This Policy defines a responsible and transparent framework to ensure compliance with the General Data Protection Regulation.
This Policy applies to all organizational units of Zlaring d.o.o. (hereinafter referred to as the CONTROLLER), as well as all employees, including part time and temporary employees and all external service providers acting on behalf of the Controller.
The Controller is committed to conducting its business in compliance with all applicable laws, regulations and highest business ethics standards. This Policy presents the rules for expected conduct of Controller’s employees and service providers engaged in the collection, use, storage, transmission, disclosure or destruction of any personal data belonging to Controller’s employees, business partners, or any other natural persons. The purpose of this Policy is to standardize the protection of data subjects’ rights and freedoms by preserving the privacy of their personal data in all aspects of Controller’s business that involve personal data. This Policy defines that Zlaring d.o.o. will not disclose such personal data to any third parties without authorization and shall not act in any manner that may compromise them.
Principles of personal data processing
The Controller has adopted the following principles to be adhered to in the process of collecting, using, retaining, transmitting or destroying personal data:
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal data shall be processed in a lawful, fair and transparent manner in relation to the data subjects. This means that the Controller shall whenever appropriate notify the data subject of how it will process his data (transparency) and such data will be processed based solely on what is said (fairness) in accordance with the purpose defined by the applicable personal data protection law (lawfulness).
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that the Controller must clearly specify the purpose for which the personal data collected will be used and limit its personal data processing operations to those necessary to achieve such purposes.
Personal data collected shall be relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the Controller shall not collect, process or store any more personal data than absolutely necessary. ACCURACY
Personal data collected shall be accurate and kept up to date, which means that the Controller shall have procedures in place to detect and manage any obsolete, inaccurate or unnecessary personal data.
CAREFUL STORAGE OF DATA
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This means that the Controller shall whenever possible store personal data in a manner that limits or prevents data subject identification.
Personal data shall be processed and stored in a manner that ensures appropriate security against breaches such as unauthorised or unlawful processing and against accidental loss, destruction or damage. The Controller shall implement appropriate technological and organizational measures as described in the Personal Data Security Policy to ensure that personal data remain integral and confidential at all times.
PRIVACY EMBEDDED IN THE SYSTEM DESIGN
When designing new and reviewing and extending Controller’s existing systems and processes, it shall be ensured that these principles are complied with to protect data subjects’ privacy to the extent possible.
Rights of data subjects
All data subjects whose data are collected and processed by the Controller shall have the following rights:
RIGHT OF ACCESS TO INFORMATION
Each data subject shall have the right to obtain a copy of the data stored by the Controller for viewing purposes. In addition to the right to view his own data, the data subject shall also have the right to obtain the following information:
- the purposes and legal grounds of processing
- legitimate interest, if the processing is based on it
- the types and categories of the personal data collected
- any third parties to whom such data may be forwarded
- the data retention period
- the source of the personal data, if not collected from the data subject
All information shall be provided to the data subject by using plain and simple language to ensure that it is understood, and must be clearly identified and visible to avoid being overlooked by the data subject.
The provision of such information to the data subject may reveal information about another person. In such cases, the data must be anonymized or completely denied to protect the rights of such person.
To exercise the right of access, the data subject or his legal representative or proxy may submit a written request to obtain information in connection with the processing of his personal data using the contact particulars provided below:
Mailing address: Zlaring d.o.o., Avenija Dubrovnik 24, 10020 Novi Zagreb
RIGHT TO RECTIFICATION
Each data subject shall have the right to rectification of any inaccurate or incomplete data stored by the Controller.
RIGHT TO BE FORGOTTEN
A data subject may request that his data be erased. Such request shall be considered and shall be granted if it is not contrary to the legal grounds of personal data processing, i.e. if any of the following grounds apply:
the personal data are no longer necessary in relation to the purposes for which they were collected, the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing, the data subject objects to the processing and there are no overriding legitimate grounds for the processing, the personal data have been unlawfully processed, the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject, the personal data have been collected in relation to the offer of information society services.
RIGHT TO RESTRICTION OF PROCESSING
The data subject shall have the right to restriction of the scope of processing where applicable.
RIGHT TO DATA PORTABILITY
The data subject shall have the right to receive a copy of his data for the purpose of transmitting them to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1);
- the processing is carried out by automated means;
- the personal data may be transmitted directly from one controller to another, where technically feasible;
- the exercise of the right is without prejudice to Article 17 („Right to be forgotten“); and - the right does not adversely affect the rights and freedoms of others.
RIGHT TO OBJECT
The data subject shall have the right to object, in particular where processing is based on Controller’s legitimate interest. In such case, the purpose of processing must be reviewed and its legal grounds need to be established and, where applicable, the data subject must be allowed to withdraw his consent to data processing and /or demand that his data no longer be processed.
RIGHT TO ASSESSMENT
The data subject shall have the right to request from a supervisory authority to make an assessment of whether or not the Regulation or Controller’s internal policies are being violated.
RIGHT TO OBJECT TO PROFILING
The data subject shall have the right to object to automated profiling and other forms of automated decision-making.
In case the Controller rejects a data subject’s request, the response must state the reason for such rejection and the data subject may submit a complaint with regard thereto to the competent personal data protection authority: Personal Data Protection Agency (AZOP), Marticeva ulica 14, 10000 Zagreb.
The legal grounds for the collection and processing of personal data of data subjects are as follows:
The laws concerning the obliged entity’s conduct of business define the datasets necessary to comply with such legal obligation. The Controller shall not request data subject’s consent for collecting and processing data defined by such laws, however, it shall only collect data defined by such laws and shall not use them for any other purposes. This shall in particular apply to data collected pursuant to the following laws and the relevant ordinances, including but not limited to:
- Accounting Act
- Value Added Tax Act
- Personal Income Tax Act
- Labor Act
- Content and Maintenance of Employee Records Ordinance
- Occupational Safety Act
- Flammable Liquids and Gases Act
- Building Code
PERFORMANCE OF CONTRACTUAL OBLIGATIONS
The Controller shall collect personal data necessary to perform a contractual obligation without data subject’s consent, to the extent necessary to perform such obligation.
The Controller shall disclose a list of its legitimate interests based on which it collects and processes personal data to allow the supply and/or improvement of its services or products.
PROTECTION OF DATA SUBJECT’S VITAL INTERESTS
The Controller may collect and process personal data without data subject’s consent if this is done to protect his vital interests.
PUBLIC INTEREST OR EXERCISE OF OFFICIAL AUTHORITY VESTED IN THE CONTROLLER
Where Controller’s activities include acting in the public interest or if data processing is based on any other form of official authority, it shall not always be necessary to notify the data subject of such personal data collection.
In all other cases, the Controller shall request data subject’s consent to personal data collection and processing, which shall clearly specify the purpose of processing. The data subject may at any time withdraw his consent and his data must then be automatically erased and the processing must end. The Controller shall maintain records of effective and withdrawn consents to ensure that its business is compliant.
The Controller hereby discloses the following legitimate interests:
FACILITY SERVICING AND MAINTENANCE SERVICE – installers and servicers
ZLARING D.O.O. SERVICES AND MAINTAINS MECHANICAL EQUIPMENT AND HVAC INSTALLATIONS.
SOME OF THESE BUILDINGS ARE PROTECTED BY THE MINISTRY OF CULTURE AND ALSO INCLUDE HEALTHCARE FACILITIES, TOURISM FACILITIES, SPORTING FACILITIES AND DATA CENTERS WHERE ACCESS IS SUBJECT TO PERSONAL IDENTIFICATION.
TO ALLOW ITS PERSONS ACCESS AND PERFORMANCE OF THEIR TASKS AND TO BE ABLE TO PROVIDE THE AGREED SERVICE, ZLARING D.O.O. MUST NOTIFY IN ADVANCE THE PERSONS WHO SHALL BE PROVIDING THE SERVICE BY USING THEIR FOLLOWING PERSONAL DATA: NAME, PIN OR IDENTITY CARD NUMBER.
FACILITY SERVICING AND MAINTENANCE SERVICE – gas installers
ZLARING D.O.O. PROVIDES GAS INSTALLATION INSPECTION SERVICES. THIS SERVICE REQUIRES A LICENSED GAS INSTALLER.
THE COMPANY EMPLOYS 3 LICENSED GAS INSTALLERS WHOSE DATA AND CERTIFICATES OF TRAINING IT IS REQUIRED TO PRESENT TO THE CITY GASWORKS TO DEMONSTRATE THAT THEY ARE LICENSED TO PROVIDE SUCH SERVICES: certificate of final exam or graduation/ professional exam / license to practice.
ZLARING D.O.O. APPLIES FOR PRIVATE AND PUBLIC TENDERS.
TO BE ELIGIBLE, IT MUST PROVIDE ALL REQUIRED DOCUMENTATION, INCLUDING BUT NOT LIMITED TO EMPLOYEES’ IDENTIFICATION DOCUMENTS. TO DEMONSTRATE THEIR TRAINING AND HEALTH REQUIRED FOR THE WORK THEY PERFORM, THE FOLLOWING DOCUMENTS MUST BE PROVIDED:
- CERTIFICATE OF FINAL EXAM, GRADUATION OR PROFESSIONAL EXAM/LICENSE TO PRACTICE
- HEALTH CERTIFICATE
The data subject shall have the right to object to the processing of personal data based on these legitimate interests.
Definition of terms
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation whereby the European Parliament, Council of the European Union and European Commission aim to reinforce and integrate the processes of protecting personal data of all natural persons within the European Union (EU). The Regulation also applies to the export of personal data from the EU.
An entity that determines the purposes, terms and means of the processing of personal data.
An entity which processes personal data on behalf of the controller.
PERSONAL DATA PROTECTION AGENCY
A state agency responsible for protecting data and privacy, supervising the Regulation application processes, and actively implementing the Data Protection Regulation within the European Union.
DATA PROTECTION OFFICER
A data protection professional acting autonomously to ensure that the entity acts in compliance with the policies and procedures defined pursuant to the Regulation.
A natural person whose personal data are processed by a controller or processor.
Any information relating to a natural person (data subject) which may be used to identify a person directly or indirectly, such as a name, an identification number, phone number, location data, an e-mail address comprising a name, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PERSONAL DATA PROCESSING
Any operation which is performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Any automated data processing for the purpose of evaluating, analyzing or predicting data subject’s behavior.
RIGHT OF ACCESS BY THE DATA SUBJECT
Also referred to as the ‘right of access’, it allows the data subject to access personal data concerning him, which are held by the controller.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
General Data Protection Regulation Implementing Act, Official Gazette No 42/2018