- Xessable identity/Who are we/Introduction.
Xessable LTD is founded in 2017 with headquarters at Franklin Ruzvelt No.33A Skopje and has headquarters in the Netherlands, Newtonlaan 115, 3584BH Utrecht. We are devoted to safeguarding and it’s treating the security of the data seriously and according to GDPR regulations that apply in the Netherlands and in North Macedonia.
1a. GDPR principles and objectives
Relevant laws and legislation
- North Macedonia – Law on Personal Data Protection adopted on February 16, 2020, Official Gazette of North Macedonia No. 42, and changes No. 294 from December 27, 2021
- Netherlands -General Data Protection Regulation Implementation Act
- Why do we use and collect your personal data?
We want transparently to disclose how we may use your data so in this section we will explain the categories of personal data that we may collect and process in the given capacity and for the sole purposes for which may they be collected and processed accordingly.
Xessable LTD Skopje collects and controls personal data according to legislation, transparent and legitimate. To provide impeccable business services and thus comply with our regulations, we must provide an operational website. We think and work very carefully about our usage of personal data. In the context below you will find what we do to protect your privacy ensuring high quality and ethical standards are implemented and the necessary information is valid. Xessable LTD may appear in the capacity of controlling and processing personal data.
- In the capacity of controlling data, Xessable processes your personal data for the following purposes.
- In the collection of data for employees – for exercising rights and regulations from employment
- In the collection of data for job applicants – for new employment
- In the collection of data of collaborators – for exercising rights of legal obligations from established agreements and contracts and
- The legal basis for processing personal data is
- In the collection of data for employees – for the fulfillment of legal aspects, fulfillment of contract obligations, and in rare cases agreements
- In the collection of data for job applicants – for the fulfillment of legal aspects and agreements
- In the collection of data of collaborators – for the fulfillment of legal aspects of contracts.
- Altogether in the capacity of controller of personal data Xessable LTD Skopje gives personal data to processors on its behalf committing the processors with an agreement for safe and secure processing of the personal data.
- In the capacity of the processor of personal data, Xessable LTD Skopje, processes the personal data whose controllers are its business collaborators and for the following purpose:
- Realization and exercise of the rights and obligations that come out of the established business collaboration and from the contracts for processing data, to realize concrete projects that are subject to business collaboration.
The legal basis for this process of personal data is the fulfillment of contract obligations.
Xessable LTD Skopje completely respects the principle of the minimal scope of data, and it collects only the data that are necessary, relevant, and limited for the fulfillment of the purpose for which they are processed.
We reassure you that from Xessable LTD Skopje’s point of view, the personal data are not processed for any other purpose except for the purpose they are collected.
- How long do we keep your personal data?
Your personal data will not be stored in a form that may ID you, and longer than necessary for the sole purpose they are processed.
Personal data of the employee is in accordance with laws prescribed deadlines, particularly for the longevity of the employment period and after.
- Employment record books, dossiers, and employment-related documents are permanent to keep. Records for employment contracts and agreements are kept for 45 years. Internal vacation records and sick leaves are due to 2 years of keep and time attendance is under 1 year of keep.
- Personal data of candidates – All applicants or candidates that apply on a job ad are back to the candidates that are not chosen particularly if they are deleted/erased within a deadline of 5 days from the day of contracting with the chosen candidate. Personal data of candidates that are not applying for a particular job ad, based on agreement are processed and are kept until withdrawal or by the deadline of 3 months.
- Personal data for collaborators that are processed based on contracts are kept by the end of the deadline for 10 years more.
The deadlines for keeping personal data are arranged by internal acts of Xessable LTD Skopje.
- Your rights
Right to be informed (article 17 и 18 from Law on Personal Data Protection)
Xessable LTD has the obligation to inform all the subjects which personal data it collects for them, for what purposes and how long it stores them, and if they are being transferred to third parties. Xessable LTD has the obligation to announce this information on its website in its office venues or to deliver the information to its subjects in paper or in digital form.
Right to access (article 19 from Law on Personal Data Protection)
On request, Xessable LTD has the obligation to deliver detailed information regarding the data that is collected or processed.
(Form 3 Request for access to personal data)
Right to change (article 20 from Law on Personal Data Protection)
On request, Xessable LTD will change or complement subjects’ personal data.
(Form 4 Request to change personal data)
Right to Delete (article 21 from Law on Personal Data Protection)
On request, Xessable LTD will delete data if the sole purpose is fulfilled, if the subject withdraws the agreement for collection and processing, if the data were illegally processed, or If the subject objects to the processing or to respect the legal obligation of Xessable LTD to delete data when the reason for collection or processing is obsolete.
(Form 5 Request to delete personal data)
Right to limit the processing (article 22 from Law on Personal Data Protection)
On request, Xessable LTD will limit the processing of personal data, if the subject objects the validity of the personal data in the period of validation, if the subject considers the process is illegal, but contraries of deleting, or if the data is needed to exercise legal rights. (Form 6 Request to limit the processing of personal data)
Right to transfer the data (article 24 from Law on Personal Data Protection)
On request, Xessable LTD will transfer the personal data in a structured, usually common, and machine-readable format or it will transfer them to another LTD. This right is applicable when personal data is processed based on an agreement or contract and when the processing is done by automation.
Right to object (article 25 from Law on Personal Data Protection)
Based on the objection given by the subject, Xessable LTD will stop the processing of data for the sole purpose of direct marketing and profiling connected with direct marketing. (Form 7 Objection)
Rights that come out of automated decision making (Article 26 from Law on Personal Data Protection))
The subject has the right to ask not to be a matter of decision based solely on automation processing, based on profiling, if that decision causes legal consequences for them. The controller must not decide if the subject asked in writer to not make such a decision.
Right to withdraw the agreement (Article 11 from Law on Personal Data Protection)
On request, Xessable LTD will stop processing the subject’s personal data. The withdrawal does not influence the legal aspect of processing that was done before the withdrawal of the agreement). (Form 8 Request to withdraw the agreement)
- Notification of breaches
Xessable is maintaining and following up measures to ensure the security protection of personal data whether is collecting or processing and risks against transmission and access by a third party.
We highly value transparency, and it is defined in our GDPR principles and policy when and if a breach of data happens. We will inform affected parties of the accident/breach of their personal data. If a breach of data is noticed for oneself or others, immediately inform our authorized employee for GDPR policy Neda Spasevska via firstname.lastname@example.org
Data Protection Authority Agency (DPA) will be informed within 72 hours. This will be managed in accordance with our Security Incident Protocol which sets out the overall process of handling information security incidents and Personal Data Breach Notification which sets out the process of notification of relevant authorities and data subjects in the event of a privacy breach.