VULKANIZACIJA PASARIĆ d.o.o. — during the conduct of all its business processes — places great importance on information security management, taking into account the requirements and expectations of all interested parties.
The management of VULKANIZACIJA PASARIĆ d.o.o. commits that through continuous investment in employee knowledge, establishing a framework for achieving high information security goals, planning, implementing and continuously monitoring the information security management system, complying with all legislative and regulatory requirements as well as all contractual obligations and professional standards:
- all information received from all interested parties will be treated at the highest security level in terms of their protection;
- information will be protected from any unauthorized access;
- confidentiality of information will be ensured;
- integrity of information will be maintained;
- availability of information for business processes will be ensured and monitored;
- legislative and regulatory requirements will be met;
- business continuity plans will be regularly maintained and tested;
- information security training will be available to all employees;
- all actual and suspected security breaches will be processed and thoroughly investigated.
DEFINITIONS
Process Owner: a person appointed by an authorized person in the Organization, who is responsible within a defined scope for monitoring and ensuring compliance of personal data processing with the Data Protection Regulation. Each Process Owner may, in accordance with their authority, appoint another Process Owner depending on needs and the managerial role they hold within their specific function and department. Such appointment must specify the tasks for which the delegated person is responsible.
Advisor: a person/function whose primary role is to provide advice and support on matters related to compliance with the Data Protection Regulation.
User: a person who, as an employee or associate of the Organization, is involved in any procedure relating to personal data processing in the course of their work duties.
Data Subject: a natural (and where specifically provided — legal) person whose personal data is processed by the Organization or any of its bodies.
“Personal Data”: all data relating to an individual whose identity is established or can be established (“data subject”); an identifiable individual is a person who can be identified directly or indirectly, in particular by reference to identifiers such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Special Categories of Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, and data related to criminal or misdemeanor proceedings.
Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the implementation of logical, mathematical and other operations on personal data or sets of personal data.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s work performance, economic situation, creditworthiness, health, personal preferences, interests, reliability, behavior, location or movements.
Consent for Processing: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. This could include ticking a checkbox when visiting a website, or a statement or behavior that clearly indicates that the data subject accepts the proposed processing of their personal data. Silence, a pre-ticked box or inaction should therefore not constitute consent.
Data Processor: a subject (organization or individual, administrative or other body) that processes personal data on behalf of the data controller. Data Processors are entities outside the Organization that process data on behalf of the latter. Entities within the Organization may also act as data processors when they carry out processing activities on behalf of a client or another entity.
Platform: an automated tool that enables the Organization’s entities to fulfill the requirements of the General Data Protection Regulation, including but not limited to creating and updating the Data Register, notifications and audits, privacy impact assessments, and personal data breach notification.
Sub-processor: a subject (organization or individual) appointed by the data processor to carry out processing of personal data on behalf of the data controller, supervised by the data processor. Sub-processors are entities outside the Organization that process data on behalf of the Organization’s clients.
Data Controller: a subject (organization or individual, administrative or other body) that, alone or jointly with others, determines the purposes and means of processing personal data.
Personal Data Breach: a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Supervisory Authority: the national supervisory authority for personal data protection that is competent for a given matter. Different Supervisory Authorities may be competent for matters relating to the Organization’s entities, depending on the specifics of each case.
Organization Entities: depending on context, collectively the Organization’s entities operating in the EU, which may act as controllers or processors for a given processing activity, depending on the case.
RULES FOR ADEQUATE PROCESSING OF PERSONAL DATA
PROCESSING OF PERSONAL DATA
General Principles of Personal Data Processing
Personal data may be processed, with certain exceptions, for the purposes specified in the privacy notice given to a particular data subject.
Personal data:
- must be processed lawfully, fairly and transparently;
- must be collected and recorded for specified, explicit and legitimate purposes and used in processing operations compatible with those purposes;
- must be accurate and, where necessary, kept up to date;
- must be adequate, relevant and not excessive in relation to the purposes for which they are collected and processed;
- must be stored in a form that allows identification of the data subject for no longer than is necessary for the purposes for which they were collected and processed; and
- must be processed in a manner that ensures appropriate security, including protection by appropriate technical and organizational measures against unauthorized or unlawful processing, loss, destruction or accidental damage.
The General Data Protection Regulation requires that the Data Subject be properly informed about the processing of their data as prescribed in Articles 13 and 14 of the GDPR (Article 14 applies where the data are not obtained from the Data Subject directly). The Data Subject must give their free, informed and unambiguous consent to the processing of their personal data whenever the processing is not covered by another legal basis, such as the performance of a contract with the Data Subject.
Every Data Subject must be provided with the opportunity to contact the data controller or the responsible person.
VULKANIZACIJA PASARIĆ D.O.O. has designated a responsible person within its organization entrusted with overseeing compliance with data protection regulations: the “Data Protection Officer.”
All employees of the Organization are obliged to comply with the rules of the Personal Data Protection Policy. During the term of the employment/cooperation agreement, each employee or associate must receive, in addition to the privacy notice describing the modalities of processing their own personal data, this Personal Data Protection Policy as part of the contractual documents by which they are bound, and must specifically accept it and declare that they have reviewed and understood its terms. The purpose of this Personal Data Protection Policy is to inform all employees and associates (Users) of their obligations when processing personal data on behalf of the Organization.
Conditions for Processing Personal Data on Behalf of the Data Controller
If the organization carries out data processing on behalf of the Data Controller, it must be appointed as the Data Processor by the Data Controller. In accordance with the General Data Protection Regulation, the processing activities carried out by the Processor must be governed by a contract between the Data Controller and the Processor, which shall stipulate the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Data Controller. The said contract must establish that the organization as Processor:
- processes personal data only according to clear and documented instructions from the Controller;
- ensures that persons authorized to process personal data have committed themselves to confidentiality;
- takes all appropriate security measures;
- if authorized by the Data Controller to engage sub-processors, imposes the same data protection obligations set out in the contract with the Controller upon the sub-processor;
- taking into account the nature of the processing, assists the Data Controller using appropriate technical and organizational measures, insofar as this is possible, to fulfill the Controller’s obligation to respond to requests for the exercise of data subjects’ rights;
- assists the Controller in ensuring compliance with obligations under Articles 32–36 of the GDPR (security of processing, notification of a personal data breach to the supervisory authority and communication of the breach to the data subject, data protection impact assessment, prior consultation with the supervisory authority), taking into account the nature of the processing and the information available to the Processor;
- at the request of the Data Controller, deletes or returns all personal data to the Data Controller upon completion of the provision of services;
- makes available to the Data Controller and the competent privacy supervisory authority all information necessary to demonstrate compliance with data privacy laws.
Every User (employee or associate) who, within the scope of their duties, processes personal data on behalf of the Data Controller must ensure that their actions do not go beyond the scope set out in the instrument by which the processor was appointed.
INFORMATION ABOUT PERSONAL DATA
Every data subject must receive from the Data Controller all information relating to the processing of their personal data as required by the General Data Protection Regulation. Such privacy information must be presented at the time of collection of personal data. If personal data is obtained from a third party, the privacy information must be delivered:
- within a reasonable time after obtaining the personal data, but in any case no later than one month after collection, taking into account the specific circumstances under which the personal data is processed;
- if the personal data is intended for communication with the data subject, no later than at the time of the first possible contact; or
- if disclosure to another recipient is envisaged, no later than the time at which the personal data are first disclosed to that recipient.
The privacy notice must contain the information required by the General Data Protection Regulation, including, among other things, the purposes for which personal data are processed, the identity and contact details of the controller (and of the Data Protection Officer, where designated), the data subject’s ability to exercise their rights under the GDPR, the data retention period, and the ability to lodge a complaint with the competent privacy supervisory authority.
Only the Data Controller must provide privacy information to data subjects, while the Data Processor must process personal data on behalf of the Data Controller in accordance with the Controller’s instructions and only for the purposes specified by the Data Controller in the written appointment of the Processor.
When acting as a data controller, VULKANIZACIJA PASARIĆ d.o.o. must deliver privacy information to data subjects.
CONSENT OF THE DATA SUBJECT
The data subject’s consent is required for processing personal data in all cases, except in the cases defined below under Articles 6 and 9 of the General Data Protection Regulation.
Processing of personal data that does not constitute special categories of personal data is permitted without the data subject’s express consent if one of the following conditions exists:
- when processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.
In addition to the above, processing of special categories of personal data is permitted without the explicit consent of the data subject in the following cases:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law and social security and social protection law (including collective agreements);
- processing is necessary to protect the life or health of the data subject or of another individual when the data subject is physically or legally incapable of giving consent;
- processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and relates solely to its members, former members or persons in regular contact with it in connection with its purposes;
- processing is necessary for the purposes of preventive medicine, medical diagnosis, health management or health services, provided that the personal data are processed by health professionals on the basis of specific regulations and rules of competent authorities;
- processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, proportionate to the aim pursued and which respects the essence of the right to data protection and provides appropriate and specific measures to safeguard the fundamental rights and interests of the data subject;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for reasons of substantial public interest.
For any processing of personal data for purposes not related to the performance of a contract or law, and in all cases where processing of personal data is carried out for purposes not connected to the specific contract to which the privacy policy relates: explicit and separate consent must be requested from the data subject (e.g. for marketing, promotional purposes, profiling, etc.).
Regarding services provided on websites, applications, etc., either confirmation that the data subject is not under 16 years of age — or a lesser age if so specified by applicable law in the Republic of Croatia — or parental/guardian approval must be obtained in relation to services provided to minors.
The data subject’s explicit consent must be given in paper or electronic form such that there is appropriate unambiguous evidence that consent was given.
DATA SUBJECT RIGHTS
Data subjects may request the exercise of their rights by submitting their request in writing by email or by post to the registered address of the contact person designated by VULKANIZACIJA PASARIĆ d.o.o. for this purpose, or in person at the organization’s registered address.
All data subject requests should be forwarded to the Data Protection Officer within the Organization.
Likewise, if a data subject’s request is addressed to a third party (e.g. an IT provider or marketing agency) that processes the data subject’s personal data on behalf of the Organization, that third party must immediately forward the request to the person within the Organization responsible for that contract, who will then notify the Data Protection Officer. The above obligations (to notify the Controller) must be included in contracts between the Organization/controller and the third party/processor. The Data Protection Officer must verify the identity of the data subject who submitted the request and compare the data contained in the request with data already held by VULKANIZACIJA PASARIĆ d.o.o.
If discrepancies are found, the data subject must be contacted using available contact details and asked to send identification data.
After verifying the identity of the data subject, the following must be done:
i) immediately record such a data subject request to ensure coordination and involvement of other departments of the Organization that may be relevant — depending on the request — in order to enable identification of the personal data that is the subject of the request and to ensure that the request is fulfilled (e.g. in the case of a right to erasure request). Fulfillment of the request is required in respect of all computer systems and documents of the Organization and suppliers. The Data Protection Officer must ensure that compliance with the data subject’s request is duly recorded.
ii) respond to the data subject in writing (by letter or email) without undue delay, and in any case within 30 calendar days of receipt of the data subject’s request.
If the request is particularly complex, the Data Protection Officer must:
i) where applicable, within 30 calendar days of the request, explain in writing to the data subject the reasons why an extension of the response deadline is necessary;
ii) in any case, respond in writing to the data subject within 60 calendar days of the extension notice.
No fee may be charged for fulfilling a data subject’s request, except where the request is manifestly unfounded or excessive (for example, repetitive), or where the data subject requests additional copies beyond the first copy provided.
Right of Access to Personal Data
Data subjects have the right to obtain confirmation as to whether or not their personal data is being processed and, if so, have the right to access their personal data as well as information about the following:
- the origin of the personal data;
- the purposes of the processing;
- the categories of personal data concerned;
- where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing (according to the procedures described in this section);
- the existence of automated decision-making, including profiling and, in that case, the logic applied and the envisaged consequences of such processing for the data subject;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed (in the case of transfer of personal data), in particular recipients in third countries (or international organizations) and, where applicable, the existence of appropriate safeguards for that transfer;
- the right to lodge a complaint with the competent supervisory authority;
- the right to rectification, completion of incomplete data, and portability.
Right to Erasure (“Right to be Forgotten”)
Data subjects have the right to obtain erasure of personal data concerning them where:
- the personal data are no longer necessary in relation to the purposes for which they were collected;
- the data subjects withdraw their consent on the basis of which processing is carried out and where there is no other legal basis for the processing;
- the data subjects object to the processing (see Right to Object below) and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation; and
- the personal data were collected in connection with the offer of information society services — offering information society services directly to a child.
Right to Restriction of Processing
Data subjects may obtain restriction of processing of personal data concerning them, resulting in the data not being usable for a limited period, in the following situations:
- when the data subject contests the accuracy of the personal data, for a period enabling the Organization to verify the accuracy of such data;
- when the processing is unlawful and the data subjects oppose the erasure of the personal data and request the restriction of their use instead;
- when the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims in separate proceedings;
- when the data subjects have objected to processing, pending the confirmation from the Organization as to whether the Organization’s legitimate grounds override those of the data subject.
In the above cases, when acting as a data controller, the Organization’s entities may process the data subject’s personal data only for storage purposes, in cooperation with the Data Protection Officer and all other relevant services involved for that purpose.
While processing is restricted, VULKANIZACIJA PASARIĆ d.o.o. may process the data subject’s data for purposes other than storage only in the following circumstances:
- when the data subjects have given their consent;
- for the establishment or defense of legal claims or the protection of the rights of another natural or legal person;
- to safeguard the rights of the Organization;
- for relevant reasons of public interest.
Right to Data Portability
The data subject has the right to receive the personal data concerning them, which they have provided to the Organization, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Organization where:
- processing is carried out by automated means;
- processing is based on the consent of the data subject or on a contract to which the data subject is a party; and
- the data subject is requesting the transfer of data that they themselves provided or generated (excluding information that VULKANIZACIJA PASARIĆ d.o.o. derived or inferred on the basis of information provided by the same data subject).
The data subject may also request a copy of the processed data provided that this does not adversely affect the rights and freedoms of other data subjects. Such data must be delivered electronically by the process owner to the requesting data subject via email, or in writing in other cases, and details of third parties must be covered or deleted.
Right to Object
The data subject has the right to object to the processing of personal data concerning them where VULKANIZACIJA PASARIĆ d.o.o. processes those data, among other things, for direct marketing purposes, including profiling.
Right to Rectification and Completion
Data subjects have the right to rectification of inaccurate personal data and to the completion of incomplete personal data. Once the data has been corrected, the process owner will send a confirmation by email or in writing to the data subject who submitted the request; any details of third parties contained in the confirmation must be redacted.
Right Not to Be Subject to a Decision Based Solely on Automated Processing
Data subjects have the right not to be subject to a decision based solely on automated processing — i.e. without human intervention — including profiling, except in cases where:
- it is necessary for the purposes of entering into or performance of a contract between the data subject and the data controller;
- it is based on the data subject’s explicit consent.
An example of such a decision would be an automated screening of candidates during a recruitment process run by VULKANIZACIJA PASARIĆ d.o.o., in which candidates are excluded solely on the basis of the automated result without any human review.
MANAGEMENT OF PERSONAL DATA
Personal data may not be disclosed to a third party unless the data subject has given their consent or there is another legal basis for the transfer, for example where the third party processes personal data on behalf of the Organization and its involvement is necessary for the performance of a contract with a customer (e.g. IT services) or for the provision of services to a customer (e.g. further follow-up of a customer request).
As a general rule, except in the case of specific exceptions under applicable law, personal data may not be transferred outside the European Economic Area unless arrangements compliant with the General Data Protection Regulation that authorize such transfers have been implemented with the data recipient, such as the EU Standard Contractual Clauses for data transfers.
DATA RETENTION / STORAGE PERIOD
We store and process data only for as long as is necessary for the fulfillment of a specific legitimate purpose, unless applicable regulations provide for a longer or shorter retention period for a specific purpose.
COOKIES
In order to provide Data Subjects and visitors with the best possible functionality and the most interesting content when visiting our websites or the websites of our partners, and in order to create services and offers that meet the needs and wishes of Data Subjects, we use cookies and/or other common technologies (hereinafter: cookies) that collect certain data of Data Subjects (e.g. the IP address from which the website is accessed, connection time, etc.). Detailed information about the cookies used by a particular website is provided to Data Subjects immediately upon their first visit to the website. Based on this information, the Data Subject, upon visiting the website, gives or withholds their consent to the use of cookies. Cookie settings can always be adjusted in the internet browser. VULKANIZACIJA PASARIĆ d.o.o. is not responsible for cookies on other websites not owned by VULKANIZACIJA PASARIĆ d.o.o. Information about Data Subjects obtained through cookies will be combined with other data about the Data Subject in order to better understand Data Subjects and provide a better experience, only on the basis of consent.
Statement on the Protection of Personal Data Transfers
Personal data are protected in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation) and the national Act on the Implementation of the General Data Protection Regulation.
Stripe Payments Europe, Limited, as the processor carrying out the authorization and charging of payment cards, processes personal data in the capacity of a data processor and handles personal data in accordance with Regulation (EU) 2016/679 and with the PCI DSS Level 1 requirements for the protection of card data entry and transfer. Stripe protects card data in transit with the TLS cryptographic protocol and stores it in encrypted form.
WSPay, as the processor carrying out the authorization and charging of payment cards, processes personal data in the capacity of a data processor and handles personal data in accordance with Regulation (EU) 2016/679 and with the PCI DSS Level 1 requirements for the protection of card data entry and transfer. WSPay protects data entry and transfer with a certificate-authenticated TLS 1.2 connection using 256-bit symmetric encryption (the “256-bit SSL certificate” commonly referred to).
Personal data used for the purpose of authorization and charging, i.e. for the fulfillment of obligations under or pursuant to the Agreement, are considered confidential data. The following personal data of the buyer are required for the performance of the Agreement (authorization and charging):
- First and last name
- Telephone
- Address
- City
- Postal code
- Country
- Card type
- Card number
- Card expiry date
- Card CVV code
Stripe and WSPay do not process or use this personal data except for the purpose of performing the authorization and charging agreement.
Stripe guarantees fulfillment of all conditions established by applicable personal data protection regulations for processors of personal data, as confirmed by its Data Processing Agreement (DPA) available at stripe.com/legal/dpa and by its PCI DSS Level 1 certification.
WSPay guarantees fulfillment of all conditions established by applicable personal data protection regulations for processors of personal data, and in particular the implementation of all necessary technical, organizational and security measures, as further confirmed by its PCI DSS Level 1 certification.
All interested parties may submit all questions and requests relating to the processing of their data or anything else related to data privacy in person at the organization’s location, in writing to the address, or by email to the contact details listed below.
VULKANIZACIJA PASARIĆ d.o.o.
Address: Zagrebačka 123, Šibice, 10290 Zaprešić
Email: vulkanizacija@pasaric.hr
The Privacy Protection Policy is publicly published. It is binding on all our employees.
Zagreb, 27 June 2019
Directors: Michael Pasarić and Petra Pasarić