General terms and conditions of personal data protection
- The privacy of Data subjects is protected by the regulations of the European Union, as well as by the legislation of the Republic of Croatia.
- These General Terms and Conditions were adopted on the basis of and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- These General Terms and Conditions of Personal Data Protection (hereinafter: General Terms) apply in situations where the Company as the Processor is in a contractual relationship with a third party – a Client having the status of a Controller (hereinafter: the Controller and Processor, together: “Contracting Parties”).
- These General Terms shall apply appropriately when the Processor acts in the capacity of the Second Processor and the Controller in the capacity of the Processor.
- Company information:
10 000 Zagreb
Personal identification number: 86132384544
+385 (0)1 6184 831
Notions and their meaning
Personal data – any information relating to an identified or identifiable natural person (Data subject)
Data subject – one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Processing of personal data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Controller – the Client, which determines the purposes and means of the processing of personal data, alone or jointly with others
Processor – the Company that processes personal data for the Controller
User – the third party receiving the services from the Company at the Client’s request
Basic Agreement – any agreement, including the acceptance of an offer, order, or any other document based on which the Company provides a service at the request of the Client (the Controller), concluded or accepted between the Contracting Parties for the purpose of providing services from the business scope of the Company for the Client, under which the Company comes or could come into contact with the personal data of the Client or User.
Supervisory authority – an independent public authority established by the Republic of Croatia for the purpose of control and ensuring the implementation of the GDPR
Consent – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed
Pseudonymization – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Principles relating to the processing of personal data
- The General Data Protection Regulation sets out the following principles for the processing of personal data that the Contracting Parties must apply:
- a) Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- b) Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes and according to the provisions of the General Data Protection Regulation that regulate safeguards and derogations related to archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall not be considered to be incompatible with the initial purposes;
- c) Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- d) Personal data shall be accurate and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- f) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures;
- g) The Controller shall be responsible for compliance with the above-stated principles and shall be able to demonstrate that compliance.
The basis for processing and the type of personal data
- The Company may, acting in the capacity of the Processor during the performance of services, view, collect, use, forward, and in any other way process personal data of the Controller and/or user, and other persons whose identity can be determined directly or indirectly (hereinafter: Data subjects).
- Depending on the nature of the business relationship, the Company may process different types of Data subject’s personal data. This includes identification and contact information, including, but not limited to: name and surname, permanent and/or temporary residence address, personal identification number (PIN), date, place, and country of birth, citizenship(s), title and number of the identification document with the title and country of issuing authority.
Controller’s and Processor’s mutual relationship
- By concluding the Basic Agreement, the Controller confirms that it fully complies with all legal obligations related to personal data protection and the General Data Protection Regulation.
- The Processor provides sufficient guarantees in respect of the implementation of appropriate personal data protection measures, in that it holds a Facility Security Clearance at the security classification level “Confidential” issued by the Croatian Office of the National Security Council, and operates an integrated quality management and information security management system in accordance with the requirements of the ISO 9001 and ISO 27001 standards.
- The Controller shall, wherever it is able to do so, first render illegible or otherwise conceal all personal data that the Processor may access, so that even the viewing of such data does not constitute the processing of personal data.
- In case the processing of personal data is required within the scope of the Processor’s obligations under the Basic Agreement, the Controller shall deliver the required information to the Processor before the beginning of the processing of personal data by the Processor and ensure the following:
- a) the Processor’s expert accessing the data is authorized in such a way that the expert can be unambiguously identified (separate account and login; no shared accounts for system login);
- b) the system being accessed supports the logging of access and operations (at least: the login account, login and log-off time stamps, and logging of data viewing and data alteration);
- c) in case the data is processed at the Controller’s location, a separate secured room is provided in which the Processor’s expert processes the personal data.
- The Controller is not authorized to give anyone else access to the personal data via the secured access made available to the Processor, to engage another processor who would access the personal data via that secured access, or to access the personal data itself via the secured access intended for the Processor.
- The Processor shall process the personal data only on documented instructions from the Controller unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Processor shall ensure that the Processor’s experts in charge of processing personal data in the scope of fulfilling the Processor’s obligations under the Basic Agreement concluded between the Contracting Parties commit themselves by written statements of confidentiality, that is, subject themselves to legally binding confidentiality obligations.
- Within the scope of meeting the obligations under the Basic Agreement by the Processor, the Contracting Parties implement appropriate technical and organizational protection measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymization and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- The Contracting Parties shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to personal data does not process them except on instructions from the Controller unless he or she is required to do so by Union or Member State law.
- The Controller provides the Processor with general written authorization to engage another processor.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations shall be imposed on that other processor by way of a contract.
- The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation, for which the Controller commits to pay a fee to the Processor pursuant to the accepted offer of the Processor for providing those services.
- The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor, for which the Controller commits to pay a fee to the Processor pursuant to the accepted offer of the Processor for providing those services.
- The Processor deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires the storage of the personal data.
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down herein, and shall allow for and contribute to audits, including inspections, conducted by the Controller or by another auditor mandated by the Controller.
- In case the Processor believes the documented instructions violate the data subjects’ rights, it shall inform the Controller of such an instance.
- To avoid any doubt, in case the Processor is developing an application code at the Client’s request, the Client shall ensure that the Client meets all obligations related to the protection of personal data, especially in relation to application design and architecture.
- The Processor shall notify the Controller without undue delay after becoming aware of a breach of personal data being processed under the Basic Agreement.
Details relating to the processing of personal data
- By concluding the Basic Agreement, unless concluded differently between the parties, the Controller shall give a written instruction to the Processor with the following details relating to processing:
- a) Nature, Purpose, and Object of Processing: Personal data are processed in order to fulfill the contracted obligations of the Processor under the Basic Agreement.
- b) The duration of processing: It corresponds to the duration of the Basic Agreement concluded between the parties.
- c) Categories of data subjects / processed data: personal data of employees of the Client (including volunteers, trainees, students, pensioners, and the like), personal data of employees of the Client’s branches (including volunteers, trainees, students, pensioners and the like), (potential) customers of the Client, other persons in relationship with the Client, employees of (potential) customers of the Client, employees of other persons in relationship with the Client, business partners of the Client, employees of other partners of the Client, visitors to the Client, personal data of some other controller, suppliers and subcontractors of the Client, suppliers, and subcontractors of some other controller, employees of the Client’s suppliers and subcontractors, employees of suppliers and subcontractors of some other controller, the Client’s agents, consultants, and other experts, and other experts of some other controller.
- d) Type of personal data: basic data (name and surname), other basic data (address, title, qualification, date of birth), e-mail address, other contact information (phone number, mobile phone number, fax number, address), basic data from the Agreement, history of the Client, access/user/authorization data.
- e) Special categories of personal data: special categories of personal data are not processed.
- f) Detailed description of the processing of personal data: by non-automated and automated means, at the Client’s location, at the user’s location, if applicable, and at the Processor’s location.
- g) The Controller is authorized to collect, record, organize, structure, store, adapt or alter, retrieve, view, use, disclose by transmission, dissemination, or otherwise make available, align or combine, restrict, erase or destroy.
- In case the Processor cannot meet its obligations under the Basic Agreement because the instructions on how to process the Controller’s personal data do not enable the Processor to do so, or because the Controller did not ensure appropriate conditions for processing, this is not considered a delay, failure, or neglect by the Processor in meeting its obligations under the Basic Agreement.
Special provisions in case the Company acts as another Processor
The provisions of this article apply especially in cases when the Client acts in the capacity of the Processor, and the Company in the capacity of another Processor.
- By concluding the Basic Agreement, the Client states that it shall give orders and instructions to the Company in relation to the processing of personal data based on the written instruction of the User as the controller; should the opposite be determined, the Company is relieved of all responsibility towards the User and the Data subject, while the Client is responsible to the Company for all damage incurred.
- By concluding the Basic Agreement, the Client states that it has a special or general prior written authorization issued by the User as the controller in relation to engaging the Company as another Processor. The Client shall immediately inform the Company of each change relating to the above-stated and referring to the Company.
- In case the Client loses its capacity of the processor or the User changes, revokes, or delivers a new instruction on the processing of personal data at any moment, the Client shall immediately inform the Company.
- The Client shall immediately inform the Company about all important circumstances related to the processing of the personal data of the User.
- The Client shall immediately inform the Company about all obligations related to the processing of personal data that are imposed on the Client by the User. In case of neglect, the stated obligations do not apply to the Company, and the Client shall compensate the Company for all damage incurred.
- The Controller is exclusively responsible for the accuracy, completeness, and regular updating of the Controller’s Personal Data.
- The Controller is exclusively responsible for the security, confidentiality, passwords, and access to the personal data at the Controller’s IT infrastructure.
- The Controller is exclusively responsible for the supply and maintenance of the computer equipment it uses, as well as for other equipment required for processing relevant personal data, not including the rights and obligations of the parties under the Basic Agreement.
- The Processor’s liability shall be excluded for any damage incurred due to the use of the Processor’s server, for blackouts, failures, delays, theft, loss of data, computer viruses, alterations and misuse of records, interruption in operation, Controller’s unauthorized behavior, and any consequential damage.
- The Contracting Parties agree that the Processor shall be held responsible for the damage only if it processes personal data contrary to the Controller’s instructions.
- In case the Processor processed personal data according to the Controller’s instructions, but damage to the Data subject was nevertheless incurred and compensated by the Processor, or the Processor paid a fine or incurred any other costs or damage, the Controller shall fully reimburse that amount to the Processor.
- The amount of damage that the Processor may be liable for is limited to a maximum of 500,000.00 HRK.
Processing of personal data of the Company by the Client
- The Client is authorized to make a written request to the Company requesting personal data of certain experts of the Company for the purpose of fulfilling the obligations of the Company from the Basic Agreement.
- In case the personal data of the Company’s experts are delivered to the Client, the rights and obligations of the Processor under these General Terms shall apply to the Client in the appropriate manner.
- The personal data of the Company’s experts are delivered to the Client for the purpose of keeping records, assessing whether the conditions are fulfilled, enabling access to the Client’s system for a certain expert of the Company, and complying with the rules and procedures of the Client. In case the personal data of the Company’s experts are delivered in the form of a CV, résumé, or certificate issued to an expert, the Client is authorized to process that data solely for the purpose of evaluation in order to authorize the engagement of that Company’s expert.
- By concluding the Basic Agreement, the Company authorizes the Client to process certain personal data in the following duration, scope, and quality:
- Duration of processing: maximum 6 (six) months from the day of the receipt of the Company’s experts’ personal data if the expert is not engaged, and if they are engaged – maximum 2 months from the day of the termination of the expert’s services
- Categories of data subjects/data: personal data of the Company’s experts
- Type of personal data:
o name and surname, qualification, workplace, date of birth
o contact information – mobile phone number, e-mail address
o other – other data in the expert’s CV, résumé, or certificate issued to an expert
- Special categories of personal data are not processed
- Way of processing data:
o by non-automated and automated means
o at the Client’s location
- The Client is authorized to:
o erase or destroy after the termination of the authorization for the processing of personal data
- The Company is authorized to deliver to the Client amended or additional instructions or orders for the processing of delivered personal data at any moment.
- The Contracting Parties agree that all other personal data, except those stated in point 4 of this article, are considered to be excessively requested personal data and cannot be considered crucial personal data required for the provision of services by the Company under the Basic Agreement; therefore, the Client is not authorized to request that data from the Company or directly from the Company’s experts.
- Croatian law shall apply to the relationships between the Contracting Parties, and in case of dispute, the court with subject-matter jurisdiction in Zagreb shall have jurisdiction.
- By concluding this Agreement, the Contracting Parties retain all rights and obligations regarding the processing of personal data in accordance with the General Data Protection Regulation.
- The standard contractual clauses available at https://commission.europa.eu/system/files/2021-06/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf shall apply in the appropriate way to these General Terms and Conditions and shall be considered part of them.
- The provisions of these General Terms apply between the Contracting Parties for the whole duration of the Basic Agreement.
- In case the Contracting Parties conclude a special agreement in relation to the processing of personal data, the provisions of these General Terms complement that special agreement.
- In the event of a conflict between these General Terms and a special agreement concluded between the Parties in relation to the processing of personal data, the provisions of the special agreement shall prevail.