Younify D.O.O. Vozda Karadjordja 5/14 Niš, has the capacity of the Controller in the sense of Article 4 paragraph 1 item 8) of the Law on Protection of Personal Data (Official Gazette, No. 86/18, hereinafter LPPD), hereby informs the persons whose personal data are collected and processed about all relevant aspects of the collection and processing of such information in accordance with the provisions of the applicable Personal Data Protection Law.
What is Personal Data?
“Personal data” means any information relating to an individual whose identity is determined or identifiable, directly or indirectly, in particular on the basis of an identity tag, such as name and identification number, location data, identifiers in electronic communications networks or one that is, more features of his physical, physiological, genetic, mental, economic, cultural and social identity;
What is the processing of personal data?
“Personal Data Processing” means any action or set of actions that are performed with personal data or sets thereof, such as collecting, recording, sorting, grouping, or structuring, storing, rendering, or modifying, disclosing, the use, disclosure by transmission, i.e. delivery, duplication, dissemination or otherwise of making available, comparison, restriction, deletion or destruction (hereinafter referred to as processing);
What can the data collection be all about?
“collection of data” means any structured set of personal data that is available in accordance with specific criteria, whether the collection is centralized, decentralized or classified on a functional or geographical basis;
What is profiling?
“profiling” means any form of automated processing used to evaluate a particular personality trait, in particular for the purpose of analyzing or predicting the physical performance of an individual, his or her economic position, health status, personal preferences, interests, reliability, behavior, location or movement;
Who does “third party / Who are third parties” mean?
“third party” means a natural or legal person, or authority, other than the data owner, nor controller or processor, nor a person authorized to process personal data under the direct control of the controller or processor;
When collecting and processing data, the Controller adheres to the basic principles of processing, which imply that personal data must:
1) be processed lawfully, fairly and transparently in relation to the data subject (“legality, honesty and transparency”). Data processing is performed solely with an adequate legal basis in accordance with the law;
2) be collected for purposes that are specifically specified, express, justified and lawful and still cannot be processed in a manner inconsistent with those purposes (“restriction on processing purpose”);
3) be appropriate, relevant and limited to what is necessary for relation to the purpose of the processing (“data minimization”);
4) be accurate and, if necessary, updated. Considering the purpose of the processing, all reasonable steps must be taken to ensure that incorrect personal data are promptly deleted or corrected (“accuracy”);
5) be stored in a form that permits the identification of the person only within the time necessary for the accomplishment of the processing purpose (“retention limit”);
6) be handled in such a way as to ensure adequate protection of personal data, including protection against unauthorized or unlawful processing, as well as from accidental loss, destruction or damage by appropriate technical, organizational and personnel measures (“integrity and confidentiality”).
1. The categories of persons whose data are collected and to whom this notification applies.
2. What data are being collected and for what purposes are being collected?
3. How are they collected?
4. How data are stored and what are protection measures taken?
5. Legal basis for collection?
6. Data retention period?
7. Rights of persons whose data are being processed?
8. Information to be provided when personal data are not collected from the data subject.
9. Automated individual decision making and profiling.
10. The legitimate interest of the Controller.
11. Who has access to personal information?
12. Data transmission outside the country.
13. Sharing and disclosing your information.
14. Links to Third-Party Sites.
15. Updating Notifications
16. Special and additional notices regarding the processing of personal data
17. Additional information on personal data processing
1. The categories of persons whose data are collected and to whom this notification applies:
The Collector (Younify D.O.O .; “we”; “us”; “our”) collects and processes personal information from:
1. Applicants applying for a job
2. Visitors of our website and social media profiles
3. Business partners (Clients, our business partners, our associates, the people we hire to work on projects of our clients…)
2. What information do we collect and for what purposes do we collect and process it?
We collect a minimum amount of data only to the extent necessary to achieve the purpose of the processing, which is specified, justified and lawful. We collect personally identifiable information directly from the data subject, or through their employers, subcontractors, business partners or, where applicable, other third parties, only to the extent necessary for the specific purpose and depending on the category persons to whom personal data relate.
Depending on the category of the data subject and depending on the purpose of collecting and processing the data, we may collect your personal information such as:
I From Job Candidate: If you are a candidate applying for a job to us, or create an application for registration on our website, by submitting a CV and participating in the job candidate selection process, the following types of personal information may be collected and processed :
• name, surname, address, email address and telephone number
• CV information:
• employment and education history;
• language skills and other skills related to work, in accordance with the requirements of a specific workplace according to Systematization of Jobs;
• ID number, if we conclude the Contract
• Date of Birth;
• the information provided in the references;
• information provided on your career interests and other information on the qualifications of job applicants
-information about your recommendations or other people you would like us to get in touch with because of vacancy. (By making a recommendation, the Collector understands that you have obtained the authorization of the person you recommend for such communication) ;.
For what purposes do we collect and process job applicant information?
• Establishing an employment relationship or other types of employment (processing is done to conclude a contract with the data subject or to take appropriate measures of assessment, verification and identification of the data subject before the conclusion of the contract) to job candidates;
• Assessment of the eligibility of candidates for open positions with the Collector, which includes the assessment of individual performance and skills and the assessment of the fulfillment of the conditions, criteria, and requirements of the open position, i.e. profiling.
• Potential contacting of job candidates after the end of a specific vacancy, and refers to candidates who want us to have their data processed after the end of a specific vacancy when a new position is opened;
• Responding to candidates’ questions and requests by email;
• Informing the persons whose data (candidates) are being processed on the activities of the Controller, promoting our and sending advertisement messages through the various communication methods available (sending promotional emails, informing through announcements on social network accounts, sending promotional materials and periodic employment announcements.).
• Compliance with and implementation of applicable legal requirements, relevant standards, contractual obligations and our policies.
II From Persons who are visiting our websites and profiles on social networks:
1) Contact information and data left when filling out the contact form on the website of the Controller (Name, surname, e-mail address, contact telephone);
2) Data collected through cookies on the Web site of the Controller and data from Google Analytics (demographics, location, age> 18, gender), but based on this information we can not identify a specific person, but only to which group, according to the data types, you belong to e.g. Over 18 years old, geographical location, but not the exact location ..
3) Data that are designated as publicly available in accordance with the policy of the particular social network and such processing is done on the basis of data subject activities on our page on social network, in accordance with the policy of the specific social network.
The purpose of collecting information from visitors to the web site is:
• providing solutions for hiring and connecting people to job opportunities;
• improving services and conditions for the benefit of our employees, clients, candidates, and associates; (legitimate interest of the controller – see point 10 of this Notice)
• if permitted by law, sending promotional materials and other communications promoting the activities of the controller (sending promotional emails, informing through posts on social network accounts, sending promotional materials);
• when permitted by law to pass on information to others about special or new services, promotions, programs, offers, and market research;
• answering questions and requests of persons completing the contact form about the services of the Controller or applying for employment on a vacancy
• managing, evaluating and enhancing our business (including developing, improving, analyzing and enhancing our services, managing our communications, performing data analytics and performing accounting, auditing, and other internal functions);
III From business partners
• We collect information relating to legal entities: Company name, address, PIB number, company identification number, telephone number, however, this information does not belong to personal data. We may obtain personal information such as first and last name, job position in the client’s company, business e-mail address containing the first and last name and contact telephone.
This information are necessary to communicate and ensure that the person with whom we are communicating is indeed authorized to do such communication and correspondence on behalf of our business partner.
Personal information is also necessary when establishing a contractual relationship with a business partner.
Another way we collect information about you is to fill in the contact forms on our website when you leave your personal information (name and surname, contact phone number, e-mail address), and again in order to answer your questions and leave you a notification about our work and the services we provide.
Your data may be collected even by visiting our site, but with the help of cookies settings, you can choose which of your data will be saved and disable those for which you do not give your consent. You are under no obligation to give consent to the collection of all data and this will in no way affect the quality of the services we may provide to you, however, it is explained in more detail in the Cookies Policy.
The purpose of collecting information from business partners is to:
• Making of the contract with the data subject and performance of contractual obligations.
• Performance of legal and contractual obligations of the Controller
• Performing a contract-defined work that is concluded with the (client) data subject
• When justified by law for the purpose of informing data subjects about the activities of the Controller, informing about new services
• Improvement of business relations and improvement of services and conditions between business partners and the Controller
• The legitimate interests of the controller (see clause 10 of this Notice)
3. How are the data collected?
• From Candidate: Personal data are collected either directly from the subject or from their employers, co-contractors, business partners, data that persons seeking work make public on their social profiles, on their own initiative publicly disclosing their personal data on social and business networks, persons applying for a position to the controller by sending a CV to the email or creating an application for registration on the controller’s website or, where applicable, from other third parties (for example, the Infostud-HR Lab website, in relation to the candidate’s personal data ). When it does not obtain data directly from the data subject, the controller shall be informed in advance whether the data subject is authorized to forward the data to the controller.
• Personality information is collected through contact forms, which are filled in by the persons whose information is collected on the website of the controller.
• From business partners: Personal information we collect either directly from the person whose data are processed or through their, employers, partners or through cookies or contact forms on the website which the clients themselves fill out.
4. How are the data protected?
The personal data are kept by the controller in internal electronic and material records (databases) over which all necessary organizational, technical and personnel protection measures are applied in accordance with the requirements of the applicable LPPD, including:
– control of physical access to the system where the data are stored, which in particular implies that the server on which the data are stored is protected by a frame – rack, which is kept under lock and key, which is owned only by authorized persons; the systems on which the data are stored are on the premises provided with an alarm system that provides access only to employees who know the password for deactivating the alarm system
– control of access to data: the computer systems on which the data are stored are secured by a password system and electronic access is only possible for authorized persons and only with knowledge of a password that respects valid recommendations regarding password formation (combination of lower and upper case letters, characters, appropriate lengths, etc.).
-control of access to data, physical and electronic accesses are available only for authorized persons, only those persons whose jobs require access to records.
– control of data entry, which implies that only the authorized person collects personal data and stores them in the records;
– control of data transmission, which implies that the transmission to any authorized person is done exclusively by the usually protected forms of communication;
– other information security measures, in accordance with best practice;
-All other measures are necessary for the protection of personal data.
5. Legal basis for data collection:
The controller processes personal data, depending on the category of the data subject, based on:
1. informed consent of the data subject within the meaning of Article 15 of the Law of personal data protection. In the case of processing on the basis of informed consent, the data subject is authorized to revoke that consent at any time, the recall entails the termination of any further processing, without prejudice to the processing performed so far.
2. for the fulfillment of the legal obligations of the controller, which regulates the records in the field of work, as well as the laws governing social and health care, and such processing is necessary in order to comply with the legal obligations of the controller within the meaning of Article 12 paragraph 1 item 3) of the LPPD;
3. for the exercise of the legitimate interests of the controller or third party (within the meaning of Article 12, paragraph 1, item 6) of the personal data protection law, all depending on the category of personal data being processed and on the purpose of processing personal data.
4. work out the realization and fulfillment of contractual obligations with the person who is the contracting authority. Processing is necessary to execute a contract concluded with the data subject or to take action, at the request of the data subject, before concluding the contract;
6. Data retention period
• Depending on the category of data which is being processed, personal data are stored for a period in which it is necessary to carry out a specific purpose or until there is a legitimate interest in processing them (see clause 10 of this Notice, to which all legitimate interests may relate), or until the revocation of informed consent, within the meaning of Article 15, paragraph 3 of the personal data protection law, which also signifies the automatic cessation of further processing of personal data.
• Data are kept to a minimum, ie only as long as it is necessary to achieve a specific purpose and only the data necessary to achieve a legitimate purpose are retained, all other personal data are deleted immediately after the fulfillment of the specific purpose.
– Data of candidates who have not passed the selection process are deleted upon completion of the specific recruitment process unless the candidate has voluntarily emphasized that he or she wants us to keep his Cv for the next open positions whose conditions match his qualifications.
– Customer contact information is kept for 10 years from the last contact with the customer, due to the potential re-cooperation, possible contact in case of providing services for which the client is interested, possible updates, improvement of business cooperation, demand and market research, feedback on services, possible referrals and marketing when permitted by law and when a business partner gives consent for this processing, while other personal data provided by clients are deleted immediately after the termination of cooperation with them.
7. Rights of persons whose data are collected and processed
Rights of the data subject:
• the right to request processing information (Articles 23 and 24 of LPPD);
• the right to request from the controller access to personal data and processing information (Article 26 of the LPPD);
• the right to request the correction, supplementation or deletion of personal data, as well as the limitation of processing (Art. 29,30,31 and 33 LPPD);
• the right to data portability (Article 36 LPPD);
• the right to process complaints (Articles 37-39 of the LPPD);
• the right not to be subject to a decision made solely on the basis of automated processing, including profiling (Article 38 of the LPPD);
• the right to be informed of a violation of personal data, if such a breach of personal data may create a high risk to the rights and freedoms of natural persons (Article 53 of the LPPD);
• the right to file a complaint with the Commissioner for access to information of public importance and protection of personal data (Article 82 LPPD);
• the right to judicial protection if he/she considers that his / her rights under the LPPD have been violated (Article 84 of the LPPD);
• other rights guaranteed by the applicable Law of personal data protection.
The controller is obliged to reply to the request to the data subject without delay and to do so without delay, not later than 30 days from the day of receipt of the request. That deadline can be extended by another 60 days if necessary, taking into account the complexity and number of requests. The controller shall notify the data subject within 30 days of receipt of the request about the extension of the deadline and the reasons for such extension.
If the request of the data subject is manifestly ill-founded or excessive, and in particular if the same request is repeated, the controller may:
1) charge the necessary administrative costs of providing information, or acting upon a request;
2) refuses to act on the request.
8. Information that should be provided when personal data are not collected from the data subject.
When the controller collects data from third parties the controller shall be informed in advance whether the data subject is empowered to forward the data to the controller. The controller shall ensure that in any case third parties are informed of their rights and all relevant aspects, in accordance with Article 24 of the LPPD.
9. Automated individual decision making and profiling
In some cases, the persons whose data are collected and processed can be made solely on the basis of automated processing, including profiling, and these are cases where such a decision is:
1) necessary for the conclusion or execution of the contract between the data subject and the controller;
2) based on the law if that law prescribes appropriate measures for the protection of the rights, freedoms and legitimate interests of the data subject;
3) based on the explicit consent of the data subject
In our country, automated decision making and profiling are done only in certain and legally justified situations, with data relating to employees and job candidates, due to:
• Employment according to labor law or other types of employment (processing is done to conclude a contract with the data subject or to take action at the request of the data subject prior to the conclusion of the contract) and applies to job candidates up to the expiry of the specific competition;
• Assessment of the eligibility of candidates for open positions with the controller, which includes an assessment of individual performance and skills and an assessment of the fulfillment of the conditions, criteria, and requirements of the open position.
• Exercising rights from labour law, ie inspection supervision.
• Fulfillment of legal obligations (processing is performed in order to fulfill the obligations prescribed by the laws governing records in the field of work, as well as social and health insurance).
10. The legitimate interest of the controller
The data controller may process personal data for certain legitimate business purposes, including some of the following:
• detecting and preventing possible fraud;
• improving the services and conditions we provide for the benefit of our clients, candidates, employees, and associates;
• to better understand and enhance your interaction with our sites;
• for marketing purposes when necessary;
• check the effectiveness of our own promotional campaigns and advertisements;
• improving business cooperation with potential clients;
• to answer any questions you may have when asking us about our work, services, and employment with us;
• identify target groups that are interested in our services and provide all the necessary information;
• to contact interested job candidates when a position which fits with their qualifications is opened;
• to improve our way of doing business and to inform you about all the important aspects of our work;
• email you information that is consistent with your interests;
• communicate with you and your representatives in order to complete the agreed work.
When collecting and processing your data, we use the principle of data minimization, where we collect only data that is necessary for a specific purpose. When collecting data from visitors to our website, we obtain data only at what age group you are, but not exactly how old you are, then from which geographical region you access but not your exact place of residence.
When collecting your information, we will make sure that your rights and the information are secured. You have the right not to consent or to request the revocation of consent or further processing, and if you choose to do so, contact the person below. Also, be aware that this will disable us or at least limit our ability to perform and provide services in your favor, and for that, you have previously given written consent to process or enable the processing of data without consent in accordance with the provisions of the applicable Personal Data Protection Act.
11. Who has access to personal information?
• Employees and otherwise engaged persons at the controller, who have signed a contract with the controller which ensures that all data are kept confidential (NDA).
• Business associates or other organizations whose involvement is necessary in order to fulfill the legal obligations of the Controller, fulfill the obligations arising from employment, perform the ordered work to the controller by the client. All persons having access to personal data are authorized to do so and they have also entered into a contract with the Controller that ensures that all important data they encounter when working as a strictly confidential business secret is kept. The storage and processing of data by all persons with the controller is carried out in accordance with all regulations of the applicable Law on Protection of Personal Data
• Exceptionally, personal data may also be provided to the competent state authorities, if this is a legal obligation of the controller, and only to the extent necessary for the fulfillment of a specific legal obligation.
12. Data transmission
The transfer of data to EU / EEA countries is based on the default level of appropriate protection of personal data in those countries, in accordance with applicable law. These countries may not have the same data protection laws as the country where you originally provided your personal information. Countries, where we can transfer personal information we collect about you, could be:
1. Within the European Union
2. Outside the European Union
• An adequate level of protection is provided within the EU with respect to automatic processing of personal data, i.e. data are protected and processing is done as described in this Privacy Notice and such transfers will be in accordance with applicable law.
• When we transfer personal data from the European Union to countries or international organizations outside the EU, the transfer is made on the basis of:
• Decisions on adequacy by the European Commission;
• in the absence of a decision on the adequacy of another legally permissible basis (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules (in accordance with Article 47 GDPR); (c) standard data protection clauses (formerly called Model Clauses) adopted by the Commission. The standard clause establishes obligations for the exporter and importer of portable data to ensure that the transfer will protect the rights of the data subjects. The European Commission has defined standard clauses to be used when transferring personal data outside the EU / EEA and
their content must not be altered.
• With prior notice from the local state personal data protection authority
13. Sharing and disclosing your information
Your information we collect will not be shared, sold or disclosed outside the Younify D.O.O. without your approval. However, this does not include third parties that allow us to securely store information on servers, then those that help improve our business, service and maintain our systems and provide better
service to you and a better experience on our sites, with all parties being required to keep all information confidential. Your information may be shared only in accordance with the Law, to protect your or others’ rights, as well as our property and safety.
14. Links to Third Party Sites
If links to third-party sites or services owned or controlled by Younify are found on our sites, we have no control over such content, privacy policies or practices of any third-party sites or services and does not take over responsibility for them. You hereby acknowledge that you will read the terms, conditions, and guidelines on the privacy policies of the websites or services provided by any of the third parties you encounter on our sites, and that Younify will not be liable, directly or indirectly, for any damage or loss caused or allegedly caused or related to the use or reliance on such content, link, sites or services.
15. Update notification:
16. Special and additional notices regarding the processing of personal data
Given the specificity of the purpose that the collection and processing of data should achieve and in relation to the legal basis, the controller shall, as appropriate, in relation to such processing, inform the data subjects of all its specificities (Special Notice). Such notice and Special Notice shall apply to such processing if required. Also, if certain changes to the law or our work occur, this Notice will be updated to comply with the work of the controller and applicable law.
17. Additional information on personal data processing
All additional questions regarding the processing of personal data, including how to exercise the rights of the data subject, can be directed to the e-mail address: firstname.lastname@example.org. and/or address of Vozda Karadjordja 5/14, 18 000 Niš. The controller will respond to each query as soon as possible, depending on the query itself, but no later than 30 working days from the date of the duly received query. The deadline can be extended by another 60 days if necessary, taking into account the complexity and number of requests. The controller is obliged to inform the data subject within 30 days from the day of receipt of the request about the extension of the deadline and the reasons for such extension.