Notice to individuals under article 13 of the general data protection regulation (GDPR) regarding personal data processing
In this privacy statement, we want to tell you what personal information we may process, why we process it, and how we ensure that your rights and privacy are respected.
Protecting your privacy is extremely important to us, so read this notice carefully.
Definition of terms used
- Company: means company Hidria d.o.o.
- Personal data: means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, on the basis of this information.
- Processing: means operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing: means the marking of stored personal data with the aim of limiting their processing in the future.
- Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Filing system: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
- Third Party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Consent of the data subject: means any freely given, specific, informed and unambiguous statement or conduct or another clear affirmative action indicating the data subject's wishes by which they signify agreement to the processing of personal data relating to them.
- Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Supervisory authority: means independent public authority established by the member state. In Republic of Slovenia the supervisory authority is Information Commissioner.
- Cross-border processing of personal data: means either (1) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the EU where the controller or processor is established in more than one Member State; or(2) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- Contractual partners of the company: means those entities with which the company cooperates in business and in cooperation with which together or separately prepares benefits and special offers either of its services or the services of these contractual partners. With the prior explicit consent of the individual, the company may provide personal data for permitted marketing purposes to these entities.
For a term not explicitly explained in this paragraph, its meaning shall apply directly as derived from the GDPR and the applicable Personal Data Protection Act.
Identity and contact details of the controller
In accordance with the General Data Protection Regulation (Regulation (EC) No 2016/679) the entity responsible to determine the purpose and method of processing your personal data is the controller:
Name: Hidria d.o.o.
Registered office: Nazorjeva ulica 6A, 1000 Ljubljana
Company ID no.: 5045398000
Telephone no.: 05 3756000
E-mail address: firstname.lastname@example.org
Data protection officer
You can contact Data Protection officer via e-mail: email@example.com.
For what purposes and on what legal basis do we process your personal data?
We process your personal data in accordance with the provisions of General Data Protection Regulation, Personal Data Protection Act, Employment Relationships Act, Rules on the reporting of the vacancy or the type of work to the Employment Service of the Republic of Slovenia, public announcement and the process of job placements, Obligations Act and internal Rules on Video Surveillance.
We collect data for the following purposes:
- persons applying for job vacancy: selection of a candidate for the published vacancy,
- persons who send an application for employment on their own initiative: registration of job seekers due to the potential needs of the manager for the employment of persons with education or work experience that correspond to the job seeker,
- persons accessing premises subject to video surveillance: ensuring the safety of people and property,
- Hidria visitors: ensuring company safety and transparency of visitors,
- relatives of employees of the controller who register for the event: payment of registration fees, planning of number of participants at events, arranging sponsorship suits,
- contact persons and employees of business partners who access personal data of the controller: communication for the execution of transactions,
- persons who contact the controller via the Contact form on the website www.hidria.com
We process data in accordance with the following legal bases:
Conclusion and execution of contracts
The processing of your personal data is based on Article 6(1)(b) of the General Data Protection Regulation.
Personal data that you provide to us in the context of an application for employment or as potential business partners who, on the basis of an individual’s initiative, are at the stage of negotiations for the conclusion of a contract, are data that are strictly necessary for the conclusion of a business relationship or the execution of an individual contractual business relationship. Without the data provided, we cannot conclude the contract and later fulfil the rights and obligations arising from this contractual relationship. In this case, we process the data for the purpose of performance of the contract.
The processing of your personal data is based on Article 6(1)(a) of the General Data Protection Regulation.
The cases where we process your personal data on the basis of the given consent are: when a job seeker sends a job application and personal data to us on their own initiative, the data we collect to inform us about any events of the controller or promotional event and when registering an individual for the event, information about potential business partners and the information you provide to us through the Contact form on the website. Therefore, we also inform you that you have the right to withdraw your consent at any time in the manner described below among your rights.
The processing of your personal data is based on Article 6(1)(c) of the General Data Protection Regulation.
Hidria also processes personal data for the purpose of complying with legal and other regulations in force in the territory of the Republic of Slovenia and it is bound by it. On a legal basis, we process data that we obtain from you through video surveillance, which is required by Articles 74 and 77 of the Personal Data Protection Act and the records of entries and exits from the premises under Article 82 of the Personal Data Protection Act.
Legitimate interest of the controller
The processing of your personal data is based on Article 6(1)(f) of the General Data Protection Regulation.
The controller processes your personal data on the basis of its legitimate interests pursued by the company, in cases where the interests or fundamental rights and freedoms of recipient do not prevail over these interests. Based on a legitimate interest, Hidria processes data on contact persons with business partners who are legal entities for the execution of the cooperation agreement between the controller and the business partner pursuant to Article 10(2) of the Personal Data Protection Act.
If we further process your personal data for a purpose other than that for which we have collected them, we will provide you with all the prescribed information on this other purpose before further processing, in accordance with Article 13 of the GDPR.
What categories of personal data do we process?
The company strives to minimise the processing of personal data (minimisation) and endeavours to collect from its customers or individuals only the data that are strictly necessary for the implementation of legal provisions and legitimate interests of clients in a contractual relationship.
In order to achieve the purpose of the processing set out in this statement, the controller shall process the following categories of personal data:
- data from the online database of job seekers: name and surname, address, city, gender, postal code, country, year of birth, level of completed education, field of education, telephone, e-mail address, active knowledge of foreign languages, passive knowledge of foreign languages, additional skills, previous employers, duration of work experience, desired area of work, desired location of work, comment, other data provided by the job candidate on their own initiative,
- data from the ERP database of job seekers: name and surname, address, city, gender, postal code, country, year of birth, level of completed education, field of education, telephone, e-mail address, active knowledge of foreign languages, passive knowledge of foreign languages, additional skills, previous employers, duration of work experience, desired area of work, desired location of work, comment, date and time of job interview, work experience, medical examination,
- data from job applications and CVs: name and surname, address, postal code, place, telephone number, e-mail address, education, work experience, competencies, other data provided by the job candidate on their own initiative,
- data from the job offer: name, surname, address, telephone number, area of work, work experience, signature, other data provided by the job candidate on their own initiative,
- data from the Application for Employment: name and surname, job position, CV data, basic gross salary,
- video clips: image, date and time,
- intranet records data: name and surname, company from which the person comes from, name and surname of the employee who will receive the visitor, registration plate,
- data from the Excel table and intranet of applications: name and surname, year of birth, address, place, postal code, country, e-mail address, mobile number, gender, company, status, name and surname of family members, family relationship,
- data from the ERP system: name and surname, company, e-mail address,
- data from the b2b.hidria.com supplier portal: name and surname, company, e mail address,
- data from the Excel table for Adrema of journalists: surname, name, medium, e-mail address, address, postal code, place, telephone,
- data from the Excel table List of recipients of Hidria magazine: name and surname, company, address, postal code, place, name and surname of the applicant,
- data from the Risk Management application: name, surname, company, address, financial results of the company,
- information from the Contact form on the operator’s website: first name, surname, company, address.
To whom can your data be disclosed?
If it is necessary to achieve the above-mentioned purpose of processing or if required by regulations, we may disclose your personal data to natural and legal persons, public authorities or other bodies (external users). Regardless of the external users to whom we provide your personal data, we will provide only those data that are necessary to achieve a specific purpose of processing.
We may share the data with the following external users:
- maintainer of the job seeker’s website,
- ERP system maintainer,
- server maintainer.
- intranet portal maintainer,
- external training organisers,
- external users of the B2B.hidria.com portal who are granted access by the operator,
- on the basis of an explicit request, users who are entitled to obtain personal data by the law, personal consent of an individual or contractual relationship.
When, in accordance with the regulations for the processing of your personal data, we hire other natural or legal persons who will process your personal data exclusively on our behalf and in accordance with our instructions (processors), we will only hire those processors who can ensure the implementation of appropriate technical and organisational measures that comply with the requirements of the General Data Protection Regulation and personal data protection regulations and ensure adequate protection of your rights.
Where are your personal data processed?
Your personal data are processed only within the European Economic Area (EEA).
In case there is a need to share your personal data with recipients in third countries, we will only do so if the European Commission decides that these are countries that ensure an adequate level of protection of personal data as required by the GDPR or if there are appropriate safeguards (e.g. Standard Contractual Clauses). For information on the security measures taken, please contact our Data Protection Officer mentioned above.
How long do we keep your personal information?
The storage period of personal data depends on the basis and purpose of processing of each category of personal data. Personal data may be stored only for as long as it is necessary to achieve the purpose for which they were collected or further processed. Personal data shall be erased, destroyed, blocked or anonymised after the purpose of the processing has been fulfilled, unless there is no other legal basis or if this is necessary for the assertion, implementation or defence of legal claims.
Data on unselected persons applying for the vacancy may be kept for 38 days after the individual has been informed that he or she has not been selected (taking into account the deadlines referred to in Article 30 and paragraph 5 of Article 200 of the Employment Act). However, if one of the candidates makes a request for judicial redress before the Labour Court, the data on all applicants may be kept until such a proceedings have been completed.
Data on persons who submit a job application on their own initiative may be kept for as long as is normally necessary to respond to the offers received, on the basis of Article 5(1)(e) of the General Data Protection Regulation, and thereafter only if the job seeker’s consent to retain their data has been given and until such consent has been withdrawn pursuant to Article 7(3) GDPR (right to withdraw consent) in conjunction with Article 17(1)(b) of the GDPR (right to erasure).
Video data are kept on the server of the controller for up to 60 days, in accordance with Article 75(5) of the Personal Data Protection Act.
Data on visitors to Hidria may be kept for a maximum of three years from registration pursuant to Article 82(4) of the Personal Data Protection Act.
Data on relatives of employees of the controller who register for an event may be kept until the individual's consent is revoked on the basis of Article 10(1) of the Personal Data Protection Act and Article 6(1)(a) of Regulation (EU) 2016/679 or until the end of the event on the basis of Article 21(1) of the Personal Data Protection Act, otherwise they are kept for 18 months after the event. In the case of events for which the registration fee is paid, the data may be kept for 5 years after the completion of the individual event (general limitation period) on the basis of Article 346 of the Code of Obligations.
Data on business partners who are natural persons can be kept for the duration of the contractual relationship and for 5 years after the termination on the basis of Article 346 of the Code of Obligations.
Data on contact persons at business partners may be kept for the period of validity of the concluded contract or until the change of contact person or until the expiry of limitation periods in relation to claims from the concluded contract, which could be charged to the contact person on the basis of Article 10(2) of the Personal Data Protection Act.
Data on potential business partners may be kept until the withdrawal of consent by the individual pursuant to Article 10(1) of the Personal Data Protection Act and Article 7(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Data on persons who contact the controller via the Contact form on the website are kept for one year from the registration or until cancellation.
Are your personal data subject to automated decision making and profiling?
Your personal data are not subject to automated decision-making and profiling under Article 13(2)(f) of the GDPR.
What are your rights in relation to the processing of your personal data?
As a person whose personal data we process, we would like to inform you that you have the following rights regarding the processing of your personal data under the conditions prescribed by the General Data Protection Regulation:
Right of access and knowledge
The data subject shall have the right of access to the personal data collected in connection with them in order to become acquainted with the processing and to verify its lawfulness.
Right to correction
You have the right to update your information and correct inaccurate data to ensure that we always have the correct information about you.
Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them without undue delay where one of the following grounds applies:
- personal data are no longer needed for the purpose for which they have been collected or otherwise processed,
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
- personal data were processed illegally,
- where so provided by law.
Right to objection
You can always submit an objection to the processing of your personal data for direct marketing. This means that in case of your objection, we will cease to use your personal data for direct marketing purposes. You also have the right to object to any processing that we carry out on the basis of a legitimate interest. In the event of an objection, you must specify exactly what you object to and why. Then we need to prove convincing legitimate grounds for processing which outweigh the interests, rights and freedoms of the individual, or show that our data processing is aimed at establishing, asserting or defending legal claims.
Right to restriction
You have the right to request a temporary restriction on the processing of your personal data. Processing may be restricted in the following cases:
- the data subject disputes the accuracy of the data for a period which allows the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject objects to the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to assert, implement or defend legal claims,
- the data subject has lodged an objection in accordance with the provisions of the Personal Data Protection Act (21(1) GDPR) regarding the processing of data until it is verified that the legitimate reasons of the controller outweigh the reasons of the data subject.
Right to data portability
You have the right to obtain the information you have provided to us in order to use it elsewhere. This right applies only in cases where our processing of your personal data is based on your consent to the processing of your personal data or where you have signed a contract with us.
Right to lodge a complaint with a supervisory authority
If you believe that the processing of personal data violates the provisions in the field of personal data protection, you have the right to lodge a complaint with the supervisory authority. In the Republic of Slovenia, this is the Information Commissioner (address: Dunajska 22, 1000 Ljubljana, e-mail address: firstname.lastname@example.org, telephone: 01 230 97 30, website: www.ip-rs.si).
Without prejudice to your right to lodge a complaint with the supervisory authority, we suggest that you contact our Data Protection Officer before clarifying the complaint to clarify any disputes.
Hidria reserves the right to amend this General Information to ensure compliance with regulations related to personal data protection.
This General Information shall apply and be in force as of 9 August 2021.
Cookies are small text files used on websites to make the user experience more efficient.
By law, cookies may be stored on your device if they are strictly necessary for the website to work. For all other types of cookies, your consent is required.
Different types of cookies are used on this website. Some cookies are used at the request of third parties appearing on our site.
The following cookies are used to ensure that all the website functions are available:
- Strictly necessary cookies are required as they make the website functional by allowing basic functions such as page navigation and access to secure website areas. Without these cookies, the website site is unable to work properly.
- Statistics cookies are cookies needed for tracking visits to the website in order to improve the user experience.
- Marketing cookies anonymously collect information about your website visits. Their purpose is to display ads that are relevant and interesting to each individual user.
An exact description and the expiry period of each cookie are provided in the table below.
Strictly Necessary Cookies:
Strictly necessary cookies make the website functional by allowing basic functions such as page navigation and access to secure website areas. Without these cookies, the website site is unable to work properly.
|_iCD2||www.hidria.com||1 year||Used to store the user’s decision regarding cookies. The validity of a cookie is determined by the user.|
Statistics cookies help website owners understand how visitors use and interact with the website by collecting and reporting information anonymously.
|_ga||Google Analytics||2 years||Used to distinguish users.|
|_ga_(container-id)||Google Analytics||2 years||Used to persist session state.|
|_ga||Google Analytics||2 years||Registers a unique ID that is used to generate statistical data on how the visitor uses the website.|
|_gat_UA-10523968-1||Google Analytics||a minute||Used by Google Analytics to throttle request rate.|
|_gid||Google Analytics||a day||Registers a unique ID that is used to generate statistical data on how the visitor uses the website.|
The Policy is published on the website https://www.hidria.com and came into effect on 25 May 2018.