PRIVACY POLICY

PRINCIPLES OF PROCESSING AND PROTECTION OF PERSONAL DATA
by JK Education, s.r.o.
as of September 1st, 2025


JK Education, s.r.o.
with its registered office at Svatoslavova 333/4, Nusle, 140 00 Praha 4
Company Reg. No.: 015 55 804
Data box identifier: c9tti7i
File number C 280537, Municipal court in Prague
tel: +420 703 141 151
e-mail: info@jkeducation.cz  


The Controller processes your personal data through its authorized employees or associates and also through verified processors, provided that these persons:

a) are carefully selected and vetted, are of integrity and competent to ensure proper protection of your personal data,
b) are bound by confidentiality obligations under strict sanctions,
c) are bound by strict processing rules and are also required to maintain all security standards set by the Controller, which are regularly monitored,
d) always process only such scope of your personal data as is necessary for the performance of a particular processing act, and only for the strictly necessary period of time,
e) always process your personal data only within the secure environment of the Controller’s information system on secured IT equipment,
f) always process your personal data only by the Controller or by an associate providing you with intermediary/service activities, i.e., only by those who personally participate in a given business case, as well as by authorized employees of the Controller’s business partners who ensure the performance of certain administrative or other processes for the Controller’s business partners, and always only to the extent necessary for their work,
g) are obliged to consistently record all personal data processing activities,
h) are subject to regular and continuous control of compliance with obligations in personal data processing and compliance with the Controller’s security standards.

1. Legal framework for processing your personal data
The Controller always processes your personal data exclusively in accordance with applicable legislation, i.e. Act No. 110/2019 Coll., on the Processing of Personal Data, as amended, and Regulation (EU) No. 2016/679 of the European Parliament and of the Council (hereinafter referred to as “GDPR”), and legal regulations supplementing or replacing them. The Controller places particular emphasis on the security of processing and the protection of your personal data; the protection of your personal data is an absolute priority.
In addition to Act No. 110/2019 Coll. and the GDPR, the Controller is also obliged, in the course of its business activities, to comply in particular with the following legal regulations, which also set obligations with relevance to the processing of personal data and are binding on the Controller:

a) Act No. 89/2012 Coll., Civil Code, as amended,
b) Act No. 262/2006 Coll., Labour Code, as amended,
c) Act No. 373/2011 Coll., on Specific Health Services, as amended,
d) Act No. 187/2006 Coll., on Sickness Insurance, as amended,
e) Act No. 155/1995 Coll., on Pension Insurance, as amended,
f) Act No. 48/1997 Coll., on Public Health Insurance and on Amendments to Certain Related Acts, as amended,
g) Act No. 582/1991 Coll., on the Organization and Implementation of Social Security, as amended,
h) Act No. 589/1992 Coll., on Social Security Contributions and Contributions to the State Employment Policy,
i) Act No. 563/1991 Coll., on Accounting, as amended,
j) Act No. 280/2009 Coll., Tax Code, as amended,
k) Act No. 280/2009 Coll., Tax Code, as amended,
l) Act No. 253/2004 Coll., on Value Added Tax, as amended,
m) Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts, as amended,
n) Act No. 133/2000 Coll., on Population Registration and Birth Identification Numbers and on Amendments to Certain Acts, as amended,
o) and any other legislation supplementing, amending, or replacing the above.

The Controller is subject to supervision by the Office for Personal Data Protection of the Czech Republic, where you can file a complaint in case you are not satisfied with the Controller’s procedures when exercising your rights or when processing your personal data.

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7    
    
2. What personal data does the Controller process
In accordance with the relevant legal regulations, the Controller processes exclusively such data as required by the applicable legal regulation and such data as are necessary for the Controller’s dealings and those of its business partners with due professional care. The Controller also processes the personal data of its employees, associates, and third parties, which are necessary for the proper fulfilment of obligations under the relevant legal regulations and specific contracts (employment contracts, education provision contracts, etc.). For this purpose, the Controller processes the following categories of data:

i. Identification data – personal data serving to identify you (first name, surname, birth surname, title, date of birth, identity document number, Company ID, etc.),
ii. Contact details – personal data serving to ensure contact with you (permanent residence address, correspondence address, telephone number, e-mail address),
iii. Data necessary for fulfilling an employment contract,
iv. Data necessary for providing education,
v. Data required by law for proper bookkeeping, payroll administration, and organization of sickness, social, and health insurance,
vi. Certain data on health status, if necessary in fulfilling the employer’s statutory obligations (e.g. information on employee pregnancy, information on employee incapacity for work, work injuries and related occupational health examinations – entry and periodic),
vii. Personal data stated in a job applicant’s CV – before conducting a recruitment procedure, these are processed in connection with measures aimed at fulfilling the employment contract; after the recruitment procedure, in the case of successful applicants, in connection with fulfilling the employment contract.

The Controller is obliged, or entitled, to process the above personal data even without your consent, since such processing is required by the relevant legislation or the Controller is entitled to process such data in connection with the fulfilment of contractual obligations or on the basis of legitimate interest (see below). Nevertheless, it remains solely up to you whether you provide the Controller with your personal data or not. However, if you fail to provide personal data to the required extent, the Controller is entitled not to conclude a contract, not to provide a service, or not to establish cooperation.

viii. Personal data for the Controller’s marketing activities – personal data processed by the Controller for marketing purposes, in particular sending commercial communications or advertising (name, surname, telephone number, e-mail address, correspondence address),
ix. Photographs/videos – photographs/videos from events or meetings, the creation of which requires separate consent; such photographs and videos may be used as part of the Controller’s marketing promotion, by publishing them on social networks, in the Controller’s online presentations, in leaflets, newsletters, etc.

The personal data listed under points viii. and ix. may be processed by the Controller only with your consent, and always only for the strictly necessary period, but no longer than the duration of such consent. Granting consent to processing is entirely voluntary and does not affect the continuation of further cooperation.

The Controller always processes personal data only to the extent necessary to fulfil the given purpose. Personal data obtained for one purpose must not be used for another purpose unless these purposes are mutually compatible.

As a rule, the Controller processes only such personal data as you have provided. In some exceptional cases, the Controller also obtains personal data from publicly available sources or from public authorities (courts, bailiffs, supervisory authorities, etc.), or from other controllers or its processors.

The Controller may also obtain personal data from a processor, who processes personal data for the Controller on the basis of written authorization.

Your personal data may be transferred to foreign partner schools, including schools located in the United States of America, Canada, and the United Kingdom, for the purpose of arranging studies and entering into contractual relationships with these institutions. When transferring personal data outside the European Economic Area (EEA), we ensure that an adequate level of protection is always guaranteed in accordance with Article 44 et seq. of the GDPR.

3. For what purpose does the Controller process personal data
The Controller processes your personal data for the following purposes:
a) performance of its own activities,
b) fulfilment of legal obligations,
c) fulfilment of contractual obligations,
d) protection of persons, property, data, trade secrets, and legitimate interests of individuals, including proper identification and authentication of acting persons,
e) establishment, exercise, and defence of the Controller’s legal claims.
For the purposes listed under points a) to e), the Controller is entitled to process your personal data even without your consent.

f) Marketing activities and promotional activities of the Controller – sending marketing offers, advertisements, events aimed at increasing brand awareness, promotion in the online environment,
g) Other purposes where applicable.
For the purposes listed under points f) and g), the Controller processes personal data solely with your consent.

4. On what legal basis and for how long does the Controller process personal data

The Controller processes personal data within the meaning of Article 6, and where applicable Article 9, of the GDPR on the following legal bases:
a) Consent of the data subject – personal data are processed on this legal basis when no other legal basis exists (or can be applied). Such processing always lasts for the duration of the purpose for which the personal data were obtained, but no longer than until consent is withdrawn. In these cases, you always have the right to withdraw your consent (methods of withdrawal are specified below). This typically applies to processing photographs, etc.,
b) Performance of a contractual obligation – where a contract has been concluded between you and the Controller, the Controller is entitled to process personal data obtained in the course of fulfilling the contract, or those necessary for the exercise of rights and obligations arising from the contract, for the duration of the contract,
c) Compliance with a legal obligation – the Controller is obliged to process selected personal data if required by the relevant legal regulation, for the period specified by that regulation,
d) Legitimate interest of the Controller – in such cases, the Controller processes personal data for the duration of its legitimate interest (typically for the protection of persons and property). If you lodge an objection to such processing, justified by your individual situation, and the Controller accepts the objection after due consideration, the Controller is obliged to terminate such processing.

The Controller’s legitimate interests include, in particular:
i. the conduct of its business activities as its main profit-making activity, which is the source of the Controller’s income,
ii. ensuring the basic organizational and functional processes of the Controller,
iii. establishing, exercising, and defending the Controller’s legal claims,
iv. protecting persons, property, data, trade secrets, and legitimate interests of individuals, including the interest in proper identification and authentication of acting persons.
Each personal data item may be processed on the basis of multiple legal grounds. A personal data item may be processed as long as at least one legal ground exists for its processing. Once the last legal ground for processing a given personal data item ceases, the personal data must be duly disposed of.

5. To whom personal data may be disclosed

Depending on the circumstances and in accordance with applicable legislation and other requirements, we may provide your personal data in various ways and for various reasons to the following categories of recipients:
• Public authorities and other entities in fulfilment of statutory obligations under the relevant legal regulations (e.g. Act No. 187/2006 Coll., on Sickness Insurance, as amended; Act No. 155/1995 Coll., on Pension Insurance, as amended; Act No. 582/1991 Coll., on the Organization and Implementation of Social Security, as amended, etc.),
• Processors of personal data on the basis of a written data processing agreement and upon provision of sufficient technical and organizational safeguards for the protection of personal data (e.g. IT service providers, accountants, etc.),
• Employees or other persons in a similar contractual relationship with the Controller for the purpose of performing their work duties on behalf of the Controller,
• Other entities, where necessary for the establishment, exercise, or defence of the Controller’s legal claims (e.g. courts, bailiffs, attorneys, etc.),
• Third parties such as the National Institute for Further Education (NIDV) and other organizations providing continuing education of teaching staff (DVPP), which process teachers’ personal data pursuant to §29 of Act No. 563/2004 Coll., the Teaching Staff Act, or other organizations providing professional development under §230 of Act No. 262/2006 Coll., the Labour Code,
• Foreign partner schools and institutions located outside the European Economic Area (in particular in the USA, Canada, and the United Kingdom), for the purpose of facilitating study opportunities and entering into contractual relationships with these institutions,
• Other persons with your consent.
In all cases, it applies that personal data are provided to the above recipients only to the extent necessary for the specified purpose and for the necessary period of time.

6. Personal data security principles

The Controller strictly ensures compliance with all security and organizational measures introduced for the purpose of protecting personal data.
The Controller regularly and thoroughly monitors compliance with security and organizational measures to ensure the protection of personal data, regularly evaluates the findings, and updates its security and organizational measures as necessary.
Personal data are processed exclusively by authorized persons, who are thoroughly vetted by the Controller both before starting processing and throughout its duration. All persons who have access to personal data are bound by confidentiality obligations under strict sanctions.


7. What rights do you have and how can you exercise them

Articles 15–22 of the GDPR define the rights that you may exercise in relation to the Controller.
You may exercise the following rights at your discretion:
a) Right of access to personal data – the Controller will provide you with a statement (confirmation) of the personal data processed about you, to the extent defined in Article 15 of the GDPR, upon a request bearing your officially verified signature,
b) Right to rectification of inaccurate personal data – if you find that the Controller processes inaccurate or outdated personal data about you, the Controller is obliged, without undue delay after being informed, to correct such inaccurate personal data. Rectification is carried out on the basis of a written request,
c) Right to erasure – in cases defined in Article 17 of the GDPR, the Controller will erase the processed personal data (this applies in particular when you withdraw your consent to processing and no other legal basis exists, when you object to processing and no overriding legitimate interests of the Controller exist, or when the personal data are no longer needed for the given purposes, etc.). Erasure is carried out on the basis of a written request or automatically if the personal data are no longer required for the processing purpose,
d) Right to restriction of processing – for the period during which the Controller assesses the justification of your objection to processing, or until the Controller verifies the accuracy of personal data where you contest their accuracy, or if the processing is unlawful and you oppose erasure and instead request restriction of use, the Controller will temporarily restrict the processing of personal data. This is carried out on the basis of a written request if you request restriction, or automatically in case of exercising the right to object or to rectification,
e) Right to data portability – where the processing of specific personal data is based on consent or on a contract and is carried out by automated means, you have the right to obtain and transfer to another controller the personal data concerning you. This is carried out on the basis of a written request with your officially verified signature,
f) Right to lodge an individual objection – if the processing is based on the Controller’s legitimate interest, you have the right to object, on grounds relating to your particular situation, to such processing. The objection will be thoroughly assessed by the Controller. The objection will be upheld if your individual interest outweighs the Controller’s legitimate interests. This is carried out on the basis of a written request,
g) Right to lodge an absolute objection to direct marketing – where personal data are processed for direct marketing purposes, you may lodge an absolute objection. Unlike the individual objection under point f) of this section, this objection is not assessed, but automatically results in termination of processing for these purposes. This is carried out on the basis of a written request or by clicking the link provided directly in the specific electronic marketing message,
h) Right to withdraw consent to processing – consent to the processing of your personal data can be withdrawn either in full or for individual purposes of processing. The Controller will no longer process the personal data for which consent has been withdrawn, unless another legal basis for processing exists. Consent may be withdrawn on the basis of a written request,
i) Right not to be subject to any decision based solely on automated processing, including profiling, which would have legal effects concerning you or would similarly significantly affect you – this right does not apply, as the Controller does not carry out any automated decision-making that would have legal or similar effects for you.

In all the above cases, the Controller will provide you with information on how your request has been resolved without undue delay, but no later than within one month of receiving your request. This period may be extended by a further 2 months, considering the complexity and number of requests.
In cases where requests are manifestly unfounded or excessive, particularly due to their repetitive character, the Controller may refuse to comply with the request or may impose an administrative fee for processing the request, reflecting the costs associated with providing the information.
The Controller has appointed a Data Protection Officer (DPO) to ensure the protection of personal data and to maintain quality and security standards in the processing of personnel data. You may contact the DPO in case of any ambiguities, questions, or complaints in the area of personal data protection.

Data Protection Officer:
Tomáš Netopil
Žalkovice 85, 768 23
netopil@consiliumeurope.com

8. Cookies 

Cookies are small files stored on your computer’s hard drive. Almost all websites use them, and they do not pose any danger to your computer. They allow us to understand your activity and make your visit to our website as pleasant as possible. Based on the information from cookies, we can offer you options tailored to your needs during each visit. Cookies are also used to monitor website traffic and for advertising purposes. If you want to check or adjust the types of cookies you agree to, you can usually do so in your browser settings.

We use cookies to monitor how you use our website. This helps us understand the individual needs of users grouped into larger segments and allows us to further develop and improve our website so that the services it provides meet the expectations and needs of visitors.


Cookies can be divided into several categories:
• Session cookies: These cookies are stored on your computer during a browser session and are automatically deleted once you close the browser. They are usually stored under an anonymous session ID, which allows you to browse the website without having to log in on every page. These cookies do not collect any information from your computer.
• Persistent cookies: These cookies are stored as files on your computer and remain there even after you close your web browser. The websites that created these cookies can read them again each time you return. We use persistent cookies for the purposes of Google Analytics.
• Essential cookies: These cookies ensure the effective use of our website. Without them, our site would not be able to provide you with the relevant services. They do not collect any information that could be used for marketing purposes or to track your activity on the internet.
• Performance cookies: These cookies allow us to monitor and improve the performance of our website. For example, they enable us to count website visits, identify traffic sources, and determine which sections of the website are the most popular.
• Functional cookies: These cookies allow our website to remember the choices you make (e.g., your username) and provide you with enhanced features. They can also be used to remember your preferred text size or font type, or to further customize specific sections of the website. Additionally, they enable services according to your requests, such as watching videos or posting comments. The data collected by these cookies is usually anonymous.

If you do not wish to allow cookies that are not strictly necessary to ensure the basic functions of our website, you can disable their use in your browser settings. Most web browsers allow cookies by default, but if you are not comfortable with this type of data collection, you can disable cookies in your browser’s privacy settings. However, if you disable all cookies, you may not be able to use all the features of our website. Since each browser is different, please refer to the Help section of your browser for detailed instructions on how to adjust your cookie settings.

For more information about cookies, including how to disable them, please visit aboutcookies.org. On that website, you can also learn how to delete cookies from your computer.

The Controller reserves the right to make ongoing modifications to this Privacy and Data Protection Policy. All updates and the current version of the Policy will be available on this page and also in printed form at the Controller’s office.