- who the controller of personal data is,
- what the principles of personal data collection and processing are,
- which personal data are collected,
- which data are not collected and processed,
- manner of personal data collection,
- purposes and reasons for collecting personal data,
- manner of personal data processing,
- keeping personal data,
- sharing personal data,
- data on the data protection officer,
- measures of protection of personal data,
- rights of the data subjects.
(3) The protection and safety of personal data of our buyers, clients and business partners are our priority. Therefore, please read the following text carefully!
(1) ProService d.o.o. (hereinafter “Controller”), Josipa Račića 1, 10000 Zagreb, Tax ID no. (OIB): 64625966417 is a data controller under the GDPR, the law and other personal data protection regulations.
(2) The Controller respects privacy and protects personal data collected and processed during the regular course of its business.
(3) Pursuant to legal and regulatory requirements, if you have any questions regarding personal data processing or the realization of your personal data protection rights, you may contact us at firstname.lastname@example.org or by phone: +385/(0)14673669.
PERSONAL DATA COLLECTED
In the course of its business, i.e. the performance of its registered business activity, the “Controller” may collect and process the following personal data depending on data subject categories (buyers, users, clients, etc.) and the services provided. Basically, these data are a requisite for service provision, and include as a minimum:
- basic personal data (name and surname, tax ID no. and similar)
- basic contact data (address, phone number, e-mail address)
- data relating to the use of the www.ssw.hr website
- data relating to the web shop (payment method, account no., etc.)
- data necessary for the conclusion of the consumer credit contract
- other personal data necessary for the realization of a client’s rights under consumer protection regulations.
PERSONAL DATA COLLECTION AND USE
(1) The “Controller” may collect personal data in different ways:
- as part of our business processes, in the framework of meeting our legal obligations or obligations stemming from our registered business activity;
- by written communication;
- by filling out our questionnaires;
- by applying for ads and taking offers;
- and in other ways.
(2) Cookies and monitoring activities on the Internet
(3) The Controller uses visit analysis and buyer habit tracking services like Google Analytics in its web shop. The service provider may monitor user’s visits to our and other websites by using cookies, and display paid ads or ads of other service users on the basis thereof. Users may stop the display of ads on the website of the service providers displaying the ads.
PURPOSES OF PERSONAL DATA COLLECTION AND PROCESSING
(1) The “Controller” may process personal data for the following purposes:
- performance of its registered business activity,
- sale and purchase of products and services offered in the course of its business activity,
- dispute resolution and court proceedings,
- keeping legally prescribed records.
(2) Where necessary, we will request additional express consent of the user for certain purposes.
(3) If personal data required by the “Controller” to enter into a legal transaction and realize contractual rights or provide our services are not provided, the contract might not be concluded.
SHARING PERSONAL DATA
(1) The “Controller” may share the collected personal data with third parties exclusively in the following cases:
- in case of a legal obligation or express legal authorization;
- if another person is hired for the performance of particular tasks as contractor, i.e. Processor, acting exclusively as instructed by the “Controller”, provided the “Controller” ensures the same data protection level as if such tasks were conducted by the “Controller”;
- if data need to be forwarded to third parties to execute the contract with the data subject;
- in case of change in its ownership structure, the “Controller” may transfer personal data to its new affiliates or third parties to perform its business activity based on the consent of the data subject;
- if data are used for bookkeeping and accounting purposes.
(2) Third parties, within the meaning of the preceding paragraph, are legal, supervisory and regulatory bodies in and outside the territory of the Republic of Croatia, courts, state attorney’s offices, governmental bodies and institutions competent for the resolution of requests processed by the “Controller”.
(3) When transferring the data of data subjects, the “Controller” shall strictly observe the processing limitation principle by transferring the minimum quantity of data required to realize the service requested, as well as all other principles relevant for data protection.
(4) The “Controller” personally performs its registered activity, but might entrust the performance of parts thereof to its associates (subcontractors, IT services, carrier, etc.) and share with such persons the following personal data required for task (order) execution, namely:
- personal data of clients (name, surname, e-mail address, mobile phone number, etc.),
- personal data necessary for contract execution (e.g. name, surname, e-mail address, IBAN, etc.),
- personal data required for order execution, representation before court of law, etc.
(5) The “Controller” hired an accounting office for the provision of bookkeeping services in compliance with the Accounting Act and thus shares with that office personal data necessary for task (order) execution, namely personal data of its clients (e.g. name, surname, e-mail address, IBAN, account no., etc.), data necessary to meet legal requirements, accounting and financial data, etc.
KEEPING PERSONAL DATA
(1) Personal data are kept only while necessary for the purposes for which they were collected, i.e. to meet our contractual or legal obligations.
(2) Personal data collected to meet our legal and regulatory obligations are kept during the prescribed time periods. Personal data collected for the purpose of performance of our registered business activity are stored during the term of the contractual relationship and in compliance with the GDPR and the law.
(3) Personal data are erased following the cessation of the contractual relationship, but no later than following the expiry of all legal keeping obligations, except where a court or similar proceedings have been initiated which require the data to be kept. Upon expiry of the time limits for keeping data, the data are either eliminated from the system and the archives or anonymized to prevent any possibility of tracing such data back to you.
(4) If data are processed based on your consent, they will be kept until such consent is withdrawn.
PERSONAL DATA SUPERVISION AND PROTECTION
(1) The “Controller” will ensure that any personal data collected and processed are made available to the minimum possible number of its employees, depending on their scope of work and competencies, and undertakes to implement the appropriate technical or organizational measures ensuring their protection against unauthorized or illicit processing, loss, destruction or damage.
(2) The “Controller” applies appropriate technical and organizational standards of protection, methods of data access supervision, etc.
(3) The “Controller” will conclude a confidentiality contract/statement with its employees, associates and business partners to whom personal data are available or who collect and process personal data, whereby such persons will undertake an ongoing confidentiality obligation.
(4) The Controller will implement appropriate measures to be applied to and by employees in their everyday work with buyers and clients with respect to the protection of their personal data. Such measures, among other things, include:
- choosing incumbents,
- giving instructions on the manner of handling personal data,
- organizing training,
(6) If external associates (Processors) process the data collected on behalf and for the account of the principal (Controller), they must enter into a contract on the processing of personal data regulating the issue of protection of personal data.
RIGHTS OF THE DATA SUBJECTS AND DEADLINES
(1) The “Controller” respects the right to privacy, collects and processes data only where there is legal basis for processing and the data subjects have certain rights with respect to the processing of their data at all times.
(2) When collecting data from the data subjects, the Controller will provide the following applicable information:
- identity and contact data of the Controller,
- purpose of processing for which the personal data will be used and the legal basis for processing,
- legitimate interests,
- recipients or categories of recipients of personal data,
- how long the data will be kept or the criteria on which such time limit depends,
- rights with respect to consents,
- and the existence of the rights described in further text.
(3) Where the data are not collected directly from the data subject, the source of personal data must also be indicated.
(4) Where proscribed by law, the data subject, buyer, has the following rights:
- Right to data access – the right to information from the “Controller” whether his/her personal data are being processed, and if they are, the right to access such personal data and information on the purpose of processing, data categories, potential recipients to whom such data might be disclosed, etc.
- Right to rectification – the right to have the incorrect personal data of the “User” rectified without undue delay. Depending on the purpose of processing, a data subject is entitled to complete incomplete personal data, including by making an additional statement. Additionally, data subjects are obligated to update their personal data in business relations with the group.
- Right to data portability – the right to receive one’s own personal data provided to the “Controller” in a structured, normally used and machine-readable format and have such data transferred to another controller. Please note that the right to data portability applies exclusively to the personal data of the data subject.
- Right to object – based on the data subject’s specific situation, at any time, object to the processing of his/her personal data. In this event, the “Controller” is required to discontinue the processing of personal data, unless the “Controller” proves that there are legitimate reasons for processing exceeding the interests, rights and freedoms of the data subject or that it needs the data to initiate, realize or defend legal claims.
- Right to limit processing – a data subject is entitled to request that the “Controller” limits processing if he/she disputes the accuracy of personal data or considers processing illegal, but is against the deletion of personal data and requests their use to be limited instead, and if the data subject objected to processing and is awaiting confirmation whether the legitimate reasons of the “Controller” exceed the reasons of the data subject.
- The data subject is entitled to request the realization of any of the above rights at any time.
(5) If you believe our processing of personal data represents a violation of the personal data protection regulations, please inform us thereof in writing to address: ProService d.o.o., Ulica Josipa Račića 1, 10000 Zagreb or by e-mail: email@example.com. You may also submit your objection to the supervising body – the Personal Data Protection Agency, Zagreb, Martićeva 14, and as of 25 May 2018 to the supervising body in the EU.
Consent given for a particular purpose of processing may be withdrawn at any time, in which case your personal data collected based on your consent will cease to be used for the stated purpose.
EXPENSES AT THE REQUEST OF THE DATA SUBJECT
The “Controller” reserves the right to charge a reasonable fee based on administrative costs or refuse to act as instructed by the data subject based on his rights if the requests of the data subject are unfounded or excessive, and especially if repeated frequently.
(2) You will be notified of any amendment hereof in due time, on www.ssw.hr.
On behalf of ProService d.o.o.
If you have any questions regarding the manner of use of your personal data, you may contact us by phone, e-mail or mail as follows:
- by e-mail to firstname.lastname@example.org
- in written form to address: Proservice d.o.o., Josipa Račića 1, 10000 Zagreb
- by web form available at www.ssw.hr
- by contacting our contact centre at +385/(0)14673669