Introduction
This Policy defines a responsible and transparent framework to ensure compliance with the General
Data Protection Regulation.
This Policy applies to all organizational units of Zlaring d.o.o. (hereinafter referred to as the
CONTROLLER), as well as to all employees, including part-time and temporary employees, and to all
external service providers acting on behalf of the Controller.
Policy Statement
The Controller is committed to conducting its business in compliance with all applicable laws,
regulations and the highest standards of business ethics. This Policy presents the rules for the expected
conduct of Controller’s employees and service providers engaged in the collection, use, storage,
transmission, disclosure or destruction of any personal data belonging to Controller’s employees,
business partners, or any other natural persons. The purpose of this Policy is to standardize the
protection of data subjects’ rights and freedoms by preserving the privacy of their personal data in
all aspects of Controller’s business that involve personal data. This Policy defines that Zlaring
d.o.o. will not disclose such personal data to any third parties without authorization and shall not
act in any manner that may compromise them.
Principles of personal data processing
The Controller has adopted the following principles to be adhered to in the process of collecting,
using, retaining, transmitting or destroying personal data:
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal data shall be processed in a lawful, fair and transparent manner in relation to the data
subjects. This means that the Controller shall, whenever appropriate, notify the data subject of how
it will process his data (transparency), shall process such data solely in the manner so notified
(fairness), and shall do so in accordance with the purpose defined by the applicable personal data
protection law (lawfulness).
PURPOSE LIMITATION
Personal data shall be collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes. This means that the Controller must
clearly specify the purpose for which the personal data collected will be used and limit its
personal data processing operations to those necessary to achieve such purposes.
DATA MINIMIZATION
Personal data collected shall be relevant and limited to what is necessary in relation to the
purposes for which they are processed. This means that the Controller shall not collect, process or
store any more personal data than absolutely necessary.
ACCURACY
Personal data collected shall be accurate and kept up to date, which means that the Controller shall
have procedures in place to detect and manage any obsolete, inaccurate or unnecessary personal
data.
CAREFUL STORAGE OF DATA
Personal data shall be kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed. This means that the
Controller shall whenever possible store personal data in a manner that limits or prevents data
subject identification.
DATA SECURITY
Personal data shall be processed and stored in a manner that ensures appropriate security against
breaches such as unauthorised or unlawful processing and against accidental loss, destruction or
damage. The Controller shall implement appropriate technological and organizational measures as
described in the Personal Data Security Policy to ensure that personal data remain integral and
confidential at all times.
PRIVACY EMBEDDED IN THE SYSTEM DESIGN
When designing new systems and processes, and when reviewing or extending the Controller’s existing
ones, it shall be ensured that these principles are complied with so as to protect data subjects’
privacy to the extent possible.
Rights of data subjects
All data subjects whose data are collected and processed by the Controller shall have the following
rights:
RIGHT OF ACCESS TO INFORMATION
Each data subject shall have the right to obtain a copy of the data stored by the Controller for
viewing purposes. In addition to the right to view his own data, the data subject shall also have
the right to obtain the following information:
- the purposes and legal grounds of processing
- legitimate interest, if the processing is based on it
- the types and categories of the personal data collected
- any third parties to whom such data may be forwarded
- the data retention period
- the source of the personal data, if not collected from the data subject
All information shall be provided to the data subject in plain and simple language to ensure that it
is understood, and must be clearly identified and visible so that it is not overlooked by the data
subject.
The provision of such information to the data subject may reveal information about another person.
In such cases, the data must be anonymized or completely denied to protect the rights of such
person.
To exercise the right of access, the data subject or his legal representative or proxy may submit a
written request to obtain information in connection with the processing of his personal data using
the contact particulars provided below:
E-mail: zlaring@zlaring.hr
Mailing address: Zlaring d.o.o., Avenija Dubrovnik 24, 10020 Novi Zagreb
RIGHT TO RECTIFICATION
Each data subject shall have the right to rectification of any inaccurate or incomplete data stored
by the Controller.
RIGHT TO BE FORGOTTEN
A data subject may request that his data be erased. Such request shall be considered and shall be
granted if it is not contrary to the legal grounds of personal data processing, i.e. if any of the
following grounds apply:
- the personal data are no longer necessary in relation to the purposes for which they were
collected;
- the data subject withdraws the consent on which the processing is based and there is no other
legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the
processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State
law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services.
RIGHT TO RESTRICTION OF PROCESSING
The data subject shall have the right to restriction of the scope of processing where
applicable.
RIGHT TO DATA PORTABILITY
The data subject shall have the right to receive a copy of his data for the purpose of transmitting
them to another controller without hindrance from the controller to which the personal data have
been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article
9(2) or on a contract pursuant to point (b) of Article 6(1);
- the processing is carried out by automated means;
- the personal data may be transmitted directly from one controller to another, where technically
feasible;
- the exercise of the right is without prejudice to Article 17 (“Right to be forgotten”); and
- the right does not adversely affect the rights and freedoms of others.
RIGHT TO OBJECT
The data subject shall have the right to object, in particular where processing is based on
Controller’s legitimate interest. In such case, the purpose of processing must be reviewed and its
legal grounds need to be established and, where applicable, the data subject must be allowed to
withdraw his consent to data processing and/or demand that his data no longer be processed.
RIGHT TO ASSESSMENT
The data subject shall have the right to request from a supervisory authority to make an assessment
of whether or not the Regulation or Controller’s internal policies are being violated.
RIGHT TO OBJECT TO PROFILING
The data subject shall have the right to object to automated profiling and other forms of automated
decision-making.
In case the Controller rejects a data subject’s request, the response must state the reason for such
rejection and the data subject may submit a complaint with regard thereto to the competent personal
data protection authority: Personal Data Protection Agency (AZOP), Marticeva ulica 14, 10000
Zagreb.
Legal grounds
The legal grounds for the collection and processing of personal data of data subjects are as
follows:
LEGAL OBLIGATION
The laws governing the obliged entity’s conduct of business define the datasets necessary to comply
with such legal obligations. The Controller shall not request the data subject’s consent for collecting
and processing data defined by such laws; however, it shall only collect the data defined by such laws
and shall not use them for any other purposes. This shall in particular apply to data collected
pursuant to the following laws and the relevant ordinances, including but not limited to:
- Accounting Act
- Value Added Tax Act
- Personal Income Tax Act
- Labor Act
- Content and Maintenance of Employee Records Ordinance
- Occupational Safety Act
- Flammable Liquids and Gases Act
- Building Code
PERFORMANCE OF CONTRACTUAL OBLIGATIONS
The Controller shall collect personal data necessary to perform a contractual obligation without
data subject’s consent, to the extent necessary to perform such obligation.
LEGITIMATE INTEREST
The Controller shall disclose a list of its legitimate interests based on which it collects and
processes personal data to allow the supply and/or improvement of its services or products.
PROTECTION OF DATA SUBJECT’S VITAL INTERESTS
The Controller may collect and process personal data without data subject’s consent if this is done
to protect his vital interests.
PUBLIC INTEREST OR EXERCISE OF OFFICIAL AUTHORITY VESTED IN THE CONTROLLER
Where Controller’s activities include acting in the public interest or if data processing is based
on any other form of official authority, it shall not always be necessary to notify the data subject
of such personal data collection.
CONSENT
In all other cases, the Controller shall request data subject’s consent to personal data collection
and processing, which shall clearly specify the purpose of processing. The data subject may at any
time withdraw his consent and his data must then be automatically erased and the processing must
end. The Controller shall maintain records of effective and withdrawn consents to ensure that its
business is compliant.
Legitimate interest
The Controller hereby discloses the following legitimate interests:
FACILITY SERVICING AND MAINTENANCE SERVICE – installers and servicers
Zlaring d.o.o. services and maintains mechanical equipment and HVAC installations.
Some of the buildings it services are protected by the Ministry of Culture, and they also include
healthcare facilities, tourism facilities, sporting facilities and data centers where access is
subject to personal identification.
To allow its personnel access and the performance of their tasks, and to be able to provide the
agreed service, Zlaring d.o.o. must announce in advance the persons who will be providing the
service, using the following personal data of theirs: name, PIN or identity card number.
FACILITY SERVICING AND MAINTENANCE SERVICE – gas installers
Zlaring d.o.o. provides gas installation inspection services. This service requires a licensed gas
installer.
The company employs 3 licensed gas installers whose data and certificates of training it is required
to present to the city gasworks to demonstrate that they are licensed to provide such services:
certificate of final exam or graduation / professional exam / license to practice.
TENDERS
Zlaring d.o.o. applies for private and public tenders.
To be eligible, it must provide all required documentation, including but not limited to employees’
identification documents. To demonstrate the training and health required for the work they
perform, the following documents must be provided:
- certificate of final exam, graduation or professional exam / license to practice
- health certificate
The data subject shall have the right to object to the processing of personal data based on these
legitimate interests.
Definition of terms
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation whereby the
European Parliament, Council of the European Union and European Commission aim to reinforce and
integrate the processes of protecting personal data of all natural persons within the European Union
(EU). The Regulation also applies to the export of personal data from the EU.
CONTROLLER
An entity that determines the purposes, terms and means of the processing of personal data.
PROCESSOR
An entity which processes personal data on behalf of the controller.
PERSONAL DATA PROTECTION AGENCY
A state agency responsible for protecting data and privacy, supervising the Regulation application
processes, and actively implementing the Data Protection Regulation within the European
Union.
DATA PROTECTION OFFICER
A data protection professional acting autonomously to ensure that the entity acts in compliance with
the policies and procedures defined pursuant to the Regulation.
DATA SUBJECT
A natural person whose personal data are processed by a controller or processor.
PERSONAL DATA
Any information relating to a natural person (data subject) which may be used to identify that person
directly or indirectly, such as a name, an identification number, a phone number, location data, an
e-mail address comprising a name or an online identifier, or by reference to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of
that natural person.
PERSONAL DATA PROCESSING
Any operation which is performed on personal data, whether or not by automated means, including
collection, use, recording, etc.
PROFILING
Any automated data processing for the purpose of evaluating, analyzing or predicting data subject’s
behavior.
RIGHT OF ACCESS BY THE DATA SUBJECT
Also referred to as the ‘right of access’, it allows the data subject to access personal data
concerning him, which are held by the controller.
Legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
General Data Protection Regulation Implementing Act, Official Gazette No 42/2018