1. GENERAL INFORMATION

This data processing notice outlines how we handle data that can directly or indirectly identify you as an individual ("personal data"). All processing of personal data is carried out in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws through appropriate legal, technical, and organizational measures.

1.1 Data Controller

The data controller for all personal data collected via the Espera X website is:

Although Espera X is presented as a standalone brand, it is not a separate legal entity and operates under the full responsibility of AITAC.

1.2 Scope of This Privacy Policy

This Privacy Policy applies to:

• Personal data you share with Espera X via forms, emails, or online tools;
• Personal data collected automatically when you access or use the Espera X website;
• Any data collected for communication, service provision, or marketing purposes related to Espera X, as a brand of AITAC.

It does not apply to other websites or services of AITAC unless specifically stated.

1.3 Data Protection Officer (DPO)

AITAC has appointed a Data Protection Officer (DPO) responsible for overseeing privacy and data protection compliance. You may contact the DPO regarding any concerns about your data:

By post:

By email:

zastitapodataka@aitac.nl

2. PERSONAL DATA PROTECTION RULES

2.1 What Data Are Collected?

When interacting with Espera X, a brand of AITAC Ltd., we may collect the following personal data through various communication channels (such as through our website, email inquiries, contract negotiations, tenders, and events):

• Name and surname
• Email address
• Postal address
• Phone number
• Position within your company
• ID number (OIB)
• Bank account number
• Basic employer details (company name, address, company profile)

We may also collect non-personal data, including but not limited to:

• Device data used for internet access
• Internet browser type and version
• Usage data regarding your interaction with our web services

2.2 Legal Basis for Personal Data Processing

Your personal data are processed only when legally justified. The legal bases for processing include:

• Compliance with legal obligations, such as invoicing or complaint handling
• Performance of a contract or taking steps prior to entering into a contract
• Legitimate business interests, unless overridden by your fundamental rights and freedoms
• Your explicit consent, in cases where required

2.3 Use of Personal Data Based on Legal Obligation, Contract, or Legitimate Interest

2.3.1 Delivery of Goods and Services

We process your data to fulfill requests, respond to inquiries, provide support, and deliver goods or services as part of our legitimate and contractual obligations. This includes:

• Communication via email, chat, or phone
• Account creation and billing
• Information on updates, legal changes, or service improvements
• Non-marketing operational communications

Marketing communications will only occur with your explicit prior consent, and you may withdraw it at any time by emailing us at zastitapodataka@aitac.nl.

2.3.2 Legitimate Interest

We may process your data for the following purposes based on legitimate interest:

• Surveys and questionnaires (voluntary and anonymized where possible)
• Anonymized data analysis for product/service improvement
• Recording of calls or chats (only after informing you)
• Event feedback after your participation in seminars/webinars
• Digital marketing/newsletters to existing or past customers, tender participants, or those who expressed interest

You can object to such processing at any time by contacting zastitapodataka@aitac.nl.

2.4 Use of Data Based on Consent

We request your consent for specific cases, including:

• Health or dietary data for event accessibility and comfort
• Event profiling, such as sharing your name and company with other event attendees
• Marketing communications, where required

You can withdraw consent at any time without affecting previous processing, by emailing zastitapodataka@aitac.nl. Certain services or benefits may no longer be available after withdrawal.

2.5 Methods of Data Collection

We collect data:

• Directly, via forms, email, contracts, account registration, in-person visits, or phone calls
• Indirectly, from publicly available sources (social media, forums, databases), cookies, or third parties like educational institutions and former employers

2.5.1 Data Retention

We retain personal data only as long as needed to:

• Fulfill service delivery or legal obligations
• Resolve disputes or enforce agreements
• Comply with applicable law

After the retention period ends, your data is securely deleted or anonymized.

2.6 Services for Children

Our website and services are not intended for individuals under 16 years of age.

2.7 Where Your Data Is Processed

Your personal data is processed within the European Economic Area (EEA). The only exception is for our use of MailChimp for email marketing, whose provider is based in the U.S.:

This transfer is permitted under GDPR via the Adequacy Decision and Privacy Shield mechanisms (Article 45, GDPR).

2.8 Your Rights Under GDPR

You have the right to:

• Access your data
• Correct or delete data
• Restrict processing
• Object to processing
• Request data portability

Submit any requests to zastitapodataka@aitac.nl. We will respond within 30 days, and may require identity verification. In rare cases, a fee may be charged if the request is excessive.

You also have the right to know:

• The purpose of data processing
• Categories of data processed
• Data recipients and storage locations
• Retention periods
• Whether automated decision-making is used
• Source of data if not collected directly from you

2.9 Automated Decision-Making

We do not use automated decision-making or profiling in any way that affects your rights or services.

2.10 Right to File a Complaint

You may submit a complaint to the Croatian supervisory authority:

2.11 Data Security

We apply physical, technical, and organizational safeguards to protect your data from unauthorized access, alteration, or loss. Our security measures include:

• Access control to data systems
• Encrypted data transmission
• Data integrity logging and audit trails
• Data minimization and retention policies
• Separate processing for different data purposes
• Processor compliance with our instructions

3. THE PRIVACY POLICY ON THE WEB

3.1 Cookies and Other Similar Technologies

When browsing our web pages, the Company may collect information through various technologies such as cookies, web beacons, and similar tools. In this document, the term "cookies" encompasses all such technologies.

Cookies are used to:

• Collect standard information from your browser (e.g., browser type, language settings)
• Record your IP address or another device identifier
• Track your activities on our website, including visited pages and clicked links
• Monitor the websites or content you access in relation to our services
• Log the date and time of access or usage of the service
• Track the handling of E-mails, such as opening, reading, clicking on links, or forwarding

These technologies help improve user experience, analyze usage patterns, enhance site security, and tailor our communications and services to better suit your interests.

3.1.1 Information from the Registry

When you browse our website or interact with us via any platform using programmatic support, we automatically collect and store certain data in server logs. This includes:

• Login credentials
• Cookie information
• Device-specific details
• IP address
• Activity logs related to the use of our services

This data is used exclusively for system maintenance, security analysis, troubleshooting, and service improvement.

3.1.2 Links to Other Websites

Our website may contain links to external websites owned or managed by third parties. These websites are not governed by this Privacy Policy.

The Company assumes no responsibility for the privacy practices, content, or security of such third-party sites. We recommend reviewing the privacy policies of all external sites you visit.

3.1.3 Safety

The Company implements comprehensive technical and organizational security measures to protect the personal data of individuals. These measures apply during data entry, transmission, processing, and storage.

Access to personal data is restricted solely to employees who require such access to perform their work duties and company activities.

All individuals have the right, at any time, to request:

• Access to their personal data being processed
• Correction of inaccurate or incomplete data
• Deletion of data no longer needed for its intended purpose

Requests can be submitted in writing to the Personal Data Protection Representative at the Company.

4. PRIVACY POLICY DURING THE EMPLOYMENT

This section outlines how the Company collects and processes personal data during the candidate selection and employment process. Personal data will be handled in accordance with the rules set forth below.

Voluntary Submission of Personal Data

By submitting personal data for employment or business registration purposes, you voluntarily provide your personal information to the Company.

4.1 Personal Data Collection

The Company collects the following categories of information:

• Contact Information: Name, surname, address, telephone number, email address
• Candidate Data: Date and place of birth, citizenship, gender, academic title, language proficiency
• Qualifications and Experience: Curriculum vitae (CV), educational background, previous employment history, driver's license (if required for the role)

In addition, the Company may verify information provided by the candidate through third-party sources (e.g., to confirm educational credentials, employment history, or references).

4.2 Sensitive Personal Information

The Company does not request or process sensitive personal information unless legally required. This includes information related to:

• Religious beliefs
• Health or disability status
• Sexual orientation
• Political opinions
• Ethnic or racial background
• Marital status or family members

4.3 Voluntary Disclosure

All personal data provided during the employment process is given voluntarily. The Company will only request information necessary to ensure a lawful and fair recruitment process and will not collect excessive or unrelated personal data.

4.4 Use of Personal Information

The Company may use your personal data for the following purposes:

• Communicating with you during the selection process
• Conducting candidate evaluations
• Managing recruitment and hiring procedures
• Meeting organizational and legal obligations

If selected for employment, your data may be further used for onboarding, employee administration, and internal organizational management.

4.5 Sharing of Personal Data

The Company may share your personal information:

• Internally with authorized personnel involved in recruitment and HR functions
• With third-party service providers (e.g., background check agencies)
• With public authorities or regulatory bodies, where legally required (e.g., for national security or legal compliance)

All third parties are bound by confidentiality agreements and must use the data solely for the purposes disclosed.

4.6 Security and Confidentiality

The Company implements robust technical and organizational measures to protect personal data. Only employees who need access to personal data for work purposes are granted such access and are bound by confidentiality obligations.

Security procedures may include surveillance of premises and monitoring of IT systems. Such activities are carried out in accordance with applicable laws and are designed to safeguard the Company's assets and data.

4.7 Candidate Responsibilities

Candidates are responsible for ensuring that:

• The information they provide is accurate, complete, and truthful
• No misleading or defamatory content is submitted
• Any third-party personal data (e.g., referees) is submitted only with the individual's prior consent

5. UPDATING INFORMATION ON PERSONAL DATA PROCESSING

This Privacy Policy is reviewed and updated regularly to reflect changes in how the Company processes personal data. The most current version is always available on AITAC's website.

In the event of significant changes that may affect your rights or freedoms, the Company will inform you promptly and clearly, using appropriate communication channels.