Information about protection of personal data

Last updated: 13.02.2025

1. General terms

   We, NanduQ PLC (hereinafter referred to as the Company), acting as the controller of personal data consider the protection of rights and freedoms of data subjects and the implementation of data protection principles as an important condition for our personal data processing activities while achieving our business purposes.

   This Privacy Notice (hereinafter referred to as the Notice) defines our basic principles and terms for the personal data processing, as well as the measures we have taken to ensure the security of personal data.

   The Notice is developed in accordance with the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR) as well as the applicable local legislation, including The Protection of Physical Persons Against the Processing of Personal Data and Free Movement of such Data Law 125(I)/2018 (hereinafter referred to as Law 125). The meanings of terms used in this document are as specified in laws mentioned above.

   The Notice applies to the processing and security of the personal data processed by us, which can be obtained both from a natural or a legal person in the framework of a contractual relationship with us as well as from other data subjects.

   If you have any questions regarding the Notice, please, contact the data protection officer or the person responsible for personal data processing by email at privacy@nanduq.com.

2. Information about the processing of personal data

   1. Categories of data subjects

      As part of our business we can process personal data of the following categories of data subjects:

      • Candidates for vacant positions: the personal data of individuals (hereinafter referred to as applicants) who are applying for a job opening at NanduQ PLC;
      • Representatives of prospective counterparties: the personal data of the prospective companies-counterparties staff members, acting in the name of their company;
      • Representatives of counterparties: the personal data of the current companies-counterparties staff members, acting in the name of their company;
      • Website users: the personal data of individuals who are using the website;
      • Marketing newsletter subscribers: the personal data of individuals who receive marketing communications from the Company.

      Other categories of data subjects are being informed through different means, ex. Employee Privacy Notice or Privacy Policy.

   2. The purposes and categories of personal data processing

      We process personal data of the indicated categories of data subjects for predefined purposes as presented below.

      Candidates for vacant positions

      Purposes of personal data processing	List of personal data	Retention Period	Legal basis
      Recruitment of candidates for vacant positions (candidate search, resume collection, conducting interviews)	General information: candidate’s full name, date of birth, desirable department, sex Information about education: level of education, enrolment and graduation date, name of the educational institution, location of the educational institution, Diploma number, department, major, mode of education, certificate of completion educational courses, information of language proficiency, information about professional skills, Contact details: phone number (main and additional), email address, Work experience information: work experience in state or municipal service, place of work, types of employment, start and termination, name of the organization, organization address and phone number, job position, job duties, reasons for termination of employment, information about entrepreneurial activities and interests in business, type of activity, project name, working period, work description	4 months after receiving the resume (needed for evaluating the candidate) or until the conclusion of a contract	Contract with a data subject (Employment contract)
      Receiving additional information about candidates for vacant positions	General information: photo, desirable job position and salary, information about hobbies, bad habits, family, place of residence, other information provided by the data subject	4 months after receiving the resume (needed for evaluating the candidate) or until the conclusion of a contract	Consent
      Checking of information about a candidate for employment	General information: full name, date of birth, previous full name, ID details (citizenship, passport number, by whom (including the personal code) and when the document was issued, place of birth, address of registered residence), Contact details: phone number (main and additional), e-mail, The Taxpayer Identification Number assignment certificate: full name, sex, date of birth, place of birth, Taxpayer Identification Number, Insurance Number of Individual Ledger Account information: full name, sex, date of birth, place of birth, Number of Individual Ledger Account, Information about education: level of education, enrolment and graduation date, name of the educational institution, location of the educational institution, Diploma number, department, major, mode of education, Work experience information: work experience in state or municipal service, place of work, types of employment, start and termination dates, name of the organization, organization address and phone number, position, job duties, reasons for termination of employment, information about entrepreneurial activities and interests in business, type of activity, project name, working period, work description, Information about obligations: information about non-disclosure agreements, Information about the existence of non-disclosure agreements, information about financial liabilities, type of financial liabilities, information about the limiting or unfulfilled obligations from previous jobs, Migration card data: migration card series and number, visa number, purpose of the visit, duration of stay, Residence permit data: document number, date of the decision and issue of the document, citizenship	4 months after receiving the resume (needed for evaluating the candidate) or until the conclusion of a contract	Legitimate interest

      Representatives of prospective counterparties

      Purposes of personal data processing	List of personal data	Retention Period	Legal basis
      Communication with representatives of prospective counterparties (presales)	General information: full name, position, phone number, e-mail	until the purpose of processing is achieved (before the conclusion or execution of a contract)	Legitimate interest
      Conducting due diligence on counterparties before entering into a contract	General information: Full name, e-mail, phone number, date of birth, place of birth, citizenship, ID details: passport number, by whom (including the personal code) and when the document was issued, validity period of the document, Taxpayer Identification Number, address of registered residence, current residence address, number of the power of attorney, position, name of the organization, Visa details: visa number, visa’s date of issue, visa’s validity period, Migration card details: card number, card’s date of issue, card’s validity period	5 years from the end of the contractual relationship (defined by the legislation of Cyprus)	Legal requirement (Law on Prevention and Suppression of Money Laundering Activities (13.12.2007))
      Application processing for connecting an agent, provider, or lessor	General information: full name, e-mail, phone number, name of the organization, Taxpayer Identification Number, contract / ATM number	until the purpose of processing is achieved (until the conclusion of a contract)	Legitimate interest

      Representatives of counterparties

      Purposes of personal data processing	List of personal data	Retention Period	Legal basis
      Communication with representatives of contractors during the conclusion and execution of contracts	General information: full name, position, e-mail, phone number	until the purpose of processing is achieved (until the conclusion or execution of a contract)	Legitimate interest
      Conducting settlements with counterparties, conducting banking operations	General information: full name, position, e-mail, phone number	until the purpose of processing is achieved (until the payment is conducted)	Legitimate interest
      Support for an agent, provider, or lessor	General information: full name, e-mail, phone number, name of the organization, Taxpayer Identification Number, contract / ATM number	until the purpose of processing is achieved (until technical support is provided)	Legitimate interest

      Website users

      We do not collect or process any personal data of the website users.

3. Personal data transfers

   When we transfer personal data to third parties, we make sure that they have sufficient guarantees to implement the appropriate technical and organizational measures. We transfer personal data to third parties with whom we have concluded the appropriate types of contracts with the required obligations regarding the protection of personal data at the level defined by us.

   When we need to transfer personal data to a third country, we transfer the data to third country which ensures an adequate level of protection

   List of counties providing adequate protection: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

   . If we transfer the data to third country which does not ensure an adequate level of protection, we implement appropriate safeguards in place (Standard Contractual Clauses approved by the European Commission).

   We monitor compliance with the principles of personal data processing and application of the appropriate security measures by third parties. We control that cross-border transfer of personal data is limited by the purposes for which the data was collected.

   In addition, in order to transfer personal data to third parties abroad we conduct TIA (Transfer Impact Assessment) to the activities, where necessary.

   Information about companies involved in data sharing is provided below.

   1. Bank that the Company uses for conducting payments

      United States — country does not guarantee sufficient levels of personal data protection according to Chapter 5 of GDPR.

      The legal basis for cross-border transfer: we use Standard Contractual Clauses approved by the European Commission.

      Data subjects	Purpose of Transfer	The role of the third party	The basis of interaction with a third party
      Representatives of counterparties	settlements with counterparties of the Company	Controller	Contract that includes security measures

4. Data subject’s rights

   We guarantee free of charge the following rights under the Law 125 and GDPR regarding your personal data:

   Your rights	Article of the law
   If we are processing your personal data based on consent that you gave us when we got the data, you may have the right to withdraw your consent at any time	Article 7 of the GDPR
   You can obtain form us confirmation that we process your personal data, access to the personal data and the information about its processing. You can also ask for a copy of your personal data in a machine-readable format. We cannot exercise this right if it affects the rights and freedoms of others	Article 15 of the GDPR
   If you believe that any personal data, we are holding about you is incorrect or incomplete, you can request that we correct or supplement the data. Please contact us as soon as possible if you notice any inaccuracy or incompleteness	Article 16 of the GDPR
   You can request that we erase some or all of your personal data without undue delay	Article 17 of the GDPR
   You can ask us to restrict further processing of your personal data. This just means you can ask us to stop using it for what we have been using it for	Article 18 of the GDPR
   When the processing is based on your consent or on the Contract with you, you can receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and can freely transmit those data to another controller. Where technically feasible, you can also ask us to transmit the personal data directly to another controller	Article 20 of the GDPR
   If we processing your personal data based on legitimate interest you can let us know that you object to the collection	Article 21 of the GDPR
   You have the right to lodge a complaint about the Company practices with respect to your personal data with the supervisory authority of the EU Member State of your habitual residence, place of your work or place of the alleged infringement	Article 77 of the GDPR

   To exercise your rights mentioned in the table above, contact the following email: privacy@nanduq.com.

   Please note, that we can enforce these rights only if you are expressly identified as a personal data subject for which we may ask you for additional information.

   We process and respond to the requests for the exercise the rights without undue delay and in any event within one month of receipt of the request. Considering the complexity and the number of requests, the term for the preparation of an answer to the request can be extended by two months. In this case we will notify you about the reasons for the delay within one month.

5. Cookies and Web Analytics

   We use cookies to enhance performance characteristics of our websites, make it more user-friendly, collect information about visits and take measures to improve the websites. We do not collect or process your personal data using cookies.

   More information on Cookies is provided in our Cookie Notice.

6. Measures to ensure the security of personal data processed

   When processing personal data, we take the necessary organizational and technical measures, selected based on the risk analysis, to protect personal data from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data.

   The security of personal data is ensured by the following:

   • we have assigned the responsibility for the organization of personal data processing to a specific employee;
   • we have implemented data protection policies to ensure that our personal data processing activities comply with the Law 125 and GDPR (internal policies, internal allocation of responsibilities, trainings);
   • we have implemented the necessary measures to protect personal data (access control, encryption, antivirus protection);
   • we keep up to date the records of processing activities;
   • we have organized a process of receiving and controlling the processing of data subjects’ requests;
   • we carry out a DPIA for personal data processing activities that result in a high risk to data subjects due to the nature or scope of the operation (for more information, see Data Protection Impact Assessment);
   • we ensure data protection by design and data protection by default (for more information, see Data protection by design and by default);
   • we ensure security of third parties (controllers, processors, joint controllers);
   • we control the transfers of personal data outside the EU;
   • we document personal data breaches (if any) and their consequences, investigating them, notifying the relevant parties about leaks within 72 hours, and taking measures to eliminate the consequences of personal data breaches;
   • we carry out planned and unscheduled audits of personal data processing activities.

7. Contact information

   Our contact information is specified below.

   NanduQ PLC

   Postal address: 12 Kennedy Avenue, Kennedy Business Centre, 2nd Floor, 1087-Nicosia, Cyprus

   Tel.: +357 22-65-33-90

   Contacts of the person responsible for the personal data processing

   Email: privacy@nanduq.com