Personal data protection policy

The purpose of the personal data protection policy is to inform individuals, clients, users of products or services, colleagues, employees, and other persons (hereinafter: »individual«), who are engaged with the company FirstClass d.o.o. (hereinafter: »company«), about the purposes, legal bases, security measures, and rights of individuals regarding the processing of personal data carried out by the company.

We value your privacy, so we always carefully protect your data.

We process personal data following applicable legislation in the field of personal data protection and other laws that provide us with the legal basis for processing personal data.

Any changes to this document will be published on our website. By using the website, you confirm that you are familiar with the entire content of the personal data protection policy.

The operator of personal data is the company:

Name of organization: FirstClass d.o.o.
Address: Dalmatinova ulica 2, 1000 Ljubljana
e-mail: info@first-class.si
phone: 040 775 570
website: https://first-class.si/

Authorized person for personal data protection:

DATAINFO.SI, d.o.o.
Tržaška cesta 85, SI-2000 Maribor
https://datainfo.si
e-mail: dpo@datainfo.si
phone: +386 (0) 2 620 4 300

1) Personal data

Personal data means any information relating to an identified or identifiable individual; an identifiable individual can be directly or indirectly identified, in particular by reference to an identifier such as: name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

We may collect the following types of personal information:

Name, surname, permanent and temporary address, date of birth, gender, home and business phone, business and private email address, Linkedin URL or profile or another similar profile, Skype or other similar address and work-related photos.
Tax, registration number, numbers, and data from personal documents (if necessary), work permit number (if necessary), and other identification numbers.
Data on employment, duration of employment including dates, data on the employer and past employers, places of employment, data on education and training, data on recognitions, certificates and licenses, and other work-related data.

Methods and sources for obtaining personal data

We obtain your data from you personally:

When applying for job vacancies through our website (https://first-class.si/aktualne-priloznosti/, https://it-class.eu/si/aktualne-priloznosti/, https://it-class.eu/current-opportunities/ or https://business-class.si/aktualne-priloznosti/).
When submitting an application for a vacancy directly to the mail of FirstClass d.o.o. (info@first-class.si) or other official emails provided to employees by the company.
When submitting applications submitted via social networks (LinkedIn, Facebook, Instagram, etc.) and online advertising providers (Moje Delo, Slo Tech, etc.)

2) Purposes of processing and legal bases for data processing

We process personal data in particular for the following purposes, such as employment assistance, recruitment, and advertising of employment opportunities with clients. Until the cancellation, we will also notify unselected candidates of any new opportunities. We also process personal data to advise you and our clients, which also includes participation in meetings or telephone conversations and for the needs of voluntary psychological testing.

Data can also be used to improve services, which includes identifying problems with existing services, planning improvements to existing services, and designing new services. We can also help ourselves with surveys.

The company collects and processes personal data on the following legal bases:

processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract;
processing is necessary for the legitimate interests pursued by the controller or by a third party;
the data subject has consented to the processing of his or her personal data for one or more specific purposes;
processing is necessary to protect the vital interests of the data subject or of another natural person.

Notification of individuals by email (e.g. newsletters)

The company may inform its clients, customers, and users of its services about its services, events, education, offers, and other content on their email address based on the performance of legitimate activities. An individual may at any time request the cessation of such communication and the processing of personal data and cancel the receipt of messages via the unsubscribe link in the received message, or submit a request by email or regular mail to the company’s address.

The legal bases for data processing are legitimate interest and consent. Data will be processed until the withdrawal of the message receipt or until the withdrawal of consent or until the purpose of the processing is fulfilled. The withdrawal of consent does not affect the legality of the processing based on consent before its withdrawal.

Execution of the concluded contract

In cases where an individual enters into a contract with the company, this constitutes the legal basis for the processing of personal data. The company may process personal data for the conclusion and execution of the contract, such as the sale of goods and services, preparation of an offer, participation in various programs, etc. If the individual does not provide personal data, the company cannot conclude the contract, nor can the company provide the service or deliver goods or other products following the concluded contract, as it does not have the necessary data for execution. On this basis, the company processes only and exclusively those personal data that are necessary for the conclusion and proper performance of contractual obligations.

The legal basis for data processing is the contract. The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract, except in cases where a dispute arises between the individual and the company concerning the contract. In such a case, the company retains the data for 10 years after the final court decision, arbitration, or court settlement, or if there was no court dispute, for 6 years from the date of amicable resolution of the dispute.

Legitimate interest

The company may also process personal data based on a legitimate interest it pursues. This is not permissible when such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relate, which require protection of personal data. In the case of using a legitimate interest, the company conducts an assessment following the legislation. The processing of personal data of individuals for direct marketing is considered to be carried out in a legitimate interest.

The company may process personal data of individuals collected from publicly accessible sources or within the scope of lawful business activities, also to offer goods, services, employment, informing about benefits, events, etc. To achieve these purposes, the company may use regular mail, telephone calls, email, and other telecommunications means. For direct marketing, the company may process the following personal data of individuals: name and surname of the individual, address of permanent or temporary residence, telephone number, and email address. The company may also process these personal data for direct marketing without the individual’s explicit consent. The individual may at any time request the cessation of such communication and the processing of personal data and cancel the receipt of messages via the unsubscribe link in the received message or submit a request by email or regular mail to the company’s address.

Based on the legitimate interest of the operator emails are stored in a special systems that allows the review of existing communication between the candidate and the operator.

The legal base for data processing is a legitimate interest. Data will be processed until the withdrawal of the receipt of messages or until the purpose of the processing is fulfilled. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Processing Based on Consent

If the company lacks a legal basis for processing based on law, contractual obligation, legitimate interest, or the protection of an individual’s life, it may request the individual’s consent. Thus, it can process certain personal data of the individual for the following purposes, when the individual gives their consent:

residential address and email address (for notification and communication);
photographs, videos, and other content related to the individual (e.g. posting pictures of individuals on the company’s website to document activities and inform the public about the company’s work and events);
other purposes for which the individual agrees with consent.

If an individual consents to the processing of their personal data and later decides they no longer wish to do so, they can request the cessation of processing of their personal data by submitting a request via email or regular mail to the company’s address. The revocation of consent does not affect the lawfulness of processing based on the consent before its withdrawal. After receiving a revocation or deletion request, the data must be deleted no later than 15 days. The company may also delete this data before the revocation if the purpose of processing the personal data has been fulfilled or if required by law.

Exceptionally, the company may refuse a deletion request for reasons stated in the General Data Protection Regulation, in cases of exercising the right to freedom of expression and information, complying with a legal obligation for processing, reasons of public interest in the field of public health, for purposes of archiving in the public interest, scientific or historical research purposes, statistical purposes, or for the establishment, exercise or defense of legal claims.

The legal basis for data processing is consent. The data will be processed until the revocation or withdrawal of consent, or until the purpose of processing is fulfilled. The revocation of consent does not affect the lawfulness of processing based on consent before its revocation.

Protection of the vital interests of individual

The company may process the personal data of an individual to whom the data relates if it is necessary to protect their vital interests. In urgent cases, the company may seek an individual’s personal document, check whether that person exists in its database, review their medical history, or make contact with their relatives, for which the company does not need the individual’s consent. This applies in cases where it is necessary to protect the vital interests of the individual.

5) Retention and deletion of personal data

The company will retain personal data only for as long as necessary to achieve the purpose for which the personal data were collected and processed. If the company processes data based on the law, it will retain them for the period prescribed by the law. Some data are kept for the duration of cooperation with the company, while some data must be kept permanently. Personal data processed by the company based on a contractual relationship with the individual will be retained for the period necessary to execute the contract and for 6 years after its termination, except in cases where a dispute arises between the individual and the company regarding the contract. In such a case, the company keeps the data for 10 years after a final court decision, arbitration, or court settlement, or, if there was no court dispute, for 6 years from the day of the amicable resolution of the dispute. Personal data that the company processes based on the individual’s consent or legitimate interest will be kept until the revocation of consent or until a request for deletion of data is made. The company, based on legitimate interest, stores electronic communication with potential candidates in a special systems accessible to all employees, allowing them to review the communication until revoked. Upon receipt of the revocation or request for deletion, the data will be deleted without undue delay. The company may also delete these data before the revocation if the purpose of processing the personal data has been achieved or if required by law. In the case of exercising the individual’s rights, the company keeps the personal data of this individual until the matter has been finally decided, and thereafter in accordance with the final decision in the matter.

Exceptionally, the company may refuse the request for deletion for reasons such as: exercising the right to freedom of expression and information, fulfilling a legal obligation of processing, reasons of public interest in the field of public health, purposes of archiving in the public interest, scientific or historical research purposes, or statistical purposes, enforcement or defense of legal claims. After the retention period expires, the company must effectively and permanently delete or anonymize the personal data so that they can no longer be associated with a specific individual.

6) Contractual processing of personal data and data transfer

The company may entrust certain personal data processing operations to a contractual processor based on a data processing agreement. Contractual processors may process entrusted data exclusively on behalf of the controller, within the limits of their authorization as stipulated in the written contract or another legal act, and by the purposes defined in this personal data protection policy.

The contractual processors with whom the company works are primarily:

accounting services and other legal and business consulting providers;
infrastructure maintenance (security services);
providers of email services and software, cloud services (e.g., Dropbox, Microsoft, Google, MetaView, HRP)
social network providers and online advertising (Google, Facebook, Instagram, Moje delo, etc.).

For better oversight and control over contractual processors and the organization of their contractual relationships, the company also maintains a list of contractual processors, where all specific contractual processors with whom the company cooperates are listed.

Under no circumstances will the company transfer personal data of an individual to third unauthorized parties. Contractual processors may only process personal data within the framework of the company’s instructions and must not use the personal data for any other purpose.

The company as the controller and its employees do not transfer personal data to third countries (outside the member states of the European Economic Area – EU members, Iceland, Norway, and Liechtenstein) or international organizations, except to the USA, where relationships with contractual processors from the USA are regulated based on standard contractual clauses (template contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by regulatory authorities in the EU).

7) Cookies

The company’s website operates with the help of cookies, which are important for providing online services. They are used to store data about the status of each webpage, to assist in collecting statistics about users and site visits, etc. Upon entering the website, only those cookies that are strictly necessary for the operation of the website (e.g., for the shopping cart) are loaded onto the device. Other cookies will be loaded only with the individual’s consent. Settings can be changed by the individual at any time, and cookies can be deleted (instructions are located on the web pages of each browser).

The organization’s website uses the following cookies:

Cookies stored by the browser can be deleted by the individual (instructions can be found on the web pages of each browser).

8) Data protection and data accuracy

The company ensures information security and the security of infrastructure (premises and application-system software). Our information systems are, among other things, protected with antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against other unlawful and unauthorized forms of processing. In the case of transmitting special types of personal data, we transmit them in encrypted form and password-protected. The individual is responsible for securely transmitting their personal data and ensuring that the transmitted data is accurate and authentic.

9) Individual’s rights regarding data processing

The individual to whom the personal data refers has the right to request access to personal data and rectification or erasure of personal data or restriction of processing concerning the individual, as well as the right to object to processing and the right to data portability. The individual’s request is addressed following the provisions of the General Data Protection Regulation and the applicable personal data protection legislation.

All these rights and any questions can be asserted by the individual through a request sent to the company’s address. The company will respond to the individual’s request without undue delay, at the latest within one month of receiving the request. This period may be extended by a maximum of two additional months, considering the complexity and number of requests, about which the individual will be informed, along with the reasons for the delay. Exercising these rights is free of charge for the individual, but the company may charge a reasonable fee if the request is unfounded or excessive, especially if it is repetitive. In such a case, the company may also refuse to comply with the request. In case of doubt about the individual’s identity, additional information may be requested that the company needs to confirm the identity.

In its decision on the individual’s request, the company will also provide the reasons for the decision and information about the right to complain with a supervisory authority within 15 days of being informed about the decision. The right to complain with the supervisory authority can be exercised by the individual at: The Information Commissioner of the RS at the address: Dunajska 22, 1000 Ljubljana (email: gp.ip@ip-rs.si, website: www.ip-rs.si).

The personal data protection policy is effective from 8 April 2024 onwards.

The responsible person of the company: Til Lajovic