PRIVACY POLICY OF COMPANY EPTISA ADRIA d.o.o.

This Privacy Policy is intended to provide you with information on how EPTISA ADRIA d.o.o. (“Eptisa”, “we”, “us” and “our”) collect and process your personal data.

This Privacy Policy explains how, and for which purposes we process your personal data. We will only process your personal data in accordance with this Privacy Policy and applicable law to which we are subject, in particular the EU General Data Protection Regulation (EU 2016/679) (hereinafter the “GDPR”) and the Croatian General Regulation Data Protection Implementation Act (Official gazette 42/18) supplementing the GDPR and any amendments thereto.

This Privacy Policy does not apply to employees of Eptisa, but information on the processing of personal data of employees is contained in a separate document.

The company responsible for processing your personal data is:

EPTISA ADRIA d.o.o.
Rapska ulica 4
10000 Zagreb
OIB: 28457369235
represented by Mr. Josip Ćorić, director
adria@eptisa.com

You can always contact Eptisa with questions or concerns about how we process your personal data.

We get your personal data from the following sources:

• by filling out the contact form
• by filling out the open job application form

Eptisa collects and processes your personal data during the recruitment process, which it received directly from you via an open application for employment, an application for employment on an open application in person and/or by mail and/or by email and/or through alternative channels (for example, portals specialized in advertising vacancies).

The data we process in this case includes, but is not limited to, the following data:

• Identification and contact information: name and surname, date of birth, personal identification number, telephone number, e-mail, mobile phone, address (street, city, postal code);
• Data on education and work experience: data from the CV, certificate of professional training, document proving work experience, recommendations from former employers or third parties;
• Other information that you provide us in the application and CV and other accompanying documentation (e.g., skills and personal interests, driver’s license, photo, etc.).

In general, Eptisa does not collect special categories of candidate’s personal data, but it is possible for the candidate to provide information on health and/or social status in the job application and/or open application. In that case, the legal basis for processing this data is the candidate’s publication of this data.

Your data may be processed for the following purposes:

• potential employment in Eptisa.

Eptisa processes your personal data for the purpose of checking and determining qualifications for employment, evaluating candidates and communicating during the employment process. In the case when we process personal data on the basis of an open request and by sending an application, we process it in order to take actions at your request before concluding a contract.

• Creating a candidate base and/or contacting candidates for potential future employment of candidates in Eptisa.

Eptisa may ask the candidate for consent for the processing of personal data (for example, for the purpose of processing personal data after the end of the competition in order to save the candidate’s data in the Company’s database), in which case such processing is based on the candidate’s consent.

When visiting the Eptisa website www.eptisa-adria.hr Eptisa uses certain technologies that automatically collect certain information related to the way the user uses our website, such as an IP address or some other unique device code (computer, mobile phone or other device) that serve you to search the Internet page, technical data that may include the URL from which the user originates, browser data, language. These data could lead to your identification, but we do not use them for that. From time to time, we use the data for statistical purposes, but at the same time we maintain the anonymity of each user, so that person cannot be identified.

The issue of personal data processing through cookies can be found in the Cookie Policy, where you can get information about the possible processing of personal data through cookies and adjust the cookies that will be used on the website.

On the Eptisa website www.eptisa-adria.hr there is a contact form through which you can contact Eptisa. In the event that you fill out such a form, we will process your personal data specified in it in order to respond to your request.

Eptisa keeps your personal data as long as it is necessary for the business purposes for which the data was collected.

We will delete the personal data of candidates with whom a working relationship has not been established within 6 months from the end of the competition or the date when the candidate is notified of the results of the competition. With the consent of the candidate, Eptisa stores personal data until your consent is withdrawn. If you do not withdraw your consent, we will delete your personal data by after 5 years from collection of those data. If the candidate is offered and the candidate accepts employment in Eptisa, the data will continue to be kept as an employee data.

Recordings obtained through video surveillance are a business secret and are stored for a maximum of 30 days, unless another law prescribes a longer retention period or if they are evidence in court, administrative, arbitration or other equivalent proceedings.

Data related to cooperation with suppliers and business associates are kept throughout the entire period of business relationship between Eptisa and the supplier. After the termination of the business relationship, personal data obtained in the relationship with the supplier will be kept for a further period of three years from the termination of the relationship.

We may share your personal data with:

• EPTISA PROYECTOS INTERNACIONALES S.A.;
• Other Eptisa entities (e.g., Eptisa affiliates in other countries)
• Suppliers or vendors that assist our company (e.g., providers assisting Eptisa with employee share programs, consultants, IT service providers, financial institutions, law firms);
• Public authorities, where permitted or required by law.

To the extent suppliers or vendors are engaged to process personal data on our behalf, those third parties are data processors. Contractual arrangements are established to ensure that such data processors are only allowed to process personal data in accordance with our instructions and for our purposes and to require such data processors to establish adequate organizational and technical security measures.

For the purposes described above in Section 3, we may need to transfer your personal data to countries outside the European Economic Area (EEA). The level of data protection in certain countries outside the EEA does not conform to the level of data protection for personal data currently applied and enforced within the EEA. We therefore use the following safeguards, as required by law, to protect your personal data in case of such transfers:

• The destination countries are deemed by the EU Commission to have an adequate level of protection of personal data;
• We have entered into Standard Contractual Clauses for the Transfer of Personal Data to Third Countries. You can get a copy of the Clauses by contacting us as described in Section 1.

You have a number of rights in relation to our processing of your personal data, including the right to:

• Get an overview of what personal data we have about you;
• Get a copy of your personal data in a structured, commonly used and machine-readable format;
• Get an update or correction to your personal data;
• Have your personal data deleted or destroyed;
• Have us stop or limit processing your personal data;
• Object to our processing of your personal data;
• If you have given consent for us to process your personal data, you can withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent;
• Lodge a complaint with a supervisory authority. In Croatia, the supervisory authority is the Croatian Data Protection Agency

You should be aware that your rights may be subject to conditions or restrictions, meaning that you will not always be able to exercise all your rights. It depends on the specific circumstances in connection with the processing activities. Please make use of the contact details listed in Section 1, should you have any questions or requests relating to these rights.