We are DeepIT Ltd for services (hereinafter: “DeepIT”, “We”, “Our”) with registered seat at the address Jaruščica 1 E, 10020 Zagreb, Croatia, PIN: 28917545089. Our business activities include the provision of various IT services, such as the development of various software solutions, the provision of consulting services in relation to computerization, and we are specialized in the application of advanced information technologies in business information systems.
If you have any questions regarding this General Privacy Policy (hereinafter: “Privacy Policy“), as well as questions regarding our collection, processing and protection of your personal data, please feel free to contact our Data Protection Officer at the following e-mail address: privacy@deepit.hr or in writing at the address of our registered seat Jaruščica 1 E, 10020 Zagreb, Croatia.
In order to fully understand our Privacy Policy, we kindly ask you to carefully read the definitions of the terms below in the text. These are terms that are mentioned in this Privacy Policy and are important for understanding the information that we provide to You.
General Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of the 27th of April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Personal data means any information relating to an identified or identifiable natural person (data subject);
Data subject means an individual who is identified or identifiable; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Joint controllers mean two or more controllers jointly determine the purposes and means of processing personal data;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Supervisory authority means an independent public authority which is established by a Member State; in Croatia, it is the Croatian Personal Data Agency (AZOP), Selska cesta 136, 10000 Zagreb, Croatia;
European Union means an intergovernmental and supranational organization of 27 European states whose goals are the economic and political integration of the European continent;
International organization means an organization and its subordinate bodies governed by international law or any other body established by or on the basis of an agreement between two or more countries;
In this Privacy Policy, you can find all important information about the processing and protection of your personal data in our business processes, all as prescribed by the provisions of the General Regulation.
With regard to the business processes in which we process personal data, DeepIT may have the role of a data controller or the role of the processor. This Privacy Policy applies almost entirely to DeepIT in the role of data controller. Situations when DeepIT is in the role of processor are specifically indicated in this Privacy Policy.
Also, all important information on the processing and protection of personal data of our employees can be found in the special Privacy Policy for Employees, which is part of our internal documentation.
Privacy Policy contains the following information:
We will inform you about changes and/or additions to the information in the Privacy Policy in a timely manner and through our regular communication channels (via e-mail, through our website, etc.).
All expressions used in the Privacy Policy, which have a gender meaning, regardless of whether they are used in the masculine or feminine gender, refer equally to the masculine and feminine genders.
In order to make it easier to find the information, we provide it in relation to the categories of data subjects (candidates for employment, candidates for external associates, candidates for student work) and for those categories of data subjects we list the categories of personal data that we collect and process, as well as the purposes and legal grounds of processing.
Candidates for Employment
If you are interested in working at DeepIT, we collect and process your personal data, which you have provided to us during the initial communication or by sending your CV and other supporting documentation (for example applications, letters of recommendation and the like).
We collect and process the following categories of your personal data:
We process those personal data for the following purposes and on the basis of the following legal grounds:
Based on the contractual relationship with certain clients, some of DeepIT's employees are required to work in different places, i.e. at our client’s premises. For this purpose, if you are a candidate for a position for which the job description includes work in different locations, we forward your CV and supporting documentation to some of our clients. When forwarding your CV and supporting documentation, we completely anonymize those personal data through which your identity as a data subject can or is possible to be determined.
Candidates for External Associates
If you are interested in collaborating with DeepIT, we collect and process your personal data, which you have provided to us during the initial communication or by sending your CV and other supporting documentation (for example applications, letters of recommendation and the like).
We collect and process the following categories of your personal data:
We process those personal data for the following purposes and on the basis of the following legal grounds:
Based on the contractual relationship with certain clients, some of DeepIT's external associates are required to work in different places, i.e. at our client’s premises. For this purpose, if you are a candidate for an external associate for which the job description includes work in different locations, we forward your CV and supporting documentation to some of our clients. When forwarding your CV and supporting documentation, we completely anonymize those personal data through which your identity as a data subject can or is possible to be determined.
Candidates for Student Work
If you are interested in doing student work at DeepIT, we collect and process your personal data, which you have provided to us during the initial communication or by sending your CV and other supporting documentation (for example applications for doing the student work, letters of recommendation and the like).
We collect and process the following categories of your personal data:
We process those personal data for the following purposes and on the basis of the following legal grounds:
In order to make it easier to find the information, we provide it in relation to the categories of data subjects (responsible and contact persons of our corporate clients and business partners), and for those categories of data subjects we list the categories of personal data that we collect and process, as well as the purposes and legal grounds of processing.
Responsible and Contact Persons of our Corporate Clients
If you are a responsible or contact person at our potential or existing corporate client, we collect and process your personal data depending on the needs of our potential or existing business relationship. We collect and process those personal data that you have provided to us during the initial communication or that we have collected during the establishment and maintenance of our business relationship.
We collect and process the following categories of your personal data:
We process those personal data for the following purposes and on the basis of the following legal grounds:
Responsible and Contact Persons of our Corporate Business Partners
If you are a responsible or contact person at our potential or existing corporate business partner, we collect and process your personal data depending on the needs of our potential or existing business (partner) relationship. We collect and process those personal data that you have provided to us during the initial communication or that we have collected during the establishment and maintenance of our business (partner) relationship.
We collect and process the following categories of your personal data:
We process those personal data for the following purposes and on the basis of the following legal grounds:
In order to make it easier to find the information, we provide it in relation to the categories of data subjects (visitor on our website, inquiry senders), and for those categories of data subjects we list the categories of personal data that we collect and process, as well as the purposes and legal grounds of processing.
Website Visitors
If you are a visitor to our website www.deepit.hr, we currently do not collect or process your personal data. So, currently our website does not collect your personal data, either automatically or with your consent.
In the event of a change in this business process and the start of collecting your personal data, we will inform you without delay and in an appropriate way (through the usual communication channel).
Inquiry Senders
If you send us an inquiry using the link on the e-mail address on our website, or the contact form on our website, or you have obtained our contact in any other way, we collect and process your personal data. We collect and process those personal data that you have provided to us during the initial communication or that we have collected during our communication.
We collect and process the following categories of your personal data:
We process those personal data for the following purposes and on the basis of the following legal grounds:
For the purpose of protecting people and property, DeepIT collects and processes your personal data through video surveillance, based on the legal basis of legitimate interest (Article 6, paragraph 1, point f of the General Regulation). Video surveillance is installed at all entrances/exits to/from business premises. Before entering the recording area, warning notices containing all important information regarding the processing of personal data via video surveillance are posted.
We can deliver the recordings on request to the competent authorities (for example the police) if it is necessary to carry out procedures based on the applicable regulations.
We keep recordings obtained through video surveillance for a maximum of 6 (six) months, unless a longer storage period is defined by applicable regulations or if they are evidence in court, administrative proceedings, arbitration or other equivalent proceedings.
DeepIT has accounts on some social networks, which can be accessed (among other things) through links on our website.
DeepIT has account on the social network LinkedIn (www.linkedin.com/company/deepit/) for the purpose of promoting our activities, getting in touch and communicating with potential and existing clients and the like.
Our website contains links that lead to our account on social network LinkedIn, whose privacy policy may be different from ours. All information and materials that you provide to us through social networks, as well as all communication that takes place through social networks, is done at your own risk. DeepIT is not responsible for the actions of social network users, nor for the actions of the social network itself. Your interaction with the social network in relation to the processing of your personal data is governed by the privacy policy of that social network.
You can find out more about the privacy policies of the social network we use at the following link: www.linkedin.com/legal/privacy-policy.
DeepIT uses legitimate interest as the legal ground for certain processing of your personal data. In the previous sections of this Privacy Policy, we state for which categories of data subjects and personal data, and for which purposes we use legitimate interest as legal grounds.
Prior to the processing of your personal based on legitimate interest as the legal ground, we take into account your interests and fundamental rights and freedoms, as well as your reasonable expectations about the processing of your personal data in our mutual relationship.
In order to prove the existence of our legitimate interest, we conduct the legitimate interest assessment separately for each personal data processing where legitimate interest is the legal ground of processing. The legitimate interest assessment consists of three parts: purpose test, necessity test and balance test, and all parts must have a positive outcome in order to be able to use a legitimate interest as the legal ground for the processing of personal data.
If you wish to have an insight in the conducted legitimate interest assessment, which relates to the processing of your personal data, you can contact us at the following e-mail address: privacy@deepit.hr or by sending a written request to the address of our registered seat: Jaruščica 1 E, 10020 Zagreb, Croatia.
If the provision of personal data is your legal or contractual obligation, or a requirement necessary to enter into a contract, we will clearly inform you at the place of collection of your personal data whether the provision of personal data is mandatory or not and what are the possible consequences if you do not provide personal data.
Our current business processes in which your personal data is processed do not include profiling or automated decision-making based on your personal data.
In case of a change regarding the above stated, we will adequately inform you, as well as warn you of your right not to be subject to a decision made exclusively on the basis of automated processing of your personal data, including profiling.
We treat your personal data confidentially and protect it in accordance with applicable regulations (international, European and national) and best applicable practice.
Certain categories of recipients, to whom we disclose the personal data of data subjects, process your personal data. If we disclose your personal data to these recipients, we take care that we have valid legal grounds and that the business operations of the recipient of your personal data comply with the General Regulation and other regulations on personal data protection.
Below are the categories of recipients of your personal data with a brief description of our relationship.
Processors as the Recipients of Your Personal Data
The recipients of your personal data, among others, can be our processors.
When processors process your personal data on our behalf, we select those processors who sufficiently guarantee the implementation of appropriate technical and organizational measures during the processing of your personal data. Also, any relationship with the processor in relation to the processing of personal data is governed by a special data processing agreement.
Our processors, who can be the recipients of your personal data, provide us with the services necessary for our daily business operations:
Independent Controllers as the Recipients of Your Personal Data
The recipients of your personal data, among others, can be other independent controllers.
Based on our legal obligation or legitimate interest, we enable the processing of your personal data by other independent controllers. Given the role of independent controllers, they are obliged to independently take care of your personal data based on applicable regulations, their own internal procedures and rules of the profession.
Independent controllers who may be recipients of your personal data are our clients, but also providers of certain types of services important for our lawful business operations:
Competent Authorities as the Recipients of Your Personal Data
The recipients of your personal data, among others, can be competent authorities.
Competent authorities act within the scope of their legal powers and may process your personal data on the basis of them.
DeepIT has a legal obligation to disclose your personal data to competent authorities as the recipients of your personal data (conducting supervision, conducting inspections, establishment or defense of legal claims, etc.).
DeepIT as the Processor
With regard to our business activity, when providing certain types of services to our clients, DeepIT has the role of processor.
We have the role of processor in the following situations:
If we process your personal data in the above situation where we are in the role of the processor, the controller is obliged to inform you about all the details of the processing of your personal data.
You are obliged to send all requests in relation to the processing of your personal data to the data controller who, in the event that the request relates to the processing carried out by DeepIT as a processor, will inform DeepIT about the request in question.
All relations with controllers where we are the processor are regulated by a special data protection agreement, which defines the details of the processing of your personal data.
If you want to get information about the exact names of all recipients of your personal data, you can contact us at the following e-mail address: privacy@deepit.hr or by sending a written request to the address of our registered seat: Jaruščica 1 E, 10020 Zagreb, Croatia.
In our current daily business operations, we do not transfer and we try to avoid transferring your personal data to third countries or international organizations. Third countries are all those countries that are not members of the European Union.
If in the future our daily business operations involve the transfer of your personal data to third countries or international organizations, we will inform you in a timely manner and in advance of all details of such transfer (including to which third countries and international organizations the data is transferred) and relevant safeguards we use.
In the event of the transfer of your personal data to third countries or international organizations, our internal procedures predict a two-step approach to allow this transfer. The first step consists of identifying the legal grounds of the transfer (including your consent if there is no other relevant legal ground), while in the second step we provide additional measures to protect the transfer, all in accordance with the provisions of Chapter V of the General Regulation.
When determining the means and methods of processing and during the processing itself, DeepIT implements appropriate technical and organizational measures to protect your personal data, taking into account the latest achievements, implementation costs and the nature, scope, context and purposes of processing. All our business processes that include the processing of personal data have undergone a risk analysis and, if necessary, the data protection impact assessment, thus assessing the risk and seriousness for your rights and freedoms as a data subject in relation to the processing of your personal data.
Our technical and organizational measures ensure the effective application of the principles of personal data protection, such as the principle of data minimization, the principle of purpose limitation, the principle of integrity and confidentiality, and so on.
We divide our technical and organizational measures into three groups: measures to ensure confidentiality, measures to ensure integrity and measures to ensure the accessibility of personal data, and the resilience of our processing systems.
Measures to ensure the confidentiality of your personal data include, but are not limited to, general physical access control, general logical access control, special access control to personal data, separation of personal data and the like.
Measures to ensure the integrity of your personal data include, but are not limited to, control in the case of personal data transfer, control when entering personal data into our processing systems and the like.
Measures to ensure the accessibility of your personal data and the resilience of our processing systems include, but are not limited to, accessibility control, resilience of our processing systems, pseudonymization and encryption where possible, periodic audits, assessments and evaluations of our business operations in relation to personal data protection and the like.
Data retention periods vary depending on the categories of personal data that we process, the purposes and legal grounds of the processing of your personal data (criteria we use when calculating data retention periods).
Below are the general data retention periods, but please be aware that these periods may vary depending on the specific processing situations.
Detailed data retention periods are defined by our internal act. For more information on retention periods of your personal data, you can contact us at the following e-mail address: privacy@deepit.hr or by sending a written request to the address of our registered seat: Jaruščica 1 E, 10020 Zagreb, Croatia.
When the applicable regulations define the period during which we are obliged to store your personal data, we store them in the period provided by the applicable regulations and delete them in an additional period of 3 (three) months.
When we have signed a contract with you and there is no period defined by applicable regulations during which we are obliged to store your personal data, we store them for the entire duration of our contractual relationship and delete them within an additional period of 3 (three) months from the date of termination of the contractual relationship. We keep the contract itself and other accompanying documentation concerning our relationship permanently as part of the business documentation.
When we process your personal data on the legal grounds of our legitimate interest, we store them for the entire period of existence of our legitimate interest and delete them within an additional period of 3 (three) months from the termination of existence of our legitimate interest.
When we process your personal data based on your consent, we store them until you withdraw your consent. When you withdraw your consent, we delete your personal data as soon as possible. If you have given us your consent for a certain period, at the end of this period, we will delete your personal data as soon as possible.
As a data subject whose personal data we process, you have the right to exercise the rights listed and described below.
You can exercise your rights by sending a request to the following e-mail address: privacy@deepit.hr or by sending a written request to the address of our registered seat: Jaruščica 1 E, 10020 Zagreb, Hrvatska.
In order to be able to act on your request and provide you with accurate and complete information as soon as possible, please make sure your request contains the following:
Also, in order to make it easier for you to exercise your rights, on our website you can find a form with already defined fields that must be filled in when submitting a request to exercise your rights.
When sending a request to exercise your rights, in case of reasonable doubt about your identity, we have the right to ask you to provide additional information necessary to confirm your identity.
We will respond to your request within one month from the date of receipt of your request. We may extend the deadline by an additional 2 (two) months if it is more than one complex request of yours. We will inform you in time about the extension of the deadline for responding to your request and the reasons for the extension.
All information that we provide to you in relation to your request to exercise your rights, as well as our communication, is provided free of charge. However, if we repeatedly receive your unfounded and excessive requests, we may charge a reasonable fee for our administrative costs incurred in providing the information and acting on the request.
When you exercise your rights by submitting a request, we process your personal data so that we can comply with your request, all in accordance with the provisions of the General Regulation.
Right of Access
As a data subject, you have the right to ask us to confirm whether we process your personal data and if we do, to access your personal data and relevant information in relation to your personal data (information on the processing purposes, the categories of your personal data that we process, the categories of recipients to whom we disclose your personal data, the envisaged retention periods of your personal data, etc.).
Also, we provide you with a free copy of your personal data that we process.
Right to Rectification
As a data subject whose personal data we are processing, you have the right to obtain the rectification of your inaccurate personal data. Taking into account the processing purposes, you have the right to request supplementation of your incomplete personal data, among other, by giving an additional statement.
Right to Erasure (“Right to be Forgotten”)
As a data subject whose personal data we are processing, you have the right to obtain the erasure of your personal data if one of the following conditions is met:
You may not exercise the right to erasure under certain conditions defined in Article 17(3) of the General Regulation. If you have questions regarding the conditions under which you cannot exercise your right to erasure, but also questions regarding the exercise of your rights in general, you can contact us at the following e-mail address: privacy@deepit.hr or by sending a written request to the address of our registered seat: Jaruščica 1 E, 10020 Zagreb, Croatia.
If we have publicly disclosed your personal data that we are required to delete based on your request, taking into account available technology and implementation costs, we will take reasonable steps to delete your publicly disclosed personal data and notify other controllers of your request to delete personal data, links to them, their copies and reconstructions. In doing so, we are not responsible for your publicly disclosed personal data on public sources that we do not manage.
Right to Restriction of Processing
As a data subject whose personal data we are processing, you have the right to obtain the restriction of processing of your personal data if one of the following conditions is met:
Despite your request to exercise the right to restriction of processing, we may continue to process your personal data with your consent, for the establishment, exercise or defense of legal claims, protection of the rights of another natural or legal person and the important public interest of the European Union or a Member State.
The methods we use to enable you to exercise your right to restriction of processing include, inter alia, the temporary transfer of your personal data to another processing system(s), special marking of your personal data in the system(s) as those whose processing is currently restricted, temporary disabling of access to your personal data, temporary disabling of the processing of your personal data, temporary removal of your personal data from our publicly available sources (for example from our website if applicable) and the like. The methods we apply will vary depending on the types of processing of your personal data.
Right to Data Portability
As a data subject whose personal data we process, you have the right to receive your personal data in a structured, commonly used and machine-readable format and transfer them to another controller if the processing of your personal data is based on consent or contract and the processing is automated.
The right to the portability of your personal data must not adversely affect the rights and freedoms of others.
Right to Object
As a data subject whose personal data we process, you have the right, based on your special situation, to object to the processing of your personal data which we process based on our legitimate interest and/or for the purposes of direct marketing, which includes profiling.
Right to the Withdrawal of Consent
As a data subject whose personal data we process on the basis of consent as legal grounds, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of the processing of your personal data on the basis of consent, prior to its withdrawal.
The Right to Object to the Supervisory Authority
As a data subject whose personal data we process, you have the right to object at any time to an independent public authority for the personal data protection.
The independent public authority in the Republic of Croatia is the Personal Data Protection Agency (AZOP) with seat at the address Selska cesta 136, 10 000 Zagreb, Croatia. You can contact AZOP via e-mail at azop@azop.hr, by calling 00385 (0)1 4609-000 or in writing to the listed seat address.
You can find more information on AZOP on its website www.azop.hr.
