PRIVACY POLICY

Recider projekt d.o.o.
Cultural & Travel Advisory and Travel Agency
Rapska 44
HR-10000 Zagreb
ID Number: 98063863907
Person Responsible: Luka Jakopčić, CEO

RULEBOOK ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

I. INTRODUCTION

Article 1

RECIDER PROJEKT d.o.o., headquartered in Zagreb, Rapska 44, OIB: 98063863907 (hereinafter: “Recider projekt”), is obligated to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the “General Data Protection Regulation” or “GDPR”).

In line with the principle of transparency, this Rulebook on the Processing and Protection of Personal Data (hereinafter: the “Rulebook” or “Rules”) is intended for data subjects so they have accurate and complete information about which of their personal data are collected, used, made available, or otherwise processed by Recider projekt and to what extent such personal data are being or will be processed.

II. GENERAL PROVISIONS

Article 2

Pursuant to Article 4 of the GDPR, Recider projekt is the data controller of personal data, which alone or jointly with others determines the purposes and means of the processing of personal data in accordance with national legislation or the law of the European Union (hereinafter: the “EU” or the “Union”).

Article 3

Under the GDPR, certain terms in this Rulebook have the following meanings:

  • “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  • “filing system” means any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
  • “controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  • “recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not;
  • “third party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
  • “data subject’s consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed;
  • “pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Article 4

Recider projekt processes personal data lawfully, fairly, and in a transparent manner.

Recider projekt processes only adequate and relevant personal data, exclusively for specific, explicit, and lawful purposes and does not further process them in a manner incompatible with those purposes.

The personal data Recider projekt processes are accurate and, where necessary, kept up to date. Any inaccurate personal data are erased or rectified without delay.

Recider projekt stores personal data in a form which permits the identification of data subjects only for as long as necessary for the purposes for which the personal data are processed.

Exceptionally, personal data may be stored for longer periods but only if they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

Recider projekt processes personal data in a way that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by using appropriate technical or organizational measures.

III. PERSONAL DATA PROCESSING

Article 5

Recider projekt processes personal data only if and to the extent that at least one of the following conditions is met:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is party;
  • The processing is necessary for compliance with a legal obligation of Recider projekt;
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the purposes of the legitimate interests pursued by Recider projekt or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Article 6

The consent given by the data subject to process personal data concerning him or her must be voluntary, provided in writing in clear, simple, and comprehensible language, clearly indicating the purpose for which it is given, and without any unfair conditions.

Article 7

In the course of personal data processing, Recider projekt shall adequately (in writing or directly orally) provide the data subject with all relevant information regarding the processing of his or her personal data, particularly information about the purpose of the data processing, the legal basis for the processing, the legitimate interests pursued by Recider projekt, whether personal data will be disclosed to third parties, the period for which personal data will be stored, the existence of the data subject’s right of access to personal data, the right to rectification or erasure, the right to restrict processing, the right to object, and other relevant rights.

IV. RIGHTS OF THE DATA SUBJECT

Article 8

A data subject has the right to inspect the personal data held in Recider projekt’s filing system that relate to him or her.

A data subject has the right to obtain a printout of the personal data contained in the filing system that relate to him or her.

Upon the data subject’s request, Recider projekt shall rectify any inaccurate data relating to him or her without delay or, at the data subject’s request, complete any incomplete personal data.

Upon the data subject’s request, Recider projekt shall erase personal data relating to him or her without delay, provided those data are no longer necessary in relation to the purposes for which they were collected, or if the data subject withdraws consent on which the processing is based.

A data subject who believes that any of his or her rights guaranteed by the GDPR have been violated has the right to submit a request to the competent authority to determine whether such a violation has occurred.

Article 9

For the purpose of data protection, Recider projekt, whenever possible—and especially when publicly disclosing information under the Act on the Right of Access to Information—carries out pseudonymization of data.

V. FILING SYSTEM

Article 10

Recider projekt collects and processes the following types of personal data:

  • Personal data of Recider projekt employees;
  • Personal data of job applicants involved in recruitment procedures;
  • Personal data of business partners and external associates;
  • Personal data of individuals for the delivery of marketing materials.

Article 11

For the personal data specified in Article 10 of this Rulebook, Recider projekt keeps records of processing activities.

These records of processing activities include at least the following information:

  • Name and contact information;
  • Purpose of the processing;
  • A description of the categories of data subjects and the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed;
  • The envisaged time limits for erasure of the different categories of data;
  • A general description of the technical and organizational security measures used to protect the data.

Article 12

The Director of Recider projekt shall issue a decision appointing the persons responsible for processing and protecting the personal data referred to in Article 10 of this Rulebook.

VI. MEASURES FOR THE PROTECTION OF PERSONAL DATA

Article 13

To prevent unauthorized access to personal data, data in written form are stored in files in locked cabinets, and data on computers are protected by assigning a username and password known to the employees responsible for data processing. For additional safety and confidentiality, data may also be stored on portable storage devices.

Article 14

Persons entrusted with personal data processing shall take the technical, personnel, and organizational measures necessary to protect personal data from accidental loss or destruction, from unauthorized access or unauthorized alteration, unauthorized disclosure, and any other misuse.

Article 15

This Rulebook is published on Recider projekt’s website and enters into force on September 1, 2018.

For Recider projekt,
Luka Jakopčić, CEO