Firmus grupa d.o.o.
Emila Antica 53
51266 Selce
OIB: 65092215454
Introductory provisions
This Policy establishes an accountable and transparent framework for ensuring compliance with the General Data Protection Regulation. The policy applies to all organizational units of “Firmus grupa doo” (hereinafter PROCESSING MANAGER) and to all employees, including part-time employees and temporary workers, as well as to all external associates acting on behalf of the processing manager.
Policy statement
The processing manager is dedicated to business in accordance with all laws, regulations and the highest standards of ethical business. This policy sets out the provisions for the expected treatment of employees of the processing manager and his external associates involved in the collection, use, storage, transfer, publication or destruction of any personal data belonging to employees, business partners of the processing manager and other individuals. The purpose of the policy is to standardize the protection of the rights and freedoms of the respondent by preserving the privacy of his personal data in all aspects of the business of the controller, which include personal data. This policy stipulates that the PROCESSING MANAGER will not unauthorisedly disclose personal data to third parties, nor act in a manner that endangers them.
Principles of personal data processing
The data controller adopts the following principles that will be adhered to when collecting, using, retaining, transferring and destroying personal data:
LEGITIMACY, FAIRNESS AND TRANSPARENCY
Personal data will be processed legitimately, fairly and transparently towards the data subject. This means that the head of processing will inform the respondent in all relevant situations how he will process the data (transparency), and the processing will be performed exclusively in accordance with what has been said (fairness) and in accordance with the purpose prescribed in applicable law on protection. personal data (legitimacy).
PURPOSE LIMITATION
Personal data will be collected for clearly defined and legitimate purposes and will not be processed in any way that is incompatible with those purposes. This means that the controller must clearly state what the collected data will be used for and limit the processes of personal data processing to only those processes that are necessary to achieve these purposes.
DATA MINIMIZATION
The personal data collected will be relevant and limited to what is necessary to achieve the purpose of their processing. This means that the controller will not collect, process or store more personal data than is strictly necessary.
DATA ACCURACY
The collected personal data will be accurate and up-to-date, which means that the controller will have developed procedures for detecting and resolving outdated, inaccurate and unnecessary personal data.
CAREFUL DATA STORAGE
Personal data will not be kept in a form that allows identification of the data subject for longer than is necessary for the purposes of the processing. This means that the controller will, wherever possible, store personal data in a way that restricts or prevents the identification of respondents.
DATA SECURITY
Personal data will be processed and stored in a way that ensures adequate protection against violations such as unauthorized and illegal processing and accidental loss, destruction or damage of data. The controller will implement the appropriate technological and organizational measures described in the Personal Data Security Policy in order to ensure the integrity and confidentiality of personal data at all times.
PRIVACY BUILT INTO SYSTEM DESIGN
When designing new and when reviewing and expanding the existing systems and processes of the data controller, care will be taken to apply all these principles in order to protect the privacy of the respondents as much as possible.
Principles of personal data processing
All respondents whose data is collected and processed by the data controller have the following rights:
RIGHT TO ACCESS INFORMATION
Each data subject has the right to a copy of the data that the controller holds in its archives for inspection purposes. In addition to the right to inspect their own data, the respondent also has the right to information on:
the purpose of the processing and the legal basis for the processing
legitimate interest, if the processing is based on it
types and categories of personal data collected
third parties to whom the data is forwarded
data retention period
the source of personal data, if it was not collected from the respondent
All information should be provided to the respondent in clear and simple language, to ensure understanding, and must be clearly indicated and visible so that the respondent does not overlook it. There is a possibility that providing the requested information to the respondent may reveal information about another person. In such cases, it is necessary to anonymize or completely deny this information in order to protect the rights of that person.
RIGHT TO CORRECTION OF DATA
Each data subject has the right to have inaccurate or incomplete data that the controller holds in its archives corrected.
RIGHT TO BE FORGOTTEN
Respondents can request that their data be removed from the archive. The request will be taken into consideration and will be granted if it does not contradict the legal basis for the processing of personal data.
RIGHT TO RESTRICTION OF PROCESSING
Data subjects have the right to limit the scope of processing, in cases where this is applicable.
RIGHT TO DATA TRANSFER
Data subjects have the right to a copy of their data for transfer to another data controller.
RIGHT TO OBJECT
Respondents have the right to object, especially in the case when the processing is based on the legitimate interest of the controller. It is then necessary to review the purpose of the processing and establish its legal basis and, where applicable, allow the respondent to withdraw consent to the processing of the data and / or to stop processing his data.
RIGHT TO ASSESSMENT
Respondents have the right to request from the supervisory authority an assessment of violations of the provisions of the Regulation and the internal policies of the data controller.
RIGHT TO OBJECT TO PROFILING
Respondents have the right to object to automatic profiling and other forms of automated decision-making. In the event that the controller rejects the respondent's request, the answer will state the reason for the rejection, which the respondents may complain to the competent authority for personal data protection (AZOP).
Legal basis
The legal bases for collecting and processing personal data of respondents are as follows:
LEGAL OBLIGATION
Laws regulating the business operations of taxpayers prescribe data sets that are necessary for the fulfillment of legal obligations. For the collection and processing of data prescribed by law, the controller will not seek the consent of the respondents, but will only collect data prescribed by law and will not use them for other purposes. This especially refers to the data collected on the basis of the following laws and their regulations, among which we single out:
Accounting Law
Accounting Law
Value Added Tax Law
Income Tax Law
Labor Law
Rulebook on the content and method of keeping records on workers
EXECUTION OF CONTRACTUAL OBLIGATION
The data controller will collect personal data necessary to fulfill the contractual obligation without the consent of the data subject, in the minimum amount necessary to fulfill the obligation.
LEGITIMATE INTEREST
In the following text, the data controller will publish a list of its legitimate interests based on which it collects and processes personal data for the purpose of enabling and/or improving its services or products.
PROTECTION OF THE VITAL INTERESTS OF RESPONDENTS
The controller may collect and process personal data without the consent of the data subject if this is for the purpose of protecting his or her vital interests.
PUBLIC INTEREST OR EXECUTION OF OFFICIAL AUTHORITY OF THE CONTROLLER
In cases where the controller's activity involves acting in the public interest or the data processing is based on another type of official authority, it is not always necessary to inform the data subject about the collection of personal data.
CONSENT
In all other cases, the controller will request consent from the data subject for the collection and processing of personal data, in which the purpose of the processing will be clearly stated. The respondent can withdraw his consent at any time and thus his data must be automatically removed and processing interrupted. The processing manager will keep records of active and withdrawn consents in order to ensure the correctness of operations.
Legitimate interest
The controller declares the following legitimate interests:
PERSONAL DATA PROTECTION GDPR
Data subjects have the right to object to the processing of personal data based on these legitimate interests.
Terms and definitions
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify the processes for protecting the personal data of all individuals within the European Union (EU). The regulation also applies to the export of personal data outside the EU.
PROCESSING MANAGER
The entity that determines the purpose, conditions and method of processing personal data.
PROCESSING PERSON
The entity that carries out data processing on behalf of the controller.
PERSONAL DATA PROTECTION AGENCY
A state agency tasked with protecting data and privacy, overseeing the implementation processes of the Regulation, and actively enforcing the Regulation on the Protection of Personal Data within the European Union.
DATA PROTECTION OFFICER
A data protection professional acting independently to ensure that the business entity operates in accordance with the policies and procedures set out under the Regulation.
EXAMINEE
A natural person whose personal data is processed by a data controller or processor.
PERSONAL DATA
Any information related to a natural person, i.e. respondent and which can be used to directly or indirectly identify a person.
PERSONAL DATA PROCESSING
Any activity performed on personal data, whether or not automated, which includes collection, use, creation of records, etc.
PROFILING
Any automated processing of data for the purpose of evaluating, analyzing or predicting the behavior of the data subject.
RESPONDENT'S RIGHT OF ACCESS
Known as the 'right of access', it allows the data subject to access personal data concerning them held by the controller.
Legal regulations
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)
Law on the Implementation of the General Regulation on Data Protection.
