Privacy Policy

I. PRIVACY POLICY

At Porton PharmaTech, farmacevtska družba, d.o.o. (hereinafter “Porton”), we recognize the right to privacy as a fundamental human right and are therefore committed to safeguarding the privacy of data that we may collect on our website https://portonpharmatech.si/ and all of its eventual subpages (hereinafter the “Website”) in line with applicable data protection legislation, especially the Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and Slovenian Personal Data Protection Act (Official Gazette of Republic of Slovenia nr. 163/22).  This Privacy Policy is meant to help you, our Website visitors and users, understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.

II. CONTROLLER & ACCOUNTABILITY

When you, as our Website user (i.e., also data subject), visit our Website, we may process some of your personal data. In this regard we (i.e., Porton) act as a controller and determine the purposes and means of personal data processing. Therefore, as a controller, we hold full responsibility for the compliance of personal data processing.  When based on this privacy policy, we act as a controller of your personal data; you may contact us at the following address: Porton PharmaTech, farmacevtska družba, d.o.o., Kolodvorska cesta 27, 1234 Mengeš, Registration number: 9083391000 Email address: gdpr@portonpharmatech.com

III. WHAT INFORMATION WE COLLECT, HOW AND WHY?

When you visit our Website, we may collect and process the following types of your personal data.

Information we may collect *Method of data collectionPurpose of data collectionName, Date of Birth, Address, E-mail, Contact Number, Education History, Employment History, Language, Areas of Interest, and any other information you provide in your job application.The data is acquired directly from you when you submit your application for vacancies via a tool available at https://portonpharmatech.com/site/job-opportunities RECRUITMENT Name, E-mail Address, Company Name, Occupation, Country, Areas of Interest, Inquiries/Comments, and any additional information you provide in the inquiry. The data is acquired directly from you when you raise inquiries via the “contact form” at https://www.portonpharmatech.com/contact RESPONDING TO INQUIRIES Information about your internet connection, the equipment you use to access our Website and usage details, such as Internet Protocol (IP) address. The data is acquired via cookies, i.e. collected automatically during your visit to our Website.  COOKIES – ENSURING AND IMPROVING WEBSITE USE AND THE USER EXPERIENCE**

* Special categories of personal data under GDPR will not be collected. ** More information available in a separate Cookie Notice available at https://www.portonpharmatech.com/cookies

IV. LEGAL BASES USED FOR PROCESSING PERSONAL DATA

We collect and process your personal data based on one of the following legal bases or a combination thereof:
- Article 6(1)(a) of the General Data Protection Regulation: Data subject has given consent to the processing of their personal data for one or more specific purposes;
- Article 6(1)(b) of the General Data Protection Regulation: Processing is necessary for the performance of the contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Article 6(1)(c) of the General Data Protection Regulation: Processing is necessary for compliance with a legal obligation to which we as a controller are subject; and
- Article 6(1)(f) of the General Data Protection Regulation: Processing is necessary for the purpose of the legitimate interests pursued by us as the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal protection of personal data, in particular where the data subject is a child.
A) When do we process personal data under given consent?
We ask for your consent to process your information for specific purposes, which are not necessary for performance of our service, and you have the right to withdraw your consent at any time. When we process your personal data based on your consent, you will always be informed about prior to giving the consent. We process your personal data on this legal basis when:
- you give us your consent to the retention of your job application data for potential future vacancies after the end of the recruitment process, if you are not selected as a candidate for the job for which you initially applied;
– you opt-in to allow non-functional cookies.  In accordance with the data minimisation principle, we process only job application data necessary for us to consider you for our future recruitment. Please see our Cookie Notice for more information regarding personal data processed when you allow the use of non-functional cookies.
B) When do we process personal data based on an agreement or negotiations thereof?
We collect and process personal data you provide in your application and during the employment recruitment process with the aim to sign an employment or other agreement of collaboration. On this legal basis, we may also process some data in the event when your inquiry via our Website’s contact form is initiated with the aim of any sort of contractual collaboration with us.  In accordance with the data minimisation principle, we process only personal data that is relevant and strictly necessary for recruitment purposes and providing relevant information/offer as response to your inquiry. 
C) When are we complying with legal obligations?
We’ll process your personal data when we have a legal obligation to do so, for instance, if we’re responding to a legal process or an enforceable governmental request. Another example is the legal requirement to keep certain information for financial record-keeping purposes. However, considering the nature of the personal data we collect based on our Website, cases where we process personal data based on a legal obligation are rare.
D) When are we pursuing legitimate interest?
We mostly process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information mainly for things like:
- Understanding how people use our Website to ensure and improve the performance of it;
- Detecting, preventing, or otherwise addressing fraud, abuse, security, or technical issues;
- Protecting against harm to the rights, property or safety of Porton, our clients, or the public as required or permitted by law, including disclosing information to government authorities;
- Enforcing legal claims, including investigation of potential violations of applicable contracts and Terms of Website Use.

V. DATA SHARING

Generally, personal data we collect based on the use of our Website is not shared with any third parties. However, third parties may access data if we decide to engage third-party service providers to redesign, upgrade or order maintenance service. Similarly, we may engage third-party recruitment service providers. In this case, personal data provided within the job application may be shared with such partners. All our partners are subject to strict scrutiny before we engage our collaboration, especially in terms of data privacy standards and safety measures they exercise while processing personal data. With all our business partners who act as processor of personal data with process and control, we have concluded data processing agreements that meet all legal requirements.  When required, we may share your personal data with law enforcement bodies and other governmental bodies that are eligible to such disclosure assuming such sharing is authorized by the law, usually due to being necessary to prevent, discover and prosecute criminal offences. We ensure to only disclose personal data to governmental authorities when and where we are mandatorily required to do so by the law.  Processing of personal data is strictly limited to staff required to provide the service. In no circumstances do we sell or rent your personal data.

VI. INTERNATIONAL TRANSFERS

Transfer of personal data to any country outside the European Economic Area (“EEA”) is only possible under strict terms and conditions enforced to protect your personal data. We may transfer your personal data to third countries if that is required to respond to your inquires and in cases of recruitment procedures. When internationally transferring your personal data, we always take adequate organisational and technical measures to ensure protection of your personal data. All our business and web applications and partners use adequate measures to prevent unauthorized access or use of all information, including your personal data. To protect and safekeep your personal data, we use due business organisation measures and procedures, including safeguards to physically protect personal data stored in our servers (e.g., fire safety equipment etc.). Under no condition is the personal data transferred in a country outside of EEA, unless an appropriate safeguard in terms of Chapter V of the General Data Protection Regulation is in place (e.g., adequacy decision, standard contractual clauses, etc.).

VII. RETENTION AND ERASURE OF PERSONAL DATA

Your personal data is kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed. In accordance with the purpose limitation and data minimisation principles, we collect and process personal data for the specified purpose only and exclusively personal data that is relevant and necessary for the purpose. To determine if personal data may be processed further, we use a compatibility test to look for link between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards. We pay extra care to ensure that all personal data is accurate and up-to-date. In accordance with the above, we delete the personal data needed for the recruitment procedure after the end of the selection procedure. If the candidate is selected, we will continue to process their personal data under the terms of the internal privacy policy applicable to employees. On the other hand, the personal data of non-selected candidates are deleted immediately after 30 days from delivery of our rejection notice unless the candidate gives us their consent to use the personal data from their job application for future vacancies. Personal data that is processed on the basis of consent are deleted when and in the moment data subjects withdraws their consent. Where certain personal data is necessary for protection of Porton’s rights, such personal data may be stored until the end of litigation started in pursue of the right such personal data relate to or until the expiration of the statute of limitation period, if the litigation was not started by then. In Slovenia, general statute of limitation is 5 years (exceptions may apply). For data retention periods applicable to personal data collected based on the use of cookies please see our Cookie Notice available at https://www.portonpharmatech.com/cookies.  Please note that where necessary under mandatory laws, we may store your personal data under different time limits (e.g., when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping). Namely, some accountancy information may even be subject to permanent storage; however, neither Website users’ or job candidates’ personal data are normally part of accountancy documentation. After the expiry of designated retention period, we either permanently delete your data or we anonymise it (i.e., process of taking away information necessary for the information to be relating to an identified or identifiable natural person). When deleting your personal data, we take special care to ensure your personal data is safely and completely removed from our servers or retained only in anonymized form. We try to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be delays between when we delete something and when copies are deleted from our active and backup systems. As with any deletion process, things like routine maintenance, unexpected outages, or bugs may cause delays in the processes and timeframes defined herein. We maintain systems designed to detect and remediate such issues. Please note that in accordance with the data minimisation principle, we only store personal data that is relevant and necessary for the purpose. This means that when specific personal data becomes unnecessary for pursuing a particular purpose, we strive to delete it immediately after. This also means, for instance, when retaining personal data for litigation and pursuing legal claims, we only keep personal data that we deem essential for successful dispute resolution.

VIII. DATA SUBJECT’S RIGHTS

In this section, we present the rights you have regarding the personal data concerning you that we process and the processing thereof. You may exercise your rights by sending us an email at gdpr@portonpharmatech.com. In case you need additional information regarding your rights, you can always ask for additional information or explanation via the said email address gdpr@portonpharmatech.com.   
A) Right to withdraw consent
Where your personal data are being processed based on a given consent, you may always decide to withdraw it by sending a written request to the above email address. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you chose to withdraw your consent, you may and will not be subject to any detrimental consequences.
B) Right to access
You can obtain our confirmation as to whether or not we process personal data concerning you, and where that is the case, obtain a copy of your personal data, as well as other supplementary information listed by Article 15 of the General Data Protection Regulation (e.g., purposes of the processing, retention periods, international transfers, etc.). Please note that we may deny the right to access if and to the extent of such disclosure adversely affecting the right and freedoms of others. 
C) Right to rectification
You can rectify any inaccurate or incomplete personal data concerning you. Upon your request for rectification, we will without undue delay rectify any inaccurate personal data concerning you. 
D) Right to erasure (right to be forgotten)
Upon your request, we will, without undue delay and subject to examination of merits of your request, delete any personal data concerning you, which:
- are no longer required for the purposes they were initially collected or otherwise processed;
- are processed based on a withdrawn consent and there is no other legal bases for their processing;
- were subject to objects to the processing and there are no overriding legitimate grounds for the processing; or
- were unlawfully processed. a)    Right to restriction of processingThis right is not absolute and only applies in certain circumstances. When processing is restricted, we remain permitted to store the personal data, but are not allowed to use it. Upon your request, we will, without undue delay and subject to examination of merits of your request, will restrict processing of personal data concerning you in case:
- you contested accuracy of the personal data (restriction for a period enabling the controller to verify the accuracy of personal data);
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims; or
- you objected to processing based on your right to object (restriction for a period required to verify whether the legitimate grounds of the controller override those of the data subject). For the time processing is restricted, we don’t process the restricted data in any way except to store it, unless it is processed:-        upon your consent;-        for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another person (natural or legal); or
- for reasons of important public interest. Before lifting the restriction of processing, we will always duly inform you about it.
E) Right to data portability
Upon you request, we may transfer personal data concerning you to another controller, when processing is based on consent or agreement and when it is technically feasible.
F) Right to object
The right to object only applies in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing. You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes. You can also object if the processing is for our legitimate interest; however, in this case the right to object is not absolute. You must give specific reasons why you are objecting to the processing of your data, based upon your situation. Upon your request, we will stop processing your personal data, unless we will have compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.

IX. EXERCISING DATA PROTECTIONS RIGHTS

We ensure to all our clients and other data subjects a process, in which they can exercise their rights without undue delay and in any event respond within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. We shall inform you of an such extension within one month of receipt of the request, together with the reasons for the delay. Please note that if we have reasonable doubts concerning the identity of the natural person making the request to exercise their rights we may request the provision of additional information necessary to confirm the identity of the data subject. Generally, we provide information requested by exercising your rights free of charge; however, please note that we may charge a reasonable fee or refuse to act on the request in case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character. As already mentioned above, you may exercise your rights by sending us an email on info@porton.cn .

X. RIGHT TO FILE A COMPLAINT AT THE INFORMATION COMISSIONER

If we fail to provide information or action taken on your request to exercise any of your above listed rights in one month of receipt of the request or deny it, you may file a complaint at the Information Commissioner – the data protection supervisory authority. You can submit your complaint by using special forms published by the Information Commissioner at its website: https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/. Information Commissioner contact details are: Informacijski Pooblaščenec RS, Dunajska 22, 1000 Ljubljana, E-mail: gp.ip@ip-rs.si Phone number: +386/1 23 09 730 Website: www.ip-rs.si 

XI. DATA PRIVACY AND SECURITY RECOMMENDATIONS

We highly recommend and encourage you to protect your privacy and personal data at all times and take adequate measures yourself as well. Every data subject is responsible to ensure adequate antivirus protection of their computer or other multimedia devices.

XII. AMENDMENTS OF THIS PRIVACY POLICY

Porton reserves the right to update this Privacy Policy in order to keep it up to date and in accordance with specifics of our data processing activities. Date of last update is always specified at the end of the Privacy Policy.  We recommend that you regularly check this Privacy Policy, in order to keep yourself informed about the personal data that we process and updated with our processing activities.

XIII. ADDITIONAL INFORMATION AND CONTACT DETAILS

For additional information regarding our processing of personal data and suggestions for improvement please contact us at gdpr@portonpharmatech.com or at Porton PharmaTech, farmacevtska družba, d.o.o., Kolodvorska cesta 27, 1234 Mengeš, Slovenia.

Porton PharmaTech, farmacevtska družba, d.o.o