I. INTRODUCTORY PROVISIONS
The General Data Protection Regulation or GDPR (EU General Data Protection Regulation) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
With this Personal Data Management and Privacy Protection Policy (hereinafter: “Policy”), the Company’s Management expresses the Company’s position regarding the protection of personal data; it defines the rules, methods of collection and use of personal data, as well as the rights of individuals to the protection of such data.
The personal data collected and processed by the Company in its operations are considered confidential information and must be handled with special care and processed exclusively for the purposes for which they were collected.
II. SCOPE OF APPLICATION
This Policy applies to all types of data processing carried out within the Company, regardless of the place of collection.
III. DEFINITIONS
Personal data – any information relating to an identified or identifiable natural person (individual); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of that natural person.
Data subject – a natural person (individual) whose identity can be determined directly or indirectly, in particular on the basis of a name, identification number, location data, online identifier, or by one or more characteristics specific to that person’s physical, physiological, mental, economic, cultural, or social identity.
Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Special categories of personal data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation.
Data concerning health – personal data related to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about their health status.
Controller – a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
Processor – a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Third party – a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Recipient – a natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with applicable data protection rules according to the purposes of the processing.
Consent of the data subject – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data protection – protection against personal data breaches, meaning breaches of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
IV. PURPOSE AND LEGAL BASIS FOR PERSONAL DATA PROCESSING
The Company collects and processes personal data because they are necessary for the performance of activities conducted by the Company, whether it involves taking actions at the request of a client before entering into a business relationship or performing services arising from such a relationship. The specific data collected and further processed depend on the services requested and contracted.
The collected data are processed exclusively for the purpose for which they were provided, and may be based on one of the following legal grounds:
V. PROCESSING BASED ON CONSENT
The processing of personal data may be based on the data subject’s consent. In such cases, the Company must be able to demonstrate that the data subject has given consent for the processing of their personal data.
The data subject gives consent through a clear affirmative action expressing voluntary, specific, informed, and unambiguous agreement to the processing of personal data relating to them for specified purposes.
The request for consent must be presented to the data subject in a manner that is clearly distinguishable from other matters, in an understandable and easily accessible form, using clear and simple language.
The data subject has the right to withdraw their consent at any time; however, this does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the Company is obliged to inform the data subject of their right to withdraw consent, and the withdrawal must be as easy as giving consent. Consent can only serve as a valid legal basis if it is genuinely voluntary and the data subject can refuse without negative consequences.
VI. PRINCIPLES OF PERSONAL DATA PROCESSING
The principles of personal data processing are:
VII. RIGHTS OF THE DATA SUBJECT
Right to transparency – before collecting personal data, the data subject must be provided with clear information in an understandable and easily accessible manner about the purpose of processing, legal basis, type of processing, expected storage period or criteria used to determine the period, rights of the data subject, and any recipients of data.
The data subject must also be informed whether providing personal data is a legal or contractual obligation or a requirement necessary for entering into a contract, and the possible consequences of not providing such data.
Information is provided in writing, as a document, or electronically whenever possible. At the request of the data subject, information can also be provided orally, provided that the subject’s identity has been verified by other means.
If the data subject is a minor, the Company must take all necessary measures to ensure the minor clearly understands the consequences of data processing. The collection and processing of personal data of minors must always be approached with particular care, using clear and simple language, and guided by the highest ethical standards.
Right of access – the data subject has the right to obtain confirmation from the Company as to whether personal data concerning them are being processed and, where that is the case, access to those data and information related to personal data protection.
Right to rectification – the data subject has the right to have inaccurate personal data corrected without undue delay. Considering the purpose of processing, the data subject has the right to have incomplete personal data completed.
Where appropriate, the Company may request proof supporting the accuracy of the request.
The Company shall notify each recipient to whom personal data have been disclosed of any rectification, unless this proves impossible or would involve a disproportionate effort. Upon request, the Company shall inform the data subject about those recipients.
Right to erasure (“right to be forgotten”) – the data subject has the right to request the deletion of personal data concerning them, and the Company shall fulfil a justified request without undue delay.
However, the Company will consider all circumstances, taking into account legal obligations and other cases provided under the GDPR that prevent the deletion of certain personal data.
The Company shall notify each recipient to whom personal data have been disclosed of any erasure, unless this proves impossible or would involve a disproportionate effort. Upon request, the Company shall inform the data subject about such recipients.
Right to restriction of processing – the data subject has the right to obtain restriction of processing where the accuracy of data is contested, processing is unlawful, the Company no longer needs the data, or the data subject objects to processing based on legitimate interests.
Right to data portability – the data subject has the right to receive their personal data provided to the Company in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance, where processing is based on consent or contract and carried out by automated means.
The right to data portability shall not adversely affect the rights and freedoms of others.
Right to object – the data subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them.
Following an objection, the Company shall no longer process the data unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.
Right not to be subject to automated decision-making, including profiling – the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Right to withdraw consent – the data subject has the right to withdraw consent at any time if processing is based on consent. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Right to compensation and liability – any data subject who has suffered material or non-material damage as a result of a violation of data protection provisions has the right to receive compensation from the controller or processor for the damage suffered.
VIII. EXERCISING RIGHTS
A data subject may exercise any of the above rights through the contact information published on the Company’s website or by filing a complaint with the national supervisory authority.
The supervisory authority is the Croatian Personal Data Protection Agency (AZOP), Martićeva ulica 14, 10000 Zagreb, Croatia, e-mail: azop@azop.hr, tel: +385 (0)1 4609-000.
Before acting on a request, the Company may require the requester to provide additional information necessary to confirm their identity.
The Company will provide a response without undue delay and no later than one month from the receipt of the request. This period may be extended by two additional months where necessary, considering the complexity and number of requests. In the case of an extension, the Company will notify the data subject within one month of receiving the request, providing reasons for the delay.
If the Company does not act on the request, it shall inform the data subject without delay of the reasons and the possibility of lodging a complaint with the supervisory authority and seeking judicial remedy.
Information shall be provided free of charge. However, if requests are manifestly unfounded or excessive, especially because of their repetitive nature, the Company may:
a) charge a reasonable fee considering administrative costs, provided the requester is informed beforehand; or
b) refuse to act on the request.
IX. OBLIGATION OF CONFIDENTIALITY
All Company employees must adhere to the rules defined in this Policy and must respect the confidentiality and privacy of individuals. Accordingly, all employees and other persons who, on any basis, perform tasks for the Company and may directly or indirectly come into contact with personal data must protect the confidentiality and privacy of individuals both during their engagement and after its termination, and must not make such data available or disclose it to anyone.
If, despite all precautionary measures, personal data come into the possession of unauthorised persons, the employee must immediately notify their direct supervisor and the Company’s director and take all necessary steps to prevent harm to the individual concerned, as well as potential harm to the Company.
The Company may enter into legal relationships with other legal or natural persons who do not act as joint controllers or processors. In such relationships, personal data may be exchanged. In all such cases, the Company requires confidentiality and protection of personal data.
X. INFORMATION ON DATA PROCESSING
If personal data are collected directly from the data subject, the Company ensures that the subject is provided with information about the processing procedure, purpose, and additional relevant information, taking into account the circumstances and context of processing in accordance with principles of fair and transparent processing.
When, due to the nature of operations, personal data are not collected directly from the data subject, the Company shall provide all necessary information to the entity collecting such data by delivering this Policy and the document “Information on Privacy and Personal Data Protection,” so that the entity may inform the data subjects accordingly.
XI. RECORD-KEEPING AND DATA RETENTION
The Company ensures the recording and retention of personal data subject to processing in accordance with internal acts and regulations governing its business activities.
Given the Company’s business activity, personal data are adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
XII. SECURITY OF PROCESSING AND BREACH REPORTING
Considering technical possibilities and the nature, scope, context, and purposes of processing, including risks of varying likelihood and severity for the rights and freedoms of individuals, the Company applies appropriate physical, technical, and organisational measures to ensure an adequate level of security.
Despite appropriate measures taken to prevent personal data breaches, such breaches cannot be entirely excluded.
Organisationally, the Company ensures that personal data are accessible only to authorised persons and only to the extent necessary for the performance of their duties.
Technically, the Company uses reliable IT service providers who are obliged to apply high standards of information security to protect personal data and ensure the required level of processing security.
In the event of a personal data breach, the Company will, without undue delay and no later than 72 hours after becoming aware of it, notify the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
The Company documents all personal data breaches, including facts about the breach, consequences, and measures taken to remedy the damage.
XIII. DATA PROTECTION OFFICER
The Company may appoint a Data Protection Officer or engage an employee who will be appropriately and timely involved in all matters concerning personal data protection.
If appointed, the Data Protection Officer’s tasks include informing and advising Company personnel on their legal obligations, monitoring compliance with data protection regulations, and overseeing the implementation of such obligations.
XIV. MEASURES AND COOPERATION
The Company shall take all necessary measures to address weaknesses identified during audits that may affect compliance with personal data protection obligations.
The Company is obliged to cooperate with the Croatian supervisory authority (AZOP) or any other competent authority. The Company shall require its processors to cooperate with supervisory authorities whenever necessary.
XV. FINAL PROVISIONS
This Policy shall be interpreted in accordance with the GDPR and the applicable legislation of the Republic of Croatia relating to personal data protection.
For any disputes arising from violations of personal data protection, the applicable law is that of the Republic of Croatia, and the competent court is the court having jurisdiction over the Company’s registered seat.
If any provision of this Policy is found to be invalid, it shall be replaced with a provision that best reflects the intention that the Company sought to achieve with the invalid provision.
This Policy enters into force on 25 May 2018.
Zagreb, 24 May 2018.
Centar za zaštitu na radu d.o.o.
Technical testing and analysis
Zagreb, Milke Trnine 3
OIB: 36430717123
Ivan Krmek, Director