Personal data protection policy

Personal data protection policy

We value your privacy, so we always protect your information carefully.

We process personal data in accordance with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the flow of such data (hereinafter: the “General Regulation”)), applicable Slovenian legislation on personal data protection and other legislation, which gives us a legal basis for the processing of personal data.

The personal data protection policy contains information on how our company, as an operator, processes personal data received from an individual on the basis of legal grounds.

1) Operator

The operator of personal data is the company:

Name of organization: FirstClass d.o.o.

Address: Dalmatinova ulica 2, 1000 Ljubljana

e-mail: [email protected]

phone: +386 40 775 570

2) Authorized person for personal data protection

In accordance with the provision of Article 37 of the General Regulation, we have appointed the following company as the data protection officer:


Tržaška cesta 85, SI-2000 Maribor

e-mail: [email protected]

phone number: +386 (0) 2 620 4 300

3) Personal data

Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one that can be identified directly or indirectly, in particular by indicating an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic, the mental, economic, cultural or social identity of that individual.

We may collect the following types of personal information:

Name, surname, permanent and temporary address, date of birth, gender, home, and business phone or GSM, business and private email address, Linkedin address, or. profile oz. another similar profile, Skype or other similar address and work-related photos.

Tax, registration number, numbers, and data from personal documents (if necessary), work permit number (if necessary), and other identification numbers.

Data on employment, duration of employment including dates, data on the employer and past employers, places of employment, data on education and training, data on recognitions, certificates and licenses, and other work-related data.

4) Purposes of personal data processing

We process personal data in particular for the following purposes, such as employment assistance, recruitment, advertising of employment opportunities with clients. Until the cancellation, we will also notify unselected candidates of any new opportunities. We also process personal data to advise you and our clients, which also includes participation in meetings or telephone conversations and for the needs of voluntary psychological testing.

Data can also be used to improve services, which includes identifying problems with existing services, planning improvements to existing services, and designing new services. We can also help ourselves with surveys.

5) Legal basis for the processing of personal data

The use of personal data is based on one of the following legal bases:

  • Processing of personal data on the basis of the explicit consent and is used as a basis for processing that is mandatory or necessary.
  • Processing of personal data for the performance of a contract to which an individual is a party, on the basis of applications described in Chapter 3 or due to the entering of an employment contract or the implementation of steps to conclude an employment contract or in the case of the employment contract.
  • Processing is necessary to fulfill the legal obligation applicable to clients.
  • Data processing is based on legitimate business interests, including general personnel and work procedures, disclosure for audit and reporting purposes, internal investigations, contractual obligations to third parties, network and information systems security management, business promotion, business management governance, and customer service.
  • Processing is necessary to protect the vital interests of the data subject or other natural persons.

The processing of specific types of personal data (eg racial, biometric, trade union membership, health, religious beliefs, etc.) is always based on the following bases when the processing is determined or permitted by applicable law (eg to ensure compliance with diversity reporting obligations); in the case of processing by the authorities responsible for detecting or preventing crime; when processing is necessary for the enforcement, exercise or defense of legal rights; whether we have obtained your prior express consent before the processing of your specific personal data in accordance with applicable law (this legal basis only applies in connection with processing that is completely voluntary – it does not apply to processing that is in any way necessary or mandatory).

6) Storage and deletion of personal data

The company will only keep personal data for as long as is necessary to achieve the purpose for which the personal data was collected and processed. If the company processes the data on the basis of the law, it will keep them for the period prescribed by law. In doing so, some data is kept for the duration of the cooperation with the company, and some data must be kept permanently. Personal data processed by the company on the basis of a contractual relationship with an individual are kept by the company for the period necessary to perform the contract and for 6 years after its termination, except in cases where there is a dispute between the individual and the company. In such a case, the company keeps the data for 10 years after the final decision of the court, arbitration, or court settlement or, if there was no litigation, 5 years from the date of peaceful resolution of the dispute. Those personal data that the company processes on the basis of the personal consent of the individual or legitimate interest will be kept by the company until the consent is revoked or until the data is deleted. Upon receipt of the revocation or request for deletion, the data shall be deleted within 15 days at the latest. The company may also delete this data before revocation, when the purpose of processing personal data has been achieved or if so provided by law.

Exceptionally, the company may refuse a request for deletion on grounds of the General Regulation, such as: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, reasons of public interest in public health, archiving in the public interest, scientific or historical research. or statistical purposes, the implementation or defense of legal claims. After the retention period, the company must delete or anonymize personal data efficiently and permanently so that it can no longer be linked to a specific individual.

7) Contractual processing of personal data and export of data

For individual processing of personal data on the basis of a contractual processing contract, the company may entrust it to a contractual processor. Contractual processors may process confidential data only on behalf of the operator, within the limits of his authority, which is written in a contract or other legal act and in accordance with the purposes defined in this privacy policy.

The contractual operators with which the company cooperates are mainly:

  • Accounting services and other providers of legal and business advice.
  • Infrastructure maintainers (security services).
  • Maintenance of information systems.
  • Email service providers and cloud service software providers (e.g. Dropbox, Microsoft, Google).
  • Providers of social networks and online advertising (Google, Facebook, Instagram, My work, etc.).

For the purposes of better review and control over contractual operators and the orderliness of the mutual contractual relationship, the company also maintains a list of contractual operators, which lists all specific contractual operators with whom the company cooperates.

Under no circumstances will the company pass on the personal data of an individual to unauthorized third parties. Contractual operators may process personal data only in accordance with the company’s instructions and may not use personal data for any other purpose.

As an operator and its employees, the company does not export personal data to third countries (outside the European Economic Area – EU member states and Iceland, Norway and Liechtenstein) and to international organizations other than the US. standard contractual clauses (standard contracts adopted by the European Commission) and / or binding business rules (adopted by the company and approved by EU supervisory authorities).

8) Cookies

The company’s website works with the help of cookies. A cookie is a file that stores web page settings.

The organization’s website works with the help of cookies. A cookie is a file that stores web page settings. Websites store cookies on users’ devices that access the Internet in order to identify individual devices and settings that users used to access them. Cookies allow websites to identify if the user has already visited the website. With advanced applications, they can be used to adjust individual settings accordingly. Their storage is under the complete control of the browser used by the individual – the latter can restrict or disable the storage of cookies if desired.

Cookies are fundamental to providing individual-friendly online services. They are used to store information about the status of an individual website, help collect statistics on users and website traffic, etc. We use cookies to evaluate the effectiveness of the design of our website.

The organization’s website uses the following cookies:

Cookie name Dration Function
_ga 2 years Used to differentiate between users.
_ga 24 hours Used to differentiate between users.
_gid 1 minute Used to regulate access to the website.
_gali 24 hours Improved link allocation.

Cookies stored by the browser can be deleted by the individual (instructions can be found on the web pages of each browser).

9) Data protection and data accuracy

The company takes care of information security and infrastructure security (premises and application system software). Our information systems are protected by, among other things, antivirus programs and a firewall. We have introduced appropriate organizational and technical security measures aimed at protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other illegal and unauthorized forms of processing. In case of providing special types of personal data, we provide them in encrypted form and password protected.

It is the individual’s responsibility to provide their personal information securely and to ensure that the information provided is accurate and credible. The company will make every effort to ensure that the personal data it processes is accurate and, if necessary, updated, and we may from time to time contact an individual to confirm the accuracy of personal data.

10) Individual rights regarding data processing

According to the General Regulation, an individual has the following rights from the protection of personal data:

  • He/she may request information on whether we have his personal data and, if so, what data we have and on what basis we have it, and why we use it;
  • He/she may request access to his personal data, which allows him to receive a copy of the personal data held by the company and to verify that the company is processing them legally;
  • He/she may request corrections of personal data, such as the correction of incomplete or inaccurate personal data;
  • He may request the deletion of his personal data when there is no reason for further processing or when he exercises his right to object to further processing;
  • He/she may object to the further processing of personal data where the company invokes a legitimate business interest (even in the case of a legitimate interest of a third party) when there are reasons related to the individual’s special situation;
  • He/she has the right to object at any time if the company processes personal data for the purposes of direct marketing;
  • He/she may request a restriction on the processing of their personal data, which means the cessation of the processing of personal data, for example, if the individual wants the company to establish the accuracy or to verify the reasons for further processing of personal data;
  • He/she may request the transfer of its personal data in a structured electronic form to another controller, as far as possible and practicable;
  • He/she may revoke the consent or consent he has given for the collection, processing and transfer of his personal data for a specific purpose; upon receipt of notice that it has withdrawn its consent, the Company will cease to process personal data for the purposes it originally accepted, unless the Company has no other legitimate legal basis for doing so lawfully.

If an individual wishes to exercise any of the aforementioned rights, he can send a request by e-mail to [email protected] or by regular mail to Dalmatinova 2, Ljubljana. The company will respond to a request concerning an individual’s rights without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months), taking into account the complexity and number of requirements, you will be notified. Access to the individual’s personal data and asserted rights is free of charge for the individual. However, the company may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, especially if repeated. In such a case, the company may also reject the request. In the case of exercising the rights under this title, the company may have to request certain information from the individual to help him confirm the identity of the individual, which is only a security measure to ensure that personal data is not disclosed to unauthorized persons.

In exercising the rights under this title, the individual may use the form of the Information Commissioner, which is available on their website.

In the event that an individual believes that his / her rights have been violated, he / she may turn to the supervisory body (Information Commissioner) for protection or assistance. Link to:

If an individual has any questions regarding the processing of their personal data, you can always contact our company via e-mail at [email protected] or by regular mail at Dalmatinova 2, Ljubljana.

11) Publication of changes

Any changes to our Privacy Policy will be published on the company’s website: By using the website, the individual confirms that he accepts and agrees with the entire content of this personal data protection policy.

The personal data protection policy was adopted by the responsible person of the company on 28.02.2023.

In Ljubljana, on 28 February 2023

Responsible person of the company: Til Lajovic