This policy was last updated in December 2020.
At ERGOMED, we are strongly committed to protecting your privacy. We are happy to explain our online information practices and the choices you can make about the way your information is processed. Please note that Ergomed PLC, with registered offices at 1 Occam Court, Surrey Research Park, Guildford, Surrey, GU2 7HJ, United Kingdom (hereinafter referred to as ‘ERGOMED’ and/or ‘we’), is the data controller of the personal data that we hold about you within the scope of this Policy.
This Policy applies to all personal data, whether in electronic, paper, or oral format, of visitors/users of ERGOMED’s websites and ERGOMED’s job applicants. If you are ERGOMED’s employee, contractor, and/or Client, please note that there are separate privacy policies that are regulating details of personal data processing. Relevant documents shall be always shared with you before processing takes place.
Why does ERGOMED collect personal data?
Under this Policy, ERGOMED processes personal data for the following purposes:
- to stay in touch with website visitors who contacted us directly, potential clients, and potential partners for marketing and business development purposes;
- to assess/consider candidates regarding a current and/or future job application (please see below ‘Recruiting Software – SmartRecruiters’ for additional clarification);
- to ensure ERGOMED’s IT systems are secure and robust against unauthorised access;
- for other legitimate interests that are not overruling your rights.
Please note that there may be more than one business reason for processing your personal data.
The legal basis for processing your personal data might be:
- the processing is necessary to take steps at your request before entering into a contract;
- that you have given your consent concerning one or more purposes;
- the processing is necessary to pursue a legitimate, primarily business-related, interest.
What personal data does ERGOMED collect?
ERGOMED endeavours to process personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the data subject. The list below identifies the categories of data subjects that ERGOMED processes under this Policy:
- visitors/users of our webpages;
- business contacts;
- job applicants.
The list below identifies the categories of personal data that ERGOMED collects:
- name and contact information;
- ICT related personal data;
- privacy regulation related personal data – consents, privacy rights requests, etc.;
- HR-related personal data for job applicants.
Human Resource data: ERGOMED collects personal data of job applicants which are relevant to decide on their employment. ERGOMED may also conduct a background check as well as collect the right to work documentation as required by law.
NOTE: Please pay attention! ERGOMED is partnering with SmartRecruiters and is using its recruitment software platform. Keep in mind that there are specifics with regards to personal data processing for job seekers using SmartRecruiters’ Recruiting Software!
Recruiting Software – SmartRecruiters
ERGOMED is using services provided by SmartRecruiters. SmartRecruiters is a technology services company that provides a recruitment software platform to other businesses. This software helps ERGOMED to publicise its roles, manage its interaction with candidates, assess suitability, and manage the offer process. It is important to note that SmartRecruiters is an external partner and it will process your personal data in a manner differently than elaborated in this Policy. Please follow the link to familiarize yourself with all details of processing by SmartRecruiters: https://www.smartrecruiters.com/legal/candidate-privacy-policy/may-14-2019/.
Please be aware that you may be required to set up a personal account (“Candidate Portal”) which allows you to manage different job opportunities and track your applications of several Employers (one of them potentially being ERGOMED). In your Candidate Portal, which is accessible on https://my.smartrecruiters.com/, you may register through the email you received after applying, or if your consent was requested. This is operated by SmartRecruiters for which it is responsible. The registration requires your email address and a password. Your profile will be made available and visible to the Employer to which you applied. You will receive job alerts from the Employers to which you applied. In order to provide world-class services to you and the Employer, SmartRecruiters uses third-party providers to help perform statistical analysis, technical support, and data hosting. Your application information will be collected by SmartRecruiters and be made available to you through the Candidate Portal. SmartRecruiters will never sell, rent, or lease the collected personal data.
Please note that SmartRecruiters will collect the following data from you:
- Data that you input during the application process or job alert creation (such as contact information, experience and education, attachments and answers to screening questions.
- Your IP Address and login information (email address and encrypted password) for your Candidate Portal; and
- Cookies, which allow SmartRecruiters to know how their services are accessed and used.
How personal data will be collected?
Under this Policy, your personal data will be collected as:
- Information you give us – through the online forms (e.g. Contact Us Form) or paper forms, emails, phone calls, application/recruitment process and others.
- Information we collect about you – When you visit our website and receive e-mails from us, we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this by using cookies. For more information please see section below on Cookies.
- Information we receive about you from other sources – we may possibly receive your personal data from a third party too (for example from a recruitment company). Further information will be obtained directly from you during the course of your engagement with us, for example through communication with you.
The use of the cookies, Google Analytics & plugins
Please note that you can find sharing buttons on our websites (for Facebook, Twitter, etc.). Once you use these buttons you will be linked to the social media websites with their own privacy policies (they are not our personal data processors).
ERGOMED uses a variety of security measures (physical, organizational, electronic, and technical) to enhance the security of personal data processing – both internally and on webpages to secure any personal information from loss, misuse, unauthorized access or disclosure, alteration, or destruction. ERGOMED operates in compliance with detailed policies and procedures. We put in place appropriate, industry-accepted controls and measures to mitigate and manage the risk, including but not limited to security policy, physical and logical security, access control, firewalls including intrusion prevention system, data encryption, anti-malware scanners, security patching, backups & disaster recovery plans, and staff training.
Disclosure and transfer of personal data
ERGOMED shall NOT trade in any way with your personal data. All information collected through our websites will be sent through to company mailboxes and further processed in the company’s internal network. We use selected contract-based processors for processing your personal data which assure the same level of your personal data security as we do.
All companies within the ERGOMED Group have executed the Intercompany Personal Data Processing Agreement and adhere to the Ergomed Group Personal Data Protection Policy with the purpose to create common policies and procedures for all the ERGOMED Group and to comply with data protection legislation while processing and transferring personal data between themselves and with third parties.
The cross-border transfer of personal data to a third country (a country which is neither an EU member nor an EEA member and which do not ensure an adequate level of data protection as per GDPR) will be carried out by ensuring compliance with all the formalities and procedures reasonably required by the GDPR, such as the execution of Standard Contractual Clauses obtaining the written explicit consent of data subjects, etc.
For how long does ERGOMED store personal data?
We will retain your personal data during the statutory (including fiscal) retention periods and limitation periods. If such periods do not apply to the relevant personal data, we will keep your personal data for no longer than is necessary for the purposes for which the personal data is processed, unless the law requires us to hold your personal data for a longer period, or delete it sooner, or unless you exercise your right to have your data erased and we do not need to hold it in connection with any of the reasons permitted or required by law.
Your IP-address, collected during your website visits, will be deleted as soon as possible, unless there are legitimate security reasons for keeping it. Please note that when you unsubscribe from our marketing communication, we will keep a record of your email address to ensure that we do not send you marketing emails in future. At the end of the retention period, your data will be reviewed and deleted, unless there is a specific legitimate reason for keeping it.
What are your privacy rights?
Please note that you have the right to:
- be informed– this means that you will be informed that ERGOMED is processing your personal data;
- access– this means that you have the right to access the personal data ERGOMED keeps about you;
- rectification– should any data ERGOMED keeps about you be incomplete or inaccurate, you have the right to request ERGOMED to correct it;
- erasure– you have the right to ask ERGOMED to erase your personal data from ERGOMED’s systems;
- restriction of processing– in certain cases you have the right to request ERGOMED to refrain from processing your personal data;
- object to processing– in certain cases you have the right to object to processing of your personal data by ERGOMED;
- portability– this means that you have the right to request the transfer of your personal data in a structured, commonly used, and machine-readable format to another party.
- withdraw the consent given– this means that you can withdraw your consent (if previously given) at any time, without affecting the lawfulness of any processing based on consent before its withdrawal;
- not to be subject to the decision based solely on automated processing– this means that ERGOMED may not make any decision based solely on automated processing. Please note that ERGOMED does not process personal data in this way.
You need to be aware that there are exceptions/limitations to the above rights. For example, access to personal data may be denied in some circumstances if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information. Also, deletion of data will not be possible during the applicable retention periods based on labour and other relevant laws. Furthermore, you have the right to lodge a complaint with your national data protection authority.
If you wish to exercise your rights, it is required to make a request in writing to the Data Protection Officer. You shall be asked to complete a specific request form available upon written request to the Data Protection Officer. You must properly identify yourself to enable the fulfilling of the right.
What if you do not want to provide us with your personal data?
Providing appropriate personal data is a precondition for specific services, such as the performance of an executed contract, the possibility to apply successfully for a job, or where there is a legal obligation to process the personal data. Failure to provide specific personal data may affect ERGOMED’s ability to enter into a contract with you, to contact you, and/or to proceed with the selection procedure (e.g. job applicant).
Amendment of this Policy
We reserve the right to change this Policy from time to time, consistent with the requirements of the privacy regulation and best practices. If we decide to change this Policy, we will announce it by publishing our amended Policy online.
Contact, questions and further information
ERGOMED appointed the group Data Protection Officer for all ERGOMED group companies. Should you have any questions regarding this Policy or the processing of your personal data, please send an email to DPO@ergomedplc.com.
If you are located in the EU/EEA, and you would like to contact us or exercise any privacy right elaborated above, you might directly contact our dedicated EU GDPR Representative: Ergomed istraživanja Zagreb d.o.o.
- by sending an email to GDPRREP@ergomedplc.com or
- via post: Oreškovićeva 20A, 10010 Zagreb, Croatia.