For the purposes of this Policy, the following terms have the meanings set out below:
- “personal data” means any data relating to an individual whose identity is determined or can be determined (“the respondent”); an identifiable individual is a person who can be identified, directly or indirectly, in particular by reference to identifiers such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
- “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the law of the Union or the law of a Member State, the controller or the specific criteria for its nomination may be provided for by the law of the Union or the law of a Member State;
- “processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
- “recipient” means a natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing;
- “consent” of the respondent means any voluntary, specific, informed and unequivocal indication of the respondent’s wishes by which he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him;
- “personal data breach” means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed;
The protection afforded in connection with the processing of personal data should apply to individuals regardless of their nationality or residence. The Regulation does not cover the processing of personal data concerning legal entities, and especially entrepreneurs who are established as legal entities, including the name and form of the legal entity and contact information of the legal entity.
Consent is given by a clear affirmative action expressing the subject’s voluntary, specific, informed and unequivocal consent to the processing of personal data relating to him, such as a written statement, including electronic, or oral statements. This could include ticking a box when visiting websites, selecting technical settings of information society services or other statements or behavior that clearly show in this context that the data subject accepts the proposed processing of his personal data. Silence, a pre-ticked box or a lack of activity should therefore not be considered consent.
Children deserve special protection with regard to their personal data, since they may be less aware of the risks, consequences and protective measures in question, as well as their rights in relation to the processing of personal data. Such a right to special protection should specifically refer to the use of children’s personal data for the purpose of marketing or the creation of personal or user profiles and the collection of personal data about children when using services that are directly offered to the child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counseling services offered directly to the child.
Where data is collected via the Internet, for example through contact forms, access forms and other online collection methods, consent is given electronically in the following way: before any data is collected and before the data is sent, the respondent must actively give consent, i.e. confirm that he is familiar with all the information about the processing, in accordance with the respondent’s right to be informed set out below, and that he consents to that processing. The controller will make the consent step available to the respondent before it is possible to send the respondent’s data to the controller. Consent may also be given in writing where this is necessary for technical reasons, for example when data is collected through access forms completed in person at the controller’s branches (e.g. loyalty cards), or where the respondent wishes to give consent in writing. In that case consent is likewise given before the data is provided: the data collection form lists all the information that must be provided to the respondent before data is provided, and the respondent confirms, by marking the corresponding field on the form, that he is familiar with all of that information and agrees to the data collection.
PRINCIPLES OF DATA PROCESSING
Any processing of personal data should be lawful and fair. It should be transparent to individuals how personal data relating to them is collected, used, disclosed or otherwise processed, and to what extent such personal data is or will be processed. The principle of transparency requires that any information and communication regarding the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. This principle applies in particular to information given to the respondent about the identity of the controller and the purposes of the processing, and to further information provided to ensure fair and transparent processing with regard to the individuals concerned and their right to obtain confirmation and communication of the personal data relating to them that is being processed. Individuals should be made aware of the risks, rules, safeguards and rights related to the processing of personal data and of how to exercise their rights in relation to that processing. The specific purpose for which personal data is processed should be explicit and legitimate and determined at the time the personal data is collected. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which it is processed. For this reason, it is especially necessary to ensure that the period for which personal data is stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be achieved by other means. In order to ensure that personal data is not kept longer than necessary, the controller should set time limits for erasure or for periodic review. Every reasonable step should be taken to ensure that inaccurate personal data is rectified or erased.
Personal data should be processed with appropriate respect for the security and confidentiality of personal data, which also includes preventing unauthorized access to personal data and equipment used for data processing or their unauthorized use.
- Personal data must be:
  - (a) processed lawfully, fairly and transparently with respect to the data subject (“lawfulness, fairness and transparency”);
  - (b) collected for specified, explicit and lawful purposes and not further processed in a manner incompatible with those purposes;
  - (c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (“data minimisation”);
  - (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (“accuracy”);
  - (e) kept in a form which permits identification of respondents for no longer than is necessary for the purposes for which the personal data is processed;
  - (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”);
- The controller is responsible for compliance with paragraph 1 and must be able to demonstrate it (“accountability”).
- Processing is lawful only if and to the extent that at least one of the following applies:
  - (a) the respondent has given consent to the processing of his personal data for one or more specific purposes;
  - (b) processing is necessary for the performance of a contract to which the respondent is party, or in order to take steps at the request of the respondent prior to entering into a contract;
  - (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  - (d) processing is necessary in order to protect the vital interests of the respondent or of another natural person;
  - (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  - (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the respondent which require protection of personal data, in particular where the respondent is a child.
- Where processing is based on consent, the controller must be able to demonstrate that the respondent has consented to the processing of his personal data. Consent may be given electronically or in writing as described above.
- If the respondent gives consent in the form of a written statement that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language.
- The respondent has the right to withdraw his consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The respondent is informed of this before giving consent. Withdrawing consent must be as easy as giving it. The respondent may withdraw consent by sending a statement of withdrawal to the controller’s e-mail address listed below (including where consent was not given in writing); consent may also always be withdrawn by sending a statement of withdrawal to the address of the controller’s headquarters, by coming in person to the branch office where consent was given, or by coming to the controller’s headquarters if that branch office is no longer operating.
- When assessing whether consent was given voluntarily, utmost account is taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
THE RESPONDENT’S RIGHT TO BE INFORMED
- If personal data relating to the respondent is collected from the respondent, the controller shall provide the respondent with all of the following information at the time the personal data is collected:
  - (a) the identity and contact details of the controller and, where applicable, of the controller’s representative. The controller is Marko Deak, operations director of ForgeBIT d.o.o.;
  - (b) the contact details of the data protection officer, where applicable; the data protection officer is Marko Deak;
  - (c) the purposes of the processing for which the personal data is used, as well as the legal basis for the processing; the purposes of processing are set out in Annex 1.
- In addition to the information referred to in paragraph 1, the controller shall, at the time the personal data is collected, provide the respondent with the following further information necessary to ensure fair and transparent processing:
  - (a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period. The categories of personal data and their storage periods are defined in Annex 1;
  - (b) the existence of the right to request from the controller access to personal data, the rectification or erasure of personal data or the restriction of processing concerning the respondent, the right to object to such processing, and the right to data portability;
  - (c) where the processing is based on Article 6, paragraph 1, point (a) or Article 9, paragraph 2, point (a) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  - (d) the right to lodge a complaint with the supervisory authority;
  - (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the respondent is obliged to provide the personal data, and the possible consequences of failing to provide such data;
  - (f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4 of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the respondent.
RESPONDENT’S RIGHT OF ACCESS
- The respondent has the right to obtain from the controller confirmation as to whether personal data relating to him is being processed and, where that is the case, access to the personal data and the following information:
  - (a) the purposes of the processing;
  - (b) the categories of personal data concerned;
  - (c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
  - (d) where possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  - (e) the existence of the right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data relating to the respondent, or the right to object to such processing;
  - (f) the right to lodge a complaint with the supervisory authority;
  - (g) where the personal data is not collected from the respondent, any available information as to its source;
  - (h) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4 of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the respondent.
- Where personal data is transferred to a third country or an international organization, the respondent has the right to be informed of the appropriate safeguards under Article 46 of the Regulation relating to the transfer.
- The controller provides a copy of the personal data being processed. For any further copies requested by the respondent, the controller may charge a reasonable fee based on administrative costs. Where the respondent submits the request electronically, and unless the respondent requests otherwise, the information is provided in a commonly used electronic form.
- The right to obtain a copy under paragraph 3 must not adversely affect the rights and freedoms of others.
RIGHT TO RECTIFICATION AND ERASURE
Right to rectification
The respondent has the right to obtain from the controller the correction of inaccurate personal data relating to him without undue delay. Taking into account the purposes of the processing, the respondent has the right to supplement incomplete personal data, including by providing an additional statement.
Right to erasure (“right to be forgotten”)
- The respondent has the right to obtain from the controller the erasure of personal data relating to him without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
  - (a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  - (b) the respondent withdraws the consent on which the processing is based in accordance with Article 6, paragraph 1, point (a) or Article 9, paragraph 2, point (a) of the Regulation, and there is no other legal basis for the processing;
  - (c) the respondent objects to the processing in accordance with Article 21, paragraph 1 of the Regulation and there are no overriding legitimate grounds for the processing, or the respondent objects to the processing in accordance with Article 21, paragraph 2;
  - (d) the personal data has been unlawfully processed;
  - (e) the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject;
  - (f) the personal data was collected in connection with the offer of information society services referred to in Article 8, paragraph 1 of the Regulation.
- If the controller has made the personal data public and is obliged to erase it in accordance with paragraph 1, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers that are processing the personal data that the respondent has requested the erasure by those controllers of any links to, or copies or replications of, that personal data.
- Paragraphs 1 and 2 do not apply to the extent that processing is necessary:
  - (a) for exercising the right of freedom of expression and information;
  - (b) for compliance with a legal obligation which requires processing under Union law or the law of a Member State to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  - (c) for reasons of public interest in the area of public health in accordance with Article 9, paragraph 2, points (h) and (i), as well as Article 9, paragraph 3;
  - (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, paragraph 1, in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  - (e) for the establishment, exercise or defense of legal claims.
The right to restriction of processing
- The respondent has the right to obtain from the controller restriction of processing where one of the following applies:
  - (a) the respondent contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
  - (b) the processing is unlawful and the respondent opposes the erasure of the personal data and requests the restriction of its use instead;
  - (c) the controller no longer needs the personal data for the purposes of the processing, but the respondent requires it for the establishment, exercise or defense of legal claims;
  - (d) the respondent has objected to the processing pursuant to Article 21, paragraph 1 of the Regulation, pending verification of whether the legitimate grounds of the controller override those of the respondent.
- Where processing has been restricted under paragraph 1, such personal data may, with the exception of storage, be processed only with the respondent’s consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
- A respondent who has obtained restriction of processing under paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Obligation to notify regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any correction or deletion of personal data or restriction of processing carried out in accordance with Article 16, Article 17 paragraph 1 and Article 18 of the Regulation to each recipient to whom personal data has been disclosed, unless this proves impossible or requires a disproportionate effort. The controller informs the data subject about these recipients if the data subject requests it.
The right to data portability
- The respondent has the right to receive the personal data relating to him which he has provided to the controller in a structured, commonly used and machine-readable format, and has the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, where:
  - (a) the processing is based on consent in accordance with Article 6, paragraph 1, point (a) or Article 9, paragraph 2, point (a), or on a contract in accordance with Article 6, paragraph 1, point (b); and
  - (b) the processing is carried out by automated means.
- In exercising the right to data portability under paragraph 1, the respondent has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- The exercise of the right under paragraph 1 of this article is without prejudice to Article 17. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right under paragraph 1 must not adversely affect the rights and freedoms of others.
The right to object
- The respondent has the right to object, on grounds relating to his particular situation, at any time to the processing of personal data relating to him. The controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the respondent, or for the establishment, exercise or defense of legal claims.
- Where personal data is processed for direct marketing purposes, the respondent has the right to object at any time to the processing of personal data relating to him for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Where the respondent objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
- At the latest at the time of the first communication with the respondent, the respondent’s attention must be explicitly drawn to the rights referred to in paragraphs 1 and 2, and this must be done clearly and separately from any other information.
- The respondent has the right to lodge a complaint with the Agency for the Protection of Personal Data, as the supervisory authority.
PROCEEDING AT THE RESPONDENT’S REQUEST
The controller will act on all requests of respondents under the preceding articles within one month of receipt of the request and, if that is not possible, will inform the respondent within the same period that the request cannot be acted upon. Respondents may submit requests for access, rectification, erasure, restriction of processing, objection and data portability, withdrawal of consent and all other requests concerning the protection of personal data to the e-mail address: [email protected]
Automated individual decision-making, including profiling
- The respondent has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him.
- Paragraph 1 does not apply if the decision is:
  - (a) necessary for entering into, or the performance of, a contract between the respondent and the controller;
  - (b) authorized by the law of the Union or the law of the Member State to which the controller is subject, and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the respondent; or
  - (c) based on the respondent’s explicit consent.
RECORDS OF PROCESSING ACTIVITIES
- Each controller and, where applicable, the controller’s representative keeps a record of the processing activities under its responsibility. That record contains all of the following information:
  - (a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  - (b) the purposes of the processing;
  - (c) a description of the categories of respondents and of the categories of personal data;
  - (d) the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations;
  - (e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
  - (f) where possible, the envisaged time limits for erasure of the different categories of data;
  - (g) where possible, a general description of the technical and organizational security measures referred to in Article 32, paragraph 1 of the Regulation.
- The records referred to in paragraph 1 must be in writing, including in electronic form.
Reporting to the supervisory authority about the violation of personal data
- In the event of a personal data breach, the controller shall notify the supervisory authority, namely the Personal Data Protection Agency, without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
- The controller documents all personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken. That documentation enables the supervisory authority to verify compliance with this article.
Notifying the respondent about a personal data breach
- When a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall notify the respondent of the personal data breach without undue delay.
- Notifying the respondent under paragraph 1 is not required if any of the following conditions is met:
  - (a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  - (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the respondent referred to in paragraph 1 is no longer likely to materialize;
  - (c) it would involve disproportionate effort. In such a case, there must instead be a public communication or similar measure whereby the respondents are informed in an equally effective manner.
For data kept in physical document files, technical protection measures are provided such that only authorized persons have access to the area where the files containing such data are kept. For data kept in electronic records, IT protection measures are provided such that the computers on which the documents are stored are secured with a password and have an anti-virus program installed.
Director: Marko Deak
In Zagreb on December 23, 2022