Login
Privacy policy - Elysium CareerPrivacy policy - Elysium Career

Privacy policy

RULE ON COLLECTION, PROCESSING AND
PROTECTION OF PERSONAL DATA

General Provisions
Article 1

This Ordinance regulates the general processing procedures and personal data protection measures, the purposes and means of personal data processing and the protection of individuals with regard to the processing of personal data and the rules by which the trading company ElysiumCareer j.d.o.o., as The processing manager, his
employees, contractual partners and other natural and legal persons and all collaborators adhere to when collecting, processing and storing all groups of personal data, all in order for the Data Controller to fulfill its legal obligations. The Rulebook includes general measures for the protection of personal data
during their collection, processing, storage, transmission and use. The purpose of this Ordinance is to ensure that the trading company ElysiumCareer d.o.o. when processing personal data, it acts in accordance with the regulations in the field of personal data protection,
especially in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (further: General protection regulation
data or GDPR) as well as the Law on the Implementation of the General Regulation on Data Protection, i.e. in accordance with the Labor Law and the Law on Safety at Work and other relevant positive regulations.

With this Rulebook, the Controller informs the respondent of the scope of collection and purposes of personal data processing, risks, principles of personal data processing, rules, protective measures and rights related to the processing of personal data and the method realization of rights in connection with
processing. The rules described in this Rulebook apply to the Controller, all his employees and all associates, clients, contractual partners and other natural and legal persons who work on behalf of the Controller.

Definitions
Article 2

The terms used in this Ordinance have the meaning provided by the GDPR and the Act on
implementation of the General Data Protection Regulation, and in accordance with Art. 4 of the GDPR, the following terms have
meaning as follows:
Personal Data means any data relating to an individual whose identity has been determined or can be determined (the “Respondent”); an identifiable individual is a person who can be identified directly or indirectly, in particular by means of identifiers such as name,
identification number, location data, network identifier or with the help of one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that individual.

Processing means any procedure or set of procedures performed on personal data or sets of personal data, whether
by automated or non-automated means such as collection, recording, organization, structuring, storage,
adaptation or modification, retrieval, inspection, use, disclosure by transmission, dissemination or posting
disposing in another way, matching or combining, limiting, erasing or destroying.

Restriction of processing means marking stored personal data with the aim of limiting their processing in the future.

Storage System means any structured set of personal data accessible according to specific criteria, whether centralized,
decentralized or dispersed on a functional or geographical basis.

Controller means a natural or legal person, public authority, agency or other body that alone or together with others determines the purposes and means of personal data processing; when the purposes and means of such processing are determined by the law of the Union or the law of a Member State, the controller or special criteria for his appointment may be provided for by the law of the Union or the law of a Member State.

Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Recipient means a natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it
third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with the law
Unions or Member States are not considered recipients; the processing of such data by these public authorities must be in accordance with
applicable rules on data protection according to the purposes of processing.

Third party means a natural or legal person, public authority, agency or other body that is not the data subject, controller, processor or
persons who are authorized to process personal data under the direct authority of the processing manager or processor.

Consent of the subject means any voluntary, special, informed and unambiguous expression of the wishes of the subject by a statement or
with a clear affirmative action, he gives his consent to the processing of personal data relating to him.

Personal data breach means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that is transmitted, stored or otherwise processed.

Principles of personal data processing

Article 3

The controller processes personal data legally, fairly and transparently, in accordance with applicable regulations.
Personal data is collected for specific, explicit and lawful purposes and is not further processed if it is not in accordance with these purposes.
Personal data is collected that is necessary to fulfill the purpose, that is appropriate, relevant and limited to what is necessary.
The personal data collected must be accurate and up-to-date. Personal data is kept only as long as necessary for the purposes for which it is processed. Personal data is stored in a form and in a way that enables the identification of the respondent. Personal data is processed in a reliable way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental
loss, destruction or damage by applying appropriate technical or organizational measures. Any processing of personal data must be carried out in accordance with the principles of data protection at least as stated in the provisions of Art. 5 of the GDPR. Rules and procedures that define the processing
of personal data with the Controller were created to ensure compliance with the principles of the GDPR and this Rulebook.

Legal basis and legality of processing

Article 4

Processing is lawful only if and to the extent that at least one of the following is fulfilled:
– processing is necessary for the execution of a contract to which the respondent is a party;
– processing is necessary to comply with the legal obligations of the controller;
– processing is necessary to protect the key interests of the data subject or other natural person;
– processing is necessary for the performance of tasks of public interest;
– the processing is necessary for the legitimate interests of the controller;
– the respondent has given his consent for the processing of his personal data in one or more special
purpose.

The data controller processes personal data only on one of the prescribed bases for personal data processing, based on contracts, laws or consent.

Terms of consent
Article 5

When the processing is based on consent, the Controller must be able to prove that the data subject has given consent for the processing of his personal data.
The subject has the right to withdraw his consent at any time. Withdrawal of consent, as a rule, has the meaning of revoking the power of attorney, if the power of attorney was given. Withdrawal of consent does not affect the legality of the processing before the withdrawal.

Scope of collection and purpose of personal data processing

Article 6

The Rules apply to all personal data processed by the Controller in connection with
to identifiable individuals.
The controller processes the personal data of the following categories of respondents:
– personal data of Company employees;
-personal data of job seekers, Company clients and external collaborators, as part of
performance of employment mediation activities.

The data controller collects and processes personal data of respondents for the following purposes:
-providing services for finding job seekers, ie workers and jobs, and connecting job seekers and employers;
– fulfillment of contractual obligations/orders;
– finding employment for the job seeker;
– provision of additional services such as education, counseling and services related to choosing a career and profession;
– assessment of the candidate’s suitability for a specific position;
– performing data analysis, such as analyzing job candidates, performing
assessment of individual performance and abilities, including assessment of work skills, determination of skill gaps, use of data to match individual job seekers, i.e. workers, with specific jobs;
– if the processing is necessary for the legitimate interests of the Controller;
– realization of rights and obligations from the employment contract and employment relationship (payment of salary or other benefits, realization of the right to daily, weekly and annual leave, for the purpose of protecting the rights of workers from the employment relationship, for the purpose of realizing other rights and fulfilling
obligation from the contract);
– employee education;
– management of relations between jobseekers and employers;
– when it is necessary to comply with the legal obligations of the Controller;
– providing answers to respondents’ inquiries;
– management, assessment and improvement of the Company’s operations (including development, strengthening and analysis of services, communication management, data analysis);
– protection and prevention of fraud and other illegal activities;
– implementation of legal obligations and requirements;
– for the purpose of providing other services related to employment mediation activities;
– additional purposes based on consent.

The data controller reserves the right to use personal data for other purposes as well, but is obliged to provide appropriate notice and information about this before collecting and using the data of the subject.

 

Personal data processed

Article 7

The controller processes the following personal data of job seekers:
– name and surname;
– OIB and/or identification number from the home country;
– date and place of birth;
– gender;
– ID card number;
– passport number;
– address of residence or residence;
– citizenship;
– number and country of passport issuance (for job seekers who are foreign citizens) and passport validity period;
– title;
– vocational education;
– special knowledge and skills;
– desired job;
– possession and duration of residence and work permit;
– possession and duration of an entry visa to the Republic of Croatia;
– possession and duration of work permit;
– data on general health and abilities, percentage of disability;
– conviction that no criminal proceedings are being conducted;
– bank account information;
– contact phone number, e-mail address

– desired amount of personal income;
– work experience;
– work evaluations;
– recommendations;
– personal data determined by regulations on records in the field of work;
– data on education and certain specialist knowledge;
– on the contractual ban on matches with the previous employer.

Processing of special categories of personal data

Article 8

Processing of special categories of personal data of respondents (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data , information about sex life, information about the sexual orientation of an individual, etc.) is prohibited, but the prohibition does not apply if the respondent:
– gave express consent;
– if the processing is necessary for the purposes of labor law and social security;
– if it is necessary to protect vital interests of the respondents;
– if the respondent himself published personal data;
– if it is for the purposes of fulfilling legal requirements before the courts;
– if it is necessary for the needs of public interest, public health, preventive medicine or occupational medicine and
– for the purpose of scientific or historical research or for statistical purposes.

Preservation of personal data
Article 9

The controller will process personal data for as long as he is legally obligated to do so, depending on the basis for processing personal data, and store them secretly.

Method of collecting personal data

Article 10

The client fills out a questionnaire on basic personal data that the Company needs in order to fulfill the order given to the Company and to fulfill the Company’s legal obligations. The questionnaire form is attached to these rules and is an integral part of them as Annex 2.
Personal data is collected directly from the respondents (oral, written or electronic).

Personal data is collected including, but not limited to (if we receive your
consent or we have a legitimate interest in collecting personal data) via:
– email info@elysiumcareer.com and all other email addresses
mail on the elysiumcareer.com domain
– a phone call to the number +385 91 606 5188 as well as SMS messages or messages
through third-party applications (WhatsApp, Viber, etc.) registered on the aforementioned
phone number;
– personal contact with the employees of the Data Controller.

Depending on the type and purpose of personal data, the collected personal data of respondents are processed, archived and forwarded to potential employers, in accordance with the Company’s contractual obligations, i.e. in accordance with the order of the job seeker.< /p>

Information and access to personal data

Article 11

When personal data is collected from the data subject, the Controller at the time of collection
data provides the following information to the respondent:
– the identity and contact information of the Data Controller;
– contact details of the data protection officer, if one has been appointed;
– purpose of processing and legal basis;
– legitimate interests of the Controller;
– recipient or recipient category, if any;
– the fact that personal data is transferred to a third country or an international organization;
– the rights of respondents.

The data specified in the previous paragraph is provided to the respondent directly, and also through a written document entitled Notice on processing and protection of personal data, which provides the respondent with the said information, which is in a visible place in at the Manager’s premises
of processing published and made available to respondents. The text of the Notice in question is attached to these rules and is an integral part of them as Annex 3.

Confirmation of personal data processing

Article 12

The respondent has the right to request and receive from the Controller confirmation of whether personal data relating to him are processed, how these personal data are processed, access to personal data and information on: purpose of processing , categories of personal data in question, recipients,
the stipulated period in which personal data will be stored, the right to correction or deletion and the right to submit a complaint to AZOP.

The confirmation form is attached to this Ordinance and is an integral part of it as Annex 4.

Right to correction and right to erasure (right to be forgotten)

Article 13

The respondent has the right to obtain from the Controller the correction of incorrect data without undue delay.

The respondent has the right to obtain the deletion of personal data from the data controller if it is fulfilled
one of the following conditions:
– personal data are no longer necessary in relation to the purpose for which they were collected;
– the subject withdraws consent, and there is no other legal basis for processing;
– the respondent files an objection to the processing, and there are no stronger legitimate reasons for the processing;
– personal data were illegally processed;
– personal data must be deleted in order to comply with a legal obligation from the law of the Union or a member state;

– personal data were collected in connection with the offer of information society services.

The right to delete personal data can be denied if the processing of personal data is necessary for the fulfillment of the legal obligations of the controller according to special regulations or if it is necessary for one of the conditions from paragraph 3 of Article 17 .General regulations on personal data protection.

Right to restriction of processing
Article 14

The respondent has the right to obtain from the Data Controller a limitation of processing if one of
of the following:
– the respondent contests the accuracy of personal data, for the period during which the controller is allowed to check the accuracy of personal data;
– the processing is illegal and the respondent objects to the deletion of personal data and instead
requests a limitation of their use;
– the data controller no longer needs personal data for processing purposes, but the respondent requests them in order to establish, fulfill or defend legal claims;
– the respondent filed an objection to the processing based on Article 21, paragraph 1 of the General Regulation
awaiting confirmation whether the legitimate reasons of the controller exceed those of the respondent.

If the processing is limited by paragraph 1, such personal data may be processed only with the consent of the data subject, with the exception of storage, or for establishing, exercising or defending legal claims or protecting the rights of other physical or legal persons or due to an important public interest of the Union or a member state. The data subject who obtained the processing limitation based on paragraph 1. The processing manager reports before the processing limitation is lifted.

Right to object
Article 15

The respondent has the right to object at any time to the processing of data relating to him. In this case, the Controller may no longer process the data, unless the Controller proves that there are compelling legitimate reasons for the processing that go beyond the interests, rights and
freedom of the respondent or for the purpose of establishing, realizing or defending legal claims. If the personal data is processed for the purposes of direct marketing, and the data subject objects to this, the personal data may no longer be processed for such purposes.

Exercising the rights of respondents

Article 16

The respondent submits a request to exercise one of his rights to the Company directly or by mail to the address:

ElysiumCareer j.d.o.o., Savska 41, 10000 Zagreb or to the e-mail address: info@elysiumcareer.com

In order to facilitate the exercise of the respondent’s rights, the respondent may request from the Data Controller a form with the respondent’s requests. The request form of the respondent is attached to these rules and is an integral part of them as Annex 5. The processing manager will process the request of the respondent without unnecessary delay and will respond to the request to the respondent within one month at the latest. The Controller’s response must be
explained if the respondent’s request is rejected as unfounded.

Technical and integrated protection

Article 17

The company implements appropriate technical and organizational measures to enable effective application of data protection principles, such as reducing the amount of data and including protective measures in processing in order to meet the requirements of the General Regulation and protect rights of respondents.
Technical and organizational measures include physical protection measures for documents and data (employment contracts, diplomas, certificates, birth certificates, tax cards, account information, resumes, etc.) which documents and data must be protected from unauthorized access.
Among the organizational measures is the declaration of confidentiality of all persons who collect and process personal data.
The text of the confidentiality statement is attached to these rules and is an integral part of them as Annex 6. Technical protection of personal data contained in computer databases is ensured by the application of appropriate programs that protect computers from possible intrusions into the system (hacking),
pseudonymization, encryption and other methods of protection.

Relation between manager and processor

Article 18

The company can entrust certain tasks related to the processing of personal data to an individual processor.
The processor guarantees the implementation of appropriate technical and organizational measures in accordance with the requirements of the General Regulation.
The processor may not hire another processor without the prior special or general written approval of the processor.
The processing carried out by the processor is governed by a contract that must be in written form, including electronic form.

Record of processing activities
Article 19

Recording of processing activities does not apply to an enterprise or organization in which fewer than 250 people are employed, unless the processing it carries out is likely to cause a high risk to the rights and freedoms of the data subject, if the processing is not occasional or processing involves special
categories of personal data. The processing manager keeps records of processing activities that contain the following information: name and
contact details of the data controller and data protection officer, purpose of processing, description of categories of respondents and categories of personal data, category of recipients to whom personal data was disclosed, including recipients in third countries or international organizations,
transfer of personal data to a third country or an international organization, if possible, stipulated deadlines for deletion of different categories of data and, if possible, a general description of technical and organizational security measures.

 

Appointment of data protection officer

Article 20

The controller appoints a data protection officer if it is a public authority or a public body (except for courts), if the core activity of the controller requires regular and systematic monitoring of the data subject to a large extent, and if is the main activity
processing manager extensive processing of special categories of respondents. The data protection officer is appointed on the basis of professional qualifications, especially professional knowledge of law and processes in the field of data protection. The data protection officer may be a member of the data controller’s staff or perform tasks based on a work contract. The data controller publishes the contact details of the data protection officer i
communicates them to AZOP.

Transfers of personal data
Article 21

The transfer of personal data to a third country or an international organization may occur if the third country or international organization provides an adequate level of protection. Such transfer does not require special approval. In the Official Journal of the European Union and on its website, the Commission publishes a list of third countries and international organizations that do not provide an adequate level of protection.
If the third country or international organization has not ensured an adequate level of protection, the Controller may transfer personal data only if it has foreseen adequate protective measures and on the condition that enforceable legal and effective judicial remedies are available to the respondents.
protection.

Breach of personal data
Article 22

In the event of a personal data breach, the Data Controller shall report the personal data breach to the supervisory body, i.e. AZOP, without undue delay and, if feasible, no later than 72 hours after becoming aware of the breach, except if it is unlikely that personal data will be breached
cause a risk to the rights and freedoms of individuals. The data controller documents all violations of personal data, including facts related to
personal data breach, its consequences and measures taken to repair the damage. In the event of a breach of personal data that is likely to cause a high risk for the rights and freedoms of individuals, the Data Controller shall notify the subject without undue delay
violation of personal data.

Notifying the respondent from the previous point is not mandatory if any of the
following conditions:
– the processing manager has taken appropriate technical and organizational protection measures;
– the controller has taken subsequent measures to ensure that it is no longer likely that a high risk to the rights and freedoms of the data subject will occur;
– this would require a disproportionate effort; in such a case there must be a public one
notification or a similar measure by which respondents are informed in an equally effective manner
way.

Legal remedies and liability for damages

Article 23

Each respondent has the right to submit a complaint to the supervisory body, i.e. AZOP. The Agency informs the applicant about the progress and outcome of the complaint, including the possibility of a legal remedy against the Agency’s legally binding decision. If the Agency does not resolve the complaint within three months, the respondent has the right to file a complaint with the Administrative Court. The respondent has the right to submit a lawsuit to the competent court if he believes that his rights from the Regulation have been violated due to the processing of his personal data. Any person who has suffered material or non-material damage due to a violation of the Regulation has the right to compensation for damages from the data controller or processor.

Exclusion of liability for damages

Article 24

The controller is exempt from liability if he proves that he is not responsible in any way for the event that caused the damage.

 

Final Provisions
Article 25

This Rulebook enters into force and is applied from September 21, 2023. The provisions of Regulation (EU) 2016/679, applicable laws of the Republic of Croatia, especially in the area of ​​personal data protection, as well as other acts of the Company published on the Company’s website, apply directly to all cases not regulated by this rulebook. This Rulebook may be periodically updated in accordance with our privacy policy and legal changes. Before submitting personal data and using the Company’s website, the respondent is obliged to check the currently valid version of the Regulations and internal acts, which are published on the Company’s website.