Information on processing natural persons' personal data in dealings with business entities
Labud d.o.o. (hereinafter "the Company") pays special attention to the protection of personal data, respects the privacy of employees, visitors, business partners and all other natural persons (data subjects) whose data is being processed, and it undertakes to treat all personal data as confidential information and a business secret. The Company processes data in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018) and other relevant regulations applicable in the Republic of Croatia.
With its Personal Data Protection Policy, the Company intends to provide all natural persons (data subjects) with clear information on personal data processing and protection and provide them with simple control and management over their personal data and consents.
I. Principles of personal data processing
1. Lawfulness, fairness and transparency
When processing personal data, we act in accordance with the legal regulations and within they prescribes by providing all information in a clear and easily accessible way and by applying all measures for the protection of personal data.
2. Purpose limitation
We collect and process personal data only for specified and legitimate purposes and we do not process them in a manner that is incompatible with the purposes for which they were collected.
3. Data minimization
We always use only that data of natural persons (data subjects) which is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Data accuracy
The personal data we process must be accurate, complete and up to date, and it is important that the natural person (data subject) notifies us of any changes to personal information immediately or as soon as possible.
5. Storage limitation
We store and process personal data no longer than is necessary to fulfill the specific legitimate purpose, unless the applicable regulations provide for a longer or shorter period of time or, in other cases, it is explicitly prescribed by law. After that, the data is permanently deleted.
6. Integrity and confidentiality
We process personal information in a safe manner, including the protection against unauthorized or unlawful processing and protection from accidental loss, destruction or damage by applying appropriate technical and organizational protection measures.
II. Purpose of collecting personal data
We collect personal data for special, explicit and legitimate purposes, and they shall not be processed in a way that is not in accordance with these purposes. The activities that the Company conducts with personal data are detailed in the document Record of Processing Activities, which include:
- the name and contact details of the controller, if applicable, of the joint controller and the data protection officer;
- the processing purposes;
- a description of the data subject categories and personal data categories;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures.
III. Consent
It is considered that the data subject has given consent to personal data processing if he or she has clearly and unambiguously given approval for processing of personal data relating to him or her. Consent is given in the form of a statement or a clear affirmative action.
The Company enables natural persons (data subjects) to give or withdraw consent in a simple way at any time.
The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.
Without consent, personal data may be collected and processed solely in the cases specified by the General Data Protection Regulation and the law.
- signing of confidentiality statements,
- implementation of measures for adequate physical protection of computer and telecommunication equipment that stores, processes and transmits personal data;
- conducting regular inspection of security and personal data protection measures;
- entering into agreements with processors that provide sufficient guarantees regarding the accomplishment of appropriate technical, organizational and personnel protection measures relating to personal data;
- continuous education of employees;
- appointing a Personal Data Protection Officer.
IV. Personal Data Protection
The Company uses various technical and organizational measures to protect the data of natural persons (data subjects) from unauthorized access of persons inside and outside of the Company, alteration, loss and any other violation and misuse of data. These measures, inter alia, include the following:
- signing of confidentiality statements,
- implementation of measures for adequate physical protection of computer and telecommunication equipment that stores, processes and transmits personal data;
- conducting regular inspection of security and personal data protection measures;
- entering into agreements with processors that provide sufficient guarantees regarding the accomplishment of appropriate technical, organizational and personnel protection measures relating to personal data;
- continuous education of employees;
- appointing a Personal Data Protection Officer.
VI. Rights of natural persons (data subjects)
1. The right to information
At the moment of collecting personal data from a natural person (data subject), the Company provides the person with the information about the identity and contact details of the controller, the contact details of the Data Protection Officer and details on the purpose and legal basis of the processing.
2. The right to access
A natural person (data subject) has the right to receive confirmation from the Company whether his/her personal data are being processed and (if such personal data is being processed) access to such data and the information on the purpose of processing.
3. The right to rectification
A natural person (data subject) has the right to obtain the rectification of incorrect personal data concerning him/her from the Company and the right to have incomplete personal data completed.
3. The right to rectification
A natural person (data subject) has the right to obtain the rectification of incorrect personal data concerning him/her from the Company and the right to have incomplete personal data completed.
4. The right to erasure ("right to be forgotten")
A natural person (data subject) has the right to obtain the erasure of personal data relating to him/her, without undue delay and under the conditions set out in the General Data Protection Regulation.
5. The right to restriction of processing
A natural person (data subject) may exercise the right to restriction of processing in cases where it is not clear whether or when the personal data will have to be deleted.
This right can be exercised when:
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the data are no longer needed for the original purpose, but they are required by the data subject for the purpose of realizing legal claims;
- the data subject has objected to the processing, the processing is restricted until the decision on the objection has been made.
6. The right to data portability
A natural person (data subject) has the right to obtain the erasure of personal data relating to him/her, without undue delay and under the conditions set out in the General Data Protection Regulation.
A natural person (data subject) has the right to receive the personal data relating to him or her, that he or she has provided to the Company in a structured, commonly used and machine-readable format, and he or she has the right to transmit those data to another controller where the processing is based on consent or on a contract and has been carried out by automated means.
Exercising of the right
A natural person (data subject) may exercise the rights specified under item VI by requesting, that is, by submitting a corresponding request to the e-mail address osobni.podaci@meteor-grupa.hr, to the mailing address: Labud d.o.o., Radnička cesta 173/r, 10 000 Zagreb, with the indication "Attn. Personal Data Protection Officer" or to the phone number +385 (0)1 6460 235.
If the natural person (data subject) suspects a violation of his or her personal data, he or she shall report his or her suspicion in writing to the Personal Data Protection Officer's e-mail address: osobni.podaci@meteor-grupa.hr, to the mailing address: Labud d.o.o., Radnička cesta 173/r, 10 000 Zagreb, with the indication "Attn. Personal Data Protection Officer" or to the phone number +385 (0)1 6460 235.
The supervisory body for monitoring the implementation of the General Data Protection Regulation and submission of objections is the Personal Data Protection Agency www.azop.hr.
VII. Final provisions
The Personal Data Protection Policy applies from 25 May 2018, and it is available on the website of the Labud d.o.o. company and on the Company intranet.
Zagreb, 25 May 2018