RULEBOOK ON THE PROCESSING AND PROTECTION OF PERSONAL DATA of the company LAV i VUK d.o.o in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation)(hereinafter: Regulation), the Law on the Implementation of the General Regulation on Data Protection (Official Gazette 42/2018), the Labor Law and other accompanying laws and by-laws.
Controller: LAV i VUK d.o.o. with its registered seat in Zadar (Grad Zadar), Zagrebačka ulica 48, Croatia, OIB/PIN: 73882458106, contact requests can be made to legal@lavivuk.com
I GENERAL PROVISIONS
Article 1.
In the process of personal data processing and the protection of individuals with regard to the processing of personal data and the rules related to the free movement of personal data LAV i VUK d.o.o. is subject to the application of the General Data Protection Regulation. Pursuant to Article 4, Point 7 of the General Regulation on Data Protection, LAV i VUK d.o.o. is the controller. LAV i VUK d.o.o., as the controller, determines the purpose and means of personal data processing in accordance with the General Data Protection Regulation, the current legislation of the Republic of Croatia (hereinafter: the Republic of Croatia), the law of the European Union (hereinafter: the EU) and other internal acts of the Company that regulate personal data protection.
Subject of the Rulebook
Article 2.
This Rulebook on the protection of personal data (hereinafter the Rulebook) contains rules for the protection of personal data in the process of collecting and processing personal data relating to natural persons, which LAV i VUK d.o.o. obtains in the course of its regular business. The purpose of personal data protection is the protection of private life and other human rights and fundamental freedoms in the collection, processing and use of personal data. LAV i VUK d.o.o. ensures the protection of personal data for every natural person regardless of citizenship and residence and regardless of race, skin color, gender, language, religion, political or other belief, national or social origin, property, birth, education, social position or other characteristics in accordance with the provisions of the General Data Protection Regulation.The right to the protection of personal data belongs to all respondents in the same way and under the same conditions, and the respondents are equal in exercising it.
Article 3.
This Rulebook contains provisions that are in accordance with European Union acts: Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union ("Charter"), Article 16, paragraph 1 of the Treaty on the Functioning of the European Union (TFEU), which establish that everyone has the right to the protection of his personal data, according to the General Data Protection Regulation and the current legislation of the Republic of Croatia in the field of personal data protection.
Terms and definitions
Article 4.
Certain expressions in this Rulebook have the following meanings:
The “General Data Protection Regulation” is a regulation adopted by the EU Commission in April 2016 and which has legal force for all EU member states. The Regulation regulates the rights and obligations in the field of personal data protection of natural persons
“Personal data” means all data relating to an individual whose identity has been determined or
can be determined;
“Respondent” is any individual (natural person) from whom the Company collects and processes personal data in the sense of the General Data Protection Regulation;
“Controller” in the sense of this Ordinance is LAV i VUK d.o.o., which company determines the purposes and means of personal data processing;
“Processor” is a natural or legal person, state or other body, which processes personal data on behalf of the manager of the collection of personal data;
“Processing” means any process or set of processes performed on personal data or sets of personal data, whether by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction;
“Storage system” is a collection of personal data, that is, any structured set of personal data that is available according to special criteria;
“Recipient” is a natural or legal person, state or other body to which personal data is disclosed;
“Respondent consent” is any voluntary, special, informed and unequivocal manifestation of the will of the respondent by which he expresses his consent to the processing of his personal data for specific purposes by a statement or a clear affirmative action;
“Data protection officer” is a person appointed by the trading company LAV i VUK d.o.o., who takes care of the legality of the processing of personal data and the exercise of the right to the protection of personal data;
“Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed;
“Pseudonymization” means the processing of personal data in such a way that the personal datacan no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data cannot attribute to an individual whose identity has been established or can be established;
“Supervisory body”; is the Personal Data Protection Agency.
II PROCESSES AND RULES IN THE PROCESSING OF PERSONAL DATA
Processing of personal data
Article 5.
LAV i VUK d.o.o. processes personal data only under the conditions specified by the General Data Protection Regulation and other internal acts of the Company that govern the protection of personal data.
LAV i VUK d.o.o. processes personal data legally, fairly and transparently. Only appropriate and relevant personal data are processed and exclusively for special, explicit and lawful purposes and are not further processed in a way that is not in accordance with these purposes.
Personal data must be accurate, complete and up-to-date.
Personal information that is incorrect is deleted or corrected without delay. The company processes personal data exclusively in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical and organizational measures.
The company stores personal data only as long as is necessary for the purposes for which the personal data is processed. Exceptionally, personal data can be stored for longer periods, but only if it will be processed exclusively for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes.
The purpose of collecting personal data
Article 6.
LAV i VUK d.o.o. collects personal data for the purpose with which the respondent is aware, which is expressly stated and in accordance with the General Data Protection Regulation and valid legislation of the Republic of Croatia.
Personal data is further processed only for the purpose for which it was collected, i.e. for a purpose that is consistent with the purpose of collection.
LAV i VUK d.o.o. will not collect personal data to a greater extent than is necessary to achieve the established purpose.
LAV i VUK d.o.o. will use personal data only for the time necessary to achieve a specific purpose, unless a longer period is specified by the General Data Protection Regulation and/or special regulations of the Republic of Croatia or the EU, and after the specified time, the Company will delete personal data.
Basis for the collection and further processing of personal data
Article 7.
LAV i VUK d.o.o. processes personal data only and to the extent that one of the following
conditions is met:
– that the respondent has given his consent for the processing of his personal data for one or more special purposes;
– that the processing is necessary for the execution of a contract to which the respondent is a party;
– that the processing is necessary to comply with the legal obligations of LAV i VUK d.o.o.;
– that the processing is necessary to protect the key interests of the data subject or other natural persons;
– that the processing is necessary for the performance of a task of public interest or for the performance of public powers of LAV i VUK d.o.o.;
– that the processing is necessary for the needs of the legitimate interests of LAV i VUK d.o.o. or a third party, except in the case when those interests are stronger than the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
Informing of respondents
Article 8.
In the process of personal data processing, LAV i VUK d.o.o. provides the respondent in an appropriate manner (written or directly orally) with all information related to the processing of his personal data, especially about:
– the identity of LAV i VUK d.o.o. as the controller;
– purposes of data processing;
– the legal basis for data processing;
– legitimate interests;
– intentions to transfer personal data to third parties;
– the period in which personal data will be stored;
– on the right to access personal data and to correct or delete personal data and limit processing;
– the right to object.
Management of respondent requests
Article 9.
LAV i VUK d.o.o. will immediately, and at the latest within one month from the date of submission of the respondent's request:
– inform the respondent about the purpose of processing his personal data, the categories of personal data that are processed, about the recipients or categories of recipients to whom the personal data has been disclosed or will be disclosed to them, the anticipated period during which the personal data will be stored and in the event that the personal data is not collect from respondents about their source;
– deliver to the respondent a printout of the personal data contained in the storage system that
relate to him;
– correct incorrect data or supplement data;
– carry out the deletion of personal data relating to the respondent, provided that the personal data are no longer necessary in relation to the purposes for which they were collected or if the respondent withdraws the consent on which the processing is based.
The deadline from paragraph 1 of this article can be extended by an additional two months if necessary, taking into account the complexity and number of requests. LAV i VUK d.o.o. notifies the respondent of any such extension within one month of receiving the request, along with the
reasons for the delay.
If the respondent’s request is submitted electronically, LAV i VUK d.o.o. provides the information electronically if possible, unless the respondent requests otherwise.
LAV i VUK d.o.o. will inform the respondent of the reasons for rejecting the request without delay, and no later than one month from the date of receipt of the request, about the reasons for rejecting the request of the respondent from paragraph 1 of this article.
Article 10.
LAV i VUK d.o.o. provides information in accordance with Article 8 of this Rulebook free of charge.
Exceptionally, if the requests of the respondents are clearly unfounded or excessive, LAV i VUK d.o.o. will charge a reasonable fee taking into account the administrative costs of providing information or notifications.
Management of incidents related to the violation of personal data
Article 11.
Activities and procedures related to the management of incidents related to the violation of personal data refer to all organizational units and all employees of LAV i VUK d.o.o. and include:
– registration of a report on the violation of personal data
– sending a notification about the violation of personal data
– notification of the supervisory body about the violation of personal data.
Implementation of control and supervision in personal data processing processes
Article 12.
The implementation of control and supervision in the processing of personal data is the responsibility of the Data Protection Officer, as well as the Agency for Personal Data Protection. Reporting on personal data protection
Article 13.
Respondents address requests and objections to the controller and have the right to report on the protection of personal data and the right to notification of a personal data breach in the event of a personal data breach.
Records of processing activities
Article 14.
LAV i VUK d.o.o. collects and processes the following types of personal data:
– personal data of employees;
– personal data on candidates for employment at LAV i VUK d.o.o.;
– personal data of external associates;
– personal data of customers;
– supplier’s personal data.
LAV i VUK d.o.o. collects and processes the following personal data, which include, for example, name and surname, address, date of birth, OIB, professional qualification, e-mail address and other personal data for the purposes specified in this Rulebook and other internal acts of the Company governing the protection of personal data .
LAV i VUK d.o.o. collects and processes personal data for the purpose of:
– employee records and salary calculations;
– fulfilment of the Company’s contractual obligations to clients (bookkeeping of customers andsuppliers);
– fulfilling the Company’s legal obligations;
– for marketing purposes.
Article 15.
For the personal data specified in Article 14 of this Article, LAV i VUK d.o.o. keeps records of processing activities for all collected personal data, which is attached to this Rulebook and is considered an integral part of it.
Article 16.
The records of processing activities contain all the following information:
– name and contact information of LAV i VUK d.o.o.;
– processing purposes;
– description of respondent categories and categories of personal data;
– categories of recipients to whom personal data has been disclosed or will be disclosed to them;
– if applicable, transfers of personal data to a third country or international organization;
– if possible, the deadlines for deleting different categories of data (retention period);
– protection measures (general description of technical and organizational security measures).
Records from paragraph 1 of this article must be in written form, including electronic form. LAV i VUK d.o.o. is obliged to provide the records referred to in paragraph 1 of this article for inspection by the authority that supervises the protection of personal data in accordance with the regulations of the Republic of Croatia and the EU.
Article 17
In accordance with the Regulation and the laws of the Republic of Croatia, the Company will appoint a Data protection officer, in accordance with the provisions of this Rulebook.
Entrusting the processing of personal data to the processor
Article 18.
LAV i VUK d.o.o. can, taking into account business needs and justification, and on the basis of the contract, entrust certain tasks related to the processing of personal data within the framework of its business to another natural or legal person, i.e. the processor. In such cases, the contract between the Company and the processor must be concluded in writing.
LAV i VUK d.o.o. will entrust tasks related to the processing of personal data only to a processor who is registered to perform such activities and who provides sufficient guarantees regarding the implementation of appropriate measures for the protection of personal data, i.e. classified data if it meets the conditions established by special regulations governing the area of information security.
The contract that LAV i VUK d.o.o. concludes with the data processor will regulate mutual rights and obligations, especially with the obligation of the data processor to perform tasks based on the order of LAV i VUK d.o.o., and not to provide personal data for use by other recipients or to process them for any any purpose other than the contracted one. At the same time, the processor ensures the implementation of appropriate technical, organizational and personnel measures for the protection of personal data in accordance with the applicable legal regulations as well as the requirements of LAV i VUK d.o.o. in the area of personal data protection.
Providing data to recipients
Article 19
LAV i VUK d.o.o. is authorized to provide personal data for use by other recipients based on therecipient's written request if this is necessary for the performance of work within the scope of the recipient’s legally established activity.
The written request must contain the purpose and legal basis for the use of personal data and the type of personal data requested.
Transfer of personal data
Article 20.
LAV i VUK d.o.o. will transfer personal data contained in the records of processing activities from the Republic of Croatia for the purpose of further processing only if the country or international organization to which the personal data is transferred has an appropriately regulated protection of personal data, i.e. an adequate level of protection is ensured.
An exception to the above rule is transfer to the companies that are connected to LAV i VUK d.o.o.
Processing of personal data for marketing purposes
Article 21
Before collecting personal data for marketing purposes, LAV i VUK d.o.o. will inform the respondent about the intended processing of personal data for marketing purposes, and will obtain the consent of the respondent and enable him to object to such processing of personal
data.
Security of personal data processing
Article 22.
LAV i VUK d.o.o. will implement appropriate technical and organizational measures in accordance with the possibilities and assessment of the impact on the protection of personal data in order to ensure an appropriate level of security, including as necessary:
– pseudonymization and encryption of personal data;
– ability to ensure permanent confidentiality, integrity, availability and resilience of processing systems and services;
– the ability to timely re-establish the availability of personal data and access to them in the event of a physical or technical incident;
– a process for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure processing security.
III DUTIES AND RESPONSIBILITIES
Data protection officer
Article 23.
The data protection officer will be appointed by LAV i VUK d.o.o. in accordance with this Rulebook, the Regulation and legal regulations.
The data protection officer is a person who is employed by LAV i VUK d.o.o. (employee) and/or an external associate, i.e. a person with whom LAV i VUK d.o.o. has an employment contract (this depends on what is acceptable for LAV i VUK d.o.o. in the specific case).
The data protection officer monitors compliance with the rules and principles of the General Data Protection Regulation and other data protection regulations, raises awareness and trains people within LAV i VUK d.o.o. who participate in processing procedures.
The data protection officer is appointed on the basis of professional qualifications, and especially professional knowledge of law and practices in the field of personal data protection.
The data protection officer has the highest responsibility for the compliance of the entire personal data protection system in LAV i VUK d.o.o.
The data protection officer is appointed on the basis of professional qualifications, especially expert knowledge of law and practices in the field of data protection, and the ability to perform the tasks established by the General Data Protection Regulation.
The data protection officer is appointed by the Board of LAV i VUK d.o.o., through an internal or external competition.
The data protection officer should understand the data processing procedure, information technology and security, know the sector and the organization of LAV i VUK d.o.o.
The data protection officer should have the ability to promote data protection within LAV i VUK d.o.o.
Contact details of the Data Protection Officer, if appointed, LAV i VUK d.o.o. publishes on its website.
Responsibility of the Company’s employees
Article 24
All employees employed by LAV i VUK d.o.o. are responsible for the processing of personal data in accordance with the General Data Protection Regulation and other internal acts of LAV i VUK d.o.o. governing the protection of personal data and valid regulations of the Republic of Croatia in the field of personal data protection.
Each organizational unit within LAV i VUK d.o.o. with the head of the organizational unit undertakes and implements appropriate technical and organizational measures.
Employees of the company LAV i VUK d.o.o. are obliged to report all irregularities related to the processing of personal data to the e-mail address of the company, or to the Data Protection Officer, if appointed.
LAV i VUK d.o.o. will continuously and in accordance with business needs provide training for its employees in the field of personal data protection.
Liability of other persons
Article 25
All legal and/or natural persons in the course of doing business with LAV i VUK d.o.o. are obliged to comply with the provisions of this Rulebook and other internal acts of LAV i VUK d.o.o. that govern the protection of personal data, and LAV i VUK d.o.o. will inform them of its rules and processes for the protection of personal data.
IV PROTECTION OF THE RESPONDENT’S RIGHTS
Article 26
LAV i VUK d.o.o. will, no later than within 15 days from the submission of the request to each respondent at his personal request, or at the request of his legal representative or attorney:
– submit a confirmation on whether personal data relating to him are processed or not;
– give notice in an understandable form about the data related to him, whose processing is in progress, as well as about the source of this data;
– enable access to the records of processing activities and access to personal data contained in the records of processing activities that relate to him and their overwriting;
– submit extracts, confirmations or printouts of personal data contained in the records of processing activities related to him, which must also contain an indication of the purpose and legal basis for the collection, processing and use of such data;
– submit a printout of information about who and for what purposes and on what legal basis obtained the use of personal data relating to him;
– give notification about the automatic processing of data related to him.
LAV i VUK d.o.o. will, at the request of the respondent, i.e. his legal representatives or attorneys, supplement, change or delete personal data if the data is incomplete, incorrect or out of date, and if its processing is not in accordance with the General Protection Data Regulation and valid regulations of the Republic of Croatia in the field of data protection personal data.
Regardless of the respondent’s request, LAV i VUK d.o.o. will delete, supplement and/or change the respondent's personal data if it determines that the personal data is incomplete, incorrect or out of date. About the deletion, change and/or addition of personal data, the Company will notify the respondent to whom the personal data relates and the recipient of the personal data within 30 days at the latest.
V TRANSITIONAL AND FINAL PROVISIONS
Article 27
This Rulebook is in effect from December 15, 2024.
Article 28
The authentic interpretation of the provisions of this Rulebook is provided by the management of the company – LAV i VUK d.o.o. In Zadar, December 15, 2024.
LAV i VUK d.o.o.
