PERSONAL DATA PROTECTION PRIVACY POLICY IN IN2

1. General information

We consider personal data protection an exceptionally important and fundamental part of all processes and corporate governance in IN2. The “Personal Data Protection Privacy Policy in IN2” is the framework for how we handle all personal data we collect within our business operations. The Policy applies as of 25 May 2018 to the IN2 Group, and it was adopted as one of the organizational measures for securing compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the Regulation).

We handle all data we access or process confidentially, for a defined purpose, and in accordance with the highest security standards.

The controller responsible for data processing is:

IN2 d.o.o.
Marohnićeva 1/1
HR-10000 Zagreb
Tel: 00385(1) 6386 800

Personal data protection officer:

Odvjetničko društvo Palić i partneri j.t.d.
Crvenog križa 33
HR-10000 Zagreb
Tel: 00385(1) 4500 555

The personal data protection officer is available via:

Contact form: link to form

E-mail address: dpo@in2.eu

2. Why we adopted the Privacy Policy

We created and adopted this Privacy Policy to ensure that IN2 achieves:

  • Compliance with the applicable legislation on personal data protection;
  • Protection of all personal data we come into contact with;
  • Openness and transparency towards all users and data subjects on how we store and process personal data;
  • Reduction of the risk of personal data breaches;
  • Education and informing of our users and data subjects;
  • Increased transparency of personal data processing.

3. Risks of personal data protection

We protect personal data against the risks to which they are exposed. We have identified the following main risks related to personal data:

  • Risk to the fairness, lawfulness and transparency of processing
  • Risk to the confidentiality of personal data
  • Risk to the integrity of personal data
  • Risk to the availability of personal data
  • Reputational risk
  • Risk of compromising data subjects’ rights in case of transfer of data to a third country

4. Types of personal data

Within regular business operations, we distinguish the following categories of personal data:

  1. Basic personal data: Identification data (name, surname, Citizen ID Number, PIN, citizenship, address, photo); Economic status and financial information (income, credit rating, personal insurance, tax obligations, bonuses); Other personal information (lifestyle, information about family members, education, occupation); Online identifiers (cookies, IP addresses, MAC addresses, user identifiers, log entries); Location data (latitude, longitude, altitude, direction of travel, recording time).
  2. Special categories of personal data (sensitive data), which we process based on a legitimate interest in delivering certain IN2 products to users. Special categories of personal data are data that are particularly sensitive by nature and refer to: health status (sick leave, disability, genetic data, biological samples, lifestyle, nutrition habits); biometric data (recognition of face, voice, gait, smell, handwriting, typing dynamics, fingerprint data); or other categories (race, ethnic origin, political and religious beliefs, sexual orientation, complaints).

Also, when required by business operations and in accordance with the requirements of the Regulation, we distinguish the following categories of data subjects: employees, candidates for employment, external staff, buyers and suppliers.

5. Personal data we collect

Within its regular business operations, IN2 develops and maintains its own software solutions and services and we implement our own and partner software applications, provide software maintenance and adjustment services as well as Software as a Service (SaaS) and IT consulting (hereinafter: IT services).

Within our regular business operations or the contractual relationship with users, we collect or process the following personal data according to categories and purposes of processing:

  1. Employment – candidates for a job in IN2. When you apply for a job in IN2, we collect and process your personal data (name and surname, PIN, address, e-mail address, information about previous employment) based on legitimate interest.
  2. IN2 employees – for exercising rights from the employment relationship as well as for monitoring and developing employees, we collect basic personal data based on legitimate interest (name and surname, PIN, address, data required for keeping records about employees, annual leave, salaries, records of working hours, travel orders, records of safety at work). Employees’ data are also processed when they use the material resources that enable and secure regular business operations, based on IN2’s legitimate interest (material resources include: the information system, inventory, computer equipment and work equipment), as well as within the system for the protection of persons and property (video surveillance).
  3. External staff – we process basic personal data of all our external staff (student service jobs, traineeships, contractual external staff) based on legitimate interest and the necessity of performance of contracts.
  4. IN2 IT services – where we are the processor, basic personal data as well as special categories of personal data, where present, are collected and processed.
  5. Establishing communication – we process personal data exclusively based on your freely given consent, for the purpose of sending you news or handling your inquiries.
  6. Website visitors – for the purpose of improving user experience when visiting our websites, we collect personal data indirectly through “cookies” during your visit.

For every data processing system, Data Classification is performed in accordance with our internal methodology. Based on that classification, a Data Protection Impact Assessment (DPIA) is performed for systems assessed as risky, with the goal of establishing whether the data processing operations may cause a high risk to the rights and freedoms of data subjects.

Taking into account the importance of protecting children’s privacy, we do not collect, process or use any information relating to natural persons whom we know to be under 16 years old without the prior, verifiable consent of their legal representative. The legal representative may request access to the personal data collected about the minor and may request that the minor’s rights as a data subject are observed.

6. Security

IN2 uses physical, technical, logical and organizational security measures to protect personal data against manipulation, loss, threats and access by unauthorized persons. All personal data we process are protected at the appropriate level, in accordance with our internal management and security system. IN2 takes technical, logical and organizational measures to prevent the misuse of data by third parties. We are also committed to continuously improving our security measures in line with technological development and changes in the business environment.

7. Ways of collecting personal data

Every collection of personal data rests on a lawful basis and a business purpose, and every processing of personal data is lawful, fair and transparent and respects all legitimate rights of data subjects.

We collect data based on:

  • Your consent (given for a specific purpose of processing)
  • Exercising rights from the employment relationship (legitimate interest of the employer)
  • Cooperation with external staff (necessity for performance of contracts)
  • Establishing business relationships with suppliers, users and clients (necessity for performance of contracts)
  • Enabling and securing regular business operations (backup storage, information system, computer network and assets, log entries) (IN2 legitimate interest – justified other interests)
  • Protection of persons and property (video surveillance) (IN2 legitimate interest, based on article 25 of the Act on Implementation of the General Data Protection Regulation – justified other interests)

According to categories of data subjects, we collect data as follows:

CANDIDATES FOR EMPLOYMENT IN IN2: there are two main ways of collecting your personal data:

  1. Directly from you
  2. From third parties (former employers, Croatian Pension Insurance Institute)

We collect data from you on the basis of consent when you apply to a job vacancy. We must process your personal data in the process of evaluating candidates for employment and making the selection decision.

IN2 EMPLOYEES: we collect data about you in two ways:

  1. Directly from you
  2. From third parties (Croatian Institute for Health Insurance, Croatian Pension Insurance Institute)

The scope and purpose of processing employee data are based on legislation, and the data are required for compliance with the legal obligations of IN2 as the controller, as well as for exercising rights from the employment relationship. We collect data from you based on the employment contract. An additional purpose of data collection is to facilitate the professional development of employees through various types of education and training and to monitor the progress of new employees, all with the goal that IN2 has satisfied and motivated, and thereby also more productive, employees. Also, for the purpose of using the material resources which IN2 as the employer has made available for securing regular business operations, we process your data based on the legitimate interest of IN2. Material resources are defined in article 5 of this Policy.

EXTERNAL STAFF: Data subjects whose data we collect based on the legitimate interest for the necessity of performance of contracts which students, trainees and other categories of external staff concluded with IN2. We collect data from data subjects of this category:

  1. Directly from you: data received based on the concluded contract on cooperation
  2. Directly from you based on the consent given to IN2 for those external staff with whom a direct contract is not concluded, but a contract through an intermediary (for example: student contract)

As with our employees, we also process the personal data of all external staff who use IN2 material resources, based on the legitimate interest of IN2.

BUYERS AND SUPPLIERS: We collect and process data about buyers and suppliers for the necessary processing for the performance of contracts you concluded with IN2:

  1. Directly from you: data received through the mutual contractual relationship and which are necessary for the performance of contractual obligations.
  2. Indirectly from you: data received in processes of the contractual relationship necessary for the performance of contractual obligations between IN2 and buyers or suppliers.

FOLLOWERS OF DIGITAL COMMUNICATION CHANNELS: We collect data about you in two ways:

  1. Directly from you: data received based on the freely given consent via website https://stayconnected.in2.eu/
  2. From your employer in case of registration for events organized by IN2.

We collect data from you by means of the consent or registration for events organized by IN2.

VISITORS OF WEBSITES: We collect data about you indirectly when you visit IN2 websites.

If you want to learn more about data we collect about you when you visit the IN2 website, please view Terms of use of in2.eu website and all accompanying sub-domains.

8. Principles and purposes of processing personal data

We carry out solely lawful, fair and transparent processing of personal data which we collected for specified, explicit and legitimate purposes. Processing is mainly carried out by automated application processes and, where applicable, personal data are processed manually.

IN2 is responsible for the processing of collected data. Processing is necessary for providing contractual services and for other legitimate purposes of processing, and it is performed solely for the purposes stated above.

IN2 does not perform comprehensive processing of special categories of personal data, nor systematic and extensive evaluations of personal aspects which are based on automated processing or profiling. We also do not perform systematic monitoring of publicly accessible areas.

According to categories of data subjects, IN2 performs processing solely for the purpose:

CANDIDATES FOR EMPLOYMENT IN IN2: The purpose of processing is the collection of basic information about candidates and the assessment of their potential. We collect the minimum scope of data we require to perform the selection. The quantity of data we have to collect depends on the process, the position you apply for and the type of selection procedure which is performed (e.g. psychological testing, professional testing, interview and the like). We do not process special categories of personal data in this category, except where psychological testing is required for the position applied for; in that case we request a separate consent from every candidate for that processing, which is processing of a special category of data and is carried out solely for the purpose of employment of applicants at specific positions. The goal of this processing is to select candidates as impartially as possible in order to avoid any form of discrimination, that is, to select those candidates for employment who best meet the requirements of an individual position by their experience, education, skills and abilities.

IN2 EMPLOYEES: The purpose of processing is exercising rights from the employment relationship and compliance with legal requirements, processing related to the use of material resources, monitoring the development and raising of employees’ competences, facilitating the professional development of employees through various forms of education, training and conferences, monitoring the progress of new employees joining the company and monitoring employees’ satisfaction (those who are currently employed and those who are leaving) with individual aspects of work in IN2, all with the goal that IN2 has professional, satisfied and motivated, and thereby also more productive, employees. The purpose of collecting data is also the creation of various reports on employees (monitoring the education which employees attend, the number of participants at individual events, monitoring the costs of education and the like), and the fulfilment of the employer’s obligations when contracting and providing additional benefits for employees (additional health insurance, use of a business card and the like). We process, to the necessary extent, solely those special categories of personal data which are required for exercising the rights of employees from the employment relationship (sick leave, medical and pregnancy information), as well as the lawful processing necessary for protecting the legitimate interests of IN2 as the controller, including technical and physical measures for the protection of business premises (such as video surveillance).

EXTERNAL STAFF: Data subjects whose data we collect based on the legitimate interest in the necessity of performance of contracts which students, trainees and other categories of external staff concluded with IN2, or on consent given by individual categories of external staff. All internal processing rules which we apply to employees, we also apply to the processing of personal data of external staff.

BUYERS AND SUPPLIERS: The collected data are processed solely for the requirements of fulfilment and performance of contractual obligations. We carry out solely processing necessary for conducting business operations for which we have a legitimate purpose.

FOLLOWERS OF DIGITAL COMMUNICATION CHANNELS: The collected data are processed solely for the requirements of establishing communication and registration for events organized by IN2.

VISITORS OF WEBSITES: The purpose of processing is enhancing the user experience when visiting IN2 websites; we collect personal data indirectly through “cookies” during your visit. The data we collect are as follows: the way you use our websites, the frequency of visits to the websites and the times when IN2 websites are most often visited.

9. Period of retention of data

We approach the processing of personal data with due care and security, and we take care to secure the rights of all data subjects in accordance with legislation and the requests of data subjects. For every purpose of processing we define a retention period, and we erase all personal data upon termination of the contractual relationship or upon expiry of the retention period required by other applicable regulations.

You can request from us, at any time, information about the personal data we hold about you, and you may request that these data are changed or updated. Before granting access to data, for every request we establish the identity of the applicant and the justifiability of the request. If we are legally obliged to refuse your request, we shall do so and inform you about the reasons.

We cannot erase data:

  1. If they are required for the performance of contractual obligations or other legal requirements (e.g. the Accounting Act)

According to categories of data subjects, IN2 retains personal data as follows:

CANDIDATES FOR EMPLOYMENT IN IN2: One year after the end of the recruitment procedure to which the candidate applied, for the purpose of reducing the costs of repeated data collection in case of a new application; for open (unsolicited) applications, 60 months from the day of application.

IN2 EMPLOYEES: We shall retain your data after the cessation of the employment relationship in accordance with legal requirements. The data will be erased after the expiry of legal obligations.

EXTERNAL STAFF: Data about external staff are retained solely as long as it is required by the lawful processing. After the expiry of the requirement for processing and the legal requirements for retaining data, the same will be erased.

BUYERS AND SUPPLIERS: Data about buyers and suppliers are processed and retained for the duration of the contractual business relationship. After the expiry of contractual obligations and the legal requirements for retaining data, personal data will be anonymised or erased.

FOLLOWERS OF DIGITAL COMMUNICATION CHANNELS: The period of data retention equals the duration of your consent that is we retain your data until you request from IN2 to erase the data or withdraw your consent.

VISITORS OF WEBSITES: We retain data collected via “cookies” in accordance with the settings of your Internet browser.

10. IN2 data and systems

IN2 uses systems, technologies and good practices which enable and secure regular business operations and lawful processing of data (backup data storage, user and network directories, the computer network, hardware infrastructure, applications and databases).

In accordance with the defined methods and purposes (pursuant to article 35 paragraph 7 of the Regulation), an initial assessment and classification is performed for every system, which may result in a Data Protection Impact Assessment (DPIA). Based on the assessment of the impact on the protection of personal data and the processing risk, we establish appropriate protection measures. All IN2 IT services are classified in accordance with the internal methodology and the requirements of the Regulation, taking into consideration the type of data processed, our participation and role in the processing and the level of responsibility.

For every application system we have identified the responsible persons and administrators and implemented the appropriate organizational and technical security measures to secure compliance with the Regulation. Based on the assessment of processing and data, the impact of threats on personal data processing was established, and measures and protection mechanisms for reducing the assessed risk were put in place. The assessment was performed in accordance with the purposes of data processing.

We harmonized our existing information security management system with the requirements of the Regulation, whereby we secure an appropriate level of protection of personal data processing methods with the goal of ensuring that personal data are protected, accurate and available. During harmonisation with the Regulation, we performed activities by which we met all requirements of the Regulation, about which we inform you by means of this Policy, and we communicate clearly and transparently all necessary information about the procedures for processing personal data in IN2.

The security incident management process is included in all our processing procedures and represents one of the basic activities of information security management, making it possible for us to efficiently and continuously monitor the operation of the system and to detect irregularities and possible personal data breaches in a timely manner.

11. Details specific for IT services

For each of its products or services, IN2 applies appropriate data protection measures as regular activities in business operations, and which make possible the compliance with the requirements of the Regulation.

11.1. IN2 as Controller

For personal data processing in which we have the role of the Controller, we identified the records and activities of personal data processing. For records assessed as risky, a Data Protection Impact Assessment (DPIA) was performed, and the application systems in which the processing is performed were classified and assessed with respect to high risk for the rights and freedoms of natural persons in terms of personal data protection.

11.2. IN2 as Processor

The “Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. IN2 is in the function of the Processor for certain IT services which it has delivered to a client or where it maintains the existing system based on a contract, and in which it is the Processor in terms of the Regulation.

For all products and services in which IN2 is the “Processor”, IN2 has a contractual relationship with the Controller. The subject, duration, nature and purpose of processing, as well as the type of personal data and the category of data subjects as well as the obligations and rights of the Controller are defined by the contract.

Taking into consideration the nature of every processing we perform as the Processor, we provide to every Controller all technical, logical and organizational measures and security management activities implemented in IN2. We provide to each Controller a reasonable assurance of the protection and processing of personal data based on the contractual requirements transferred to us and on our activities in compliance with the requirements of the Regulation within the scope of our services.

At the instruction of the Controller, we erase or return all personal data to the Controller.

We shall make available to the Controller all information necessary to demonstrate compliance with all obligations stipulated for the Processor and with lawful personal data processing, and we shall allow for audits or inspections where required or upon the request of the Controller.

IN2 has ensured that persons authorized to process personal data have committed themselves to confidentiality, assess the legitimacy and purpose of processing, and implement appropriate technical and organizational measures in order to assist the Controller in fulfilling its obligation to respond to requests for exercising the rights of data subjects.

12. Technically required cookies

For all visitors of our websites (www.in2.eu), in order for the website to operate properly, a minimum quantity of information is stored in cookies on the PC or mobile device.

A cookie is a small piece of information stored on the PC or mobile device at the moment of browsing the website you visited. Cookies make use easier since they store your settings for the website (such as language or address).

Besides simple settings information, cookies can also store personal data (including the visitor’s IP address). IN2 does not collect personal data of any kind through these technically required cookies; where the collection of personal data is required, IN2 shall request the appropriate approval or consent for collecting personal data, in accordance with the requirements of the Regulation.

The storing and sending of cookies is not visible to the end user, but it can be managed through internet browser settings, by approving or rejecting requests to store cookies, erasing stored cookies and performing other activities related to the use of cookies. More information is available at the link (Conditions of using cookies of the web browser).

13. Transfer of personal data

We can transfer your personal data listed in article 5 and, in accordance with article 7 of this Policy (based on our legitimate interest and your consents in accordance with this Policy, for the purpose of processing for employment, employees, external staff or buyers and suppliers), to companies within the IN2 Group for the purpose of providing services provided by IN2. These companies may use the data solely in the manner provided by this Policy. For example, if we process your personal data based on consent, the withdrawal of consent will also apply to these companies.

14. Transfer of data outside the EU

IN2 as Controller can transfer certain parts of processing to other members of the IN2 Group which are legal entities outside the EU, in accordance with Chapter V of the Regulation. In case of transfer of data, IN2 shall act in accordance with article 13 of this Policy. In case of transfer outside the EU, we shall secure for all personal data that the level of protection of natural persons guaranteed by the Regulation is not undermined.

We base the transfer of personal data outside the EU on the provision of the Regulation:

  • Transfer subject to appropriate safeguards (article 46 of the Regulation): for transfers to third countries outside the areas recognized as providing adequate protection, the Controller is obliged to provide appropriate safeguards and to ensure that data subjects have enforceable rights and effective legal remedies

For every transfer of data to third countries outside the EU, IN2 shall secure an appropriate level of protection and provide data subjects with enforceable rights and effective legal remedies in those countries. IN2 has a contractual relationship, in accordance with article 47 of the Regulation, with all Group members located outside the EU to which data are transferred.

15. Managing consents

If you have given us your consent for processing personal data, you can withdraw it at any time. Also, at any time, you have the right to object to the processing of your personal data. Giving, withdrawing and modifying consent is performed in accordance with the rights of data subjects defined in article 16 of this Policy. For the duration of your objection to the processing of your personal data, your data cannot be used in processing.

If you withdraw your consent or object to our processing, your data will not be used in regular processing, which can result in our inability to provide the service in full.

If you want to give your consent for processing again, you can do so in the manner described in the first paragraph of this article.

16. Rights of data subjects

Every data subject has the right to accuracy of information, lawfulness of processing and access to information in accordance with the definitions of the Regulation. We shall provide to all data subjects accurate data about the identity and the contact of the Controller.

Every data subject whose personal data we process has the right to:

  1. Right of access – the data subject can obtain confirmation (article 15 of the Regulation), per individual purpose of processing, as to whether or not personal data concerning him or her are being processed. In accordance with articles 13 and 14 of the Regulation, if such personal data are processed, the data subject has the right to access the personal data and the following information per purpose of processing: (i) the purposes of processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.
  2. Right to rectification: If we are processing your personal data which are incomplete or inaccurate, you can request from us at any time that we rectify or complete them.
  3. Right to erasure (“right to be forgotten”): You can request from us the erasure of your personal data for which IN2 is the Controller. We shall erase your data based on a valid request if one of the following conditions is fulfilled: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw the consent on which the processing is based and there is no other legal ground for the processing; (iii) you object to the processing and there are no overriding legitimate grounds for the processing; (iv) the personal data have been unlawfully processed; (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
  4. Right to restriction of processing – as the data subject you have the right to obtain from us the restriction of processing if one of the following conditions is fulfilled: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (iv) the data subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the data subject;
  5. Right to data portability – the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where both of the following apply: (i) the processing is based on consent or on a contract; and (ii) the processing is carried out by automated means. In exercising your right to data portability, you have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.
  6. Right to object – as the data subject you have the right to object, at any time, to the processing of personal data relating to you. From the moment of receiving your objection, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If you are not satisfied with our response to your objection, you can always lodge a complaint about the processing of your personal data with the competent national supervisory authority (Croatian Personal Data Protection Agency). After a complaint has been lodged, IN2 as the Controller can no longer process the personal data unless we establish and demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims, and we shall inform you accordingly.

17. Contact – withdrawal of consent, rectification and access to your personal data

IN2 as the Controller has the right to protect the interests of the Controller as well as of data subjects, and accordingly:

  1. We shall establish the identity of the applicant,
  2. Valid requests will be accepted solely via the defined communication channels and forms,
  3. We shall assess the justifiability of the Request and send a response to the Request,
  4. We shall assess whether the Request is excessive, and if any of the rights listed above are used to an excessive extent and with an obvious intention of misuse, we may charge an administrative fee or refuse to process your Request.

The communication channel through which you can exercise your rights as a data subject: (link to form)

18. Legal framework

The legal framework on which IN2 personal data protection is based:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Act on Implementation of General Data Protection Regulation (Official Gazette 42/2018)
  • Consumer Protection Act (Official Gazette 41/2014, 110/2015)

Version 01, 25.5.2018.