Controller and Data Protection Officer
Chipolo d.o.o., Gabrsko 12, 1420 Trbovlje, Slovenia, is the controller of your personal data for the purposes described in this notice. You can contact us at privacy@chipolo.net.
We have appointed Vesna Stanković - ITLAW, legal consultancy, Vesna Stanković s.p., as our Data Protection Officer (DPO). You can contact our DPO at privacy@chipolo.net.
What data we collect
During the recruitment process, we may collect and process the following categories of personal data:
- Identification and contact details: Name, address, email address, telephone number.
- Application data: CV/resume, cover letter, work history, education, qualifications, and skills.
- Assessment data: Interview notes, test or assessment results.
- Employment preferences and eligibility: salary expectations, availability, and, where relevant, information confirming your right to work.
- References: Information provided by your previous employers or professional references.
- Communications: Any correspondence between you and us during the hiring process.
We only request and process applicant data that is relevant and necessary for assessing your application, verifying that you meet job requirements, communicating with you, and complying with applicable legal obligations.
Please do not include special categories of personal data in your application, such as health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or information about sex life or sexual orientation. We do not request or intentionally process such data for recruitment purposes. If you provide such data voluntarily and it is not relevant to the recruitment process, we will disregard it and, where reasonably possible, delete or redact it.
Sources of your data
Most of the data we process is provided directly by you. However, we may also receive data from:
- Professional social networks (e.g., LinkedIn) where relevant to the role and permitted by applicable law, for example from professional profiles you make publicly available.
- Recruitment agencies or headhunters acting on our behalf.
- Employee referrals. In such cases, we may receive limited professional contact and background information relevant to the role.
- Named references provided by you, only where relevant to the role and, where required, after you have identified the reference or otherwise been informed in advance.
Where we receive your personal data from a source other than you, we will provide you with this notice at the latest at the time of our first communication with you, or otherwise within the period required by Article 14 GDPR, unless an exception applies.
Purposes, legal bases, recipients, and retention
We process your personal data strictly for recruitment purposes. Below is a detailed breakdown of why we use your data, the legal basis for doing so, who receives it, and how long we keep it:
- Managing the recruitment process (reviewing applications, arranging interviews, assessing suitability)
  - Categories of Data: Identification, Application, Assessment, Preferences and eligibility, Communications.
  - Legal Basis: Necessary for taking steps at your request prior to entering into an employment contract (Art. 6(1)(b) GDPR).
  - Recipients: Internal HR, hiring managers, interviewers, IT staff, ATS and third-party cloud hosting providers.
  - Retention: For unsuccessful applicants, we retain recruitment documentation until the recruitment process is completed and, as a rule, for up to two months after the end of the relevant recruitment process, taking into account the statutory periods for notifying unsuccessful candidates and for possible legal claims. We may retain specific information longer only where necessary to establish, exercise, or defend legal claims, or where required by applicable law. Hired candidates’ data becomes part of the employee record.
- Protecting our legal rights and documenting hiring decisions
  - Categories of Data: All categories listed above that are relevant to the recruitment process.
  - Legal Basis: Legitimate interests in managing our business, defending against legal claims, and ensuring fair hiring practices, which we have carefully balanced against your rights and interests (Art. 6(1)(f) GDPR).
  - Recipients: Internal HR, legal advisors, public authorities (if mandated).
  - Retention: As a rule, up to two months following the conclusion of the hiring process, unless longer retention is necessary to establish, exercise, or defend legal claims.
- Retaining your application in our talent pool for future opportunities
  - Categories of Data: Identification, Application, Preferences and eligibility.
  - Legal Basis: Your separate consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
  - Recipients: Internal HR, IT processors.
  - Retention: Two (2) years from the date consent is given or last renewed.
- Complying with laws (employment, tax, anti-discrimination)
  - Categories of Data: Identification, Application.
  - Legal Basis: Complying with applicable legal obligations, where relevant, such as obligations under employment and anti-discrimination law, candidate notification obligations, and, where applicable, tax/accounting obligations connected with reimbursed expenses or employment onboarding (Art. 6(1)(c) GDPR).
  - Recipients: Internal HR, public authorities.
  - Retention: For as long as required by applicable employment, tax, accounting, anti-discrimination, or other legal retention obligations.
- Identifying and contacting potential candidates
  - Categories of Data: Identification, Application, publicly available professional information, referral information.
  - Legal Basis: Our legitimate interests in identifying and contacting suitable candidates for open roles, balanced against your rights and interests (Art. 6(1)(f) GDPR).
  - Recipients: Internal HR, hiring managers, recruitment agencies or IT processors where applicable.
  - Retention: If you are not interested or do not respond, we will delete or anonymise the data within six months after our last contact with you, unless longer retention is necessary to establish, exercise, or defend legal claims, or required by law.
If we process your personal data for a purpose other than that for which it was originally collected, we will provide you with information about that further purpose before doing so, where required by law.
International transfers and security measures
We use recruitment, communication, cloud hosting, and IT support providers as processors. Where these providers process or access applicant data outside the EEA, we rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses, together with supplementary measures where required.
You may request further information about, or a copy of, the applicable safeguards for a specific transfer by contacting us.
We implement appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk. These measures include, in particular, access controls, data minimisation, staff training, confidentiality obligations, and the use of secure IT systems and vetted service providers.
Is providing data mandatory?
Providing your basic application data (contact details, CV) is necessary to enter into the recruitment process. If you do not provide this information, we will be unable to assess your application or consider you for employment.
Consent for the talent pool is requested separately from the job application process and is not required to apply for a specific position.
Automated decision-making
We do not use fully automated decision-making or profiling to evaluate your application or make hiring decisions. All recruitment decisions involve human review.
Your legal rights
Under the GDPR and ZVOP-2, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate or incomplete data.
- Request erasure of your data when it is no longer necessary for the purposes collected.
- Object to the processing of your data when we rely on legitimate interests.
- Request restriction of processing under certain legal conditions.
- Data Portability: Where applicable, receive the personal data you have provided to us in a structured, commonly used, machine-readable format and transmit those data to another controller.
- Withdraw consent at any time (e.g., for the talent pool), without affecting the lawfulness of processing based on consent before its withdrawal.
These rights are not absolute and may be limited in certain cases under applicable law.
You may exercise your rights by contacting us at privacy@chipolo.net.
Right to complain
If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec) available at www.ip-rs.si. You may also seek judicial remedy in accordance with applicable law.