for you in terms of facilitating communication with another service provider, you have the right to be provided with your personal data in a structured, commonly used and machine-readable format, or to have these data transferred directly to another controller. It is necessary that the given processing be based on your consent or performance of a contract and, at the same time, that it takes place by automated means.
9.6 Right to withdraw consent to personal data processing If you have given us a consent to the processing of your personal data, you have the right to withdraw it at any time. Once you have withdrawn the consent, we will stop processing any personal data in respect of which we have no legal ground for processing other than your consent.
9.7 Right to object and automated individual decision-making If you wish that we do not continue with the processing of your personal data that are processed by us on the basis of our legitimate interest, you may raise an objection to this effect. The objection should be substantiated, and it should be clear from its formulation why you believe that the processing in question unfavorably interferes with your privacy or protection of your rights and legally protected interests. We will then evaluate whether our legitimate interest outweighs the impact on your rights. This does not apply to data processing for direct marketing, which will be terminated automatically once we receive your objection. However, we may contact you even after you have unsubscribed from marketing communication, in order to maintain and exercise our own rights and obligations. We do not carry out automated decision-making.
9.8 Right to lodge a complaint The exercise of the above rights does not prejudice your right to lodge an application, complaint or inquiry with the competent supervisory authority. You may exercise this right especially if you believe that we are processing your personal data illegitimately or at variance with the generally binding legal regulations. The supervisory authority in the Czech Republic is the Office for Personal Data Protection, seated at Pplk. Sochora 27, 170 00 Prague 7 (http://www.uoou.cz/).
10 PROCEDURE IN FILING A REQUEST CONCERNING PERSONAL DATA PROTECTION
10.1 Who has the right to file a request? You may submit a request concerning personal data protection to us if you are a data subject, the data subject’s legal representative or guardian, or a person authorised by the data subject by means of a power of attorney. 12
10.2 How can a request be filed? You can file a request concerning your personal data: – by e-mail at privacy@grifinum.com; or – by presenting your inquiry in printed form at the address of Grifinum’s registered office at Zenklova 1545/39, Libeň, 180 00 Praha 8, Czech Republic
10.3 What has to be stated in a request? Your request must include at least your identification details, its subject (description of the substance of the request and what you claim) and your signature (if submitted in printed form). We record a majority of personal data under your telephone number or e-mail address. You should therefore state in your request to which telephone number and e-mail address your request pertains. You can then be asked to prove that you actually use the given telephone number and e-mail address. If you do not provide information necessary for a quick resolution of your request in the way you want it to be resolved, we will ask you to supplement the information. In that case, the time we have for the resolution of the request will be extended by the time you need to supplement it. Unless you ask for general information (e.g. concerning the types of personal data and the duration of their processing), your request will only be processed if we are able to verify your identity. Anonymous requests will be disregarded.
10.4 By when and how will your request be resolved? Once you have submitted your request, you will be notified that the request has been accepted for resolution. The initial notice may include references to publicly available parts of the documentation concerning personal data processing. The request will be dealt with based on a proper review of the relevant issues, and we will inform you how the request has been resolved in view of its contents. We will resolve your request without undue delay, but not later than within 30 days of the date of its proper delivery, or of the delivery of all the necessary information. If this is impossible in view of the nature of the request because of its complexity, time demands or technical difficulties or due to the number of requests filed, the above time limit for processing a request may be extended by up to sixty (60) days. We will inform you of any such extension and the reasons for doing so.
10.5 Is any fee charged for submitting a request? Requests are usually resolved free of charge. In some cases, we may charge a reasonable fee, e.g. when you request information in printed form, on a CD/DVD or on some other technical data carrier.
10.6 In what cases may a request be rejected? A request may be rejected in the following cases: – unreasonable repetition of the request (third and further requests for information or communication that are identical in terms of contents, filed over a period of six months of the first request); – the request is not justified; or 13 – the data subject fails to supplement the request in spite of being asked twice to do so or refuses to pay the fee charge by us, if no other agreement is reached.
A request may be considered unjustified in view of our other legal obligations (e.g. if you require erasure of certain personal data that we are required to process based on legal regulations). In that case, we will not satisfy the request. Furthermore, a request will also be rejected if we need to verify your identity and you do not allow us to do so. Similarly, a request cannot be satisfied if it does not contain all the information necessary for its resolution, although we have asked you to supplement it. In the refusal of your request, we will advise you about the right to lodge a complaint with the Office for Personal Data Protection or to apply for judicial remedy.
11 CONCLUSION
We present this information on personal data processing to you on the basis of Articles 12 to 14 of the GDPR and of the Personal Data Processing Act. This information is permanently available at: www.grifinum.com. The information is intended for external data subjects co-operating with Grifinum s.r.o. or using its services.