Search

Menu

Privacy policy

(hereinafter referred to as the “Policy”)

Introductory Provisions

Benefit Management s.r.o., Company ID No.: 270 69 770, with its registered office at Doudlebská 1699/5, 140 00 Prague 4, Nusle, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 93997, operating the websites www.benefit-plus.cz and www.muza.cz and the digital application for the management of employee benefits Múza (hereinafter referred to as the "Company"), pays due attention to the proper fulfilment of its obligations in the area of personal data protection, in particular pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as the "GDPR") and Act No. 110/2019 Coll., on the Processing of Personal Data (hereinafter referred to as the "Act on the Processing of Personal Data").

The Company primarily acts in the position of an independent controller within the meaning of Article 4(7) GDPR, in relation to data subjects whose personal data it processes in connection with the provision of its services, in particular in the operation of benefit programmes via websites and digital applications intended for the management of employee benefits, in particular through the Múza application (hereinafter referred to as "Múza") and the Benefit Plus programme (hereinafter referred to as "Benefit Plus").

In cases where a system for the provision of employee benefits is implemented or operated through Múza or Benefit Plus in cooperation with employers or similar entities, the Company may act jointly with these entities as a joint controller within the meaning of Article 26 GDPR, in relation to the personal data of employees or other users of the system. In such a case, the mutual rights and obligations of the joint controllers are governed by the relevant arrangement between these entities. Only in exceptional cases may the Company also act in the position of a processor within the meaning of Article 28 GDPR, if it processes personal data on behalf of and under the instructions of another controller, on the basis of a data processing agreement concluded in accordance with Article 28 GDPR.

This Policy primarily applies to cases where the Company acts as a controller. If, in a specific case, the Company acts as a joint controller or a processor, the processing of personal data is also governed by the relevant arrangement between joint controllers or by the instructions of the relevant controller and the concluded data processing agreement.

Data Protection Officer

The Data Protection Officer is Mr. Jaroslav Raboch. The Company and the Data Protection Officer may be contacted in relation to personal data protection at the email address gdpr@benefit-plus.eu.

Data Subject

The data subject is a natural person who has provided their personal data to the Company, or whose personal data the Company has obtained from a third party, in particular from its business partners, or whose personal data the Company has obtained from other sources.

A data subject may therefore be, in particular but not exclusively, a client of the Company, an employee of the Company's client, a partner of the Company, an employee of the Company's partner, a job applicant, etc.

Scope of Processing of Personal Data

The Company processes personal data to the extent in which they are provided directly by data subjects or to the extent in which the Company obtains them from other persons, in particular from employers of the data subjects – the Company's clients, or from other lawful sources.

In order to provide its services, the Company may process in particular the following categories of personal data:

  • identification data (e.g. first name, last name, or identification of a user account in Benefit Plus or in Múza),
  • contact data (e.g. email address, telephone number),
  • data related to the employment relationship or position with the Company's client (e.g. employer, job position),
  • data on the use of the benefit programme in Benefit Plus or in Múza and allocated benefits (e.g. benefit account balance, use of benefits),
  • login and authentication data related to the use of Benefit Plus or Múza, technical data and data on the use of Benefit Plus or Múza (e.g. IP address, access logs, device information),
  • or other data necessary for the provision of the Company's services or fulfilment of legal obligations.

The provision of certain personal data may be a contractual or legal requirement, and failure to provide such data may result in the inability to use certain services of the Company.

Purpose of Processing of Personal Data

The Company processes personal data for the purpose of providing its services and fulfilling related obligations, in particular on the basis of the following legal grounds pursuant to Article 6(1) GDPR:

  • performance of a contract or implementation of measures taken prior to entering into a contract at the request of the data subject (Article 6(1)(b) GDPR),
  • compliance with legal obligations to which the Company is subject (Article 6(1)(c) GDPR),
  • legitimate interest of the Company, in particular for the purpose of protecting its rights, ensuring the security of services and direct marketing, i.e. offering the Company's products and services,
  • in certain cases, the Company may also process personal data on the basis of the data subject's consent (Article 6(1)(a) GDPR), in particular where such consent is required by applicable legal regulations.

The Company may also process personal data for the purposes of direct marketing, i.e. offering its products and services. The processing of personal data for these purposes is carried out on the basis of the Company's legitimate interest within the meaning of Article 6(1)(f) GDPR.

The authorisation to send commercial communications by electronic means is governed by Section 7 of Act No. 480/2004 Coll., on Certain Information Company Services (hereinafter referred to as the "Act"). The Company sends commercial communications primarily under the regime of Section 7(3) of this Act, i.e. where it has obtained the electronic contact of the data subject in connection with registration, use of the platform or provision of its services and the commercial communications relate to its own similar services. In such a case, the data subject is always given the opportunity to refuse the sending of commercial communications at the time the electronic contact is obtained, and at the same time each individual communication ensures a simple and free option to unsubscribe.

In cases where the conditions of the customer exemption are not met, the Company may send commercial communications only on the basis of the prior consent of the data subject granted in accordance with Section 7(2) of the Act.

Assessment of the Necessity of Processing

The Company pays attention to the protection of the privacy of data subjects and proceeds in accordance with the principle of data minimisation when processing personal data. Therefore, it processes personal data only to the extent necessary to fulfil the specified purposes of processing.

Period of Processing of Personal Data

The Company processes personal data for the period necessary to fulfil the specified purposes of processing or for the period stipulated by applicable legal regulations. If the Company acts as an independent controller or joint controller, it generally processes personal data for the duration of the contractual or other legal relationship with the data subject, or for the duration of the contractual relationship between the Company and the client through whom the services are provided, and subsequently for the period necessary to protect the rights and legitimate interests of the Company, but no longer than 10 years from the termination of such relationship, unless legal regulations stipulate a longer period.

Consent to the Processing of Personal Data

If the data subject has granted the controller consent to the processing of personal data, they may withdraw it at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal. The withdrawal of consent also does not affect the processing of personal data that the controller processes on the basis of another legal ground than consent (i.e. in particular where processing is necessary for the performance of a contract, compliance with a legal obligation or for other reasons stated in applicable legal regulations). The withdrawal of consent is generally carried out in the same manner in which the consent was granted. If this is not possible, the data subject is entitled to request withdrawal of consent in writing at the address of the Company's registered office.

Transfer of Personal Data

The Company may, to the necessary extent, disclose or transfer personal data to other entities if this is necessary for the provision of its services, fulfilment of legal obligations or protection of its legitimate interests. Personal data may be disclosed in particular to the Company's suppliers who provide certain services for it and act as processors, in particular providers of IT services, hosting or technical solutions. These processors process personal data exclusively on the basis of a data processing agreement concluded in accordance with Article 28 GDPR and only in accordance with the Company's instructions.

In connection with the provision of employee benefits, the Company may also transfer personal data to contractual partners who provide individual services or products within the benefit programme. These partners generally act as independent controllers and process personal data to the extent necessary for the provision of the relevant performance.

Processing of Personal Data for Marketing Purposes

When visiting Benefit Plus or Múza, information about the behaviour of the data subject on these Benefit Plus websites or within Múza is processed, in particular data on visited pages, used functions, preferences or the manner of using benefit programme services. This data is processed for the purpose of evaluating the use of services, personalising displayed content and providing relevant information about the Company's services. The processing of this data is carried out to the extent permitted by legal regulations, in particular on the basis of the Company's legitimate interest pursuant to Article 6(1)(f) GDPR or on the basis of the data subject's consent where such consent is required (e.g. in connection with the use of cookies or similar technologies).

Based on this information, the Company may perform segmentation of users and adapt displayed offers or sent communications to their preferences. Such processing does not constitute automated decision-making within the meaning of Article 22 GDPR that would have legal or similarly significant effects on the data subject.

In connection with the provision of benefit programme services, the Company may send users information related to their benefit account, in particular information about the status of benefit points or options for their use. These communications are sent continuously as needed and are generally of an informative or service nature related to the use of the provided services.

The Company may also process personal data for the purpose of determining and evaluating user satisfaction with its services, for example through questionnaires or other forms of feedback. Such processing is carried out on the basis of the Company's legitimate interest pursuant to Article 6(1)(f) GDPR.

Information on the Use of Biometric Login

Múza enables login using biometrics (e.g. Face ID, Touch ID), while verification takes place exclusively at the level of the device operating system. The Company does not have access to biometric data of the user, does not process it and does not store it. Múza receives only information about successful or unsuccessful identity verification. The use of biometric login is entirely voluntary, and the user may deactivate it at any time in the settings of their device or application.

Cookie Policy

Cookies are small amounts of data that our servers send to your computer, and which enable better use of our servers and adaptation of their content to your needs.

Almost every website in the world uses cookies. Cookies increase the user-friendliness of repeatedly visited websites and are therefore useful to you. If you use the same computer and the same internet browser to visit our websites, cookies help your computer remember visited pages and your site settings.

Various types of cookies may be used on the Benefit Plus websites and within the Múza application. These include in particular necessary cookies, which are essential for the proper functioning of the websites and their basic functions, analytical cookies used to evaluate traffic and the manner of website use, functional cookies enabling the storage of user settings and preferences, and marketing cookies that may be used to display relevant content and advertising communications. The storage of analytical and marketing cookies takes place only on the basis of user consent, unless legal regulations provide otherwise.

Through our websites, cookies of operators of advertising systems that are operated on our websites may also be stored on your computer. As part of remarketing, our Company also uses Google systems. We use remarketing data exclusively for the segmentation of visitors for the purpose of delivering more relevant advertising communications. These data are processed to a limited extent and generally in pseudonymised form.

Standard web browsers (Safari, Internet Explorer, Firefox, Google Chrome, etc.) support cookie management. Within browser settings, you can manually delete, block or completely disable individual cookies; they can also be blocked or allowed only for individual websites. For more detailed information, please use your browser help.

Upon your first visit to our website, we will display a banner with information about the use of cookies and request your consent. You may withdraw or modify this consent at any time via cookie settings using the link to the cookie bar in the footer of our websites or within the Múza application, or directly in your browser. If you do not wish cookies to be stored, you may block their use in your browser settings.

There are temporary cookies and persistent cookies. Temporary cookies are stored on your computer only until the browser is closed. Temporary cookies allow information to be retained when moving from one website to another and eliminate the need to repeatedly enter certain data. Persistent cookies help identify your computer if you revisit our website, but they do not allow you to be personally identified in any way. Persistent cookies allow the content of websites to be adapted to user preferences during repeated visits. Data obtained through these cookies are generally processed in pseudonymised form and are not, without further action, linked to data enabling the direct identification of a specific person.

Use of Google Analytics

The Company's websites use the Google Analytics service provided by Google Ireland Limited (hereinafter referred to as "Google"). The service is used only on the basis of your consent, which you may grant during your first visit to the website via the cookie banner.

Google Analytics uses cookies and similar technologies to analyse how websites are used and to generate statistics about their usage. Information about the use of websites may be transmitted to Google and processed on its behalf.

In connection with the provision of this service, personal data may be transferred outside the European Economic Area. Such transfers are carried out exclusively in accordance with the requirements of the GDPR and only using appropriate safeguards pursuant to Chapter V GDPR, for example on the basis of an adequacy decision or standard contractual clauses.

Further information on the processing of personal data by Google is available in Google's privacy policy.

How to Disable Google Analytics Tracking

If you do not wish your data to be collected via Google Analytics, you may withdraw your consent at any time using cookie settings on our website or by installing a plugin provided by Google.

Rights of the Data Subject in Relation to the Processing of Personal Data

You have the right to access your personal data and to have it corrected or completed if it is inaccurate or incomplete. You may also request information about its sources and a copy of the processed personal data. The exercise of data subject rights is generally free of charge. However, if the request is manifestly unfounded or excessive, in particular because it is repetitive, the Company may, in accordance with Article 12(5) GDPR, charge a reasonable fee or refuse to comply with the request. You will be informed of any fee in advance.

If your personal data are no longer needed, you withdraw consent to processing, you object, they have been processed unlawfully, or they must be erased under legal regulations, you may request their erasure.

If you contest the accuracy of the personal data or if they are no longer needed for the purposes of processing, you have the right to request restriction of their processing.

In certain cases, you have the right to obtain your personal data in a structured, commonly used and machine-readable format or request their transfer to another controller, if technically feasible.

You have the right to object to the processing of personal data, in particular in the case of profiling or sending commercial communications. You may withdraw your consent to processing at any time. You also have the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).

You also have the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which would produce legal effects concerning you or similarly significantly affect you. If such processing takes place, you have the right to request human intervention by the Company, express your point of view and contest the decision, in accordance with Article 22 GDPR.

The data subject may exercise their rights via the email address gdpr@benefit-plus.eu or in writing at the address of the Company's registered office.

Changes to this Policy

The Company is entitled to update or amend this Policy on an ongoing basis, in particular in the event of changes in legal regulations, technologies or methods of processing personal data. The Company will inform about any changes in an appropriate manner.

The current version of this Policy is always available on the Company's websites and in the Múza application.

Effective date: 1 March 2026

;