Privacy policy for HR purposes

1. General

    Medis Group, d.o.o., with its affiliated companies, respects your right to privacy and strives to maintain the highest level of personal data protection. Therefore, in carrying out our activities, we are committed to acting in accordance with the laws and regulations that define the protection of personal data, in particular in accordance with the applicable Slovenian Personal Data Protection Act, the Electronic Communications Act and the EU General Data Protection Regulation. We prepared this Privacy Policy for HR Purposes (hereinafter: the Policy) to provide information for respondents. The purpose of this Policy is to inform you of the purposes for which your personal data will be acquired and how they will be used, what your rights are in relation to the data we keep about you and how you can exercise them.

    Medis Group, d.o.o., with its affiliates, undertakes to use the collected personal data provided by you in accordance with this Policy, to not sell, lend or otherwise transfer your personal data to third parties, except in the cases defined in this Policy.

    2. Data controller

      The controller of your personal data is Medis Group, d.o.o., Brnčičeva ulica 3, 1231 Ljubljana - Črnuče, gdpr(at)medis.com, 00386 1 589 69 00 (hereinafter referred to as the “employer”, “we” or “us”).

      Your privacy is extremely important to us, which is why we have appointed a data protection officer whom you can contact should you have any questions regarding the processing of your personal data. The company serving as data protection officer is JK Group d.o.o., Stegne 27, SI-1000 Ljubljana.

      To contact the data protection officer, write an email to gdpr(at)medis.com or call the telephone number (003861) 589 69 00.

      You can address any questions about the processing of your personal data or the execution of your rights related to the processing of personal data, to any of the contacts listed in this chapter (both the contacts of the employer and the contacts of our data protection officer). We will answer any questions or requests free of charge.

      All the issues and materials that will be addressed by the data protection officer shall be subject to strict confidentiality.

      This Privacy Statement applies to:

      • employees at the employer,
      • students who work at the employer on the basis of a referral of an authorised organisation that carries out the activity of mediating work for high school and university students,
      • scholarship holders and candidates for a scholarship,
      • potential candidates who applied for any vacancy published by the employer,
      • potential candidates who sent a job application via the Employment Form, on a career portal or in writing to the address of the company/via e-mail, unrelated to the current job vacancies published by the employer and
      • non-selected candidates who have consented to the retention of personal data for future recruitment purposes.

      3. The purpose of data processing

        All personal data you provide to us will be treated confidentially and will be used only for the purposes for which they were provided. If there is a need for further processing of your data for any other purpose, we will contact you in advance and ask for your consent.

        The purposes for which we may use your personal data are as follows:

        1. The purposes of the processing related to the employees:

        • entry into and execution of an employment contract concluded with the employer and the fulfilment of other obligations of the employer arising from the employment relationship (for example, accounting and payroll preparation, payment of taxes and contributions etc.),
        • supervision of the fulfilment of the obligations arising from the employment relationship for a particular worker and the conduct of disciplinary proceedings, procedures for the termination of an employment contract and legal proceedings against an employee,
        • providing access to the Idejnica project and e-learning application for employees,
        • keeping records of employees, which we are obliged to keep pursuant to the law,
        • entry into and execution of other contracts with employees (e.g. education contract, contract for the use of a company vehicle or company equipment) and the keeping of records arising from such contracts (e.g. a register of company vehicles and cars),
        • transfer of employee’s personal data to third parties where there is a legal basis for this,
        • entry into and execution of a scholarship contract,
        • publication of a birthday in Outlook business card (if you give consent),
        • publication of a photo in the presentation of new employees (if you give consent),
        • publication of photos taken at events (if you give consent),
        • publication of a slogan with first and last name and, where appropriate, a role on the screens and HR advertisements in group companies (if you give consent),
        • giving presents and taking pictures with children (if you give consent).

        The purposes pertaining to the employment contract and / or employees also apply mutatis mutandis to all who perform work as high school or university students.

        2. The purposes of the processing related to the candidates:

        • processing of personal data provided by the candidate in the context of an employment process at the employer (e.g. a CV, the information you provide to us through the Questionnaire upon applying for a job) in order to select the appropriate candidate for a vacant post,
        • processing of personal data submitted by the candidate through the Employment Form on the career portal, in order to determine whether the candidate is suitable for the published job vacancy or if the candidate could potentially be employed in the near future (in the latter case, we will ask for your consent for the retention of data),
        • processing of personal data submitted by the candidate in writing to the address of the company or via e-mail unrelated to the current job vacancies published by the employer, in order to determine whether the candidate is suitable for the published job vacancy or if the candidate could potentially be employed in the near future (in the latter case, we will ask for your consent for the retention of data),
        • retention of the data of potential candidates who have submitted their personal data on the basis of any of the above three indents of point b) of this Policy.

        The retention of potential candidates’ data is possible only with a prior consent of the potential candidate. Such retention shall last one year from the receipt of the personal data of each individual. After this time period, the data shall be permanently deleted.

        4. Categories of personal data

          Your personal data are processed solely on the basis of clearly defined and legitimate purposes as defined in this Policy. We are committed to the principle of “data minimisation”, which means that we collect, keep and process only the data we need to fulfil the purposes for which they are collected.

          We obtain your personal data directly from you (for example, when you provide us with a CV or if you provide us with the information when concluding an employment contract).

          Personal data are kept in records available to you in the HR department of the employer. Certain records are also accessible through internal applications. Such records are marked with *.

          The employer keeps the following records of the processing activities:

          • Record of employees
          • Record of data on persons who work at the employer on the basis of a referral of an authorised organisation that carries out the activity of mediating work for high school and university students
          • Record of data on candidates for scholarships and scholarship holders
          • Records of salaries, travel orders and other monthly payments
          • Records on the use of working time
          • Record of injuries at work
          • Record of medical examinations
          • Record on training of employees
          • Record of company cars and drivers*
          • Record of job applications
          • Record of unsuccessful candidates whose data are kept on the basis of their explicit consent

          5. Data users

            At the employer, your personal data are processed only by people who are authorised to process personal data. The authorisation can be explicit (for example, given by the director or the head of the department) or general (such authorisation is evident from the description of the tasks of a particular position).

            The data controller can forward your personal data to third parties. The access of third parties to data and the processing of data by these persons are limited to the purposes for which such data were collected. All third parties to whom we can forward your personal data are bound to comply with the applicable law as well as the provisions of this Privacy Statement.

            We can forward your personal data:

            1. To our affiliated companies listed below: 

            • Medis, d.o.o., Brnčičeva 1, 1000 Ljubljana, Slovenia
            • Medis GmbH, campus 21, Europaring F15/301, A-2345 Brunn am Gebirge, Austria
            • Medis Pharma Bulgaria EOOD, Sofia 1700, 31, Prof. Atanas Ishirkov street, office № 6, Bulgaria
            • Medis International d.o.o. Sarajevo, Ahmeda Muratbegovića 2, 71000 Sarajevo, Bosnia and Herzegovina
            • Medis Adria d.o.o., Buzinska cesta 58, 10000 Zagreb, Croatia
            • Medis Hungary Kft., VIV Center, Hosszúrét u. 1., 2045 Törökbálint, Hungary
            • MEDIS MAKEDONIJA DOOEL Skopje, Ul. Naum Naumovski Borče 50/2–11, 1000 Skopje, North Macedonia
            • Medis Poland Sp. z o.o., Ul. Aleksandra Wejnerta 21/23 lok. 8, 02-619 Warszawa, Poland
            • Medis RO S.R.L., 22 Nicolae Caramfil Street, Apt. 103, 014143 Bucharest, Romania
            • Medis Pharma d.o.o. Beograd, Milutina Milankovića 11b, 2 sprat, 11070 Novi Beograd, Serbia
            • Medis Pharma Slovakia s.r.o., Europeum City Center, Regus - 1st floor, Suche myto 1, Bratislava 81103
            • Medis Pharma Lithuania UAB, Kuršių g. 7-23, LT-48107 Kaunas, Lithuania

            2. To our contracted processors providing certain services.

            3. We provide data to the public administration bodies and the courts when required by law (for example, the financial administration of the Republic of Slovenia, the Health Insurance Institute, the Pension and Disability Insurance Institute, the requests of the courts, etc.).

            Personal data that may be forwarded to affiliated companies defined in section 1 are provided in the framework of joint management and on the basis of the “Agreement on sharing of personal data” concluded between group companies. In accordance with this agreement, the data from the field of HR are processed both by us and by other relevant companies in the group. With regard to the processing of personal data carried out by Medis Group, d.o.o., you can contact us or Medis, d.o.o. at gdpr(at)medis.com. You can also exercise your rights in relation to processing with all companies (the rights are defined in more detail in section 9 below). We would like to inform you that any requests for the erasure of personal data will be handled by all relevant companies. Personal data may only be processed for the purposes defined in this Policy.

            When we share personal data with third parties referred to in section 2, we will ensure that access to third parties is made possible only for the purposes set out in this Policy. Furthermore, the access to your data will be limited to those employees of any of those third parties who need access to the personal data to perform their work. All employees who have access to personal data are obliged to protect the personal data they process.

            When we forward the data to third parties referred to in section 3, they are provided in the scope and in the manner prescribed by the applicable law.

            Your personal data may also be processed by the employer and the above-mentioned third parties outside the European Economic Area, including in some countries that may not provide the same level of personal data protection as applies within the European Economic Area.

            In accordance with the relevant data protection and privacy regulations, we will take appropriate measures to ensure that your personal data remains secure and safe in every transfer. We will set out these measures by concluding appropriate contractual frameworks that will define the protection of personal data.

            6. Legal bases for the use of personal data

              The bases on which we use your personal data are as follows:

              • The law – We process your personal data when we are required to do so by the law (this includes, in particular, the Employment Relationship Act, which serves as the basis for the majority of processing activities arising from the employment relationship or the management of recruitment procedures. Other laws can serve as a basis as well, for example the Labour and Social Security Registers Act, which imposes an obligation on the employer to keep records of employees).
              • Contractual or pre-contractual relationship – When personal data are not processed on the basis of the law, the contractual relationship with the employer can serve as the basis for the processing of personal data. This may mean an employment contract or another contract, such as an education contract. Such data include, in particular, a private (contact) telephone number, a private (contact) e-mail address, information on education, information on company vehicles, etc.
              • Legitimate interests – Your personal data may be processed on the basis of our legitimate interests. Whenever we process your personal data on the basis of legitimate interests, we will explicitly indicate this in this Policy or inform you in advance by a special form. On the basis of our legitimate interest to provide a healthy and safe working environment and improve our communication with employees, we process your personal data within the Idejnica application offered by the employer. On the basis of our legal interest to optimise the organisation of business trips in the Medis network, personal data of the employee may be forwarded to one of the affiliated companies, for the purpose of organising the accommodation, transport and participation of individual employees at the event or a business trip.
              • Your explicit consent – We may occasionally ask you to give consent so we can use your personal data for one or more purposes. Whenever the legal basis for the processing of your personal data is your consent, we will inform you in advance.

              We will ask all candidates for consent to fill in certain parts of the Employment Form and the Questionnaire upon applying for a job, and we will ask our employees for their consent to publish their birthday in the Outlook business card, to publish photos in the presentation of new employees, to publish a slogan with personal data on the screens and HR ads in the group companies, to publish photos from events, and to process data of children for the purpose of giving them gifts and to publish photographs of children from events. We will also ask for the consent of non-selected candidates whose personal data we want to keep for future recruitment purposes. See the section “Your rights” for information about the rights that you have if we process your data on the basis of your consent.

              You are obliged to provide us with personal data that we collect and process on the basis of the law. The submission of personal data for the entry into (and execution of) a contract is voluntary. Nevertheless, we warn you that if you do not provide personal data that we absolutely need to provide a service, we cannot provide you with such services (for example, the submission of data on a personal car that an employee wants to use as a company vehicle is necessary for the entry into a contract on the use of a company vehicle).

              When processing your personal data on the basis of a consent, the provision of personal data is always voluntary and without any negative consequences for you. Nevertheless, we warn you that we will not be able to provide you with certain services without your consent or after the withdrawal of your consent (for example, keeping your personal data in order to contact you when a relevant job vacancy opens for you). 

              7. Retention period

                We store all personal data that we process in accordance with the law and only for the time period required to achieve the purposes for which the data were collected.

                When the time period for the retention of personal data is prescribed by the law, the data are kept in accordance with the provisions of such act.

                With regard to the collection and processing of personal data on the basis of a contract, the time period for the retention of data is the entire period of the validity of the contract, including warranty or any other time periods arising from the concluded contract.

                With regard to the collection and processing of personal data on the basis of your explicit consent, we will keep your personal data permanently or until the withdrawal of the consent. If the purpose for which we have processed the data is fulfilled, we will delete your data even if you do not withdraw the consent. For example, if we decide not to post photos of new employees, we will delete all of the already published photos even without a withdrawal of the consent.

                8. The manner of protecting your data

                  The employer undertakes to protect any personal data you provide to us. The employer undertakes to do everything to protect personal data against any violations and abuses.

                  The personal data are kept in a written form (in personal folders, in locked cabinets) and in computerized form. Our computer systems are protected by technical and organisational measures that prevent accidental or deliberate destruction, loss, damage, alteration and unauthorised disclosure or access to your personal data.

                  Among other things, technical and organisational measures that we use to protect your personal data include:

                  • regular backup of copies, which are properly protected,
                  • limitation of access to personal data,
                  • care for education of employees in the field of personal data protection and supervision over the work of employees.

                  Technical and organisational measures for the protection of personal data referred to in this policy are defined in more detail in the Rules on the protection of personal data in force at the employer.

                  After the expiry of the retention period or the withdrawal of the given consent, the data (including any copies thereof) shall be immediately irretrievably and permanently deleted. Any carriers of personal data where these data are located shall also be destroyed/permanently deleted.

                  In the event of a personal data breach, we will immediately inform the competent supervisory authority of the violation. In Slovenia, the competent authority for personal data protection is the Information Commissioner. You can find out more about the function of the competent authority on their website: https://www.ip-rs.si/. If, in the event of a personal data breach, a suspicion could arise that a criminal offence was committed, we will immediately notify the police or the competent prosecutor's office.

                  In the event of a personal data breach where there is a high risk for the rights and freedoms of individuals whose personal data are processed, we will inform you of such a breach without undue delay.

                  9. Your rights

                    The employer enables you to exercise all of your rights related to the processing of your personal data.

                    The data subject can, at any time, request the employer to:

                    • confirm whether the data relating to the data subject are processed or not,
                    • enable the access to personal data:
                      The access to personal data is only granted when we confirm that we process your personal data; you have the right to request information about what data we process and about the source of the data,
                    • allow rectification of inaccurate or incomplete personal data relating to the data subject:
                      We ask you to inform us of any change in your personal data as soon as possible, as this is the only way to ensure the accuracy and integrity of the personal data that we keep; you can report the changes to the contacts listed in section 10 of this Policy,
                    • enable the printout of the personal data provided to us by an individual in a structured, commonly used, machine-readable form,
                    • enable the right to delete personal data (i.e. the right to be forgotten):
                      The right to erasure of the personal data is limited; we cannot delete the personal data that we process on the basis of the law or on the basis of a contractual relationship with us (including any warranty and other time periods that may arise from a particular contract),
                    • enable the right to the restriction of processing (for example, the request to restrict processing is possible during the verification of the integrity of your personal data that we are processing),
                    • allow the right to object to the processing:
                      The right to object to the processing of personal data is limited to the processing that is based on a legitimate interest (this Policy states when the basis for the processing of your personal data is legitimate interest, or we will inform you thereof accordingly in advance) and the processing for the purposes of direct marketing, including profiling,
                    • enable the right to data portability and provide the data in a structured, commonly used and machine-readable form or directly transmitted to another controller,
                    • allow the right to withdraw consent where personal data are processed on the basis of consent, whereby the withdrawal of the consent does not affect the legality of the processing of the data that was carried out prior to its withdrawal. The consent may be withdrawn by an individual in any manner specified in section 10 of this Policy. The withdrawal of consent does not create any negative consequences for you. It may happen that after you withdraw your consent, we will not be able to provide you with certain services if these services are of such a nature that we cannot perform them without the transmission of your personal data (for example, without the processing of your email address we cannot provide you with e-mail notification services).

                    Every data subject has the right to file a complaint against us with the Information Commissioner.

                    You can exercise your rights by contacting us by e-mail at: gdpr(at)medis.com, including “personal data protection” in the subject line, or by calling the telephone number (003861) 589 69 00.

                    The employer undertakes to respond to the requests of the data subject without undue delay, and at the latest within the statutory deadlines.

                    10. Contact

                      The responsible person with the employer and/or the data protection officer will respond to any questions about the confidentiality of your data, the manner of collecting and processing data, or your requests for exercising the rights related to your data. To contact the data protection officer, write an email to gdpr(at)medis.com or call the telephone number (003861) 589 69 00.

                      11. Definitions

                        This section defines the terms used in this Policy.

                        Personal data is any information relating to an identified or identifiable individual, in particular: name, identification number, web identifiers as well as factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.

                        Processing is any operation or set of operations which is performed on personal data and includes, in particular, the collection, editing, storage, alteration, consultation, retrieval and erasure of such data.

                        Controller is a natural or legal person who, alone or together with others, determines the purposes and means of the processing. For the purposes of this Policy, Medis Group, d.o.o. is the controller of personal data.

                        Processor is a natural or legal person, as well as a public authority, agency or another body which processes personal data on behalf of the controller.

                        Employee is a natural person who performs work at the employer on the basis of an employment contract or as part of student work or compulsory practice of high school or university students or scholarship holders.

                        Candidate is a natural person who submits their personal data to the employer as a response to a published job vacancy through the Employment Form, or unrelated to the usual recruitment procedures by e-mail or to the employer's registered office.

                        Potential candidate is a natural person who provided the employer with personal data for the purpose of finding employment at the employer (irrespective of the manner of data submission) but was not selected for employment, and whose personal data the employer keeps for the purpose of future employment.

                        12. Changes

                          We reserve the right to periodically adapt this Privacy Policy for HR Purposes to the actual situation and legislation regarding the protection of personal data. For this reason, we ask that you check the current version before submitting any personal data, so you will be familiar with any changes or updates.

                          The current version of this policy will be available on our website and in the Human Resources Department.

                          Version: 1.0

                          In force as of: 27/07/2018