PRIVACY POLICY

1. General information

IGEA d.o.o. (“Company” or “Controller”) respects your privacy and undertakes to protect the personal data it collects and processes in the course of its business activities. The security of your personal data is of great importance to us, and we undertake to act in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data, and on repealing Directive 95/46/EC (“Regulation”) and applicable laws.

This Privacy Policy (“Privacy Policy”) contains key information about the processing and protection of personal data that we carry out as part of our business, and in particular about:

  • the identity and contact information of the data controller
  • contact information of the data protection officer
  • categories of individuals whose personal data we process
  • categories of personal data that we process
  • purposes and legal bases of personal data processing
  • recipients of your personal data and their transfer
  • the period during which your personal data will be stored 
  • protective measures
  • your rights and how to exercise them.

The Privacy Policy applies from May 25, 2018. This Policy applies to the processing of personal data that we carry out as part of our business, including in particular in connection with your use of our website https://www.igea.hr/ (“website”), as well as our profiles on social networks:

2. Who is responsible for the processing of your personal data – who is the person in charge of the processing?

The manager of the processing of your personal data is:

IGEA d.o.o.
Frana Supila 7/B
HR-42000 Varaždin
Phone: 00385(42) 556 700

We have appointed a data protection officer whom you can contact in relation to all questions, objections, requests or other comments regarding our processing of your personal data at the e-mail address: dpo@in2.eu or at the following address:

Law firm Palić i partners j.t.d.
Crvenog križa 33
HR-10000 Zagreb
Phone: 00385(1) 4500 555

Contact form: Link to the form

3. Whose personal data do we process?

The controller processes personal data of the following categories of individuals:

  1. candidates for employment
  2. business partners
  3. visitors to the website.

4. Which categories of personal data do we process and why?

In our regular business, we develop and maintain software solutions and services, implement our own and partner software applications, provide software maintenance and customization services, and provide software as a service (SaaS).

As part of regular business, we collect or process the following personal data according to categories of individuals and processing purposes:

  1. Candidates for employment
    When you apply for a job in the Company, your personal data (name and surname, email address, information from your resume (data on education, professional training, previous employment, skills and specific knowledge, etc.), phone and/or mobile number, address, Skype name, URL of social network profiles (Linkedin, Facebook, Github, StackOverflow, AngelList, Xing, GooglePlus, Twitter or any other permitted URL)) we collect from you and process based on our legitimate interest, i.e. for the purpose of recruiting qualified labor for the business needs of the Controller, and for the purpose of finding, selecting and hiring the best candidate for the advertised position, as well as generating and recording a set of desirable candidates for possible future open positions and strengthening the interest of competent candidates in employment with the Controller.
    In relation to a selected candidate who accepts an offer of employment, the legal basis of data processing is taking the necessary actions before concluding an employment contract with such a candidate, for the purpose of establishing an employment relationship and concluding an employment contract.

    Providing personal data is voluntary. If you want to apply to participate in the recruitment competition for the advertised position, we need your personal data that we requested in the application form, that is, that we will collect about you during the further application process and candidate selection for the above-mentioned purpose. However, the consequence of not providing personal data will be your inability to apply for the published advertisement and/or participate in the further selection process.

  2. Business partners
    In relation to the protection of the privacy of our customers, suppliers and business partners, we distinguish two main categories of business partners: (a) legal entities, primarily trading companies, in which case we process personal data of natural persons employed by such business partners and (b) natural persons, primarily craftsmen or persons who perform independent activities, in which case, in addition to the personal data of workers employed by such business partners, we also process the personal data of the business partners themselves.

    We collect and process primarily personal data prescribed by valid legal regulations in the field of commercial law, accounting, tax law and the like, as well as the corresponding contracts we conclude with business partners. In principle, these are the following categories of personal data:

    • identification data (name and surname, contact information at work, gender, numbers of personal documents, such as the number of an identity card, passport, OIB, etc.)
    • information about the workplace (job title, functions, place of work, department, working hours, etc.)
    • financial data (data on business transactions, travel expenses and other business expenses, bank data and other data prescribed by accounting and/or tax regulations, etc.)
    • data for accessing our business premises and business systems and networks (data for entering business premises and for accessing the Company’s computer and communication systems, networks and programs, such as surveillance camera videos, visitor records, e-mail addresses, individual IDs and other usernames and passwords, electronic content generated using the Company’s systems intended for business partners and data on incidents, etc.).

    We process the above personal data for the following purposes based on our legitimate interest, contracts concluded with business partners or valid legal regulations in the field of commercial law, accounting, tax law and the like:

    • evaluation and selection of business partners (for this purpose, among other things, personal data necessary for the evaluation and selection of business partners are processed, including for determining and verifying the identity of relevant individuals, conducting in-depth analysis and verification based on information from publicly available lists of sanctioned entities published by competent authorities)
    • conclusion and execution of contracts with business partners (for this purpose, personal data necessary for the conclusion and execution of contracts with business partners as well as for recording and payment/collection of delivered services, goods and materials are processed)
    • development and improvement of products and/or services (for this purpose, personal data necessary for the development and improvement of our products and/or services, research and development are processed).
    • relationship management and marketing (this purpose includes activities such as maintaining and promoting contacts with business partners, managing customer relationships, and providing customer support services, withdrawing products from the market, developing, conducting and analyzing market research and marketing strategies, including online marketing activities (for example, advertising, analysis of the use of services and purchases of products online, as well as the use of our website))
    • execution of business processes, management of affairs and reporting to management staff (this purpose includes managing company assets, conducting audits and investigations, reviewing and monitoring compliance with our internal rules that apply to relationships with business partners and other individuals, finance and accounting, conducting business controls, providing central means for processing for the purpose of efficiency, management of status changes (mergers, mergers, separations, etc.) and processing of personal data for the purpose of reporting to the management staff, as well as for the purposes of analysis, archiving and insurance, legal or business consulting and prevention, guidance and dispute resolution)
    • health, safety, protection and integrity (this purpose includes the protection of the interests, safety and property of IGEA and its workers and/or business partners, as well as activities related to the protection of the health of our workers, i.e. other individuals and confirming the status and access rights of business partners) 
    • compliance with the law (this purpose includes the processing of personal data for the execution of legal obligations or sectoral recommendations that apply to the Company, including the disclosure of personal data to competent authorities or supervisory authorities, including tax authorities)

    If we need to process personal data for other purposes, we will inform you separately. For the stated purposes, we can process personal data of individuals using technical means, especially in the context of video surveillance of our business premises and external areas, as well as in the context of monitoring information and communication systems, networks and devices, and in accordance with the procedures and other internal general and individual acts of the Company.

    The processing of most of this personal data is prescribed by appropriate legal regulations in the field of commercial law, accounting, tax law, etc., and is therefore binding, that is, you are obliged to provide it to us, and we are obliged to collect and process it in accordance with such regulations. If you do not provide us with such mandatory data, we will not be able to establish a business relationship, or remain in a business (contractual) relationship. Only exceptionally, providing us with certain types of data for certain purposes may be voluntary, i.e. the only consequence of not providing such personal data would be your inability to obtain some additional benefits that we can offer you based on your voluntary and informed consent, which you will be able to withdraw at any time.

  3. Site visitors:
    • When signing up for the newsletter via the Site, the visitor directly provides the following personal data:
      1. name and surname
      2. e-mail address

    Your subscription to the newsletter represents your consent to the processing of your personal data, and the personal data obtained in this way is processed for the purpose of direct promotion and sale of our products or services, with the fact that you will always have the option of simply withdrawing the given consent when receiving each subsequent electronic message.

    • When submitting an inquiry through the Site, the visitor directly provides the following personal data:
    1. name and surname
    2. mobile phone number (optional)
    3. e-mail address
    4. message/query
    5. name of the company/entity (arbitrary)

    We process personal data collected in this way solely for the purpose of answering your inquiry.

    • Indirect data collection
    1. Through cookies – the user is assigned a unique identifier through the Cookie method (More under “Cookies”)
    2. Other collective data related to user use of websites via Google Analytics

    If you do not agree with any term in this Privacy Policy, please do not use the Site or provide us with any personal information.

    Sensitive personal data
    In some countries, photographs and videos of individuals are considered data on racial or ethnic origin and therefore sensitive data. IGEA will process photographs (eg a copy of an ID card or passport with a photo) and video recordings only to the extent necessary to fulfill the following purposes:

    • protection of the property of IGEA, business partners and other individuals, for access to our location and for other security purposes
    • determining and verifying the identity of individuals
    • to verify and prove the views expressed by IGEA in communication with individuals (eg when individuals participate in video conferences that are recorded).

5. Principles of personal data processing

We only carry out legal, fair and transparent processing of personal data that we have collected for special, explicit and legal purposes. In the processing itself, automated processes of applicative processing are mainly applied and, where this is not possible, manual processing of personal data is carried out. IGEA is responsible for processing the collected data. Processing of data is necessary for the provision of contractual services and other legitimate processing purposes and is carried out exclusively for the purpose of fulfilling the aforementioned purposes. IGEA does not carry out extensive processing of special categories of personal data, nor systematic and extensive evaluation of personal aspects based on automated processing or profiling. Also, we do not systematically monitor the publicly accessible area.

6. How long do we keep your data?

As a data controller, we approach the processing of personal data with due care and security, we take care of ensuring the rights of all data subjects in accordance with legal regulations and the requests of the data subjects, we define retention periods for each purpose of processing, and we will delete all personal data upon termination of the contractual relationship or other applicable regulations. At any time, you can ask us, as the data controller, for information about your personal data that we have, and you can request that this data be changed or updated. Before accessing the data for each request, we will determine the identity of the applicant and the justification of the request itself. If we are legally obliged to reject your request, we will do so and inform you of the reasons.

According to the categories of data subjects, IGEA stores personal data for the following periods:

Employment candidates: one year after the end of the competition to which the candidate applied, in order to reduce costs related to re-collection of data in the case of a new application for employment, i.e. 24 months from the date of application through open applications.

Business partners: data on customers, suppliers and business partners are processed and stored for the duration of the contractual business relationship in accordance with legal regulations. Upon expiry of contractual obligations and legal obligations to store data, personal data will be anonymized or deleted.

Site visitors: the data retention period is the same as the duration of your consent, i.e. we keep your data until you ask us to delete the data or withdraw your consent yourself. We store data collected through “cookies” in accordance with the settings of your Internet browser.

7. Cookies

When using, i.e. visiting the Site, the server stores certain information in the form of cookies on the visitor’s computer/mobile device. A cookie is a set of data generated by a website server, which the Internet browser saves on the visitor’s disk in the form of a small text file. Cookies are used to recognize visitors during one of their connections and are deleted after that. Cookies cannot be used to launch programs or introduce viruses to the visitor’s computer.

When visiting the Site, the servers use a type of cookie known as a temporary cookie (eng. session based cookie), which is placed on the visitor’s computer only during his visit to the Site and enables him to use these pages more efficiently and expires automatically when he closes his browser.

No phone number, account or payment details of a username or visitor are stored in the cookie and this information cannot be accessed. By using cookies, IGEA does not in any way collect information regarding the use of computers or the browsing of other pages on the Internet by visitors. Given that the cookie is located on the visitor’s computer, IGEA cannot find it if the visitor visits the Site from another computer.

Temporary cookies are standardly used in online applications that must provide the visitor with authorized access to private servers after identification. This solution is conditioned by the technology of creating online applications and is also used by the websites of the igea.hr and in2.hr domains, which require the visitor to set a temporary cookie that is active while using the Site in order to function properly in the browser.

The visitor has the option of accepting or rejecting cookies through the Internet browser settings. In the event that the visitor refuses to accept cookies, there is a possibility that some parts or functionalities of the Site will not work on the user’s computer/mobile device. For the stated reason, IGEA advises the use of cookies when visiting the Pages.

8. Who has access to your personal data?

Our authorized personnel will access personal data only in order to be able to perform their work tasks and if it is necessary to achieve the purposes described in this Policy. Business contact information of business partners, such as first and last name, job title, phone number, postal address of the place of work and business e-mail address will be generally available to all our employees for (internal) communication purposes.

We may also need to share personal data with third parties in the context of achieving the purposes described above. These third parties are primarily:

  • our affiliated companies, that is, other members of the IN2 Group for the purpose of providing services provided by the IN2 Group or where one of the companies from the group is the processor. The aforementioned companies may use this data exclusively in the manner provided for in this Privacy Policy. For example, if we process your personal data on the basis of consent, withdrawal of consent will also be applied to the listed companies. Whenever we have an executor of your personal data, we will inform you about it and familiarize you before the start of the processing itself.
  • our other business partners with whom we communicate within the framework of our mutual business relations (for example, our and your business banks or our processors such as accounting services, tax or legal advisors, auditors, marketing agencies that we hire for the organization of certain promotional activities, providers of training services, etc.)
  • in the event that, as part of status changes, a third party wishes to acquire or acquires shares in IN2 Group, such a (potential) acquirer may be disclosed or transferred personal data of individuals in connection with such status or reorganization changes 
  • competent authorities in cases prescribed by applicable legal regulations (for example, the tax administration, various inspections, etc.).

We require service providers and expert advisors who process personal data of individuals in their capacity as processors to apply appropriate measures to protect the confidentiality and security of personal data.

9. How do we protect your data?

The security of your personal data is extremely important to us. Therefore, we have ensured that your personal data is processed and used in a secure manner and in accordance with applicable legal regulations and standards of practice. We implement appropriate technical, physical and organizational measures to protect data from security risks such as accidental, unauthorized, illegal or otherwise unwanted access to data, its destruction or loss or disclosure, and ensure a level of security that corresponds to the risks of data processing.

Your data is stored on a protected internal server infrastructure that cannot be accessed from the outside. Access to the server infrastructure is granted only to persons authorized to maintain it, and access to personal data is granted only to our authorized employees, i.e. contractual collaborators with limited processing rights in accordance with the rules contained in this Privacy Policy.

Through the international certificate ISO 27001:2013 – Management of information security, the Company ensures an appropriate level of security related to the confidentiality, integrity and availability of all information resources of the company, regardless of possible threats to which they are exposed. The established information security management system defines, implements, monitors, checks, maintains and improves processes and controls related to information security, and is based on risk management.

10. Transfer of data outside the EU/EEA

Some of the above-mentioned categories of persons can be found in the so-called third countries, i.e. countries outside the European Economic Area, with the exception of Switzerland, which are not considered to provide an adequate level of personal data protection. In the case of transferring personal data to recipients in such countries, we will ensure an appropriate level of protection based on appropriate contractual and other mechanisms such as standard contractual clauses adopted by the European Commission.

Data collected by various social network cookies from the United States of America (USA) may be transmitted to their servers, which may be located in the USA. In such a case, the transfer of personal data will be carried out either within the framework of the European-American privacy protection system Privacy Shield.

11. Management of consents

If you have given us your consent to process personal data, you can revoke it at any time. You also have the right to object to the processing of your personal data at any time. Giving, withdrawing and changing consent is carried out in accordance with the user’s rights defined in Article 12 of this Privacy Policy. During the duration of your objection to the processing of your personal data, your data cannot be used in the processing.
If you withdraw your consent or object to our processing, your data will not be used in regular processing, which may result in the inability to fully fulfill the service.
If you want to give your consent for processing again, you can do so in the manner described in the first paragraph of this article.

12. What are your rights and how can you exercise them?

Your rights in relation to our processing of your personal data are:

  • Right of access: you have the right to receive confirmation from us as to whether personal data relating to you are being processed and, if such personal data are being processed, access to your personal data, including the right to obtain a copy of the personal data being processed and information on the purpose of the processing, categories of the personal data in question, to the recipients or categories of recipients to whom the personal data has been disclosed or will be disclosed, in particular to recipients in third countries or international organizations.
  • Right to rectification: If we process your personal data that is incomplete or incorrect, you can ask us to correct or supplement it at any time.
  • Right to deletion (“right to be forgotten”): you can ask us to delete your personal data for which we are the data controller. We will delete your data based on a valid request in the event that one of the following conditions is met: (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) you withdraw the consent on which the processing was based and there is no other legal basis for the processing; (iii) you object to the processing or there are no stronger legitimate reasons for the processing; (iv) personal data were illegally processed; (v) personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State to which we are subject as a data controller. We cannot delete the data if they are necessary to fulfill contractual obligations or other legal requirements (eg the Accounting Act, the Pension Insurance Act and others).
  • The right to restriction of processing: you have the right to obtain from us a restriction of processing if one of the following conditions is met: (i) you dispute the accuracy of personal data, for the period during which it is possible for us to verify the accuracy of personal data; (ii) the processing is unlawful, but you object to the deletion of the personal data and instead request the restriction of its use; (iii) if we no longer need the personal data for processing purposes, but you request it for the purpose of establishing, exercising or defending legal claims; (iv) if you have objected to the processing awaiting confirmation whether our legitimate reasons override your reasons.
  • The right to data portability: you have the right to receive personal data relating to you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without interference, if: (i) the processing based on consent in accordance or on contract; (ii) processing is carried out by automated means (iii) on the basis of a legal obligation.

When exercising your rights to data portability based on this point, you have the right to direct data transfer from one data controller to another if this is legally based and technically feasible.

  • The right to object: you can object to the processing of personal data relating to you at any time. From the moment of receiving your objection, we will no longer process your personal data, unless we prove the existence of compelling legitimate reasons for processing that go beyond the interests, rights and freedoms of the data subject or to establish, exercise or defend legal claims.

In case you are not satisfied with our reaction to your complaint, you can always submit a complaint to the national competent authority (AZOP) at the address: Agency for the Protection of Personal Data, Selska cesta 160, 10 000 Zagreb. After submitting the application, IGEA, as the data controller, may no longer process personal data unless we determine and prove that there are compelling legitimate reasons for processing that go beyond the interests, rights and freedoms of the data subject or to establish, exercise or defend legal claims, of which we will inform you.

If you want to exercise any of the above rights, you can contact us with a request to the e-mail address dpo@in2.eu, using the form on the link: (link to the form)

Add-ons for connecting to social networks

Facebook
Our website uses the social network plug-in Facebook offered by Facebook Inc. from the USA. The Facebook plug-in is marked with the Facebook logo or the “Like” or “Share” plug-in. More information about Facebook plugins is available here. When you activate such a plug-in (first click), your browser establishes a direct connection with Facebook’s servers. Plug-in content is sent directly to your browser and embedded in our website. Through such integration, Facebook collects the information that your browser has accessed one of our websites, even if you do not have your own Facebook profile or if you are not currently logged into your Facebook profile. This data (including your IP address) is sent via your browser directly to Facebook’s servers, which may also be located in the USA, and stored there. If you are logged into your Facebook profile when you visit our website, Facebook can directly link your visit to our website with your Facebook profile. If you activate the “Like” button, this data is also sent directly to the Facebook servers and stored there. The data is also published on your Facebook profile and shown to your Facebook friends. If you do not want Facebook to associate data about your visit to our website directly with your profile, you must log out of Facebook before visiting our website. You can find out about the purposes and scope of the collection and further processing and use of data by Facebook, as well as about your rights in this regard and about possible settings to protect your privacy in Facebook’s Data Use Rules.
You can also completely disable Facebook plugins on your browser using the appropriate Facebook blocking plugins.

LinkedIn
Our Site uses the LinkedIn social network plug-in offered by LinkedIn Corporation from the USA. You will recognize the plugin by the LinkedIn logo. When you activate such a plugin (first click), your browser establishes a direct connection to LinkedIn’s servers. Plug-in content is sent directly to your browser and embedded in our website. Through such integration, LinkedIn collects information that your browser has accessed one of our websites. This data (including your IP address) is sent via your browser directly to LinkedIn’s servers, which may also be located in the USA, and stored there. If you are logged into your LinkedIn profile when you visit our website, LinkedIn can directly connect your visit to our website with your LinkedIn profile.
You can find out about the purposes and scope of the collection and further processing and use of data by LinkedIn, as well as about your rights in this regard and about possible settings to protect your privacy in LinkedIn’s Privacy Policy.
You can also completely disable LinkedIn plugins on your browser using the appropriate LinkedIn blocking plugins.

Twitter
Our Pages contain “Tweet” buttons, part of the Twitter social network from the USA. The button is recognized by the icon of a dark blue bird and the term “tweet”. If you visit our Site with such a button, your browser establishes a direct connection to the Twitter servers. The “tweet” button brings Twitter directly to your browser and embeds it in your Twitter message. You can find out about the purposes and scope of the collection and further processing and use of data by Twitter, as well as your rights in this regard and about possible settings to protect your privacy in Twitter’s Privacy Policy.

Version 2.0, from 05/21/2021.