1. General information

We consider personal data protection an exceptionally important and basic part of all processes and corporate governance in Factory X. “Personal Data Protection Privacy Policy in Factory X” represents the framework on how we handle all personal data we collect within our business operations. The Policy is applied as of 25 May 2018 and refers to Factory X, and it was adopted as one of the organizational measures for securing compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter Regulation).

We handle all data we access or process with confidentiality and purpose and in accordance with highest security standards.

Responsible for data processing is:

Factory X j.d.o.o.
Nikole Tesle 28, Pribislavec
HR-40000 Čakovec
Tel: 00385(40) 313 420

Personal data protection officer:

Velimir Sanjković
Nikole Tesle 28, Pribislavec
HR-40000 Čakovec
Tel: 00385(40) 313 420

Personal data protection officer is available via:

Contact form: Link to form

E-mail address: info@factory-x.hr

2. Why we adopted the Privacy Policy

We created and adopted this Privacy Policy because we want to secure that Factory X complies with the requirements of:

  • Valid legislation for personal data protection;
  • Protection of all personal data we come into contact with;
  • Openness and transparency towards all users and data subjects on how we store and process personal data;
  • Reducing the risk of personal data violation;
  • Education and informing our users and data subjects;
  • Increasing the transparency of personal data processing.

3. Risks of personal data protection

We protect personal data against risks they are exposed to, and as main risks related to personal data we recognized as follows:

Risk of fair, lawful and transparent processing – with privacy policy and procedures for personal data protection, we want to provide our users and data subjects with the right to fair, legitimate and transparent processing.

Risk of personal data confidentiality – by introducing the functions of the controller and processor (and possibly a personal data protection officer), we want to create a business environment that restricts the ability and the right to access personal information, so that those who do not have the processing authorization will not possess it.

Risk of personal data integrity – by defining the policy and introducing mechanisms for verifying the accuracy and integrity of personal data, the aim is to achieve: security, protection against unauthorized or illegal processing and from accidental loss, destruction or damage by applying appropriate technical or organizational measures.

Risk of personal data availability – in cases where the data storage system is compromised (attacks, inaccessibility, power failure, readability of recorded data, etc.), it is necessary to provide access to backups as well as frequently check them. Reputational risk – loss or theft of personal data may have a very negative impact on the reputation of the company, and stolen data may be abused, causing substantial damage to users and data subjects.

Risk of compromising data subjects’ rights in case of transfer of data to a third country
personal data may be stored on data carriers located outside the country. In that case, it is necessary to have a clear insight into where the data are located, so that they do not end up with people who should not have access to them.

4. Types of personal data

Within regular business operations, we distinguish the following categories of personal data:

Basic personal data: Identification data (name, surname, Citizen ID Number, PIN, citizenship, address, photo); Online identifiers (cookies, IP addresses).

Also, when required by business operations and in accordance with the requirements of the Regulation, we distinguish the following categories of data subjects: employees, candidates for employment, external staff, buyers and suppliers.

5. Personal data we collect

Within its regular business operations, Factory X develops and maintains its own software solutions and services and we implement our own and partner software applications, provide software maintenance and adjustment services as well as Software as a Service (SaaS) and IT consulting (hereinafter: IT services).

Within our regular business operations or the contractual relationship with users, we collect or process the following personal data according to categories and purposes of processing:

Employment – candidates for a job in Factory X. When you apply for a job in Factory X, based on legitimate interest, we are obliged to collect and process your personal data (name and surname, PIN, address, e-mail address, information about previous employments).

Factory X employees – for exercising labour rights as well as for monitoring and for the development of employees, based on legitimate interest, we collect basic personal data (name and surname, PIN, address, data required for keeping records about employees, annual leaves, salaries, records of working hours, travel orders, records of safety at work practices).

External staff – We process basic personal data of all our external staff (student service jobs, traineeship, contractual external staff) based on legitimate interest for the necessity of performance of contracts.

Factory X IT services – when we are the processor, basic personal data as well as special categories of personal data, if their existence is established, are collected and processed.

Establishing communication –we process personal data exclusively based on your consent given freely for the purpose of receiving news or submitting inquiries.

Website visitors – for the purpose of improving user experience when visiting our websites, we collect personal data indirectly in “cookies” during your visit.

For every data processing system, in accordance with internal methodology, Data Classification is preformed and based on that classification, for risky systems Data Protection Impact Assessment (DPIA) is performed with the goal of establishing whether data processing operations may cause a high risk for the rights and freedoms of data subjects.

Taking into account the importance of protecting children’s privacy, we do not collect, process or use any information relating to natural persons whom we know to be under 16 years old without the prior and credible consent of his or her legal representative. Such legal representative has the right and may request to view personal data collected about the minor and request that the rights of data subject are observed.

6. Safety

Factory X collected personal data stores in physical and / or electronic form and is protected according to existing standards and technical capabilities. All personal data in electronic form is kept on password-protected servers and limited employee access. All physical data is kept in locked rooms with alarm system.

 7. Ways of collecting personal data

Every collection of personal data is based on a legitimate interest and business based purpose and every processing of personal data is based on lawful, fair and transparent processing while acknowledging all legitimate rights of data subjects.

We collect data based on:

  • Approval by consent
  • Exercising rights from employment relationship (necessity for performance of contracts)
  • Achieving cooperation with external staff (necessity for performance of contracts)
  • Establishing business relationship with suppliers, users and clients (necessity of performance of contracts)
  • Enabling and securing regular business operations (backup storage, information system, computer network and assets, log entries) (Factory X legitimate interest)

According to categories of data subjects, we collect data as follows:

CANDIDATES FOR EMPLOYMENT IN Factory X: there are two main ways of collecting your personal data:

  • directly from you
  • from third parties (former employers, Croatian Pension Insurance Institute)

 

We collect data from you from your given consent when you apply for a job placement. We have to process your personal data in the process of evaluating the candidate for employment and making a decision on the selection.

Factory X EMPLOYEES: we collect data about you in two ways:

  • directly from you
  • from third parties (Croatian Institute for Health Insurance, Croatian Pension Insurance Institute)

The scope and purpose of processing data about employees is based on legislation and they are required for compliance with legal obligations of Factory X as the controller, as well as for exercising rights from the employment relationship. We collect data from you based on the employment contract. An additional purpose of data collection is to facilitate the professional development of employees through various types of educations and trainings, monitoring the progress of new employees, and all with the goal for factory X to have satisfied and motivated, and thereby also more productive employees.

EXTERNAL STAFF: Data subjects whose data we collect based on the legitimate interest for the necessity of performance of contracts which students, trainees and other categories of external staff concluded with Factory X. We collect data from data subjects of this category:

  • directly from you: data received based on the concluded contract on cooperation
  • directly from you based on the consent given to Factory X for those external staff with whom a direct contract is not concluded, but a contract through an intermediary (for example: student contract)

BUYERS AND SUPPLIERS: We collect and process data about buyers and suppliers for the necessary processing for the performance of contracts you concluded with Factory X:

  • directly from you: data received through the mutual contractual relationship and which are necessary for the performance of contractual obligations.
  • indirectly from you: data received in processes of the contractual relationship necessary for the performance of contractual obligations between Factory X and buyers or suppliers.

FOLLOWERS OF DIGITAL COMMUNICATION CHANNELS: We collect data about you:

  • directly from you: data received based on the freely given consent via factory -x.hr website and all accompanying sub-domains.

VISITORS OF WEBSITES: We collect data about you indirectly when you visit Factory X websites (http://factory-x.hr/, http://domis.factory-x.hr/, http://netopvision.factory-x.hr/).

If you want to learn more about data we collect about you when you visit the Factory X website, please view Terms of use of factory -x.hr website and all accompanying sub-domains.

8. Principles and purposes of processing personal data

We carry out solely lawful, fair and transparent processing of personal data we collected for special, explicit and lawful purposes. Mainly automatized processes of application processing are applied in the processing and, where possible, manual processing of personal data is carried out.

Factory X is responsible for processing collected data. Processing and data processing are necessary for providing contractual services and other legitimate purposes of processing, and it is performed solely for the purpose of performing the above quoted purposes.

Factory X does not perform comprehensive processing of special categories of personal data, nor systematic and extensive evaluations of personal aspects which are based on automated processing or profiling. We also do not perform systematic monitoring of publicly accessible areas.

According to categories of data subjects, Factory X performs processing solely for the purpose:

CANDIDATES FOR EMPLOYMENT IN Factory X: The purpose of processing is the collection of basic information about candidates, the assessment of the potential of candidates. We collect the minimum scope of data we require to perform the selection. The quantity of data we have to collect depends on the process and the position you apply for and the type of the selection procedure which is performed (for e.g. psychological testing, professional testing, interview and the like). We do not process special categories of personal data in this category, except in case it is required to perform a psychological testing for the job application, we shall request from every candidate a special consent for that processing which is a special category processing, and which will be carried out solely for the purpose of employment of applicants at special positions. The goal of this processing is the selection of candidates as impartially as possible in order to secure avoiding any form of discrimination, respectively to secure the selection of those candidates for employment who meet the requirements of an individual position in the best way by their experience, education, skills and abilities.

Factory X EMPLOYEES: The purpose of processing is exercising rights from employment relationship and compliance with legal requirements, processing when using material resources, monitoring the development and raising employees’ competences, facilitating professional development of employees through various form of educations, trainings and conferences, monitoring the progress of new employees joining the company and monitoring the employees’ satisfaction (those who are currently employed and those who are leaving) with individual aspects of work in Factory X – all with the goal for Factory X to have professional, satisfied and motivated, and thereby also more productive employees. The purpose of collecting data is also the creation of various reports on employees (monitoring educations which employees attend, the number of participants at individual events, monitoring costs of educations and the like), and the fulfilment of obligations of the employer in case of contracting and realizing additional benefits for employees (additional health insurance, use of business card and the like). We process, to the necessary extent, solely those special categories of personal data which refer to the requirements of realizing the rights of employees from the employment relationship (sick leaves, medical and pregnancy information), as well as necessary lawful processing for the requirements of protecting the legitimate interests of Factory X as the controller.

EXTERNAL STAFF: Data subjects whose data we collect for the necessity of performance of contracts which students, trainees and other categories of external staff concluded with Factory X, or on given consent for individual categories of external staff. All internal regulations of processing which we apply on employees we also apply on the processing of personal data of external staff.

BUYERS AND SUPPLIERS: The collected data are processed solely for the requirements of fulfilment and performance of contractual obligations. We carry out solely processing necessary for conducting business operations.

FOLLOWERS OF DIGITAL COMMUNICATION CHANNELS: The collected data are processed solely for the requirements of establishing communication with you.

VISITORS OF WEBSITES: The purpose of processing is enhancing user experience when visiting Factory X websites, we collect personal data indirectly in “cookies” during your visit. The data we collect are as follows: the way how you use our websites, the frequency of visits to websites and the time when our Factory X websites are most often visited.

9. Period of retention of data

We approach the processing of personal data with due care and safety, we take care of securing the rights of all data subjects in accordance with legislation and requests of data subjects, for every purpose of processing we define periods of retention and we shall erase all personal data upon cessation of the contractual relationship or other applicable regulations (for e.g. Work Law, Accounting Act, Law on preservation of archival material).

You can request from us, at any time, information about your personal data we dispose of, and you may request that these data are changed or updated. Prior to accessing data, for every request we shall establish the identity of the applicant and the justifiability of the request. If we are legally obliged to refuse your request, we shall do so, and inform you about the reasons.

We cannot erase data:

If they are required for the performance of contractual obligations or other legal requirements (for e.g. Accounting Act).

According to categories of data subjects, Factory X retains personal data as follows:

CANDIDATES FOR EMPLOYMENT IN Factory X: One year after the end of job application to which the candidate applied, for the purpose of reducing costs regarding the repeated collection of data in case of a new job application respectively 60 months from the day of application via open applications.

Factory X EMPLOYEES: We shall retain your data after the cessation of the employment relationship in accordance with legal requirements. The data will be erased after the expiry of legal obligations (for e.g. Work Law, Accounting Act, Law on preservation of archival material).

EXTERNAL STAFF: Data about external staff are retained solely as long as it is required by the lawful processing. After the expiry of the requirement for processing and the legal requirements for retaining data, the same will be erased.

BUYERS AND SUPPLIERS: Data about buyers and suppliers are processed and retained for the duration of the contractual business relationship. After the expiry of contractual obligations and the legal requirements for retaining data, personal data will be anonymised or erased (for e.g. Work Law, Accounting Act, Law on preservation of archival material).

FOLLOWERS OF DIGITAL COMMUNICATION CHANNELS: The period of data retention equals the duration of your consent that is we retain your data until you request from Factory X to erase the data or withdraw your consent.

VISITORS OF WEBSITES: We retain data collected via “cookies” in accordance with the settings of your Internet browser.

10. Factory X data and systems

Factory X uses systems, technologies and good practices which make possible and secure regular business operations and lawful processing of data (backup data storage, nominal and network directories, computer network, hardware infrastructure, applications and data bases).

In accordance with the defined methods and purposes (pursuant to article 35 paragraph 7 of the Regulation), an initial assessment and classification is performed for every system, and which can result in Data Protection Impact Assessment (DPIA). Based on the assessment of impact on the protection of personal data and the processing risk, we establish appropriate protection measures. All Factory X IT services are classified in accordance with the internal methodology and the requirements of the Regulation, taking into consideration the type of data which are processed, our participation and role in processing and the level of responsibility.

For every application system we have identified the responsible persons, the administrators and implemented the appropriate organizational and technical safety measures to secure compliance with the Regulation. Based on the assessment of processing and data, the impact of threat on personal data processing was established and measures and protection mechanisms for reducing the assessed risk were established. The assessment was performed in accordance with the purposes of data processing.

We harmonized our already existing information safety management system with the requirements of the Regulation, whereby we secure an appropriate level of protection of personal data processing methods with the goal of securing that personal data are protected, true and available. During harmonisation with the Regulation, we performed activities by which we met all requirements of the Regulation, about which we inform you by means of this policy and we communicate clearly and transparently all necessary information about the procedures of processing personal data in Factory X.

The process of managing security incidents is included in all our processing procedures and represents one of basic activities of managing information safety making it possible for us to efficiently and continuously monitor the operation of the system and to timely detect irregularities and possible infringements of personal data.

11. Details specific for IT services

For each of its products or services, Factory X applies appropriate data protection measures as regular activities in business operations, and which make possible the compliance with the requirements of the Regulation.

11.1. Factory X as Controller

For personal data processing in which we have the role of the Controller, we identified the records and activities of personal data processing. For records assessed as risky, “Data Protection Impact Assessment” (DPIA) was performed, and application systems in which processing is performed are classified and assessed as high-risk for the rights and freedoms of natural persons in terms of personal data protection.

11.2. Factory X as Processor

The “Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. Factory X is in the function of the Processor for certain IT services which it has delivered to a client or where it maintains the existing system based on a contract, and in which it is the Processor in terms of the Regulation.

For all products and services in which Factory X is the “Processor”, Factory X has a contractual relationship with the Controller. The subject, duration, nature and purpose of processing, as well as the type of personal data and the category of data subjects as well as the obligations and rights of the Controller are defined by the contract.

Taking into consideration the nature of every processing we perform as the Processor, we provide for every Controller all activities of technical, logical and organizational measures and safety management implemented in Factory X. We provide for each Controller a reasonable assurance of protection and processing of personal data based on transferred contractual requirements and our activities in compliance with the requirements of the Regulation in the scope of our services.

Following the order of the Controller, we erase or return to the Controller all personal data.

We shall make available to the Controller all information necessary for proving the compliance with all obligations stipulated for the Processor, and we shall make possible audits or inspections if the same are required or upon the request of the Controller.

We shall make available to the Controller all information necessary for proving the compliance with all obligations of lawful personal data processing.

Factory X has secured that persons authorized for processing personal data have committed to observe confidentiality, and to perform an assessment of legitimacy and purpose of processing and to implement appropriate technical and organizational measures for the purpose of fulfilling the obligation of the Controller in terms of responding to the requirements for exercising the rights of data subjects.

12. Technically required cookies

For all visitor of our websites in order for the website to operate properly, a minimum quantity of information is stored in cookies on the PC or mobile device.

A Cookie is an information stored on the PC or mobile device at the moment of browsing the website you visited. Cookies make an easier use possible since they store your settings for the website (language or address).

Among simple information about settings, cookies can also store personal data (including the IP address of the visitor). Factory X shall not collect personal data of any kind whatsoever, and in case the collection of personal data is required, Factory X shall request the appropriate approval respectively consent for collecting personal data, in accordance with the requirements of the Regulation.

The activities of storing and sending cookies are not visible for the end user, but it is possible to manage the same through internet browser settings, by selecting the approval/rejection of request for storing cookies, erasing stored cookies and other activities related to the use of cookies. More information are available at the link (Conditions of using cookies of the web browser).

13. Transfer of personal data

We can transfer your personal data:

To accountacy service – employees data, data from invoices

To safety at work company – employees data

Google Analytics

Google Analytics is a tool for collecting anonymous customer information about our websites, which collects information about how often users visit our site, which pages they visit, how long they visit them, how long they stay and where they are coming from etc. Cookies with cookies and IP address for the following purposes:

  • improving user experience,
  • tracking the success of a marketing campaign,
  • to analyze patterns of behavior.

If you want to opt out of Google Analytics, you can install a Google plug-in for your browser to prevent it.

The app can be downloaded HERE: https://tools.google.com/dlpage/gaoptout.

More information on how Google uses such aggregated data can be found HERE: https://policies.google.com/privacy/partners?hl=en&gl=uk.

Benchmark

We will collect and process your personal data when submitting our newsletter and promotional emails only with your explicit consent. Your consent can be withdrawn or changed at any time at info@factory-x.hr. To send a newsletter, we use the Benchmark service whose privacy policy can be found at: https://www.benchmarkemail.com/email-marketing/privacy-policy.

14. Transfer of data outside the EU

Factory X as Controller can transfer certain parts of processing to other members of Factory X Group, and which are legal entities outside the EU, in accordance with Chapter V of the Regulation. In case of transfer of data, Factory X shall act in accordance with the defined in article 13 of this Policy. In case of transfer outside the EU, for all personal data we shall secure that the level of protection of natural persons guaranteed by the Regulation is not endangered.

We base the transfer of personal data outside the EU on the provision of the Regulation:

Transfer subject to appropriate safeguard measures: for transfer to third countries outside the approved, appropriate areas, the Controller is obliged to take appropriate safeguard measures and to make possible for data subjects the disposal of enforceable rights and an efficient court protection.

For every transfer of data to third countries, outside the EU, Factory X shall secure an appropriate level of protection, and provide for data subjects all enforceable rights and an efficient court protection on the area of these countries. Factory X has a contractual relationship with all Group members to which data are transferred, and they are located outside the EU, in accordance with article 47 of the Regulation.

15. Managing consents

If you have given us your consent for processing personal data, you can withdraw the same at any time. Also, at any time, you have the right to object to the processing of your personal data. Providing, withdrawal and modification of consent is performed in accordance with the rights of users defined in article 16 of this Ordinance. For the duration of your objection to the processing of your personal data, your data cannot be used in processing.

If you withdraw your consent or object to our processing, your data will not be used in regular processing, which can result in the inability to provide the service in full.

If you want to give again your consent for processing, you can do so in the manner described in the first paragraph of this article.

16. Rights of data subjects

Every data subject has the right to accuracy of information, lawfulness of processing and access to information in accordance with the definitions of the Regulation. We shall provide to all data subjects accurate data about the identity and the contact of the Controller.

Every data subject whose personal data we process has the right to:

Right to access – the data subject can obtain the confirmation (article 15 of the Regulation) per individual purpose of processing, whether or not personal data concerning him or her are being processed. In accordance with articles 13 and 14 of the Regulation, if such personal data are processed, access to personal data and the following information per purpose of individual processing: (i) the purposes of processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.

Right to rectification – If we are processing your personal data which are incomplete or inaccurate, you can request from us at any time to rectify or complete the same.

Right to erasure (“right to be forgotten”) – You can request from us the the erasure your personal data for which Factory X is the Controller. We shall erase your data based on a valid request if one of the following conditions is fulfilled: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) if you withdraw the consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to processing or if there are no overriding legitimate grounds for processing; (iv) the personal data have been unlawfully processed; (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

Right to restriction of processing – as the data subject you have the right to obtain from us the restriction of processing if one of the following conditions is fulfilled: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of personal data and requests the restriction of their use instead; (iii) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (iv) the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject;

Right to data portability – The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where: (i) the processing is based on consent or on a contract; (ii) the processing is carried out by automated means; (iii) based on legal obligation. In exercising your right to data portability pursuant to this point, you have the right to have the personal data transmitted directly from one Controller to another, where that is legally sound and technically feasible.

Right to object – As the data subject you have the right to object, at any time, to processing of personal data referring to you. From the moment of receiving your objection, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

If you are not satisfied with our reaction to your objection, you can always file a complaint on the processing of your personal data to the national competent authority (Croatian Personal Data Protection Agency). After filing the complaint, Factory X as the Controller can no longer process personal data unless we establish and demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims, and we shall inform you about the same.

17. Contact – withdrawal of consent, rectification and access to your personal data

Factory X as the Controller has the right to protection of interests of the Controller as well as the protection of data subjects and accordingly:

We shall perform activities of establishing the identity of the applicant,

  • Valid requests will be accepted solely via defined communication channels and forms,
  • We shall perform the assessment of justifiability of the Request and send a response to the Request,
  • We shall perform the assessment of excessiveness of the Request and if some of the quoted rights are used to an excessive extent and with an obvious intention of misuse, we may charge an administrative fee or reject to process your Request.

 

Out communication based on which you can exercise your rights as the data subject (FORM).

18. Legal framework

Legal framework on which Factory X personal data protection is based

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Act on Implementation of General Data Protection Regulation (Official Gazette 42/2018)

Consumer Protection Act (Official Gazette 41/2014, 110/2015)

 

Version 01, 25.5.2018.