Privacy Policy

The Privacy Policy of Younify D.O.O. (“We”, “us”, “our”) enables you to understand and informs you about all laws regarding the collection and processing of personal data, in a manner consistent with the applicable Law on Personal Data Protection, including the provisions of the European Union General Data Protection Regulation (GDPR) within the relevant scope of application.

Younify D.O.O., Vozda Karadjordja 5/14 Niš, acts as the Data Controller within the meaning of Article 4, paragraph 1, point 8) of the Law on Personal Data Protection (Official Gazette of Serbia, No. 86/18, hereinafter LPPD), and hereby informs the persons whose personal data are collected and processed about all relevant aspects of the collection and processing of such data in accordance with the provisions of the applicable Law on Personal Data Protection.

What is personal data?

“Personal data” means any information relating to an individual whose identity is established or identifiable, directly or indirectly, in particular by reference to an identifier such as a name and identification number, location data, identifiers in electronic communication networks, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, and social identity;

What is the processing of personal data?

“Processing of personal data” means any operation or set of operations performed on personal data or sets thereof, such as collection, recording, organization, grouping or structuring, storage, adaptation or alteration, disclosure, use, disclosure by transmission, i.e., delivery, duplication, dissemination or otherwise making available, alignment, restriction, erasure, or destruction (hereinafter referred to as processing);

What can data collection entail?

“Data collection” means any structured set of personal data available according to specific criteria, whether the collection is centralized, decentralized, or classified on a functional or geographical basis;

What is profiling?

“Profiling” means any form of automated processing used to evaluate certain personal aspects, in particular with the aim of analyzing or predicting an individual’s physical performance, economic position, health status, personal preferences, interests, reliability, behavior, location, or movements;

What does “third party / Who are third parties” mean?

“Third party” means a natural or legal person, or authority, other than the data subject, nor the controller or processor, nor a person authorized to process personal data under the direct control of the controller or processor;

When collecting and processing data, the Data Controller adheres to the basic principles of processing, which entail that personal data must be:

1. processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”). Data processing is carried out exclusively with an adequate legal basis in accordance with the law;
2. collected for specified, explicit, justified, and legitimate purposes, and not processed in a manner incompatible with those purposes (“purpose limitation”);
3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
4. accurate and, where necessary, kept up to date. Taking into account the purpose of the processing, every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay (“accuracy”);
5. stored in a form that permits identification of the person for no longer than is necessary for the purposes of the processing (“storage limitation”);
6. handled in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage, using appropriate technical, organizational, and personnel measures (“integrity and confidentiality”).

In this Privacy Notice and Privacy Policy, you will find all information regarding essential aspects of the collection and processing of personal data, including:

1. The categories of persons whose data are collected and to whom this notice applies.
2. What data are collected and for what purposes are they collected?
3. How are they collected?
4. How is data stored and what protective measures are in place?
5. Legal basis for collection?
6. Data retention period?
7. Rights of persons whose data are processed?
8. Information to be provided when personal data are not collected from the data subject.
9. Automated individual decision-making and profiling.
10. The legitimate interest of the Data Controller.
11. Who has access to personal data?
12. Transfer of data outside the country.
13. Sharing and disclosure of your information.
14. Links to third-party websites.
15. Updating of notices.
16. Special and additional notices regarding the processing of personal data.
17. Additional information on the processing of personal data.

1. The categories of persons whose data are collected and to whom this notice applies

The Collector (Younify D.O.O.; “we”; “us”; “our”) collects and processes personal data from:

1. Applicants applying for a position
2. Visitors to our website and social media profiles
3. Business partners (clients, our business partners, our employees, the persons we hire to work on our clients’ projects…)

2. What information do we collect and for what purposes do we collect and process it?

We collect a minimal amount of data, only to the extent necessary to achieve the purpose of the processing, which is specific, justified, and lawful. We collect personally identifiable information directly from the data subject, or through their employers, subcontractors, business partners or, where applicable, other third parties, only to the extent necessary for the specific purpose and depending on the category of persons to whom the personal data relate.

Depending on the category of the data subject and depending on the purpose of collecting and processing the data, we may collect personal data such as:

I. From applicants

If you are a candidate applying for a position with us, or creating an application for registration on our website, by submitting a CV and participating in the selection process for applicants, the following types of personal data may be collected and processed:

• name, surname, address, email address, and telephone number
• CV information:
• employment and education history;
• language skills and other work-related skills, in accordance with the requirements of a specific position according to the Job Systematization;
• identification number, if we enter into a Contract
• date of birth;
• gender;
• the information provided in references;
• information provided about your career interests and other information about the qualifications of applicants
• information about your recommendations or other persons you wish us to contact regarding a vacancy. (By providing a recommendation, the Collector assumes that you have obtained consent from the person you recommend for such communication).

For what purposes do we collect and process data from applicants?

• Establishing an employment relationship or other forms of employment (processing is carried out to conclude a contract with the data subject or to take appropriate measures for assessment, verification, and identification of the data subject prior to concluding the contract) for applicants;
• Assessment of the suitability of candidates for open vacancies at the Collector, which includes an assessment of individual performance and skills and an assessment of the fulfillment of the conditions, criteria, and requirements of the open position, i.e., profiling;
• Possible contact with applicants after the end of a specific vacancy, regarding candidates who wish us to process their data after the end of a specific vacancy when a new position opens;
• Responding to questions and requests from candidates via email;
• Informing the persons whose data (candidates) are processed about the activities of the Data Controller, promoting our services, and sending advertising messages via the various available communication methods (sending promotional emails, informing via messages on social media accounts, sending promotional materials, and periodic vacancy announcements);
• Compliance and implementation of applicable legal requirements, relevant standards, contractual obligations, and our policies.

II. From persons visiting our websites and social media profiles

1. Contact information and data left when filling out the contact form on the Data Controller’s website (name, surname, email address, contact telephone number);
2. Data collected via cookies on the Data Controller’s website and data from Google Analytics (demographic data, location, age > 18, gender); however, based on this information, we cannot identify a specific person, but only which group you belong to according to the data types, for example, over 18 years old, geographical location, but not the exact location;
3. Data designated as publicly available in accordance with the policy of the specific social network, and such processing is carried out based on the activities of the data subject on our page on the social network, in accordance with the policy of the specific social network.

The purpose of collecting information from website visitors is:

• providing recruitment solutions and connecting people to vacancies;
• improving services and conditions for the benefit of our employees, clients, candidates, and associates (legitimate interest of the data controller – see point 10 of this Notice);
• where permitted by law, sending promotional materials and other communications to promote the activities of the data controller (sending promotional emails, informing via messages on social media accounts, sending promotional materials);
• where permitted by law, passing on information to others about special or new services, promotions, programs, offers, and market research;
• responding to questions and requests from persons who fill out the contact form about the services of the Data Controller or apply for a vacancy;
• managing, evaluating, and improving our business operations (including developing, improving, analyzing, and enhancing our services, managing our communications, performing data analysis, and conducting accounting, audits, and other internal functions).

III. From business partners

• We collect information related to legal entities: company name, address, VAT number, company identification number, telephone number; however, this information does not constitute personal data. We may obtain personal data such as first and last name, position within the client’s company, business email address with first and last name, and contact telephone number. This information is necessary to communicate and ensure that the person we are communicating with is actually authorized to conduct such communication and correspondence on behalf of our business partner. Personal data are also necessary when establishing a contractual relationship with a business partner.

Another way we collect information about you is by filling out the contact forms on our website when you leave your personal data (first and last name, contact telephone number, email address), again to answer your questions and inform you about our work and the services we offer.

Your data may also be collected by visiting our site, but using the cookie settings, you can choose which of your data are stored and disable those for which you do not give consent. You are in no way obliged to give consent for the collection of all data, and this will in no way affect the quality of the services we can provide to you. This is further explained in the Cookie Policy.

The purpose of collecting information from business partners is:

• Drafting the contract with the data subject and the performance of contractual obligations;
• Performance of legal and contractual obligations of the Data Controller;
• Performance of contractually agreed work concluded with the (client) data subject;
• When justified by law, to inform data subjects about the activities of the Data Controller and about new services;
• Improvement of business relationships and improvement of services and conditions between business partners and the Data Controller;
• The legitimate interests of the data controller (see point 10 of this Notice).

3. How is the data collected?

• From candidates: Personal data are collected either directly from the data subject, or from their employers, co-contractors, business partners, data that job seekers make public on their social media profiles, public disclosure of their personal data on social and business networks on their own initiative, persons applying for a position with the data controller by sending a CV to the email address or creating an application for registration on the data controller’s website or, where applicable, from other third parties (for example, the Infostud-HR Lab website, regarding the candidate’s personal data). When data are not obtained directly from the data subject, the data controller is informed in advance whether the data subject is authorized to pass the data to the data controller.
• From site visitors: The data controller collects personal data exclusively directly from the person whose data are processed (using contact forms that the persons whose data are collected fill out on the Data Controller’s website). Where applicable, non-personally identifiable information that does not identify a specific person but only allows for the grouping of persons is collected from other third parties (for example, using Google Analytics and Google AdWords; the service is provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA), using the technology of Cookies stored on a visitor’s device, all for qualitative analysis of the use of the Website itself. More information is available in Google’s Privacy Policy, available via the following link: goo.gl/f1oVC8.
• Personal data are collected via contact forms, which are filled out by the persons whose information is collected on the data controller’s website.
• The data controller processes and uses Cookies via the website. Cookies are information stored on the computer (or other devices) of a user of the Website (a visitor to the Data Controller’s Website), which allows for the monitoring and analysis of user behavior on the Website. Cookies usually do not lead to the disclosure of the identity of a specific user. In the event that they identify a user, Cookies represent personally identifiable information and therefore all points of this Privacy Notice governing the processing of personal data apply to them. In accordance with Article 126, paragraph 3 of the Law on Electronic Communications, the use of Cookies is permitted, provided that the user receives a clear and complete notice of the purpose of collecting and processing the data in accordance with the law governing the protection of personal data, and provided that they are given the opportunity to refuse such processing. You can find more information about the cookie policy and the option to refuse the use of cookies on our website in the Cookie Policy section.
• From business partners: We collect personal data either directly from the person whose data are processed, or through their employers, partners, or via cookies or contact forms on the website that the clients fill out themselves.

4. How is the data protected?

The personal data are kept by the data controller in internal electronic and physical registers (databases) to which all necessary organizational, technical, and personnel protection measures are applied in accordance with the requirements of the applicable LPPD, including:

• control of physical access to the system where the data are stored, which in particular means that the server on which the data are stored is protected by a rack, which is kept under lock and key and to which only authorized persons have the key; the systems on which the data are stored are located in rooms equipped with an alarm system that only grants access to employees who know the password for deactivating the alarm system;
• control of access to data: the computer systems on which the data are stored are secured by a password system and electronic access is only possible for authorized persons and exclusively with knowledge of a password that meets the current recommendations regarding password formation (combination of lowercase and uppercase letters, characters, appropriate lengths, etc.);
• control of access to data, whereby physical and electronic access is exclusively available to authorized persons, only those persons whose function requires access to the registers;
• control of data entry, which means that only the authorized person collects personal data and stores them in the registers;
• control of data transmission, which means that the transfer to any authorized person is done exclusively via the usual protected forms of communication;
• other information security measures, in accordance with best practices;
• all other measures necessary for the protection of personal data.

5. Legal basis for data collection

The data controller processes personal data, depending on the category of the data subject, based on:

1. informed consent of the data subject within the meaning of Article 15 of the Law on Personal Data Protection. In the case of processing based on informed consent, the data subject is authorized to withdraw that consent at any time; the withdrawal entails the termination of any further processing, without prejudice to the processing carried out up to that point.
2. for the fulfillment of the legal obligations of the data controller, which regulates the registers in the field of work, as well as the laws regulating social and health care, and such processing is necessary to comply with the legal obligations of the data controller within the meaning of Article 12, paragraph 1, point 3) of the LPPD;
3. for the pursuit of the legitimate interests of the data controller or a third party (within the meaning of Article 12, paragraph 1, point 6) of the Law on Personal Data Protection, depending on the category of personal data being processed and the purpose of the processing of personal data;
4. the performance and fulfillment of contractual obligations with the person who is the contracting party. Processing is necessary to perform a contract concluded with the data subject or to take action, at the request of the data subject, prior to concluding the contract.

6. Data retention period

• Depending on the category of data being processed, personal data are kept for a period in which it is necessary to carry out a specific purpose, or as long as there is a legitimate interest in processing them (see point 10 of this Notice, to which all legitimate interests may relate), or until the withdrawal of informed consent, within the meaning of Article 15, paragraph 3 of the Law on Personal Data Protection, which also entails the automatic termination of further processing of personal data.
• Data are kept to a minimum, meaning only as long as it is necessary to achieve a specific purpose, and only the data necessary to achieve a legitimate purpose are kept; all other personal data are deleted immediately after the fulfillment of the specific purpose.
• Data of candidates who did not pass the selection process are deleted after completion of the specific recruitment process, unless the candidate has explicitly indicated that they wish us to keep their CV for future open positions whose requirements match their qualifications.
• Contact details of clients are kept for 10 years from the last contact with the client, due to possible renewed cooperation, possible contact in case of providing services in which the client is interested, possible updates, improvement of business cooperation, inquiry and market research, feedback on services, possible referrals, and marketing when permitted by law and when a business partner gives consent for this processing, while other personal data provided by clients are deleted immediately after the termination of cooperation with them.

7. Rights of persons whose data are collected and processed

Rights of the data subject:

• the right to request processing information (Articles 23 and 24 of the LPPD);
• the right to request access to personal data and processing information from the data controller (Article 26 of the LPPD);
• the right to request rectification, completion, or erasure of personal data, as well as restriction of processing (Articles 29, 30, 31, and 33 of the LPPD);
• the right to data portability (Article 36 of the LPPD);
• the right to lodge complaints (Articles 37-39 of the LPPD);
• the right not to be subject to a decision based solely on automated processing, including profiling (Article 38 of the LPPD);
• the right to be informed of a breach in connection with personal data, if such a breach may pose a high risk to the rights and freedoms of natural persons (Article 53 of the LPPD);
• the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (Article 82 of the LPPD);
• the right to judicial protection if they believe their rights under the LPPD have been violated (Article 84 of the LPPD);
• other rights guaranteed by the applicable Law on Personal Data Protection.

The data controller is obliged to respond to the data subject’s request without undue delay, and at the latest within 30 days from the day of receipt of the request. That period may be extended by a further 60 days if necessary, taking into account the complexity and number of requests. The data controller will inform the data subject of the extension of the period and the reasons for such extension within 30 days of receipt of the request.

If the data subject’s request is manifestly unfounded or excessive, and in particular if the same request is repeated, the data controller may:

1. charge the necessary administrative costs for providing information or handling a request;
2. refuse to comply with the request.

8. Information to be provided when personal data are not collected from the data subject

When the data controller collects data from third parties, the data controller is informed in advance whether the data subject is authorized to pass the data to the data controller. The data controller will ensure that in any case third parties are informed of their rights and all relevant aspects, in accordance with Article 24 of the LPPD.

9. Automated individual decision-making and profiling

In some cases, decisions regarding the persons whose data are collected and processed may be taken solely on the basis of automated processing, including profiling. These are cases where such a decision:

1. is necessary for entering into or performing the contract between the data subject and the data controller;
2. is based on the law, if that law prescribes appropriate measures for the protection of the rights, freedoms, and legitimate interests of the data subject;
3. is based on the explicit consent of the data subject.

In our country, automated decision-making and profiling take place exclusively in certain and legally justified situations, with data relating to employees and applicants, for the purpose of:

• Employment according to labor law or other forms of employment (processing is carried out to conclude a contract with the data subject or to take action at the request of the data subject prior to concluding the contract) and applies to applicants until the expiration of the specific vacancy;
• Assessment of the suitability of candidates for open positions at the data controller, which includes an assessment of individual performance and skills and an assessment of the fulfillment of the conditions, criteria, and requirements of the open position;
• Exercising rights from labor law, i.e., inspection supervision;
• Fulfillment of legal obligations (processing is carried out to comply with the obligations prescribed by the laws regulating the registers in the field of work, as well as social and health insurance).

10. The legitimate interest of the data controller

The data controller may process personal data for certain legitimate business purposes, including some of the following:

• detecting and preventing potential fraud;
• improving the services and conditions we offer for the benefit of our clients, candidates, employees, and associates;
• to better understand and improve your interaction with our sites;
• for marketing purposes if necessary;
• monitoring the effectiveness of our own promotional campaigns and advertisements;
• improving business cooperation with potential clients;
• to answer any questions you may have when you contact us about our work, our services, and employment with us;
• identifying target groups interested in our services and providing all necessary information;
• to contact interested applicants when a position matching their qualifications opens;
• to improve our way of doing business and inform you about all important aspects of our work;
• to send you information via email that matches your interests;
• communicating with you and your representatives to complete the agreed work.

When collecting and processing your data, we apply the principle of data minimization, whereby we only collect data that are necessary for a specific purpose. When collecting data from visitors to our website, we only obtain data about which age group you are in, but not exactly how old you are, as well as from which geographical region you are accessing, but not your exact place of residence.

When collecting your information, we will ensure that your rights and the information are secured. You have the right not to give consent or to request withdrawal of consent or further processing; if you choose to do so, please contact the person below. Please also be aware that this will prevent us, or at least limit our ability to perform and provide services for your benefit. For this, you have previously given written consent to process data or to enable the processing of data without consent in accordance with the provisions of the applicable Law on Personal Data Protection.

11. Who has access to personal data?

• Employees and other persons engaged by the data controller, who have signed a contract with the data controller ensuring that all data are treated confidentially (NDA).
• Business partners or other organizations whose involvement is necessary to fulfill the legal obligations of the Data Controller, comply with obligations arising from employment, or perform the work assigned by the client to the data controller. All persons who have access to personal data are authorized to do so, and they have also entered into a contract with the Data Controller ensuring that all important data they encounter during their activities are kept as strictly confidential business secrets. The storage and processing of data by all persons at the data controller is carried out in accordance with all regulations of the applicable Law on Personal Data Protection.
• In exceptional cases, personal data may also be provided to the competent government authorities, if this is a legal obligation of the data controller, and only to the extent necessary for the fulfillment of a specific legal obligation.

12. Transfer of data

The transfer of data to EU/EEA countries is based on the standard level of appropriate protection of personal data in those countries, in accordance with applicable legislation. These countries may not have the same data protection laws as the country where you originally provided your personal data. Countries to which we may transfer the personal data we collect about you may include:

1. Within the European Union
2. Outside the European Union

• An appropriate level of protection is provided within the EU regarding automated processing of personal data, meaning that data are protected and processing is carried out as described in this Privacy Notice, and such transfers will be in accordance with applicable legislation.
• When we transfer personal data from the European Union to countries or international organizations outside the EU, the transfer takes place on the basis of:
• Adequacy decisions of the European Commission;
• in the absence of an adequacy decision, another legally permitted basis: (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules (in accordance with Article 47 GDPR); (c) standard data protection clauses (formerly called Model Clauses) adopted by the Commission. The standard clause establishes obligations for the exporter and importer of transferred data to ensure that the transfer protects the rights of the data subjects. The European Commission has established standard clauses to be used when transferring personal data outside the EU/EEA, and their content may not be modified.
• With prior notification to the local authority for the protection of personal data.

13. Sharing and disclosure of your information

The information we collect about you will not be shared, sold, or disclosed outside Younify D.O.O. without your consent. However, this does not include third parties who enable us to store information securely on servers, or who help us improve our business operations and service delivery, maintain our systems, and provide you with better service and a better experience on our sites, where all parties are obliged to keep all information confidential. Your information may only be shared in accordance with the Law, to protect your or others’ rights, as well as our property and safety.

14. Links to third-party websites

If links to third-party websites or services that are not owned or managed by Younify are found on our sites, we have no control over the content, privacy policies, or practices of such third-party websites or services and accept no responsibility for them. You hereby acknowledge that you will read the terms, conditions, and guidelines of the privacy policy of the websites or services offered by third parties on our sites, and that Younify will not be liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on such content, links, sites, or services.

15. Updating of notices

Over time, it may be necessary to amend this Privacy and Cookie Policy as required. We therefore request that you read and review the Policy periodically to stay informed of any changes.

16. Special and additional notices regarding the processing of personal data

Given the specificity of the purpose to be achieved by the collection and processing of data and in connection with the legal basis, the controller will, where applicable, inform data subjects of all specifications of such processing (Special Notice). Such notice and Special Notice shall apply to such processing if required. Also, if certain changes in the law or in our operations occur, this Notice will be updated to remain in accordance with the controller’s operations and applicable legislation.

17. Additional information on the processing of personal data

Any additional questions regarding the processing of personal data, including the exercise of data subject rights, may be directed to the email address: office@younify.nl and/or the address: Vozda Karadjordja 5/14, 18 000 Niš. The controller will respond to each inquiry as soon as possible, depending on the inquiry itself, but no later than within 30 business days from the date the inquiry was duly received. This period may be extended by a further 60 days if necessary, taking into account the complexity and number of requests. The controller is obliged to inform the data subject of the extension and the reasons for such extension within 30 days of receiving the request.

By using our website and our services, you confirm that you agree to the current version of the Privacy Policy. We reserve the right to update the Privacy Policy at any time to align it with current practices, and we encourage you to visit and read the Policy periodically to stay informed of any changes.