RULE ON THE PROCESSING AND PROTECTION OF PERSONAL DATA VANTAGE POINT d.o.o.
Based on the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the European Union, L 119/1, 04/05/2016; hereinafter “General Regulation on Data Protection” or “Regulation”) and the Law on the Implementation of the General Regulation on Personal Data Protection (Official Gazette 42/2018, hereinafter “the Law”), the management of VANTAGE POINT d.o.o., with headquarters in Makarska, Volicija 5, OIB: 71481222113 (hereinafter: “Company”), on 12.05.2018 adopts the following
I. FUNDAMENTAL PROVISIONS
(1) This Ordinance on data processing (hereinafter: “Rules”) regulates the rights of individuals with regard to the processing of personal data, and the rules on the free movement of personal data, as they relate to the personal data that the Company collects, processes, stores and forwards.
(2) This Ordinance establishes the procedures for processing personal data in the sense of the concept of processing as defined in this Ordinance, and in connection with the specific processing procedures carried out by the Company in relation to personal data.
(3) The provisions of this Ordinance apply fully and directly to all personal data of individuals whose personal data is processed by the Company.
(1) For the purposes of this Ordinance, the following terms have the following meanings:
“personal data” means any data relating to an individual whose identity has been determined or can be determined;
“respondent” means an individual whose identity can be established, i.e. a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, online identifier or with the help of one or more factors inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
“processing” means any process or set of processes performed on personal data or sets of personal data, whether by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction;
“restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects related to an individual, in particular to analyze or predict aspects related to work performance, economic condition, health, personal preferences, interests, reliability, behavior, location or movement of that individual;
“pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data cannot be attributed to an individual whose identity has been established or can be established;
“storage system” means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
“controller” means a natural or legal person, public authority, agency or other body that alone or together with others determines the purposes and means of personal data processing; when the purposes and means of such processing are determined by the law of the Union or the law of a member state, the controller or the specific criteria for its appointment may be provided for by the law of the Union or the law of a member state; for the purposes of this Ordinance, the controller is the Company;
“processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, and is appointed by the Company, as controller, for specifically prescribed purposes such as payroll, occupational safety records, etc.;
“recipient” means a natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by these public authorities must be in accordance with the applicable rules on data protection according to the purposes of the processing;
“third party” means a natural or legal person, public authority, agency or other body that is not the respondent, the controller, the processor or a person authorized to process personal data under the direct authority of the controller or processor;
“consent” of the subject means any voluntary, specific, informed and unambiguous expression of the wishes of the subject by which he gives his consent to the processing of personal data relating to him by a statement or a clear affirmative action;
“personal data breach” means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed;
“genetic data” means personal data related to the inherited or acquired genetic characteristics of an individual that provide unique information about the physiology or health of that individual, and which are obtained in particular by analyzing the biological sample of the individual in question;
“biometric data” means personal data obtained through special technical processing related to the physical characteristics, physiological characteristics or behavioral characteristics of an individual that enable or confirm the unique identification of that individual, such as facial photographs or dactyloscopic data;
“health-related data” means personal data related to an individual’s physical or mental health, including the provision of health services, which provides information about his or her health status;
“representative” means a natural or legal person with a place of business in the Union appointed by the controller or processor in writing in accordance with Article 27 of the Regulation, who represents the controller or processor with regard to their obligations under the Regulation;
“enterprise” means a natural or legal person engaged in economic activity, regardless of the legal form of that activity, including partnerships or associations that regularly engage in economic activity;
“group of undertakings” means a controlling undertaking and the undertakings controlled by it;
“binding corporate rules” means the personal data protection policies to which a controller or processor established in the territory of a Member State adheres to transfers or sets of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or a group of undertakings that engage in joint economic activity;
“supervisory body” means the Agency for the Protection of Personal Data or another independent body of public authority established by the Republic of Croatia, which is responsible for monitoring the application of the Regulation and the Law in order to protect the fundamental rights and freedoms of individuals with regard to processing and to facilitate the free flow of personal data within the European Union;
“supervisory authority concerned” means a supervisory authority that is concerned by the processing of personal data because:
a) the controller or processor has a place of business in the state territory of the member state of that supervisory authority;
b) the processing significantly affects or is likely to significantly affect respondents residing in the member state of that supervisory authority; or
c) a complaint has been submitted to that supervisory body.
“cross-border processing” means either:
a) processing of personal data that takes place in the Union in the context of the activities of business establishments in more than one member state of the controller or processor, and the controller or processor has a business establishment in more than one member state; or
b) processing of personal data that takes place in the Union in the context of the activities of the sole business entity of the controller or processor, but which significantly affects or is likely to significantly affect respondents in more than one member state.
“relevant and reasoned objection” means an objection to the draft decision as well as to whether there has been a violation of this Regulation, or whether action is foreseen in relation to the controller or processor in accordance with this Regulation, which clearly shows the importance of the risk posed by the draft decisions regarding the fundamental rights and freedoms of data subjects and, if applicable, the free flow of personal data within the Union;
“employee” means any person employed by the Company on the basis of an employment contract or management contract.
(2) Other terms used in this Ordinance have the meaning given to them in the Regulation and the Law.
III. TYPES OF DATA
(1) Personal data are classified according to the categories of persons to whom they relate:
- personal data of employees;
- personal data of potential employees;
- personal data of natural persons who are suppliers and/or representatives of suppliers;
- personal data of natural persons who are service users and/or representatives of service users.
(2) According to the types of personal data, personal data specifically includes, but is not limited to:
- name and surname,
- registration number, OIB;
- date of birth;
- identity card number;
- passport number;
- father’s or mother’s name;
- residence and address;
- place of birth;
- personal health insurance number;
- MIO insurance number;
- MIO II insurance;
- type of employment (definite, indefinite, employment contract);
- work place;
- vocational education (SSS, VŠS, VSS);
- title of the respondent;
- bank account number;
- work experience prior to joining the employer;
- date of establishment of the employment relationship;
- date of termination of employment;
- reason for termination of employment (retirement, dismissal, etc.);
- employee working hours;
- data on realized rights from the employment relationship (e.g. maternity leave, sick leave, etc.);
- employed/unemployed status;
- name and surname of parent (guardian);
- identity card number of the parent (guardian).
(3) The collection and processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, data related to health or data on the sex life or sexual orientation of individuals, is prohibited, except in cases specifically prescribed by the Regulation.
(1) The company collects the following personal data:
- basic personal data: first and last name, residential address, personal identification number (OIB), date of birth, gender, mobile phone number and contact information (residential address, e-mail, phone number), information on the type of contractual relationship and content;
- other personal data which the respondent or third parties make available to the Company in the course of a work, business or other relationship, i.e. during the duration of that relationship, such as data from an identity card, bank account details, signature or representation authority; this does not include data that is sensitive from the point of view of data protection, in particular data on racial or ethnic affiliation, political or religious beliefs or worldview, genetic data or data on health;
- data on the use of the Company’s products and services and their contents, for example, a description of the purchased and used products and services, the method of use.
(2) Personal data is collected either directly from the respondents (verbally and in writing) or indirectly from third parties.
(3) Depending on the type and purpose of personal data, collected personal data is processed, archived and possibly forwarded, all in accordance with the presentation given in Annex 1 of the Ordinance.
IV. DATA PROCESSING
(1) Personal data of respondents are processed for the following purposes:
- establishing the respondent’s employment relationship – fulfilling the Company’s legal obligations as an employer;
- implementation of business relations – conclusion and execution of the Company’s agreements with respondents (customers/suppliers);
- ensuring the security and protection of the Company’s property – records of respondents’ entrances to and exits from the Company’s premises, and surveillance cameras;
- resolving complaints from respondents (customers, suppliers).
(2) Personal data are processed in the Company:
- on the basis of legal and sub-legal regulations when it is necessary to comply with the Company’s legal obligations, i.e. in particular in accordance with the applicable Labor Act, Accounting Act, Trade Act, Act on Intermediation in Real Estate Transactions, Act on Consumer Protection, Act on Companies, Act on services, the Law on Obligatory Relations, the General Regulation on Data Protection, the Rules of Procedure of the Company and other applicable regulations and to fulfill tasks that are carried out in the public interest;
- based on the consent of the respondent for the processing of their personal data for one or more special purposes;
- when the processing is necessary for the execution of a contract to which the respondent is a party or in order to take actions at the request of the respondent before concluding the contract;
- on the basis of the Company’s internal acts, when the processing is necessary for the legitimate interests of the Company;
- for the collection of claims and for the purpose of contacting the respondent: personal data are in principle deleted upon termination of the contractual relationship, and at the latest after the expiry of all legal obligations related to the storage of personal data, except where a procedure for the enforced collection of unpaid claims has been initiated, in which case they are kept until the final completion of that procedure; for the purpose of contacting the respondent, data are processed during the contractual relationship and for a period of one year after its termination, through the communication channels for which the Company has obtained the respondent’s consent, i.e. electronic mail (e-mail), social networks and written correspondence (by post).
(1) The company ensures all legal, technical and organizational prerequisites for compliance with the basic principles of personal data processing.
(2) Personal data must be:
- legally, fairly and transparently processed with regard to the respondent;
- collected for special, explicit and lawful purposes and may not be processed in a way that is inconsistent with these purposes, whereby further processing for the purpose of archiving in the public interest, for the purpose of scientific or historical research or for statistical purposes, is not considered incompatible with the original purpose;
- appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, if necessary, up-to-date, and the Company takes every reasonable measure to ensure that personal data that is not accurate, taking into account the purposes for which it is processed, is deleted or corrected without delay;
- kept in a form that enables the identification of the data subject only for as long as is necessary for the purposes for which the personal data is processed, whereby the personal data may be stored for longer periods if it will be processed solely for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes, subject to the implementation of appropriate technical and organizational measures;
- processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.
(1) Processing of personal data through video surveillance refers to the collection and further processing of personal data, which includes the creation of a recording that forms or is intended to form part of a storage system.
(2) The processing of personal data through video surveillance is carried out in accordance with the Decision on video surveillance, and only for the purpose that is necessary and justified for the protection of persons and property.
(3) Video surveillance includes only rooms or parts of rooms whose surveillance is necessary to achieve the purpose from the previous paragraph.
(4) The object or individual room in it that is under video surveillance is marked in such a way that the mark is visible at the latest when entering the recording perimeter.
(5) The notice on the label from the previous paragraph should contain all relevant information in accordance with the provisions of Article 13 of this Ordinance, and in particular a simple and easy-to-understand image with text providing the following information to respondents:
- that the space is under video surveillance,
- data about the Company (controller),
- contact details of the commissioner of personal data protection through which the respondent can exercise his rights.
(6) The right of access to personal data collected through video surveillance belongs to the responsible person of the Company and/or the person authorized by him.
(7) Recordings from the video surveillance system may not be used contrary to the purpose established in paragraph 2 of this article.
(8) The video surveillance system is protected against access by unauthorized persons.
(9) The controller is obliged to establish a system of logs for recording access to video surveillance recordings, which will contain the time and place of access as well as the designation of the persons who accessed the data collected through video surveillance.
(10) Recordings obtained through video surveillance may be stored for a maximum of 6 months in accordance with the Law on the Implementation of the General Regulation on Data Protection, unless another law prescribes a longer storage period or if they are evidence in court, administrative, arbitration or other equivalent proceedings.
(11) The processing of workers’ personal data through the video surveillance system of work premises may only be carried out if, in addition to the conditions established by the Act on the Implementation of the General Regulation on Data Protection, the conditions established by the regulations governing protection at work are also met, if the workers were informed in advance of such a measure, and if the employer informed the employees before making the decision to install a video surveillance system.
(12) Video surveillance of work premises must not include rest, personal hygiene and changing rooms.
(1) The company keeps records of processing activities electronically and in writing.
(2) For each category of respondents, the purpose of processing, which personal data is processed, and the basis and method of collection, where it is stored, the period of data storage and the type of protection will be stated in the records.
(3) The Director of the Company shall by decision designate the person in charge of keeping records of processing activities.
(1) Personal data collected and processed are, in principle, deleted when the purpose for which they were collected ceases, and at the latest after the expiration of all legal obligations related to the storage of personal data.
(2) The personal data of the respondent-employee shall be kept for the duration determined by the law, by-laws or internal acts of the company.
(3) Personal data of respondents interested in employment in the Company are kept for the duration of the activity for which they are processed, but not longer than 2 (two) years.
The respondents’ consents given for contacting and other purposes, which are outside the scope of the legally prescribed basis for collecting personal data, are valid until revoked, and can be revoked at any time.
(1) Authorized persons for processing personal data process personal data based on the description of the work they perform. Persons authorized to process personal data sign a Confidentiality Statement, in which they undertake to maintain the confidentiality of all personal data to which they are authorized to access and process, and to use it exclusively for the purpose for which it is processed.
(2) When collecting any personal data, the employees of the Company are obliged to inform the respondent about the purpose and legal basis of the processing for which the data is intended.
V. RIGHTS OF RESPONDENT
(1) Right to rectification: if the Company processes personal data that is incomplete or incorrect, the respondent may at any time request the Company to correct or supplement it.
(2) Right to erasure: the respondent may request the erasure of his personal data if the Company processed them without a purpose or unlawfully.
(3) Right to restriction of processing: the respondent may request restriction of the processing of his data in the following cases:
- the respondent contests the accuracy of the personal data, for the period during which the data controller is allowed to check the accuracy of the personal data;
- the processing is illegal and the respondent opposes the deletion of personal data and instead requests a restriction of their use;
- the data controller no longer needs personal data for the purposes of processing, but the data subject requests them in order to establish, fulfill or defend legal claims;
- the respondent lodged an objection to the processing based on Article 21, paragraph 1 of the Regulation, awaiting confirmation as to whether the legitimate reasons of the data controller exceed those of the respondent.
(4) Right to data transfer (portability): the respondent may request the transfer of his personal data to another data processor in a structured and machine-readable format, if the Company processes such data on the basis of the respondent’s consent or for the purpose of fulfilling contractual obligations, and the processing is carried out by automated means.
(5) Right to object: The subject has the right, based on his particular situation, to lodge an objection to the processing of personal data relating to him at any time. The Company may no longer process personal data unless it proves that there are compelling legitimate reasons for the processing that go beyond the interests, rights and freedoms of the data subject or to establish, exercise or defend legal claims.
(6) Right to appeal: in the event that the respondent believes that the Company violated Croatian or European regulations on the protection of personal data during data processing, he has the right to receive an explanation and answers to questions related to the protection of personal data from the Company within 15 (fifteen) days from the delivery of the written complaint and inquiry to the Company. In the event that the respondent does not receive an answer/explanation within the deadline set on the basis of this paragraph, or, even after receiving the explanation/answer, still believes that the Company violates Croatian or European regulations on the protection of personal data when processing personal data, the respondent has the right to file a complaint with the Agency or another competent public authority and supervisory authority within the European Union.
(7) Exercise of rights: The Company’s legal representative will appoint the Company’s trustee as the personal data protection officer and the person who, apart from the Company as an employer, is authorized to monitor, collect, process, use and provide personal data. Before collecting personal data, the Company’s employees will inform the respondent about the identity of the Company’s commissioner for managing personal data protection and about the purpose of the processing for which the personal data is intended.
The Company is obliged to provide the following information to each respondent (or his legal representative or attorney) no later than 30 days after the submission of the request:
- identity and contact information of the controller;
- contact details of the controller’s commissioner for managing the protection of personal data;
- purpose of processing and legal basis for processing personal data;
- recipients or categories of recipients of personal data (if any);
- if applicable, the fact that the controller intends to transfer personal data to a third country on the basis of an adequacy decision in accordance with Article 45 of the Regulation.
If the respondent wishes to exercise any of the rights from Art. 12 of this Ordinance, he may address the person appointed under Article 12, paragraph 7 of this Ordinance, who is obliged to respond in writing within 30 days from the date of submission of the respondent’s request.
VI. PERSONAL DATA PROTECTION MEASURES
(1) The company is obliged to implement appropriate technical, personnel and organizational measures to enable the effective application of data protection principles, and in order to protect the collected data from accidental loss or destruction, from unauthorized access or unauthorized change, unauthorized publication and any other abuse.
(2) In the event that individual personal data is processed on behalf of the Company by a third party (processor), the obligation to comply with the rules on personal data protection prescribed by the Law and this Ordinance shall be stipulated in the contract with that processor.
(3) The obligation to comply with the rules on the protection of personal data from the previous paragraph is contracted with every legal or natural person who has access to personal data, when maintaining applications, that is, the Company’s information system.
(1) An employee authorized to process individual personal data who learns of a personal data breach is obliged to report it to the Company’s data protection officer (the controller’s commissioner).
(2) In the case where it is likely that a breach of personal data will cause a risk to the rights and freedoms of an individual, the controller’s commissioner and/or the director of the Company or the person authorized to do so shall, without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, notify the Personal Data Protection Agency (hereinafter: the Agency) of the personal data breach by submitting the Personal Data Breach Report form attached as Annex 2 to this Ordinance. In the event that the Company does not notify the Agency within 72 hours, it shall explain the reasons for the delay.
(3) In the case where it is likely that a breach of personal data will cause a risk to the rights and freedoms of an individual, the director of the Company or a person authorized to do so, shall notify the respondent of the breach without undue delay.
(4) The notification from paragraph 3 of this article is not mandatory if the Company has taken appropriate technical and organizational protection measures and applied them to the personal data that have been violated, and if it has taken subsequent measures to ensure that it is no longer likely that a high risk will occur for the rights and freedoms of the respondents.
(5) The processor, if any, is obliged to notify the Company without undue delay after becoming aware of a personal data breach.
(1) Personal data from Articles 3 and 4 of this Ordinance are considered business secrets, and employees who, on any basis, learn the data from Articles 3 and 4 of this Ordinance are authorized to use them exclusively for the performance of their employment obligations.
(2) Violation of the duty to keep business secrets from the previous paragraph is considered a particularly serious violation of the obligation from the employment relationship, which is a reason for the extraordinary termination of the employment contract.
(3) If property or non-property damage occurs to the Employer due to the unauthorized disclosure of information that is considered a business secret, the Employer will initiate proceedings for damages against the person who violated the duty of confidentiality.
VII. TRANSITIONAL AND FINAL PROVISIONS
These Rules are published on the Company’s notice board before they come into force, and they come into force and apply from May 25, 2018.