VULKANIZACIJA PASARIĆ d.o.o., during the course of all its business processes, attaches great importance to information security management, taking into account the requirements and expectations of all stakeholders.

The Management Board of VULKANIZACIJA PASARIĆ d.o.o. undertakes to constantly invest in the knowledge of our employees, provide a framework for achieving high goals of information security, planning, implementation and constant monitoring of information security management systems, compliance with all legislative and regulatory requirements, as well as all contractual obligations and rules of the profession:

  • all information received by all interested parties to be treated at the highest security level in terms of protection;
  • information to be protected from any unauthorized access;
  • confidentiality of information to be ensured;
  • integrity of information to be maintained;
  • the availability of information for business processes to be ensured and monitored;
  • legislative and regulatory requirements to be met;
  • business continuity plans to be regularly maintained and checked;
  • information security training to be available to all employees;
  • all actual and suspected security breaches to be processed and thoroughly investigated.


Process owner: means a person appointed by an authorized person in the Organization, who within a certain framework is responsible for monitoring and ensuring compliance of personal data processing with the Regulation on Personal Data Protection. Each process owner can appoint another process owner according to their authority, depending on the needs and management role it has within its specific function and department. Such appointment must indicate the tasks for which the delegated person is in charge.
Adviser: means a person / function whose main function is to provide advice and support related to compliance issues with the Personal Data Protection Regulation.
User: means a person who, as an employee or associate of the Organization in the performance of his / her duties, is involved in any procedure related to the processing of personal data.
Respondent: means a natural (and where specifically provided - legal) person, whose personal data is processed by the Organization, or any of its bodies.
"Personal data": means all data relating to an individual whose identity has been established or can be established ("respondent"); an identifiable individual is a person who can be identified directly or indirectly, in particular by means of identifiers such as name, identification number, location data, network identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Special categories of personal data: means personal data on racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership as well as processing of genetic and biometric data for the purpose of unambiguous identification of a natural person, data related to health or sexual life or sexual orientation of an individual; data related to criminal or misdemeanor proceedings.

Processing: means any operation or set of operations carried out on personal data or on sets of personal data, whether automated or non-automated, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transferring, disseminating or otherwise making available, reconciling or combining, restricting, deleting or destroying, including the implementation of logical, mathematical and other procedures with personal data or sets of personal data.
Profiling: means any form of automated processing of personal data consisting of the use of personal data to assess certain personal aspects related to an individual, in particular to analyze or predict aspects related to the performance, economic status, creditworthiness, health, personal preferences, interests, reliability, behavior, location or movement of that individual.
Consent for processing: means any voluntary, special, informed and unambiguous expression of the respondent's wishes by which he gives, by a statement or clear affirmative action, consent to the processing of personal data relating to him. This could include ticking the box when visiting websites, a statement or behavior that clearly shows that the respondent accepts the proposed processing of their personal data. Silence, a pre-ticked field or lack of activity should therefore not be considered as consent.
Processor: means an entity (organization or individual, administrative or other body) that processes personal data on behalf of the controller. Processors are entities outside the Organization that process data on behalf of the latter. Entities of the Organization may also have the role of executor of processing in case they carry out the processing operation on behalf of a client or another entity.

Platform: means an automated tool that enables entities of the Organization to meet the requirements of the General Data Protection Regulation and includes, but is not limited to, the creation and updating of the Data Registry, reporting and auditing, privacy impact assessment and notification of personal data breaches.
Sub-executor: means an entity (organization or individual) appointed by the processor to process personal data on behalf of the controller and supervised by the processor. Sub-executors are entities outside the Organization that process data on behalf of the Organization's clients.
Processing manager: means an entity (organization or individual, administrative or other body) that alone or together with others determines the purposes and processing of personal data.
Violation of personal data: means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
Regulatory body: means the national supervisory authority for the protection of personal data that is responsible for a particular case. It is possible that different Regulatory Bodies are competent for cases related to the subjects of the Organization, depending on the specifics of each case.
Entities of the Organization: depending on the context, together the organizations of the Organization operating in the EU, which may be the managers or executors of a particular processing of personal data, as the case may be.



General principles of personal data processing

Personal data may be processed, with certain exceptions, for the purposes indicated in the privacy information given to a particular respondent.
Personal information:

  1. they must be processed in a lawful, proper and transparent manner;
  2. they must be collected and recorded for a specific, explicit and legitimate purpose and used in processing operations compatible with that purpose;
  3. they must be precise and, where necessary, kept up to date;
  4. they must be adequate, relevant and not more than necessary for the purpose for which they were collected and processed;
  5. they must be kept in a form which permits identification of respondents for no longer than is necessary for the purpose for which they were collected and processed; and
  6. they must be handled in a manner that guarantees adequate security, including protection by appropriate technical and organizational measures against unauthorized or unlawful processing, loss, destruction or accidental damage.

The General Data Protection Regulation requires that the Respondent be properly informed about the processing of his data as prescribed in Article 13 of the General Data Protection Regulation. The Respondent must give his / her free, informed and unambiguous consent to the processing of his / her personal data if such personal data will be processed for purposes other than for the purpose of implementing the contract with the Respondent.
Each Respondent must be given the opportunity to contact the processing manager, i.e. the responsible person.

VULKANIZACIJA PASARIĆ d.o.o. has designated a responsible person within its organization entrusted with the supervision of compliance with data protection regulations: the "Data Protection Officer".
All employees of the Organization are obliged to comply with the rules of the Ordinance on personal data protection. During the term of the employment / cooperation contract, each employee or associate must receive - in addition to privacy information showing the modalities of processing his personal data - this Ordinance on personal data protection as part of the contractual documents to which he is obliged and must specifically accept and declare that he analyzed them and understood the conditions. The purpose of this Ordinance on the protection of personal data is to inform all Respondents of their obligations to process personal data on behalf of the Organization.

Conditions for the processing of personal data on behalf of the Processing Manager

If it conducts data processing on behalf of the Processing Manager, the organization must be appointed by the Processing Manager as the Processing Executor. In accordance with the General Regulation on Data Protection, the processing operations performed by the Executor must be regulated by a contract between the Processing Manager and the Executor which will agree on the subject and duration of processing, nature and purpose of processing, type of personal data and categories of respondents. The contract in question requires that the organization as the Executor:

  1. processes personal data only according to clear and documented instructions from the Manager;
  2. ensures that the persons authorized to process personal data have committed themselves to confidentiality;
  3. takes all appropriate security measures;
  4. if the Processing Manager has authorized it to subcontract the processing, imposes, in the contract with the processing controller, the same data protection obligations set out in the contract with the Processor;
  5. taking into account the nature of the processing, assists the Processing Manager using appropriate technical and organizational measures, as far as possible, to fulfill the Manager's obligation to respond to requests to meet the respondent's rights;
  6. assists the Manager in ensuring compliance with the obligations under Articles 32-36 of the General Data Protection Regulation (processing security, obligation to notify in case of personal data breach, personal data protection impact assessment, transferability), taking into account the nature of the processing and the information available to the Processor;
  7. at the request of the Processing Manager, deletes or returns all personal data to the Processing Manager after the completion of the provision of services;
  8. makes available to the Processing Manager and the competent privacy regulatory authority all data necessary to demonstrate compliance with the data privacy law.
  9. Any Respondent who processes personal data on behalf of the Controller in the context of his / her tasks should ensure that his / her actions do not go beyond the scope set out in the act appointing the controller.


Each respondent must obtain from the Controller all information related to the processing of his personal data required by the General Data Protection Regulation. Such privacy information must be provided at the time of collection of personal information. If personal data is obtained from a third party, privacy information should be provided:

  1. within a reasonable time from the moment of acquisition of personal data, but in any case no later than one month from the collection, taking into account the special circumstances under which personal data are processed;
  2. in the event that personal data are intended for communication with the respondent, at the latest at the first possible contact, or;
  3. if the communication is intended with another recipient, at the latest during the first communication, i.e. collection of personal data.

The privacy information must contain certain information specified in the General Data Protection Regulation, including, inter alia, the purposes for which personal data are processed, details of the executor of the order, the respondent's ability to exercise his rights under the General Data Protection Regulation, data retention period and filing a complaint with the competent privacy regulator.
Only the Processing Manager must provide the respondents with privacy information while the Processing Agent must process personal data on behalf of the Processing Manager according to the instructions of the Processing Manager and only for the purposes specified by the Processing Manager in the written appointment of the Processor.
When acting as processing manager, VULKANIZACIJA PASARIĆ d.o.o. must provide privacy information to respondents.


The consent of the respondents is required for the processing of personal data in all cases, except in the cases defined below according to Articles 6 and 9 of the General Data Protection Regulation.
The processing of personal data that do not represent special categories of personal data is allowed without the express consent of the respondents, if any of the following conditions exist:

  • when processing is necessary to perform the contract to which the respondent is a party or to take action at the request of the respondent prior to the conclusion of the contract;
  • processing is necessary to comply with the legal obligations of the controller;
  • processing is necessary to protect the key interests of the respondent or other natural person;
  • processing is necessary for the performance of a task of public interest or in the performance of the official authority of the controller;
  • processing is necessary for the legitimate interests of the controller or a third party, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondent requiring the protection of personal data, especially if the respondent is a child.

In addition to the above, the processing of special categories of personal data is allowed without the express consent of the respondents, in the following cases:

  • processing is necessary for the purposes of fulfilling obligations and exercising the special rights of processing managers or respondents in the field of labor law and social security and social protection law (including collective agreements);
  • processing is necessary to protect the life or health of the respondent or another individual when the respondent is physically or legally prevented from giving consent;
  • processing has been carried out in relation to their legitimate activities, with appropriate guarantees;
  • processing is required for the purposes of preventive medicine, medical diagnoses, health management or health services, provided that personal data are processed by health professionals on the basis of special regulations and rules of the competent authorities;
  • processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in proportion to the aim pursued and which respects the essence of the right to data protection and provides appropriate and special measures to protect fundamental rights and interests;
  • processing refers to personal data that are obviously published by the respondent;
  • processing is required for reasons of significant public interest.

For any processing of personal data for purposes not related to the implementation of the contract or law, and in all cases where personal data are processed for purposes not related to the specific contract to which the privacy policy applies, explicit and separate consent must be obtained from the respondent (e.g. for marketing, promotional purposes, profiling, etc.).
In relation to services provided on websites, applications, etc., confirmation must be obtained that the respondent is not younger than 16 years, or a lower age if so determined by applicable law in the Republic of Croatia, or parental / guardian approval must be obtained in relation to services provided to minors.
The explicit consent of the respondent must be given on paper or electronically so that there is adequate unequivocal evidence that the consent has been given.


Respondents can request the exercise of any of their rights by sending a written request, by e-mail or to the address of the headquarters, to the contact person that VULKANIZACIJA PASARIĆ d.o.o. has designated for this purpose, or in person at the address of the headquarters of the organization.

All requests of respondents should be forwarded to the Data Protection Officer in the Organization:
1. Likewise, if the respondent's request is addressed to a third party (e.g. an information technology supplier or a marketing agency) that processes the respondent's personal data on behalf of the Organization, that third party must immediately forward the request to the person responsible within the Organization for the contract, who will then notify the Data Protection Officer. The above obligations (notifications to the Manager) must be included in the contracts between the Organization / Manager and the third party / executor. The Data Protection Officer must verify the identity of the respondent who submitted the request, and compare the data contained in the request with the data that VULKANIZACIJA PASARIĆ d.o.o. already has.
2. If discrepancies are found, the respondent must be contacted via the available contact details and the respondent must be asked to send identification data.
3. After establishing the identity of the respondent, the Data Protection Officer must:

  1. immediately record such a request of the respondent in order to ensure coordination and involvement of other departments of the Organization that may be relevant - depending on the request, and to allow identification of personal data subject to the request and to ensure that the request will be implemented (e.g. in case of request for forgetting). The implementation of the requirements is required in relation to all computer systems and documents of the Organization and suppliers. The Data Protection Officer must ensure that compliance with the respondent's request is properly recorded.
  2. respond immediately to the respondent in writing (on paper or by e-mail) within 30 calendar days of the respondent's request.

If the request is particularly complex, the Data Protection Officer must:

  1. where applicable, within 30 calendar days of the request, explain in writing to the respondent the reasons why the deadline for reply needs to be extended;
  2. in any case, within 60 calendar days of the notification of the extension, respond in writing to the respondent.

The costs of fulfilling the respondent's request cannot be charged, except in cases when the respondent's request is obviously unfounded or excessive, i.e. repetitive, as in the case when the respondent requests additional copies in relation to those submitted at the first request.

The right of access to personal data

Respondents have the right to obtain confirmation of whether their personal data are being processed and, if so, have the right to gain access to their personal data as well as information on the following facts:

  1.  origin of personal data;
  2.  processing purposes;
  3.  categories of subject personal data;
  4.  where possible, the intended period of storage of personal data or, if this is not possible, the criteria used to determine that period;
  5.  the existence of a right to request the correction or deletion of personal data or to restrict the processing of personal data concerning the respondent or to object to such processing (according to the procedures described in this paragraph);
  6.  the existence of automatic decision-making, including the development of profiles and, in that case, the applied logic and the foreseeable consequences of such processing for the respondent;
  7.  the recipients or categories of recipients to whom personal data have been or will be disclosed (in the case of transfers of personal data), in particular to recipients in third countries (or international organizations) and, if applicable, the existence of appropriate safeguards;
  8.  the right to lodge a complaint with the competent regulatory authority;
  9.  the right to rectification, consolidation and transferability.


Right to delete ("Right to forget")

Respondents have the right to have personal data relating to them deleted when:

  1.  personal data are no longer needed for the purposes for which they were collected;
  2.  the respondents withdraw their consent on the basis of which the processing is carried out and where there is no other legal basis for the processing;
  3.  the respondents object to the processing (see section 8.6) and there are no stronger legitimate reasons for the processing;
  4.  personal data have been illegally processed;
  5.  personal data must be deleted in order to fulfill a legal obligation; and
  6.  personal data are collected in connection with the offer of information society services directly to a child.

The right to restrict processing

Respondents may obtain a restriction on the processing of personal data relating to them, which results in the data not being able to be used for a limited period of time in the following situations:

  1.  when the respondent disputes the accuracy of personal data, for the period necessary for the Organization to verify the accuracy of such data;
  2.  when the processing is illegal and the respondents oppose the deletion of personal data and demand a restriction of their use;
  3.  when the controller no longer needs personal data for the purposes of processing, but the respondent requests them for the purpose of setting, realizing or defending legal claims in a separate procedure;
  4.  when the respondents object to the processing, while the Organization is awaiting confirmation as to whether the legitimate reasons of the Organization outweigh the reasons of the respondents.

In the above cases, when acting as controllers, the subjects of the Organization may process the personal data of the respondents only for the purposes of storage, in cooperation with the Data Protection Officer and all other relevant services involved for that purpose.

In these circumstances, in addition to storage, VULKANIZACIJA PASARIĆ d.o.o. may process the respondent's data - pending processing restrictions - only in the following circumstances:

  1.  when the respondents gave their consent;
  2.  for the purpose of exercising or defending legal claims or protecting the rights of another natural or legal person;
  3.  in order to guarantee the protection of the rights of the Organization;
  4.  relevant reasons of public interest.


The right to data portability

The respondent has the right to receive personal data relating to him, which he provided to the Organization, in a structured, commonly used and machine-readable format, and has the right to transfer this data to another controller without interference from the Organization if:

  1.  the processing is carried out by automated means;
  2.  the processing is based on the consent of the respondent or on the basis of a legitimate interest - a contract to which the respondent is a party; and
  3.  the data were provided or generated by the respondent himself (excluding information provided or concluded by VULKANIZACIJA PASARIĆ d.o.o. on the basis of information provided by the same respondent).

The respondent may also request a copy of the processed data, provided that this does not violate the rights and freedoms of other respondents. Such information must be electronically submitted by the process owner to the respondent by e-mail, or in other cases in writing, and details of third parties must be overlaid or deleted.

The right to object

The respondent has the right to object to the processing of personal data relating to him when VULKANIZACIJA PASARIĆ d.o.o. processes that data, inter alia, for direct marketing purposes, including profiling.


The right to rectification and unification

Respondents have the right to correct inaccurate personal data or aggregate incomplete personal data. Once the data is corrected, the process owner will send a confirmation email or written confirmation to the respondent who submitted the request, and details of third parties must be overlaid or deleted.

The right not to be subject to a decision based solely on automated processing

Respondents have the right not to be subject to a decision based solely on automated processing, i.e. without human intervention, including the production of profiles, except in cases where:

  1.  it is necessary for the purposes of concluding or fulfilling a contract between the respondent and the controller;
  2.  it is based on the explicit consent of the respondent.

The above scenario is foreseen, for example, if during the employment procedure VULKANIZACIJA PASARIĆ d.o.o. assigned automatic verification and selection of candidates who were therefore excluded solely on the basis of an automated decision.


Personal data may not be disclosed to a third party if the respondent has not given his consent or if there is no other legal basis for the purposes of data transfer, for example - if it relates to a third party processing personal data on behalf of the Organization and whose actions are necessary to implement contracts with the customer (e.g. information technology services) or to provide services to the customer (e.g. further monitoring of customer requirements).
As a general rule, except in the case of specific exceptions under applicable law, personal data may not be transferred outside the European Economic Area unless arrangements under the General Data Protection Regulation authorizing such transfers are implemented with the data recipient, such as the so-called EU standard contractual clauses for data transfers.


We store and process the data only to the extent necessary for the execution of a certain legitimate purpose, unless the applicable regulations provide for a longer or shorter retention period for a particular purpose.


In order to provide respondents and visitors with the best possible functionality and interesting content when they visit our websites or the websites of our partners, and to create services and offers that meet the needs and wishes of respondents, we use cookies and / or other common techniques (hereinafter: cookies), which collect certain data of the Respondent (e.g. IP address from which the website is accessed, connection time, etc.). Detailed information about cookies used by each website is given to the respondent immediately upon the first visit to the website. Based on this information, the Respondent gives or denies his / her consent to the use of cookies when visiting the website. Cookie settings can always be set in a web browser. VULKANIZACIJA PASARIĆ d.o.o. is not responsible for cookies of other websites that are not owned by VULKANIZACIJA PASARIĆ d.o.o. We will link the information about the Respondent obtained by cookies with other data about the Respondent in order to get to know the Respondent better and provide a better experience, only on the basis of consent.


Statement on protection of personal data transfer

Protection of personal data in accordance with the General Data Protection Regulation of the European Parliament and of the Council No. 2016/679-Regulation and the implementation of the General Data Protection Regulation

WSPay, as the executor of authorization and payment of credit cards, handles personal data as a processor and treats personal data in accordance with the General Data Protection Regulation of the European Parliament and the Council No. 2016/679 and the strict rules of PCI DSS L1 regulations on protection of registration and data transmission.

WSPay uses an SSL certificate with 256-bit encryption and the TLS 1.2 cryptographic protocol as the highest levels of protection when writing and transferring data.

Personal data used for the purpose of authorization and collection, i.e. for the performance of obligations under the Agreement, shall be considered confidential data.

The following personal data of the buyer are required for the execution of the Contract (authorization and collection):

  • Name and surname
  • Zip code
  • Card type
  • Card number
  • Card expiry date
  • CVV card code

WSPay does not process or use this personal data except for the purposes of executing the authorization and collection agreement.

WSPay guarantees the fulfillment of all conditions determined by the applicable regulations on personal data protection for personal data processors, and in particular the taking of all necessary technical, organizational and security measures, and this is especially confirmed by the PCI DSS L1 certificate.


All interested parties may submit all questions and requests related to the processing of their data or anything else related to the privacy of data in person at the location of the organization, in writing to the address or by e-mail to the contact below.
Address: Zagrebačka 123, Šibice, 10290 Zaprešić

We make the privacy policy public. It is mandatory for all our employees.


In Zagreb, June 27, 2019
Director: Michael Pasarić and Petra Pasarić