Combis Policy on the Protection of Privacy (hereinafter: “Policy”) is aimed at all users (data subjects) who in any way get in touch with Combis (“we”, “us”), and it explains what, why, and in which manner happens with their personal data when contacting us. The Policy also contains information on users’ rights, as well as on how to exercise them.
In the context of this Policy Combis is, as a rule, a data controller in relation to personal data it processes. However, in the context of its core business, Combis usually takes on the role of a data processor while providing IT services.
All questions regarding this Policy, protection of privacy and personal data, or manners, reasons and security of processing can be referred to our Data protection officer:
Data protection officer
Combis, Information Technologies and Systems Integration, Ltd.
10 000 Zagreb
1. Categories of data subjects
A. Visitors to our websites
This Policy applies to all web locations owned by Combis, consisting of the main website www.combis.hr and, depending on particular Combis solutions and services, of the remaining websites (Combis Conference, Networking, Cloud, Big Data, ComCloud, Printing and others).
Visiting our websites is normally anonymous, and we process your personal data when you decide so. In other words, Combis usually processes personal data that visitors directly provide in the following situations:
- when providing e-mail address for the purpose of subscribing to our Newsletter;
- when leaving their data (name, surname, e-mail address) and any other additional information contained in a message which users may send us through contact form;
- when filling in the fields (name, surname, e-mail address, subject, message) for the purpose of leaving comments and/or suggestions; and/or
- providing data necessary to participate in Combis Awareness programme (name, surname, company, job position, company address, city, e-mail address, telephone number, and technical information of informative nature relating to the service itself (e.g. ICT services that may be subject to analysis, or Cloud services that may be of interest etc.)
Aforementioned personal data Combis uses solely for the purposes of providing the required services, e.g. in order to deliver Newsletter, in order to reply to your inquiries, comments and/or suggestions, or to enable participation in the Awareness programme. Data collected based on your consent, Combis will in no case share with third parties. The exception is Newsletter, for which delivery we use the services provided by MailChimp. MailChimp may use your data exclusively for the purpose of delivering our Newsletter, and all more detailed information about the rules on privacy protection are accessible at https://mailchimp.com/legal/privacy/.
Apart from the data visitors provide themselves, Combis collects certain personal data automatically, by using web analytics tools and cookies.
Web analytics tool which Combis uses on its web locations is Google Analytics. This Google’s software enables the collection of data inherent in an internet environment, such as IP addresses, browser and operating system type, etc. It also enables the collection of information on the number of visitors and details of their behaviour patterns. These data and information represent statistical data, which do not allow for the identification of visitors, and are collected for the purposes of our internal analysis, statistics and system administration.
Managing cookies depends on browser type used by individual user, and more detailed information may be found on websites of the corresponding company (e.g. Apple Safari, Google Chrome, Microsoft Edge, Microsoft Internet Explorer, Mozilla Firefox and others).
Our websites may point to other web locations that are not owned by, controlled by, nor which are the responsibility of Combis. If you visit such websites, we recommend getting yourselves familiar with their policies, privacy and security rules, since the latter might differ in relation to this Policy.
Combis uses WordPress software to create and manage the content of its individual websites. More information on how Automattic as the owner and the operator of the WordPress.com service processes personal data of visitors to our websites are accessible at https://automattic.com/privacy-notice/.
COMBIS also uses TalentLyft as a platform for publishing job ads, as well as for job applicants. More about job ads and open work positions can be found on https://combis.talentlyft.com/#.
Combis websites use Facebook Social Plugin operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA and Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02 X525, Ireland (hereinafter: “Facebook”). Facebook Social Plugin is an icon containing Facebook’s logo, and by clicking on it, the visitors of our websites are being redirected to Facebook’s websites. In that case, Facebook may receive information about our visitors, such as IP addresses due to technical reasons. The selection of Facebook’s icon enables the visual display of Facebook’s website, and it enables COMBIS to measure the number of visits to our websites. The consequence of using Facebook’s icon for visitors who are at the same time logged into Facebook is the storage of visitors’ actions in their Facebook accounts (e.g. clicking the Like Button or publication of comments). If you do not want Facebook to process your data in such way, check whether you are logged out of your Facebook account before visiting Combis websites. More detailed information on how Facebook collects and uses personal data, and on Facebook’s privacy policies may be found on Facebook websites.
Combis websites use LinkedIn Social Plugin operated by LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA and LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter: “LinkedIn”). LinkedIn Social Plugin is an icon containing LinkedIn’s logo, and by clicking on it, the visitors of our websites are being redirected to LinkedIn’s websites. In that case, LinkedIn may receive information about our visitors, such as IP addresses due to technical reasons. The selection of LinkedIn’s icon enables the visual display of LinkedIn’s website, and it enables Combis to measure the number of visits to our websites. The consequence of using LinkedIn’s icon for visitors who are at the same time logged into LinkedIn is the storage of visitors’ actions in their LinkedIn accounts (e.g. clicking the Like Button or publication of comments). If you do not want LinkedIn to process your data in such way, check whether you are logged out of your LinkedIn account before visiting Combis websites. More detailed information on how LinkedIn collects and uses personal data, and on LinkedIn’s privacy policies may be found on LinkedIn websites.
Combis websites use Twitter Social Plugin operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA and Twitter International Company, 1 Cumberland Place, Fenian Street, Dublin 2, Ireland (hereinafter: “Twitter”). When accessing our websites using the Twitter icon, a connection is established between your browser and Twitter’s servers, during which certain information are passed on to Twitter. If at the same time you are logged into Twitter, this information may be connected to your Twitter account (e.g. publication of comments, or clicking the Like Button etc.). If you want to prevent this, you should log out of Twitter before visiting our websites. More detailed information on how Twitter collects and uses personal data, and on Twitter’s privacy policies may be found on Twitter websites.
Combis websites use YouTube Social Plugin operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter: “YouTube”). When accessing our websites using the YouTube icon, a connection is established between your browser and YouTube’s servers, during which certain information are passed on to YouTube. If at the same time you are logged into YouTube, this information may be connected to your YouTube account (e.g. publication of comments, or clicking the Like Button etc.). If you want to prevent this, you should log out of YouTube before visiting our websites. More detailed information on how YouTube collects and uses personal data, and on YouTube’s privacy policies may be found on YouTube websites.
Combis websites use Instagram Social Plugin operated by Instagram, 1 Hacker Way, Menlo Park, CA 94025, USA (hereinafter: “Instagram”). When accessing our websites using the Instagram icon, a connection is established between your browser and Instagram’s servers, during which certain information are passed on to Instagram. If at the same time you are logged into Instagram, this information may be connected to your Instagram account (e.g. publication of comments, or clicking the Like Button etc.). If you want to prevent this, you should log out of Instagram before visiting our websites. More detailed information on how Instagram collects and uses personal data, and on Instagram’s privacy policies may be found on Instagram websites.
Combis will retain visitors’ personal data collected through its websites for as long as we maintain a relationship with the individual visitor.
B. Business contacts
Business contacts mean existing and potential clients and business users of Combis, whose personal data Combis processes using a CRM system to manage business and relationship with clients (Customer Relationship Management).
Categories of personal data of business contacts and their import into Combis CRM include, among others, name and surname of an individual business contact, the name of his/her employer, title, phone number, e-mail address, and other business information such as workflow tracking and communication with clients. In the CRM system, we also document interests an individual business contact has demonstrated regarding the content and news that he/she would like to receive from Combis (e.g. Newsletter, invitations to Combis events and conferences, etc.).
Processing of business contacts’ data is based on the legitimate interests of Combis for the following purposes:
- Management of our business and services, their further development and improvement, including: managing relationship with clients; identifying clients’ needs and improving service delivery; conducting analysis and projections necessary to leadership of Combis on e.g. market trends, sales intelligence, and achieved progress in relation to defined business targets and goals; organisation or enabling organisation of social events; administration of Combis websites, systems and applications;
- Sending notifications about Combis and our services, as well as invitations to Combis events (as long as an individual business contact does not ask to stop receiving any notification from Combis).
All e-mails that Combis sends for marketing and promotional purposes contain a clearly visible link following which it is possible to unsubscribe from our mailing list.
Without previous notification and without an explicit consent from an individual business contact, Combis will not sell, nor will it share in any other way business contact’s personal data with third parties, for the purpose of direct marketing of third parties’ products and services.
Combis will retain business contacts’ personal data for as long as it maintains a relationship with a particular business contact or his/her employer. Exceptionally, Combis will retain business contacts’ personal data even after the termination of business relationship, if longer retention periods are required in accordance with legal and/or internal regulations, and/or if that is necessary in order to establish, exercise or defend our legal rights.
C. Clients, business users, suppliers and subcontractors
Combis provides a range of various services, products and solutions, which providing occasionally requires the processing of clients’ and business users’ personal data. E.g. in order to ensure a successful functioning of printing solutions, in case of malfunction we need our client’s employee’s contact data.
Combis also collects and processes personal data of its suppliers and subcontractors, which mostly consist in data typical for business cards, as well as business correspondence.
In previously mentioned and other business situations, Combis therefore collects only those personal data that are necessary for contractually stipulated purposes.
Collected personal data of clients, business users, suppliers and subcontractors Combis processes for the following purposes and on the following legal grounds:
- Provision of professional and expert services to clients and business users, based on the concluded contract, or upon request prior to entering into contract;
- Receiving services from suppliers and subcontractors, based on the concluded contract, or upon request prior to entering into contract;
- Management of our business and services, their further development and improvement, including: managing relationship with clients; identifying clients’ needs and improving service delivery; administration of Combis IT systems and applications; based on the legitimate interests of Combis;
- Acting in accordance with laws and regulations, based on our legal obligation or legitimate interests.
As a rule, Combis will retain personal data of clients, business users, suppliers and subcontractors for as long as it maintains business and contractual relationship with a particular legal subject. Exceptionally, Combis will retain personal data of clients, business users, suppliers and subcontractors even after the termination of business and contractual relationship, if longer retention periods are required in accordance with legal and/or internal regulations, and/or if that is necessary in order to establish, exercise or defend our legal rights.
Those who wish to become a part of the Combis team can demonstrate their interest either by sending a job application or by applying for an open position announced on Combis websites, Combis social network profiles, or through job vacancy and recruitment portals. Participants of student contests organised by Combis, who by standing out with their knowledge and skills drew our attention, often have an opportunity for a job interview.
During the recruitment process, Combis processes the following categories of personal data for the purpose of finding the ideal candidate and establishing employment relationship, on the following legal grounds:
- Information provided by the candidate him/herself in a CV and in communication with us: name and surname, phone number, e-mail address, academic and professional qualifications, experience gained during education period, working experience, fields of interest, information given during job interview, the assessment of relevant professional and psychological tests, contact information of persons giving a recommendation for a candidate (under the assumption that a candidate is allowed to provide such data), financial data in case of a successful recruitment process (consent);
- Information we collect from third parties or from publicly available sources, such as recommendations from former employers, colleagues, mentors, etc., profile information on specialized social networks such as LinkedIn etc. (legitimate interests of Combis);
- Information contained in applications that students delivered in order to participate in student contests organised by Combis, and which Combis may further process for the purpose of finding young talents (legitimate interests of Combis).
Combis solely collects and processes personal data that are necessary for the performance of successful recruitment process and for potential future employment, and hence it does not require nor does it process sensitive categories of personal data. Contrary to the previously stated, we will process sensitive personal data only when this is required by law (e.g. processing of health data for the purpose of preventive or occupational medicine).
Personal data of job candidates may only be accessed by managers of organisational units to which a candidate’s job application refers, and by employees responsible for human resources management. Hrvatski Telekom d.d., the parent company of Combis, manages human resources on behalf of Combis. In case of submitting a job application through specialized job vacancy and recruitment portals, employees of the portal’s operator may also have an insight into, and access to candidates’ personal data.
Personal data of candidates chosen for the announced job position Combis retains permanently as a part of the employee’s record, and in accordance with special legal provisions. In case of unsuccessful recruitment process, personal data are kept on the basis of candidate’s consent, for the purpose of potential employment in relation to future job openings. Consent may be withdrawn at any moment, by sending an e-mail to email@example.com.
E. Visitors to our offices
Combis carries out certain measures necessary for the security of building, offices and other business premises in the building, including video surveillance and building access control.
During their arrival and leaving, all visitors are required to sign in and identify themselves at reception, as well as to take, and eventually return a card that enables them further passing through corridors and premises in the building.
Certain areas inside and outside the building are under video surveillance for security reasons, which placement is indicated in a clear and plain manner. However, these video cameras are not under the control of Combis, but under the control of the building landlord who acts as a data controller.
On the other hand, Combis maintains surveillance over video cameras in especially important technical areas (such as server rooms), as well as in its warehouses. Video recordings are kept for a maximum of 30 days, after which they are automatically deleted.
The purposes of data processing in the context of video surveillance and building access control are security reasons, the protection of people and property, and prevention and detection of crime, while the processing of visitors’ data is based on the legitimate interest of Combis.
On its business premises, Combis enables to its visitors to use wireless network (Wi-Fi), by providing them with a specified address and password, which we renew once a month. The access to Wi-Fi network does not require the disclosure of visitors’ personal data.
Combis is not liable for, nor does it have under the control the way visitors use internet while they are in our offices.
The purpose of data processing in the context of Wi-Fi network is to enable the visitors to our offices a free access to internet, while the processing of visitors’ data is based on the legitimate interest of Combis.
2. Security of information
Combis has implemented and it carries out technical, organisational and security measures in order to protect your personal data from loss, misuse, unauthorised access, alteration and disclosure. Among others, this includes the following:
- We examine our collection, storage, and the ways in which we process personal data, including physical security measures, in order to protect our systems from unauthorised access;
- We apply Binding Corporate Rules on Privacy by Deutsche Telekom, which were approved in a special procedure by all the relevant data protection agencies in the European Union;
- We are a holder of ISO/IEC 27001 : 2013 certificate by which we demonstrate the maintenance and administering information security systems in accordance with legal requirements, as well as a proactive approach in the protection of your personal data;
- We restrict access to personal data to Combis employees and to employees of our suppliers and subcontractors, who are ought to follow strict contractual confidentiality obligations;
- We carry out necessary measures to meet security and data protection requirements before placing our products, services and solutions on the market (privacy and security by design);
- We conclude special contracts on the protection of personal data with our clients, business users, suppliers and subcontractors;
- We have established a special procedure in case of personal data breach.
With regard to personal data collected through Combis web locations, and with respect to the nature of internet, we undertake all necessary security measures to ensure the highest level of security, and to protect your personal data from the previously mentioned perils.
In no case will Combis share, sell, or in any other way disclose or give your personal data to third parties, unless in cases prescribed by this Policy. We pass your personal data to our suppliers and subcontractors who help us and support us in providing our services. With respect to the nature of Combis business operations, the latter mostly refer to IT service providers, as well as to logistics and delivery service providers. In addition, based on the previous informed data subject’s consent, Combis passes participants’ personal data to sponsors of the events, conferences, and contests held in our organisation, and for the purpose of promotion of sponsors’ products and services. As data controllers, the sponsors are obliged to act in accordance with the requirements of relevant laws on the protection of personal data, as well as to provide adequate information to data subjects. In order to ensure the high level of protection, confidentiality and security of the data that we pass on under the described circumstances, we regularly conclude special commissioned data processing agreements.
The list of Combis business partners is available here.
As a rule, we process your personal data in the Republic of Croatia. However, certain subcontractors that we hire to support our business operations are located outside the European Union. In case of international transfer of data to countries outside the European Union which are not encompassed by the adequacy decision adopted by the European Commission (e.g. EU-U.S. Privacy Shield), Combis implements appropriate legal mechanisms to ensure a sufficient level of data protection in accordance with the requirements of the European legislation (e.g. Standard contractual clauses on data protection approved by the European Commission).
In certain situations, Combis is by legally prescribed requirements, court order, public authorities, or for the purposes of a legal procedure, obliged to disclose your personal data.
In accordance with the relevant laws on the protection of personal data, we are required to inform you about your rights. The exercise of rights, among others, also depends on the legal basis of data processing. For example, if the processing is based on consent, you have the right to withdraw consent, but when the processing is based on legitimate interest – instead of the withdrawal of consent – it is possible to object to the processing.
You have the right to obtain a confirmation as to whether we process your data at any time, as well as to request a copy of your personal data, i.e. to gain a clear insight into the ways we use or storage your personal data.
You have the right to request a rectification of data that you consider as inaccurate at any time, as well to complete the data you find incomplete.
Under specified circumstances, you have the right to request the erasure of your personal data.
Under specified circumstances, you have the right to request the restriction of processing of your personal data.
When we process your personal data based on our legitimate interests, or for the purpose of direct marketing, you have a right to object to such processing. In case of direct marketing, your right to object is absolute. However, when it comes to the processing on the basis of legitimate interest for other purposes, the processing may still be possible if Combis demonstrates the existence of compelling legitimate grounds which override the interests, rights and freedoms of data subjects, or when this is necessary for the establishment, exercise or defence of legal claims.
Under specified circumstances, you have the right to receive your personal data, and to have them transmitted to another data controller.
When personal data are processed on the basis of a data subject’s declaration of will, you have the right to withdraw consent at any time. We remind you that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
The exercise of your rights and the provision of aforementioned information is usually performed free of charge, by sending an e-mail to firstname.lastname@example.org. Where applicable, an update of data and interests, the withdrawal of consent or objecting to processing is also possible via appropriate links in the e-mails that you receive. If we do not act in accordance with your request, we are obliged to inform you about the reasons behind our decision within one month of receipt of your request, as well as about the possibility to lodge a complaint with an authorised supervisory authority.
Combis will undertake all necessary measures to reply to your request. However, if you are not satisfied with our reply, or you generally have objections to our services and the ways in which we process your personal data, you have the right to submit a complaint to the Croatian Personal Data Protection Agency, a supervisory authority responsible to enable the exercise of individuals’ rights in the Republic of Croatia.
5. Changes to Combis Policy on the Protection of Privacy
Combis regularly checks this Policy on the Protection of Privacy, and it holds the right to its occasional changes. The aim of such changes is not to diminish your rights, but exclusively to ensure compliance of the Policy with the relevant legal framework for personal data protection.
Each change to the Policy will be published here at the appropriate time, and it will come into force on the day of its publication. However, if the changes in this Policy also involve the intention of Combis to additionally process your personal data as a data controller for the purposes other than those for which the data were initially collected, you will be informed in due time and before the commence of using your data for new, but compatible purposes.
Combis will keep an archive of all the previous versions of the Policy on the Protection of Privacy.