O R D I N A N C E

on the methods of processing and use of personal data of the TEILLER d.o.o. company

GENERAL PROVISIONS

Article 1

This Ordinance, with the aim of protecting personal data, regulates the categories of personal data processed, the purposes of processing, and the processing and protection of personal data.

In terms of the obligations it imposes, this Ordinance applies to customers, employees and third parties in a contractual relationship with the TEILLER d.o.o. company (hereinafter: TEILLER), and to other persons whose personal data TEILLER processes (together: Data Subjects), in the part concerning the processing of personal data and insofar as the provisions of individual contracts do not provide otherwise.

This Ordinance does not apply to the processing of data concerning legal persons, including their form and contact details.

An integral part of this Ordinance are appendices related to the processing of personal data of certain categories of Data Subjects.

The provisions of the General Data Protection Regulation (GDPR) and the Law on the Implementation of the General Data Protection Regulation shall apply directly to all relations not regulated by this Ordinance.

Article 2

As a data controller, TEILLER undertakes to process personal data in a legal, fair and transparent manner.

Basic information about the Controller:

TEILLER d.o.o., Nova cesta 2, Krapinske toplice, Personal ID no.: 80196255049

Article 3

For the purposes of this Ordinance, the following terms have the following meanings:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
  4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. ‘controller’ means the TEILLER d.o.o. company;
  6. ‘data subject’ means customers, employees, business partners, third parties in a contractual relationship, and other persons whose personal data are processed by the TEILLER d.o.o. company;
  7. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
  8. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  9. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  10. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  11. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  12. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  13. TEILLER’s ‘main establishment’ means the Republic of Croatia;
  14. ‘data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  15. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  16. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
  17. ‘supervisory authority’ means the Croatian Personal Data Protection Agency;
  18. ‘regulation’ means the General Data Protection Regulation;
  19. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of the Regulation, or whether envisaged action in relation to the controller or processor complies with the Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
  20. ‘employee’ means a person employed by the company (including on the basis of employment contracts, service and copyright contracts, student contracts, and other legal forms).

PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

Article 4

  1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, except in the case of processing for scientific, statistical or research purposes (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5

The legality of processing is ensured in such a way that when processing the personal data of the data subject, at least one of the following bases of processing must be met:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Article 6

If the controller processes personal data for a purpose other than the one for which the data were originally collected, and that further processing is compatible with the original purpose, the controller will consider the legal basis of the initial processing sufficient for the subsequent processing.

Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a law to which the controller is subject, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards.

CONSENT

Article 7

When the processing of the Data Subject’s personal data is based on consent, the controller must prove the existence of consent.

The data subject may also give consent as part of a document relating to other issues, but the request relating to consent must be, as clearly as possible, separated from the rest of the text and understandable to the Data Subject.

The data subject has the right to withdraw his or her consent at any time in the same form as the consent was given.

Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. Prior to giving consent, the data subject shall be informed of the right to withdraw it. If the consent of the Data Subject is only one of the grounds for the processing of personal data, TEILLER is authorized to continue processing the personal data on another legal basis.

THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Article 8

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
  2. Paragraph 1 of this Article shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law of the Republic of Croatia provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by the law of the Republic of Croatia or a collective agreement pursuant to state law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of the law of the Republic of Croatia which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes and is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

BIOMETRIC DATA PROCESSING

Article 9

The processing of biometric data may be carried out for the purpose of protecting persons, property, classified data or business secrets, or for the individual and secure identification of service users, provided that the interests of the data subjects opposed to the processing of biometric data referred to in this Article do not prevail.

The legal basis for the processing of biometric data of data subjects for the purpose of secure identification of service users is the explicit consent of the Data Subject.

The processing of employee biometric data is allowed for the purpose of recording working hours and for entering and leaving official premises, if prescribed by law or if such processing is offered as an alternative to another solution for recording working hours or entering and leaving official premises, provided that the employee has given explicit consent to such processing of biometric data in accordance with the provisions of the General Data Protection Regulation.

VIDEO SURVEILLANCE 

Article 10

  1. Video surveillance in the sense of the provisions of this Ordinance refers to the collection and further processing of personal data, which includes the creation of a recording that forms or is intended to form part of a storage system.
  2. The processing of personal data through video surveillance may be carried out only for a purpose that is necessary and justified for the protection of persons and property, provided that the interests of the data subjects opposed to the processing of data through video surveillance do not prevail.
  3. Video surveillance may cover only rooms or parts of rooms whose surveillance is necessary in order to achieve the purpose referred to in paragraph 2 of this Article.
  4. The controller or the processor is obliged to indicate that the object or an individual room in it is under video surveillance, and the marking must be visible at the latest when entering the perimeter of the recording.
  5. The notification referred to in paragraph 4 of this Article should contain all relevant information, and in particular a simple and easy-to-understand picture with text providing the following information to the data subjects:

-that the room is under video surveillance,
-data on the processor,
-contact data through which the data subject can exercise his or her rights.

  6. The responsible person of the controller or the processor, and/or a person authorized by him or her, has the right to access personal data collected through video surveillance.
  7. Persons referred to in paragraph 6 of this Article may not use recordings from the video surveillance system contrary to the purpose set out in paragraph 2 of this Article of the Ordinance.
  8. The video surveillance system must be protected from access by unauthorised persons.

Article 11

Recordings obtained through video surveillance may be kept for a maximum of 6 months, unless another law prescribes a longer retention period or the recordings are used as evidence in court, administrative, arbitration or other equivalent proceedings.

Video surveillance of work premises

Article 12

  1. The processing of personal data of employees through the video surveillance system may be carried out only if, in addition to the conditions set out in this Ordinance, the conditions set out in the regulations governing safety at work are met, if employees were individually notified in advance of such a measure, and if the employer informed employees before making the decision to set up a video surveillance system.
  2. Video surveillance of work premises must not include premises for rest, personal hygiene and changing.

INFORMATION AND ACCESS TO PERSONAL DATA

Article 13

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 5(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation;

(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(i) where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(j) the right to lodge a complaint with a supervisory authority;

(k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(l) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in the previous paragraph.

The obligations of the controller referred to in this Article shall not apply where and insofar as the data subject already has the information.

The information referred to in Article 13 and Article 14 of this Ordinance shall be provided in a concise and comprehensible manner, and in writing or by other means, including, where appropriate, electronically. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Article 14

  1. If personal data are not obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation;

(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(h) where the processing is based on point (f) of Article 5(1), the legitimate interests pursued by the controller or by a third party;

(i) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(j) where processing is based on Data Subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(k) the right to lodge a complaint with a supervisory authority;

(l) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(m) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide the information referred to in the previous paragraph:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in the previous paragraph.

The obligations of the controller referred to in this Article shall not apply where and insofar as:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,

(c) obtaining or disclosure is expressly laid down by the law of the Republic of Croatia to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by the state law, including a statutory obligation of secrecy.

RIGHT OF ACCESS BY THE DATA SUBJECT

Article 15

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used

RIGHT TO RECTIFICATION 

Article 16

The data subject has the right to obtain from the controller, without undue delay, the correction of inaccurate personal data relating to him or her. Taking into account the purposes of processing, the data subject has the right to supplement incomplete personal data, including by giving an additional statement.

RIGHT TO ERASURE 

Article 17

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) of this Ordinance and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of this Ordinance;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in the law of the Republic of Croatia;

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 of this Article to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 of this Article shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with the provisions of the Ordinance;

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

(e) for the establishment, exercise or defence of legal claims.

RIGHT TO RESTRICTION OF PROCESSING

Article 18

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) of this Ordinance, pending the verification whether the legitimate grounds of the controller override those of the data subject.

  2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Republic of Croatia.
  3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of this Ordinance to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.  The controller shall inform the data subject about those recipients if the data subject requests it.

RIGHT TO DATA PORTABILITY 

Article 20

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent or on a contract;

(b) the processing is carried out by automated means.

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

RIGHT TO OBJECT

Article 21

  1. The data subject shall have the right to object at any time to processing of personal data when it is based on a task of public interest, on the exercise of official powers of the controller or on the legitimate interests of the controller.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 of this Article shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to the provisions of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

SUBMISSION OF REQUESTS AND COMPLAINTS OF DATA SUBJECTS

Article 22

All requests and objections provided for in Articles 15-22 of this Ordinance and in the Regulation shall be submitted by the data subject to TEILLER, as the controller, in writing (by registered letter with confirmation of delivery) to the address:

TEILLER d.o.o., Nova cesta 2, Krapinske toplice, Personal ID no.: 80196255049

or

by e-mail to the e-mail address:

info@teiller.com

TEILLER will act upon the requests of the data subject within 30 days of the proper receipt of the request.

The time limit referred to in the previous paragraph may be extended by an additional two months, taking into account the complexity of the request.

Where TEILLER is unable to act on the request, it will inform the data subject accordingly.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either refuse to act on the request or ask for advance payment of the handling fee.

The fee shall be determined by a decision of the responsible person of the company.

Where the controller has reasonable doubts about the identity of the data subject making the request, it may request additional information from the data subject in order to confirm his or her identity.

In the event of a change in TEILLER’s contact details, the new details will be published on the official website (www.TEILLER.com) and/or TEILLER’s notice board.

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

Article 23

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

  2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by the law of the Republic of Croatia to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 8(1), unless point (a) or (g) of Article 8(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

RESPONSIBILITY OF THE CONTROLLER

Article 24

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Ordinance and the Regulation. Those measures shall be reviewed and updated where necessary.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of this Ordinance, the Regulation and the implementing law and to protect the rights of data subjects.

The controller shall, within the scope of its capabilities, implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

The controller may, by a special general act, specify the protocols and the technical, physical and organisational security measures it takes in applying this Article of the Ordinance.

PROCESSOR

Article 25

In order to process the personal data of the data subject, the controller may engage a processor.

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Ordinance and ensure the protection of the rights of the data subject.

RECORDS OF PROCESSING ACTIVITIES

Article 26

  1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 35(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 28(1) of the Ordinance.

  2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case specified in the Regulation, the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 28(1).

  3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
  4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
  5. The obligations referred to in this Article shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 8(1) or personal data relating to criminal convictions and offences.

Article 27

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Article 28

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

NOTIFICATION TO THE SUPERVISORY AUTHORITY

Article 29

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with the Regulation, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  2. The processor shall notify the controller in accordance with the Regulation without undue delay after becoming aware of a personal data breach.
  3. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

COMMUNICATION OF A BREACH TO THE DATA SUBJECT

Article 30

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

  2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach.
  3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

DATA PROTECTION IMPACT ASSESSMENT

Article 31

  1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, except in the cases provided for in Article 35(10) of the Regulation. A single assessment may address a set of similar processing operations that present similar high risks.
  2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
  3. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under paragraph 1 of this Article indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

DATA PROTECTION OFFICER

Article 32

The controller and the processor may designate a data protection officer in accordance with the provisions of the Data Protection Regulation.

When designated, data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Ordinance.

In the event of designation of a Data Protection Officer, TEILLER will publish a notice to that effect, as well as contact details, on its website, and will notify the supervisory authority.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Article 33

Every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her violates a right protected by the provisions of this Ordinance, the Regulation and the Law on the Implementation of the General Regulation.

TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION

Article 34

The transfer of personal data to a third country or an international organisation is permitted where the Commission has, in accordance with the Regulation, determined by an adequacy decision that the third country or international organisation in question ensures an adequate level of protection.

In the absence of a decision pursuant to the previous paragraph, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards referred to in paragraph 2 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules;

(c) standard data protection clauses adopted by the Commission in accordance with the Regulation;

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the Regulation;

(e) an approved code of conduct;

(f) an approved certification mechanism.

Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 2 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Article 35

  1. In the absence of an adequacy decision pursuant to Article 34(1), or of appropriate safeguards pursuant to Article 34(2) and (3), including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

  2. Where a transfer could not be based on a provision of Article 34, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in paragraph 1 of this Article is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.

  3. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued.

EMPLOYEE OBLIGATIONS

Article 36

When processing personal data, employees of the TEILLER d.o.o. company are obliged to be guided by the principles of confidentiality and security in handling those data. Employees shall process personal data in accordance with the provisions of this Ordinance and the instructions of the Employer. The data shall be used exclusively for the purposes for which the processing is intended and shall not be made available to persons who are not authorised to receive them.

FINAL PROVISIONS

Article 37

The rights and obligations under this Ordinance shall be exercised, as appropriate, by issuing special statements/contracts/annexes with clients, employees, or third parties to whom this Ordinance applies.

Where no special statements/contracts are concluded, and in matters not regulated by those separate legal documents, the provisions of this Ordinance and the Regulation shall apply directly to relations concerning the processing of personal data.

Article 38

This Ordinance shall enter into force on the eighth day from the day of its publication on the notice board.

Article 39

This Ordinance is amended in the manner prescribed for its adoption.

TEILLER d.o.o.
by the company director

Krapinske toplice, January 11, 2021

Annex 1 – Processing of personal data of employees (including processing on the basis of employment contracts, service and copyright contracts and student contracts, and in the recruitment/hiring of candidates)

Each entry below states, for one category of processing: the personal data processed, the purpose of processing, the legal basis of processing, the categories of data recipients/third parties, and the period of data use.

Entry 1

Personal data:
  • Name and surname
  • Date of birth
  • Personal ID no.
  • Place and country of birth
  • Address, place and country of permanent/temporary residence
  • Resume
  • Photograph
  • Copy of ID card
  • Parents’ data (father or mother)
  • Education and degree data
  • Account number/IBAN
  • Citizenship
  • Birth certificate
  • Children’s birth certificate
  • Tax card
  • Length of service data
  • Health data
  • Income data
  • Signature
  • Scholarship data (student contracts only)

Purpose of processing: Rights and obligations arising from the employment relationship, and legal obligations of the employer towards third parties: employment (concluding a contract, registration with HZMO and HZZO, etc.), issuing certificates (e.g. for the enrolment of children in kindergarten), salary payment, implementation of occupational safety, and other obligations of the employer under legal regulations. Health data are processed for limited purposes related to legal obligations and to the exercise of rights and obligations provided by the health and social care systems.

Legal basis of processing: Legal obligation (Pension Insurance Act, Labour Act, Occupational Safety and Health Act, etc.)

Categories of data recipients/third parties:
  • Croatian Bureau of Statistics – reports on salaries, etc.
  • Croatian Pension Insurance Institute
  • Croatian Institute for Health Insurance
  • Tax Administration – JOPPD forms (reports on payments made and income paid): for the payment of income (salaries, non-taxable payments and fees) to employees; for the payment of income (fees) to other staff (authors); for the payment of income (scholarships) to students
  • Banks
  • Credit card companies
  • Other competent authorities

Period of data use: Permanently for the duration of the employment relationship and, where justified reasons and obligations exist, also after its expiry, with regular updating of data.

Entry 2

Personal data:
  • Name and surname
  • Date of birth
  • Personal ID no.
  • Contact information
  • Place and country of birth
  • Address, place and country of permanent/temporary residence
  • Resume
  • Photograph
  • Education and degree data
  • Certificate of nationality/Citizenship
  • Length of service data
  • Health data
  • Signature
  • E-mail
  • Scholarship data (student contracts only)

Purpose of processing: Candidate recruitment/recruitment process.

Legal basis of processing: Contract (a condition for concluding a contract); legitimate interest (when conducting the recruitment process it is necessary to collect the candidate’s personal data).

Categories of data recipients/third parties: Employment agencies

Period of data use: For the duration of the procedure, and up to a maximum of 2 years where the candidate is entered in the database of potential employees.

Entry 3

Personal data:
  • Name and surname
  • Date of birth
  • Personal ID no.
  • Place and country of birth
  • Address, place and country of permanent/temporary residence
  • Resume
  • Photograph
  • Education and degree data
  • Account number/IBAN
  • Certificate of nationality/Citizenship
  • Birth certificate
  • Children’s birth certificate
  • Tax card
  • Length of service data
  • Health data
  • Income data
  • Signature
  • Scholarship data (student contracts only)

Purpose of processing: Rights and obligations arising from employment. The purpose includes rights and obligations under employment contracts, additional contracts based on employment and the general acts of the employer. Health data are processed for limited purposes related to legal obligations and to the exercise of rights and obligations provided by the health and social care systems. The processing of these data is necessary for employment.

Legal basis of processing: Contract

Categories of data recipients/third parties: Competent public bodies, judicial bodies; legal representatives of TEILLER; accounting; audit firms

Period of data use: Permanently for the duration of the employment relationship and, where justified reasons and obligations exist, also after its expiry, with regular updating of data.

Entry 4

Personal data:
  • Name and surname
  • E-mail
  • Phone number
  • Mobile phone number

Purpose of processing: Communication within the TEILLER company; communication with business partners, clients, etc.

Legal basis of processing: 1. Contract (a condition for concluding a contract). 2. Legitimate interest of the employer (necessity of performing the company’s main business).

Categories of data recipients/third parties: Business partners, clients, etc.

Period of data use: For the duration of the employment relationship and, where justified reasons and obligations exist, also after its expiry, with regular updating of data.

Entry 5

Personal data:
  • Name and surname
  • E-mail
  • Phone number
  • Mobile phone number

Purpose of processing: Use of web platforms for business communication

Legal basis of processing: Contract

Categories of data recipients/third parties: Business partners, clients, etc.

Period of data use: During the employment

Entry 6

Personal data:
  • Biometric data

Purpose of processing: Protection of property, persons and business secrets.

Legal basis of processing: Legitimate interest of the employer (creating a safe environment, business insurance)

Categories of data recipients/third parties: If necessary, external companies that provide complementary services

Period of data use: For the duration of the employment and, where necessary, longer for justified purposes.

Entry 7

Personal data:
  • Personal data collected through video surveillance

Purpose of processing: Protection of property and persons, security assurance.

Legal basis of processing: Legitimate interest of the employer. If video surveillance of work premises is performed, TEILLER will inform employees about it.

Categories of data recipients/third parties: If necessary, the competent judicial bodies, law firms, etc.

Period of data use: Max. 6 months, except as otherwise permitted by law

Entry 8

Personal data:
  • Name and surname
  • E-mail
  • Phone number
  • Photograph
  • Video record

Purpose of processing: Publication on the website and in TEILLER presentation materials in order to inform about products and business methods, advise clients, etc.

Legal basis of processing: 1. Contract. 2. Legitimate interest of the employer (e.g. the employer’s interest in giving interested persons insight into data on TEILLER employees in company presentations, etc.)

Categories of data recipients/third parties: Website visitors, recipients of materials, etc.

Period of data use: For the duration of the employment relationship and, where justified reasons and obligations exist, also after its expiry, with regular updating of data.

Entry 9

Personal data:
  • Name and surname
  • Photograph
  • Video record
  • E-mail

Purpose of processing: Marketing and promotional activities

Legal basis of processing: 1. Contract. 2. Legitimate interest of the employer (the employer’s interest in publishing certain content for the purpose of promoting TEILLER)

Categories of data recipients/third parties: Event organisers, advertising agencies, media, social networks, brochures, etc.

Period of data use: Occasionally, according to activities

Entry 10

Personal data:
  • Name and surname
  • Personal ID no.
  • E-mail
  • Security data for access to the user account
  • Mobile phone number
  • Phone number
  • Photograph

Purpose of processing: Opening, protection and maintenance of e-mail accounts; borrowing and returning equipment

Legal basis of processing: Contract

Categories of data recipients/third parties: System operators and, if necessary, external companies that maintain ICT systems

Period of data use: During the employment

Entry 11

Personal data:
  • Name and surname
  • Personal ID no.
  • E-mail
  • Security data for access to the user account
  • Mobile phone number
  • Phone number

Purpose of processing: Preventing unauthorised access to electronic communications networks and the spread of malicious code, stopping attacks, preventing damage to computer and electronic communications systems, and ensuring the capabilities of the network and ICT systems

Legal basis of processing: Contract; legitimate interest of the employer (protection of ICT systems)

Categories of data recipients/third parties: System operators and, if necessary, external companies that maintain ICT systems

Period of data use: For the duration of the employment relationship and, where justified reasons and obligations exist, also after its expiry, with regular updating of data.

Entry 12

Personal data:
  • Name and surname
  • Personal ID no.
  • E-mail
  • Security data for access to the user account, computer and other communication systems

Purpose of processing: Supervision of business e-mail and other communications of employees, in the exceptional case of suspicion of unauthorised data transfer, disclosure of business secrets, breach of employment obligations, mobbing, etc.

Legal basis of processing: Legitimate interest of the employer (prevention of damage, protection of the business)

Categories of data recipients/third parties: Judicial bodies, lawyers, etc.

Period of data use: During the employment and, in the case of legal proceedings, also after its expiry.

Entry 13

Personal data:
  • Name and surname
  • Date of birth
  • Personal ID no.
  • Place and country of birth
  • Place and country of permanent/temporary residence
  • Parents’ data (name and surname of the father or mother)
  • Signature

Purpose of processing: Disciplinary and other legal proceedings in accordance with the general acts of the TEILLER company

Legal basis of processing: Contract

Categories of data recipients/third parties: Judicial bodies, lawyers, etc.

Period of data use: Archived as needed for the duration of the proceedings

Entry 14

Personal data:
  • Name and surname
  • Address
  • Personal ID no.
  • Security data for access to the user account, computer and other communication systems
  • E-mail
  • Phone number
  • Mobile phone number

Purpose of processing: Execution of contracts arising from the company’s business

Legal basis of processing: Contract; legitimate interest of the employer (it is necessary to process personal data in the course of conducting the company’s main business activity and to provide them to business partners, customers, etc.)

Categories of data recipients/third parties: Customers, business partners, third parties related to the business process

Period of data use: Limited, depending on the nature of the contract

Annex 2 – Processing of personal data of customers, suppliers and business partners of the TEILLER company

Personal data provided here will be processed in accordance with the intended purposes. Each entry below states, for one category of processing: the personal data processed, the purpose of processing, the legal basis of processing, the transfer of data to third parties, and the period of data use.

Entry 1

Personal data:
  • Name and surname
  • E-mail
  • Address
  • Phone number
  • IBAN
  • Payment data (card numbers, security code, etc.)
  • A recording of the conversation

Purpose of processing: Concluding and executing contracts for the sale of goods and other business contracts, and the later exercise of warranty and complaint rights or the return of funds to the account

Legal basis of processing: Contract

Transfer of data to third parties:
  1. Bank
  2. Delivery services
  3. Equipment manufacturers (related to the use of warranty)
  4. Credit card companies
  5. Bookkeeping
  6. Auditing companies

Period of data use: PERMANENTLY, in accordance with the legal framework

Entry 2

Personal data:
  • E-mail

Purpose of processing: Resolving claims from complaints; communication with customers

Legal basis of processing: Contract

Transfer of data to third parties: Manufacturer (related to the use of warranty)

Period of data use: PERMANENTLY

Entry 3

Personal data:
  • Address
  • Mobile phone number
  • Phone number

Purpose of processing: Delivery of goods where agreed under the contract

Legal basis of processing: Contract (a condition for fulfilling the contract where delivery is required)

Transfer of data to third parties: Delivery services

Period of data use: Until the service is performed

Entry 4

Personal data:
  • Personal data collected through video surveillance

Purpose of processing: Protection of property and persons

Legal basis of processing: Legitimate interest (protection of property, ensuring security for customers and employees)

Transfer of data to third parties: If necessary, the competent judicial bodies, law firms, etc.

Period of data use: Max. 6 months, except as otherwise permitted by law

Entry 5

Personal data:
  • Name and surname
  • Personal ID no.
  • IBAN
  • Date of birth
  • Place and country of birth
  • Place and country of permanent/temporary residence
  • Information on payment and other conditions from the contract
  • A recording of the conversation

Purpose of processing: Data processing for the purposes of judicial and administrative proceedings

Legal basis of processing: Legitimate interest in case of breach of contract

Transfer of data to third parties: Courts, governing bodies, legal representatives and other related judicial bodies

Period of data use: If necessary, in case judicial or administrative proceedings are initiated

Entry 6

Personal data:
  • Name and surname
  • E-mail
  • Address
  • Phone number

Purpose of processing: Delivery of notifications to customers about new products and benefits (newsletter, telephone notification, etc.)

Legal basis of processing: Legitimate interest (since customers have done business with the company, it is in the business interest to inform them about new products and benefits)

Transfer of data to third parties: (none specified)

Period of data use: Permanently, unless the customer notifies the company that he or she no longer wishes to receive notifications

Entry 7

Personal data:
  • Name and surname/Name
  • Personal ID no.
  • Registration number
  • IBAN
  • Address, place and country
  • E-mail
  • Phone number
  • Mobile phone number

Purpose of processing: Communication with business partners and clients of the company; issuance and receipt of inquiries, offers, and outgoing and incoming documents

Legal basis of processing: 1. Contract. 2. Legitimate business interest

Transfer of data to third parties: Banks; Tax Administration and other competent authorities

Period of data use: For the duration of the business relationship and, where justified reasons and obligations exist, also after its expiry, with regular updating of data.