Privacy Policy

• Technical data: IP addresses, browser type and version, operating system, device identifiers, referring URLs, pages visited, time spent on pages, cookie identifiers;
• Communication data: Name, email address, telephone number, company name, and content of enquiries submitted via contact forms, email, or live chat;
• Marketing preferences: Choices you make regarding receipt of marketing communications.

• Identity and contact information: Full name, job title, employer, business address, email address, telephone number;
• Contractual information: Details necessary for the performance of contracts, statements of work, or service agreements;
• Financial information: Billing address, bank account or payment details where required for invoicing and payment processing;
• Communication records: Correspondence, meeting notes, and records of negotiations or discussions;
• Due diligence data: Information collected as part of know-your-client (KYC) or anti-money-laundering (AML) compliance procedures.

• Recruitment data: CV, cover letter, employment history, educational qualifications, references, skills assessments, and interview notes;
• Employment records: Personal identification details, tax and social security information, salary and benefits data, performance records, disciplinary records, and training records;
• Sensitive data where applicable and legally permitted: Health information relevant to workplace adjustments, criminal record checks in accordance with applicable law.

Where we act as a processor on behalf of a client, we will process only such categories of personal data as are specified in the applicable data processing agreement. The client acts as data controller in such circumstances and is responsible for providing lawful grounds for processing.

Article 12(1)(2) Serbian PDPL / Article 6(1)(b) GDPR

We process personal data where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. This includes:

• Providing technology consulting, software development, system integration, and related services;
• Managing client relationships and service delivery;
• Processing invoices and managing payments;
• Fulfilling obligations under employment contracts.

Article 12(1)(3) Serbian PDPL / Article 6(1)(c) GDPR

• Compliance with Serbian tax, accounting, and corporate law requirements;
• Compliance with EU regulations applicable to our business operations, including GDPR, NIS2, and the EU AI Act;
• Compliance with anti-money-laundering and counter-terrorism financing legislation;
• Responding to lawful requests from public authorities or law enforcement;
• Employment law obligations.

Article 12(1)(6) Serbian PDPL / Article 6(1)(f) GDPR

We process personal data where it is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:

• Improving and developing our website, products, and services;
• Conducting business development and marketing activities directed at business contacts;
• Managing, securing, and operating our IT systems and network infrastructure;
• Preventing and detecting fraud, misuse, or unlawful activity;
• Managing legal claims and disputes;
• Conducting due diligence on prospective clients, partners, and suppliers;
• Internal administrative and management purposes, including quality assurance and financial reporting.

Article 12(1)(1) Serbian PDPL / Article 6(1)(a) GDPR

Where we rely on consent as the legal basis for processing, we will request your consent in a clear and unambiguous manner. You have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. We rely on consent for:

• Placement of non-essential cookies and similar technologies (see Section 12);
• Sending direct marketing communications to individuals where consent is required by applicable law;
• Any other processing activities specifically notified to you at the time consent is obtained.

In exceptional circumstances, we may process personal data where necessary to protect your vital interests or those of another person, or to perform a task carried out in the public interest. Such processing will be undertaken only where no other legal basis is available.

Personal data may be shared between different business units or affiliated entities of Universe Force Group where there is a legitimate business need to do so, and where appropriate internal agreements and safeguards are in place.

We engage third-party service providers who process personal data on our behalf as data processors, subject to binding contractual obligations in accordance with Article 45 of the Serbian PDPL and Article 28 of the GDPR. Categories of processors include:

• Cloud computing, hosting, and infrastructure service providers;
• IT security and monitoring services;
• Customer relationship management (CRM) platform providers;
• Communication and collaboration tool providers;
• Payroll, accounting, and financial management service providers;
• Legal, audit, and professional advisory services;
• Recruitment and HR technology platforms.

In the context of project delivery, we may share relevant personal data (typically business contact information) with our clients, subcontractors, or consortium partners as necessary for the performance of services.

We may disclose personal data to competent courts, regulators, law enforcement agencies, or other public authorities where required to do so by law or where we have a legitimate legal basis to make such disclosure.

In connection with any merger, acquisition, restructuring, sale of assets, or similar corporate transaction, personal data may be transferred to the relevant parties involved, subject to appropriate confidentiality obligations and compliance with applicable law.

Universe Force Group does not sell, rent, or trade personal data to any third party for their own independent commercial purposes.

Transfers of personal data from Serbia to third countries are governed by Chapter V of the Serbian PDPL (Articles 64–79). Where we transfer data outside Serbia, we rely on one of the following:

• A decision of the Commissioner confirming an adequate level of protection in the recipient country;
• Appropriate safeguards such as Standard Contractual Clauses approved by the Commissioner;
• Binding corporate rules where applicable;
• Your explicit consent for specific transfers;
• A derogation applicable under Article 69 of the Serbian PDPL.

Where we process personal data of individuals in the EU/EEA in the context of offering services to EU/EEA-based clients, or monitoring the behaviour of individuals in the EU/EEA, we comply with GDPR requirements. Transfers outside the EEA are subject to Chapter V of the GDPR, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other appropriate safeguards.

Our collaborations with the University of Belgrade, University of Novi Sad, University of Malta, and the Salzburg University of Applied Sciences (Salzburg UAS) may involve sharing of limited professional contact and project-related information. Such transfers are governed by the safeguards described above.

You may request a copy of the transfer safeguards we rely upon by contacting us at the details set out in Section 14.

Article 26 Serbian PDPL / Article 15 GDPR

You have the right to obtain confirmation as to whether we process personal data about you, and if so, to receive a copy of that data and information about the processing, including purposes, categories of data, recipients, retention periods, and safeguards for international transfers.

Article 29 Serbian PDPL / Article 16 GDPR

You have the right to request the correction of inaccurate personal data and, taking into account the purposes of processing, the completion of incomplete personal data.

Article 30 Serbian PDPL / Article 17 GDPR

You have the right to request the deletion of personal data about you where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) erasure is required by applicable law. This right is subject to limitations where processing is necessary for legal obligations or legal claims.

Article 31 Serbian PDPL / Article 18 GDPR

You have the right to request restriction of processing in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful, or where you have objected to processing pending verification of legitimate grounds.

Article 36 Serbian PDPL / Article 20 GDPR

Where processing is based on consent or contract and carried out by automated means, you have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

Article 37 Serbian PDPL / Article 21 GDPR

You have the right to object at any time to processing based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes.

Article 38 Serbian PDPL / Article 22 GDPR

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you, unless it is: (a) necessary for a contract; (b) authorised by law; or (c) based on your explicit consent. We do not currently employ automated decision-making that produces significant legal effects on individuals.

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

You have the right to lodge a complaint with the relevant supervisory authority:

• In Serbia: The Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti), Bulevar Kralja Aleksandra 15, 11000 Beograd, Serbia; www.poverenik.rs;
• In the EU/EEA: The data protection supervisory authority of your country of residence, place of work, or place of the alleged infringement.

To exercise any of your rights, please submit a written request to office@universeforcegroup.com. We may need to verify your identity before processing your request. We will respond free of charge unless requests are manifestly unfounded or excessive.

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You may update your preferences at any time through the cookie settings link available on our website.

You may also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our website. For further details, please refer to our Cookie Policy available at www.universeforcegroup.com/cookie-policy.