"Bread and Wine" trade
Ivana Jeličić bb
51266 Selce
OIB: 96024309528
Introductory provisions
This Policy establishes a responsible and transparent framework for ensuring compliance with the General Data Protection Regulation. The Policy applies to all organizational parts of Obrt „Kruh i Vino“ (hereinafter referred to as the DATA CONTROLLER) and to all employees, including part-time and temporary workers, as well as to all external collaborators acting on behalf of the Data Controller.
Policy statement
The Controller is committed to operating in accordance with all laws, regulations and the highest standards of ethical business practices. This policy sets out the expected conduct of the Controller's employees and its external collaborators who are involved in the collection, use, storage, transfer, disclosure or destruction of any personal data belonging to the Controller's employees, business partners and other natural persons. The purpose of the policy is to standardize the protection of the rights and freedoms of data subjects by preserving the privacy of their personal data in all aspects of the Controller's operations that include personal data. This policy establishes that the CONTROLLER will not disclose personal data to a third party without authorization, nor act in a manner that compromises them.
Principles of personal data processing
The controller adopts the following principles, to be followed when collecting, using, retaining, transferring and destroying personal data:
LEGITIMACY, FAIRNESS AND TRANSPARENCY
Personal data will be processed legitimately, fairly and transparently towards the data subject. This means that the controller will inform the data subject in all relevant situations about how the data will be processed (transparency), that the processing will be carried out exclusively in accordance with that information (fairness), and that it will be carried out in accordance with a purpose permitted by the applicable law on the protection of personal data (legitimacy).
PURPOSE LIMITATION
Personal data will be collected for clearly defined and legitimate purposes and will not be processed in any way that is incompatible with those purposes. This means that the controller must clearly state what the collected data will be used for and limit the processing of personal data to only those processes that are necessary to achieve those purposes.
DATA MINIMIZATION
The personal data collected will be relevant and limited to what is necessary to achieve the purpose of their processing. This means that the controller will not collect, process or store more personal data than is strictly necessary.
ACCURACY OF DATA
Collected personal data will be accurate and up-to-date, which means that the controller will have developed procedures for detecting and dealing with outdated, inaccurate and unnecessary personal data.
CAREFUL DATA STORAGE
Personal data will not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes of the processing. This means that the controller will, wherever possible, store personal data in a form which limits or prevents identification of data subjects.
DATA SECURITY
Personal data will be processed and stored in a manner that ensures adequate protection against violations such as unauthorized and unlawful processing and accidental loss, destruction or damage to data. The controller will implement appropriate technological and organizational measures described in the Personal Data Security Policy to ensure the integrity and confidentiality of personal data at all times.
PRIVACY BUILT INTO SYSTEM DESIGN
When designing new systems and processes, and when reviewing or expanding existing ones, the controller will take care to apply all of these principles so as to protect the privacy of data subjects as far as possible.
Rights of data subjects
All data subjects whose data the controller collects and processes have the following rights:
RIGHT TO ACCESS INFORMATION
Each data subject has the right to a copy of the data that the controller holds in its records, for the purpose of inspection. In addition to the right to access their own data, the data subject also has the right to information about:
purpose of processing and legal basis for processing
legitimate interest, if processing is based on it
types and categories of collected personal data
third parties to whom the data is forwarded
data retention period
source of the personal data, if it was not collected from the data subject
All information should be provided to the data subject in clear and plain language to ensure understanding, and should be clearly marked and visible so that the data subject does not overlook it. There is a possibility that providing the requested information to the data subject may reveal information about another person. In such cases, it is necessary to anonymize or withhold that information altogether to protect the rights of that person.
RIGHT TO CORRECTION OF DATA
Every data subject has the right to have inaccurate or incomplete data that the controller holds in its records corrected.
RIGHT TO BE FORGOTTEN
Data subjects may request that their data be removed from the controller's records. The request will be considered and granted if it does not conflict with the legal basis for processing the personal data.
THE RIGHT TO LIMIT PROCESSING
Data subjects have the right to limit the scope of processing, in cases where this is applicable.
RIGHT TO DATA TRANSFER
Data subjects have the right to receive a copy of their data for transmission to another controller.
RIGHT TO OBJECT
Data subjects have the right to object, in particular where the processing is based on the legitimate interests of the controller. In such cases, it is necessary to review the purpose of the processing and establish its legal basis and, where applicable, enable the data subject to withdraw consent to the processing of data and/or to stop the processing of their data.
RIGHT TO EVALUATION
Data subjects have the right to request that the supervisory authority assess violations of the provisions of the Regulation and of the controller's internal policies.
RIGHT TO OBJECT TO PROFILING
Data subjects have the right to object to automated profiling and other forms of automated decision-making. In the event that the controller rejects the data subject's request, the response will state the reason for the rejection, which data subjects may appeal to the competent authority for personal data protection (AZOP).
Legal basis
The legal bases for the collection and processing of the personal data of data subjects are as follows:
LEGAL OBLIGATION
The laws governing the controller's business prescribe the sets of data necessary for the performance of legal obligations. For data whose collection and processing is prescribed by law, the controller will not seek the data subject's consent, but will collect only the data prescribed by law and will not use it for other purposes. This applies in particular to data collected pursuant to the following laws and their associated regulations, among which we highlight:
Accounting Law
Value Added Tax Law
Income Tax Law
Labor Law
Rulebook on the content and method of keeping records on workers
EXECUTION OF CONTRACTUAL OBLIGATION
Personal data necessary for the fulfillment of a contractual obligation will be collected by the controller without the consent of the data subject, in the minimum amount necessary for the fulfillment of that obligation.
LEGITIMATE INTEREST
Below, the controller publishes the list of legitimate interests on the basis of which it collects and processes personal data for the purpose of enabling and/or improving its services or products.
PROTECTION OF VITAL INTERESTS OF DATA SUBJECTS
The controller may collect and process personal data without the consent of the data subject if this is done for the purpose of protecting their vital interests.
PUBLIC INTEREST OR EXERCISE OF THE OFFICIAL AUTHORITY OF THE CONTROLLER
Where the controller's activity includes tasks carried out in the public interest, or the data processing is based on another form of official authority, it is not always necessary to inform the data subject about the collection of personal data.
CONSENT
In all other cases, the controller will request consent from the data subject for the collection and processing of personal data, clearly stating the purpose of the processing. The data subject may withdraw consent at any time, after which their data must be removed and the processing terminated. The controller will keep records of active and withdrawn consents in order to ensure the correctness of its business operations.
Legitimate interest
The controller declares the following legitimate interests:
PROTECTION OF PERSONAL DATA GDPR
Data subjects have the right to object to the processing of personal data based on these legitimate interests.
Terms and definitions
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify the protection of personal data of all individuals within the European Union (EU). The regulation also applies to the transfer of personal data outside the EU.
CONTROLLER
The entity that determines the purpose, conditions and method of personal data processing.
PROCESSOR
The entity that performs data processing on behalf of the controller.
PERSONAL DATA PROTECTION AGENCY
State agency whose task is to protect data and privacy, supervise the processes of application of the Regulation, and actively implement the Regulation on the protection of personal data within the European Union.
PERSONAL DATA PROTECTION OFFICER
A data protection professional acting independently to ensure that a business entity operates in accordance with the policies and procedures set out under the Regulation.
DATA SUBJECT
A natural person whose personal data is processed by the controller or by the processor.
PERSONAL DATA
Any information that is linked to a natural person, i.e. the data subject, and that can be used to directly or indirectly identify the person.
PERSONAL DATA PROCESSING
Any activity carried out on personal data, whether automatic or not, which includes the collection, use, creation of records and the like.
PROFILING
Any automated data processing for the purpose of evaluating, analyzing or predicting the behavior of the data subjects.
RIGHT OF ACCESS OF DATA SUBJECTS
Known as the 'right of access', it allows the data subject to access personal data concerning him or her held by the data controller.
Legal regulations
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Law on the Implementation of the General Regulation on Data Protection.