Privacy Policy

Through this Privacy Policy, we tell you transparently which personal data we collect, why, how we process it, how long we retain it, and what your rights are.

Personal data means any information relating to an identified or identifiable natural person. Direct identification means the data itself reveals who it refers to; indirect identification means the person can be recognised by combining several available data points. This Policy applies to natural persons only. Data on legal entities is not personal data within the meaning of this Policy. We do not collect personal data of minors under 16.

• Performance of a contract — necessary for a contract you are party to or for pre-contractual steps you requested.
• Legal obligation — tax, labour, accounting, immigration.
• Legitimate interest — sourcing and selecting candidates, service improvement, security.
• Consent — newsletters, marketing, future-opportunity outreach. Withdraw at any time without affecting prior lawful processing.

We treat your data as a business secret. We do not sell it and do not disclose it to third parties for their own purposes. We share with:

• Employers and clients — companies for which we seek workers, within the selection you applied to or consented to
• Partner agencies and affiliated companies — when they have suitable open roles
• Service providers — IT, accounting, post, archiving — bound by data processing agreements
• Competent authorities — courts, tax administration, regulators, when required by law
• Advisors and auditors — legal, accounting, audit, only as necessary

When using digital services from major technology vendors (Google, Microsoft, etc.), we accept their terms. We cannot fully verify their handling beyond their published guarantees, so we minimise risk through pseudonymisation and other technical measures.

Your data is generally processed within the EEA and Serbia. For exceptional transfers outside the EEA, we apply Standard Contractual Clauses approved by the European Commission or other safeguard mechanisms.

We do not carry out automated decision-making, and we do not create profiles for that purpose. None of our decisions are based on automated data processing.

If you subscribe, we process your email address to send the newsletter. The legal basis is your consent, which you may withdraw at any time.

We apply technical and organisational measures including:

• Encryption and modern protection methods
• Access control to resources containing personal data
• Pseudonymisation where possible
• Data minimisation in every process
• Confidentiality requirements for staff and associates
• Continuous monitoring of processing resources
• Regular security audits and staff training

• Mandatory legal retention (accounting, tax) — duration prescribed by law, deletion within a reasonable period after
• Job candidates — up to 3 years from last active communication, unless earlier deletion is requested or consent is withdrawn
• Consent-based — until withdrawal, then deleted as soon as possible
• Legitimate interest — for as long as the interest exists, then deleted within one year
• Contact and communication — until withdrawal of consent or end of business need
• Technical (cookies, IP) — up to 12 months

If legal proceedings are initiated, we retain data until their final conclusion, in line with applicable rules.

• Access — confirmation of processing, access to data, and information on how it is processed.
• Rectification — correction of inaccurate data, completion of incomplete data.
• Erasure — when there is no longer a legal basis or under other applicable grounds.
• Restriction — in defined situations, e.g. where accuracy is contested.
• Data portability — receive data in a structured, machine-readable format and transfer to another controller.
• Object — to processing based on legitimate interest.
• Withdraw consent — at any time, without affecting prior lawful processing.
• Lodge a complaint — with the competent supervisory authority.

You may amend or withdraw consent in whole or part at any time by writing to fran@werklist.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. After withdrawal we will no longer use the data for the relevant purposes; this may make it impossible to provide certain services. If you do not provide data necessary for a contract or for legal obligations, we may not be able to provide the agreed services.

Data you provide through forms, applications, or email is used only for the purposes in this Policy and treated as confidential. Access to the website follows standard technical protocols that record certain technical data (visit time, OS, screen resolution, transfer size) used to ensure functionality, security, and a better experience.

We may verify the identity of anyone submitting a request, accept requests only through defined channels, assess each request on the merits, and refuse those that are manifestly unfounded or excessive. Where rights are abused, we may take legal action.

We may amend this Policy to keep it aligned with practice and law. Material changes will be communicated through the website. We recommend reviewing the Policy regularly.

Matters not covered here are governed by the Serbian Law on Personal Data Protection, the GDPR, and other applicable rules. Anyone who believes their rights have been violated may contact us by email at fran@werklist.com; we respond within one month. You also have the right to address the competent supervisory authority or court.