PRIVACY POLICY - PERSONAL DATA PROTECTION

1. General

The company CanDo d.o.o. for trade and services, Oriovac, Zagrebačka 52, VAT no.: 56531095048 conducts business in accordance with the legislation concerning personal data protection, in particular in accordance with the General Data Protection Regulation (Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016) and the Act on the Implementation of the General Data Protection Regulation. In the following text, we would like to inform you of the personal data we collect, for what purpose we use it and how you can monitor these procedures and exercise your rights.

2. Controller and/or processor of personal data

CanDo d.o.o. for trade and services, Oriovac, Zagrebačka 52

VAT no.: 56531095048

email: mislav.kemec@cando.hr

Responsible person:

Mislav Kemec, VAT no.: 65593818248, Oriovac, Braće Radić 38, director

3. Purposes and legal basis of the processing of personal data

3.1. CanDo d.o.o. collects personal data directly from you for the purpose of entering into or executing the agreement/buying and selling of products and providing services, as well as in the course of actions that precede the entering into the agreement (quotes, inquiries and/or requests within the scope of the ordering of products or services, sending inquiries or requests concerning our products or services), or based on other legal grounds.

We use personal data only for established purposes and we do not forward them nor use them for unforeseen or unexpected purposes.

We also collect personal data when you provide us with them, for example by sending an email or in similar situations in which you have chosen to provide your data to us.

3.2. When you wish to enter into an agreement with CanDo d.o.o., submit a request for a quote, request our services and in any case when you enter into a contractual or business relationship with CanDo d.o.o., we process your personal data in order to provide you with the service, that is to enable the use of our products in accordance with your request or so that we can respond to your request. When submitting your request for purchasing a product or providing services, that is when entering into a contractual relationship with CanDo d.o.o., you will be informed of the type of data you are required to provide to us for the purposes of fulfilling your request, that is of entering into and executing the agreement. We do not collect and we do not process data that is not needed for executing the requested service.

The personal data we collect for the purposes stated in this item might include:

– name and surname, maiden name

– address

– OIB (PIN), JMBG

– date, place and country of birth

– sex, marital status

– professional qualification, profession

– members of family

– insured period

– residence

– nationality, ethnicity

– date of start and end of employment

– telephone number

– biometric data – fingerprint for keeping records of the employee’s working hours (with consent).

3.3. CanDo d.o.o. might also ask for your consent to process your data for one or more specific purposes that are ultimately neither a condition for the execution of the agreement nor a legal requirement of CanDo d.o.o., that are not necessary for entering into and executing the agreement, and that are not in your legitimate interest (for example for the purposes of marketing activities, offering new products and services, etc.). You are not required to give consent for such processing, but you are free to do so, and you can withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The request for consent shall be presented to you in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.

3.4. As a legal entity, CanDo d.o.o., naturally, is subject to legal requirements that might also prescribe the obligation to process data for the purpose of fulfilling the purpose prescribed by law. In this event, CanDo d.o.o. conducts the processing of your personal data based on this legal basis prescribed by law.

3.5. Our information systems are protected against unauthorized access, change or transfer of your data, as well as from potential data loss or deletion using technical and organisational measures.

4. Recipient of personal data

4.1. The data we have collected from you and about you remain in the CanDo d.o.o. databases.

Your data might be delivered to third parties:

a) when this is our legal obligation or as a response to a legal proceeding, that is upon the request of competent law enforcement authorities concerning infringement, criminal or other proceedings
b) for the purpose of protecting our rights, privacy, security, property or for the purpose of protecting the public interest
c) for the purpose of administrative or technical support (for example to our accountants, delivery services, etc.) or for other business purposes that facilitate easier transactions with you
d) for the purpose of analysing our data, conducting mobile analytics services or maintaining or enhancing our services (subject to non-disclosure agreements, if appropriate)
e) for the purpose of appealing and/or responding to legal requests that we might be exposed to
f) for the purpose of fulfilling the conditions laid down in any Agreement or business relationship with you
g) in other cases, with your consent.

4.2. Personal data might be transferred to another legal entity in the event of a transfer, change of ownership, reorganisation or merger of the company or part of the company CanDo d.o.o. or its property to another company.

4.3. We might disclose your personal data to members of the group, third parties, service providers or subcontractors. These service providers might be located in a country that is different from your main country, such as the United States of America or a European Union member country. These service providers are contractually obligated to preserve the confidentiality and the safety of your data.

4.4. When sharing data with third parties, CanDo d.o.o. forbids these parties from using your data for any purpose other than the one laid down in the contract, and requires the business partner to preserve the confidentiality of the personal data.

5. Period of storage of personal data

5.1. The period of keeping and storage of your data depends on the type/category of data, the purpose the data was given, i.e. collected for, and the laws or legal obligations CanDo d.o.o. is subject to. We store personal data for as long as is prescribed by law or for as long as is necessary to provide the requested service or to fulfil the purpose for which you gave your consent, unless prescribed otherwise by law (for example in relation to an ongoing court proceeding).

5.2. The data concerning legal obligations of CanDo d.o.o. are stored for the period prescribed by the relevant law – for example the obligation and the period of storing invoices and accounting documents (that also contain your data) is prescribed by the Accounting Act.

5.3. Data for which no storage period is prescribed by law or other regulations is stored for a reasonable period, keeping in mind the category of data and the purpose for which it was collected. Data collected for a particular purpose shall only be used for that purpose, and after the expiry of a reasonable period and the fulfilment of that purpose it will no longer be actively stored. Anonymised data can be used for statistical and marketing purposes, for the purposes of archiving and for other analytical purposes. When providing this data, you will be informed of the storage period, i.e. the criteria by which the storage period for this data is determined.

6. Rights of the data subject

6.1. Concerning the processing of your personal data, we guarantee you the following rights:

(i) right to access to personal data

(ii) right to rectification or supplementation of data

(iii) right to erasure (‘right to be forgotten’)

(iv) right to the restriction of processing

(v) right to object concerning the processing of personal data

(vi) right to data portability

6.2. The request for exercising your rights from the previous item can be submitted via email: mislav.kemec@cando.hr or to the address CanDo d.o.o. for trade and services, Oriovac, Zagrebačka 52. Your requests and inquiries will be processed without undue delay and in accordance with the legal provisions and we will inform you of the measures we have undertaken.

6.3. For the purposes of exercising and protecting their rights, users have the right to lodge a complaint with the supervisory authority – the Croatian Personal Data Protection Agency, Martićeva 14, Zagreb.

On the basis of the provisions of the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation) and the Act on the Implementation of the General Data Protection Regulation (OG 42/2018, hereinafter: Act), the company CanDo d.o.o. for trade and services, Oriovac, Zagrebačka 52, VAT no.: 56531095048 (hereinafter: Controller), adopts the following

RULES ON PERSONAL DATA PROTECTION

General provisions

Article 1

(1) The Controller, as a person obliged to apply the Regulation, regulates with these Rules the protection of individuals (natural persons) with regard to the processing of their personal data.

(2) These Rules do not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Meaning of terms used in these Rules

Article 2

(1) For easier understanding of the Rules and the terms used in them, the definitions of particular expressions are listed below, in accordance with the Regulation and the Act.

(2) Particular expressions have the following meaning:

1) “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3) “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

4) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

5) “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

6) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

7) “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

8) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

9) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

10) “data protection officer” is the person appointed by the controller of the processing of personal data who takes care of the legality of the processing of personal data and the exercising of the right to personal data protection.

FILING SYSTEMS

Article 3

The Controller processes the following categories of personal data:

– personal data of workers of the Controller (working hours records, workers’ salaries, etc.)

– personal data of customers, suppliers and business partners of the Controller

– other personal data collected in accordance with Article 6 of the Regulation.

PROCESSING AND ENCRYPTION OF PERSONAL DATA

Article 4

(1) The data subject’s personal data is processed by the Controller in adherence to the basic principles of personal data processing envisaged by the Regulation:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality.

(2) The data subject’s personal data is processed by the Controller in a lawful, fair and transparent manner. Only appropriate and relevant personal data is processed, exclusively for specified, explicit and legitimate purposes, and it is not further processed in a manner that is incompatible with those purposes.

(3) Personal data processed by the Controller are accurate and updated if necessary. Incorrect personal data is deleted or corrected without undue delay.

(4) The Controller processes personal data exclusively in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

(5) The Controller stores personal data only for as long as is necessary for the purposes for which the personal data is processed. As an exception, personal data can be stored for a longer period, but only if it is processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

(6) In order to ensure that personal data are not kept longer than necessary, the Controller shall periodically review the further need for data storage in relation to the purpose of the data processing, in order to take the necessary steps (e.g. erasing personal data if there are no legislative barriers to doing so).

Legal basis for processing of personal data

Article 5

The Controller processes personal data only if and to the extent that one of the following conditions is met:

– the data subject has given consent to the processing of his or her personal data for one or more specific purposes,

– the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,

– the processing is necessary for compliance with a legal obligation to which the Controller is subject,

– the processing is necessary in order to protect the vital interests of the data subject or of another natural person,

– the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,

– the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Article 6

(1) If the Controller processes personal data for which a consent of the data subject is necessary, the consent can be given on a form provided for that purpose, with the data subject’s signature on the form.

(2) The consent form from the previous paragraph is made in a way that it ensures the application of the provisions of the Regulation concerning the regulation of giving consent, and the written form serves the purpose of proving that the data subject gave their consent for processing of their personal data.

(3) In addition to the mentioned form, any statement or affirmative action in written or electronic form given to the Controller by the data subject, which in its content signifies a clear expression of the data subject’s free, specific, informed and unambiguous consent to the processing of personal data relating to them, shall also be considered consent.

(4) The Controller also processes personal data based on an oral consent (statement) by the data subject, but only under the condition that the Controller can prove that the data subject gave their consent to the processing of their personal data in that form.

(5) The consent by which the data subject agrees to the processing of personal data related to them must be voluntary.

(6) The data subject shall have the right to withdraw his or her consent at any time and the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before giving their consent.

(7) Withdrawal of consent can be done orally, electronically or in written form.

(8) For processing of personal data of a minor, the consent and the withdrawal of the consent is given or approved by the parent/legal guardian, pursuant to previous paragraphs or pursuant to the provisions of the Regulation.

(9) The data subject has the right to withhold their consent.

(10) Where processing is based on consent, the Controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

Processing of special categories of personal data

Article 7

(1) The Controller shall not process particularly sensitive data such as:

  • racial or ethnical origin,
  • political views,
  • religious or philosophical beliefs,
  • genetic data,
  • sex life or sexual orientation of individuals.

(2) The Controller processes data on the health of data subjects, this processing being necessary for the purpose of fulfilling obligations and exercising special rights of the Controller or the data subject, and pursuant to the Mandatory Health Insurance Act, Labour Act, Occupational Health and Safety Act, as well as other relevant regulations from the area of labour law and social security law, as well as social protection falling within the competence of the European Union or the Republic of Croatia.

(3) The Controller processes biometric data of employees (fingerprints) for the purpose of recording working hours, as an alternative to entering working hours into the record sheet; such data are later transferred to the company’s official records of working hours. Biometric data of employees are processed exclusively with the consent of the employee, who is not obliged to give such consent.

(4) When processing other personal data from the category of particularly sensitive data, such processing can be based exclusively on the grounds envisaged by the Regulation.

RIGHTS OF THE DATA SUBJECTS

Article 8

When processing personal data, the Controller provides the data subject with all information related to the processing of their personal data, in particular about the purpose of the processing, the legal basis for the processing, the legitimate interests of the Controller, the intention to transfer the personal data to third parties, the period for which the personal data will be stored, the existence of the data subject’s right to access their personal data, to have it rectified or erased and to restrict its processing, the right to object, and all other information foreseen for the data subject pursuant to the provisions of the Regulation.

Article 9

Pursuant to the Regulation, the Controller ensures that data subjects can exercise the following rights:

  • Right to access,
  • Right to rectification,
  • Right to erasure (right to be forgotten),
  • Right to restriction of processing,
  • Right to data portability,
  • Right to object.

Article 10

(1) The Controller shall immediately, and at the latest within one month from the day of receiving the request from the data subject or their legal representative or attorney:

– enable the data subject to access their personal data and inform them of the purposes of the processing of their personal data, the categories of their personal data that is processed, the recipients or categories of recipients that their personal data has been disclosed to or will be disclosed to, the expected period (that is, the criteria for determining the period) in which the personal data will be stored and in the event when the personal data is not collected from the data subject, their source,

– inform the data subject of their right to request rectification or deletion of personal data (right to be forgotten) or restriction of processing of personal data, and of the right to lodge a complaint with the Croatian Personal Data Protection Agency,

– rectify incorrect personal data or, taking into account the purposes of the processing, complete the incomplete personal data (for example by providing a supplementary statement) regarding the data subject,

– conduct the deletion of personal data regarding the data subject, under the condition that the personal data is no longer necessary for the purpose it has been gathered for or if the data subject withdraws their consent (if the processing is done based on the data subject’s consent) or if the data is unlawfully processed or if such obligation is determined by the European Union law or the law of the Republic of Croatia,

– restrict the processing of the data subject’s personal data, under the condition that the data subject contests the accuracy of the personal data (for the period in which the Controller conducts a check of the accuracy of the personal data) or if the processing is unlawful (but the data subject does not request deletion, rather only the restriction of their usage) or the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,

– submit to the data subject the list of personal data contained in the filing system related to them, directly or via email,

– halt the processing of the data subject’s personal data that is processed based on public interest and the legitimate interest of the Controller or a third party, except in the event when there are reasonable grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(2) The requests are submitted in writing to the Controller or to the data protection officer if one has been appointed.

Article 11

A data subject who believes that a right guaranteed to them under the Regulation or the Act has been breached has the right to lodge a claim for the determination of the breach of rights with the Croatian Personal Data Protection Agency.

DATA PROTECTION OFFICER

Article 12

(1) Pursuant to Article 37 of the Regulation, the Controller can issue a decision designating a data protection officer.

(2) The decision on designating a data protection officer is issued in writing.

(3) In the event of the designation of a data protection officer, the Controller shall inform the Croatian Data Protection Agency of the designation within one month of issuing the decision, and make the official contact details of the data protection officer publicly available on its website or in another suitable manner.

(4) A person against whom a proceeding is open for breach of official duty, i.e. misconduct, who is subject to a measure for breach of official duty, i.e. misconduct, or who is subject to a measure for breach of the norms of ethical codes or other rules of conduct issued by the Controller.

Obligations of the data protection officer

Article 13

(1) The data protection officer is obligated to:

1) monitor the application of the principles of personal data processing prescribed by the Regulation,

2) warn the Controller who carries out the processing on the necessity to apply the regulations governing personal data protection

3) warn all employees who carry out the processing of personal data of their obligations for the purpose of personal data protection

4) enable the data subject to exercise their rights

5) cooperate with the Croatian Personal Data Protection Agency

6) safeguard the confidentiality of all information and data obtained in performing their duties, which they are obligated to do even after they cease to conduct the duties of the data protection officer.

(2) Complaints, requests for deletion, update or rectification of personal data and other issues related to the processing of personal data shall be addressed to the data protection officer or to the Controller if no officer has been designated.

TECHNICAL AND ORGANISATIONAL MEASURES FOR PERSONAL DATA PROTECTION

Article 14

(1) The Controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

1) the pseudonymisation and encryption of personal data,

2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,

3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,

4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

(2) In order to prevent any unauthorised access to data or their loss, data stored in paper form are kept in filing folders in locked cabinets and in rooms that can only be accessed by authorised workers, and data stored in electronic format are kept on a server and are protected by security programs and by the assignment of a unique username and password, known only to the worker processing the personal data.

LEGAL MECHANISMS OF PERSONAL DATA PROTECTION

Article 15

(1) Through the Controller’s Privacy Policy, and in particular through the obligations undertaken under their employment and under these Rules, the workers employed by the Controller are made aware of the obligation to process personal data only for its intended purpose and of the obligation to keep confidential all personal data they have access and authorisation to, and which are stored in the databases kept by the Controller.

(2) A personal data breach is grounds for termination of the employment contract, and in the event of a gross breach it is grounds for extraordinary termination of the employment contract, as well as grounds for damages.

Notification of a personal data breach

Article 16

(1) If it is probable that a personal data breach will result in a risk to the rights and freedoms of data subjects, the Controller must notify the Croatian Data Protection Agency of the breach without undue delay and no later than 72 hours after learning of the breach.

(2) The notification must contain a description of the breach, information on the data subjects and the personal data concerned, a description of the probable consequences of the breach and the contact point of the Controller.

(3) If it is probable that the personal data breach will result in a high risk to the rights and freedoms of data subjects, the Controller is obligated to inform the data subjects of the personal data breach.

Transitional and final provisions

Article 17

(1) These Rules shall enter into force on the day of their adoption.

(2) Upon the entry into force of these Rules, all provisions of previous acts that in any way regulate the matters covered by these Rules shall become void.