ZF Slovakia, a. s. (“ZF”)
Employee Data Protection Notice
I. Introduction and scope
ZF Slovakia (“ZF”) considers protecting the Personal Data of all employees to be an important priority. ZF is committed to processing Personal Data responsibly and in compliance with the applicable data protection laws in all countries in which ZF operates. Please refer to our internal Data Protection rules for more information on definitions, our overall data protection principles and our approach to data protection compliance.
This Employee Data Protection Notice (the “Notice”) describes the types of Personal Data that ZF collects, how ZF uses that Personal Data, with whom ZF shares your Personal Data, and the rights you, as a Data Subject, have regarding ZF’s use of the Personal Data. This Notice also describes the measures ZF takes to protect the security of the data, how long we keep your data, how we transfer your data internationally and how you can contact ZF about our data protection practices.
II. Contact details of the Data Controller
ZF Slovakia, a. s.
917 02 Trnava
Phone: +421 33 5959 111
III. Contact details of the ZF Data Protection Officer
A Data Protection Officer (“DPO”) is designated.
The DPO is involved in all issues related to the protection of your Personal Data. For questions you may have regarding this Notice and/or in order to exercise your rights explained under Section X. below, please contact Ms. Martina Kubíčková, the ZF Slovakia DPO, at
ZF Friedrichshafen AG
917 02 Trnava
You may also contact the DPO by e-mail at firstname.lastname@example.org.
IV. Categories of Personal Data processed
The provision of Personal Data is a requirement necessary to enter into a contract with ZF or a requirement by law or regulation for ZF to administer your employment relationship. The Personal Data processed is limited to the data necessary for carrying out the purpose for which such Personal Data is collected.
ZF processes the following Personal Data:
Employee master data such as the first name, family name, name suffix, title, date of birth, gender, marital status, nationality, user ID number;
Contact information such as home address, (mobile) phone number, email address;
Data relating to the employment relationship such as educational details, date of hire, job title, skills, performance evaluation, time management data, department, social security number, tax ID number, payroll details, bank account;
Travel information such as credit card numbers, driving license details, visa details and passport number; and
Communications information such as network log-in details, computer system usage data and data contained in regular backups of ZF systems.
Sensitive Personal Data will be processed in the employment context. Sensitive Personal Data consists of:
Racial or ethnic origin,
Trade Union Membership,
Genetic and biometric data,
Health-related data and
Such Sensitive Personal Data will be processed where specific express consent is obtained, or if one of the particular exemptions provided for by law applies, including:
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of ZF or of the Data Subject in the field of employment and social security and social protection law;
Processing is necessary to protect the vital interests of the Data Subject;
Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity; or
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
ZF will collect the Personal Data as a general rule directly from you. However, in line with legal provisions, data will also be collected from third parties. In particular, ZF will collect tax-relevant information from the responsible tax authority as well as sick leave information from the responsible health insurer if required in a specific case.
ZF will maintain Personal Data in a manner that ensures it is accurate, complete and up-to-date.
V. Purposes of Data Processing and legal bases
ZF processes Personal Data in accordance with applicable data protection laws and regulations, such as the General Data Protection Regulation (“GDPR”) and the Slovak Data Protection Act (“Zákon na ochranu osobných údajov č. 18/2018 Z.z.”) and only for limited, explicit and legitimate purposes. ZF will not use Personal Data for any purpose that is incompatible with the original purpose for which it was collected unless you provide your prior explicit consent for further use.
Personal Data relating to employees will be processed for the purposes of:
Creation, performance and termination of the employment relationship, including professional training;
In this context, the processing of Personal Data is necessary in order to take steps at your request prior to entering into a contractual employment relationship, as well as for the performance of the employment contract. Furthermore, collective agreements allow for such data collection.
Administration and payment of salary and calculation of compensation and benefits;
In its role as an employer, ZF must comply with labor law, collective bargaining law, social security and tax law provisions. To this end, Personal Data will be collected based on (1) statutory obligations as well as (2) the performance of the employment contract.
Other data processing purposes include:
Recruitment, promotion, performance review and online presentation of employees;
Career development, succession planning and talent management;
Management and support of expats and redeployment;
Resignation, retirement and pension scheme management and billing;
Administration of ZF’s in-house medical service and business travel planning;
Administration of time management data;
Administration of employees’ IT system access and usage as well as management of IT security;
Managing research and product development and providing technical support; and
Company organization management.
The purposes listed above find their legal basis in the underlying employment contract or alternatively in the applicable law provisions.
Additionally, Personal Data will be collected for the purposes of the legitimate interests of either ZF or a third party such as public authorities, e.g. for the investigation of (criminal) offences or actual or reasonably suspected misconduct, for compliance with legal regulations (compliance) and for defending against or asserting legal claims.
Moreover, ZF is obliged by the European Anti-Terror Regulations No. 2580/2001 and 881/2002 to screen your Personal Data against EU “terror lists” to ensure the enforcement of the prohibition of providing financial means to individuals and organizations falling within the scope of these regulations.
The processing of special categories of Personal Data is based on contractual obligations or statutory obligations, such as those stemming from labor law, social security law and social protection law. Health-related data can be processed to assess the working capacity of the employee.
Your explicit consent can also serve as the legal basis for the processing of special categories of Personal Data.
Prior to using your personal data for a purpose other than the one for which it was initially collected, you will be informed about such new purpose.
VI. Data Security
ZF has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such risk analysis includes an analysis of the risk of compromising the rights of the Data Subject, the costs of implementation, and the nature, scope, context and purposes for Data Processing.
These measures include:
encryption of personal data where applicable/appropriate;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
VII. Recipients of Personal Data
ZF will only grant access to Personal Data on a need-to-know basis and such access will be limited to the Personal Data that is necessary to perform the contractual or legal function for which such access is granted. Authorization to access Personal Data will always be linked to the function, so that no authorization will be extended to access Personal Data on a personal basis. Service providers will only receive Personal Data according to the purposes of the service agreement with ZF.
In its role as an employer, ZF is required either by contract or by law to disclose employees’ Personal Data to recipients outside of ZF. These recipients include:
Public authorities (tax authorities, courts, pension insurers, social security insurers, etc.);
Your health insurer;
Third-party debtors in the event of salary seizure; and/or
Insolvency administrator in the event of private bankruptcy.
VIII. International data transfers
International data transfers refer to transfers of Personal Data outside of the European Economic Area (“EEA”). The international footprint of ZF involves the transfer of Personal Data to and from other group companies or third parties which may be located outside the EEA, including the United States of America. ZF will ensure that Personal Data is only transferred to countries that have adequate data protection standards as per the European Commission’s specifications. Alternatively, data will only be transferred after the implementation of appropriate safeguards to adequately protect the Personal Data and secure that such data transfers are in compliance with applicable data protection laws. ZF has implemented data transfer agreements based on EU model clauses to cover international data transfers. A copy of these agreements can be obtained by contacting the DPO. More information on our international group companies can be found on the Intranet and under the following link:
IX. Retention of Personal Data
ZF will not retain your Personal Data for longer than is justified for the purpose for which it was originally collected. After termination of employment, ZF will only retain your Personal Data as long as we are legally required to do so. The main legal retention obligations can be found, inter alia, in the Commercial and Tax Codes, which stipulate retention periods of up to 10 years. Additionally, Personal Data may be stored and retained for as long as the statutory period of limitations concerning legal claims against ZF has not expired, i.e., for a period up to 50 years.
X. Data protection rights
Under applicable data protection laws, you will benefit from the following rights. You can exercise these rights at any time by contacting the DPO, where applicable:
Right to access
You have the right to receive at any time upon request information about the Personal Data relating to you which are processed by ZF. This includes information on the questions of whether and which personal data are processed for which purposes, and which recipients receive these data. You also have the right to obtain a copy of the data free of charge (except in case of repetitive or excessive requests).
Right to rectification
You have the right to obtain without undue delay the rectification of inaccurate, incomplete or outdated Personal Data concerning you.
Right to erasure
You have the right to obtain without undue delay the erasure of your Personal Data if the statutory conditions apply. These conditions establish a right to erasure if the Personal Data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in situations involving unlawful processing, the existence of a right to object or withdraw consent, the existence of a duty to erase data under European Union law or EU Member State law governing ZF or when the data were collected in relation to the offer of information society services.
Right to restriction of processing
You have the right to demand that ZF restricts the processing of your Personal Data. This right restricts the processing of your Personal Data if their accuracy is contested by you for a period enabling ZF to verify the accuracy of the data, as well as in the event that there is a right to erasure and the user demands a restriction of processing instead of erasure, and also when ZF no longer needs your Personal Data for its processing purposes but you, however, need the data for the establishment, exercise or defense of legal claims, as well as in those situations where the successful exercise of an objection is disputed between ZF and you.
Right to object
As a rule, you have the right to object to the processing of your Personal Data at any time with legitimate grounds relating to your particular situation. ZF will no longer process the Personal Data concerned unless it can demonstrate compelling legitimate grounds for the processing, which override your interests or if the processing serves to establish, exercise or defend against legal claims.
Right to data portability
In cases where the Data Processing is based on your consent or subject to your contract and where such processing is carried out by automated means, you can request (i) that the Personal Data concerning you is provided to you in a structured, commonly used and machine-readable format in order to be able to further transmit such Personal Data to another Data Controller; or (ii) that the Personal Data is directly transmitted to another Data Controller if technically feasible.
However, ZF can refuse such a request if the processing concerned is necessary for the performance of a task carried out in the public interest or if responding to such a request risks adversely affecting the rights and freedoms of others.
Right to withdraw consent
Where the processing of your Personal Data is based on consent, you have the right to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint
You also have the right to lodge a complaint with the competent supervisory authority.
This Notice will be effective as of May 25, 2018 and will be applicable to ZF.
This Notice may be revised and amended from time to time and appropriate notice about any amendments will be given.