The personal data to which this Policy applies are all data relating to an individual whose identity, directly or indirectly, has been determined or can be determined (the respondent).
The processing and protection of personal data processed by the company is carried out in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and on the repeal of the Directive 95/46/EC (General Regulation or GDPR), the Law on the Implementation of the General Regulation on the Protection of Personal Data and other positive regulations and this Policy.
2. ABOUT US
Virtualne Tehnologije d.o.o., personal identification number (OIB): 85164125516, is registered in the Court Register of the Commercial Court in Zagreb under the registration subject number (MBS): 00934607.
In relation to the processing of personal data to which this Policy applies, the company acts as a data controller, which means that it independently determines the purposes and means of personal data processing.
3. PERSONAL DATA WE COLLECT
When providing legal assistance services that we perform for our clients, as well as in situations where applicable regulations require us to do so, Virtualne Tehnologije d.o.o. processes personal data that we need to fulfill the stated obligations. We also process the personal data of our business partners with whom we cooperate when fulfilling the above obligations, as well as the personal data of persons working or applying for work in our company.
The personal data we need is collected to the minimum necessary extent and always in accordance with the purpose for which it was collected. These data are kept for the shortest possible time and are always adequately protected during processing and storage.
The processing of personal data is necessary for the execution of services, as well as for the actions of Virtualne Tehnologije d.o.o. in accordance with the applicable regulations, without which the company will not be able to provide services.
In the continuation of this point, the personal data that Virtualne Tehnologije d.o.o. processes.
4. PURPOSE OF PROCESSING YOUR PERSONAL DATA
Virtualne Tehnologije d.o.o. processes personal data for the purposes of:
- Provision of services;
- Execution of own legal obligations;
- Facilitating the regular business of our company;
- Maintaining business contacts;
- Recruitment of new workers and other persons in the company;
- Provision of notifications to our customers and business partners (e.g. notifications about changes in applicable regulations or practices of competent authorities);
- Contacting respondents when necessary and appropriate (e.g. when respondents send inquiries about the provision of our services);
5. RECIPIENTS OF YOUR PERSONAL DATA
Virtualne Tehnologije d.o.o. will not forward, enable viewing or otherwise make available personal data of respondents to third parties, with the exception of the persons listed in this Policy and in the case where it is mandatory to act in accordance with binding regulations. In the event that some of the recipients act as processors, which means that they are not authorized to process personal data without our order, the company will conclude contracts with them in which the handling of personal data is prescribed in detail.
The company can submit personal data to:
- Courts and other public authorities, arbitration bodies, authorized translators, experts, tax advisors, the Financial Agency, the other party in court or other proceedings or the representative/attorney of the other party in the proceedings, all for the purpose of providing Legal Assistance Services;
- To the Financial Inspectorate of the Ministry of Finance and other competent authorities for the purpose of fulfilling the company’s obligations related to the prevention of money laundering and terrorist financing, as well as the obligation to inform the said authority of suspicious transactions;
- Courts and other public authorities, the Financial Agency, companies dealing with the collection and/or redemption of claims and third parties, in connection with the collection of the company’s claims;
- To IT service providers engaged for the maintenance and protection of information technology and information systems of the company and for the maintenance of the website;
- To persons hired to perform accounting and/or bookkeeping services;
6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
In case of transfer of personal data to countries or international organizations outside the European Union or the European Economic Area, we will ensure an adequate level of protection of personal data of respondents (e.g. application of standard clauses on the protection of personal data) in accordance with the General Regulation.
7. PERIOD FOR WHICH WE STORE PERSONAL DATA
We process personal data until the purpose for which personal data is processed is fulfilled.
After fulfilling the purpose, we store personal data in accordance with the relevant legal regulations. In accordance with the Spatial Planning and Construction Act, we are obliged to keep files for at least ten years. The ten-year period also applies to the storage of documentation collected for the purpose of fulfilling our obligations in accordance with the Law on Prevention of Money Laundering and Financing of Terrorism. We are obliged to keep accounting documentation for a period of eleven years.
After personal data no longer needs to be stored, we will destroy or anonymize them so that it will no longer be possible to identify the respondents to whom the collected data refers.
8. YOUR RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
In connection with the processing of personal data, respondents have the following rights:
- The right to request confirmation as to whether we process your personal data, and if we do, the right to access that personal data, with the possibility of obtaining a copy of the personal data being processed (Respondent’s right to access personal data);
- The right to request the correction of incorrect personal data and/or the addition of incomplete personal data (Right to correction);
- The right to demand the deletion of personal data without undue delay (Right to be forgotten), if:
  - personal data are no longer necessary for the purposes for which they were collected,
  - you have withdrawn the consent on which the processing is based, and there is no other legal basis for the processing,
  - you have objected to the processing of data collected for legitimate purposes,
  - the illegal processing of personal data has been established,
  - the data must be deleted in order to comply with the company’s legal obligations prescribed by applicable law;
As an exception to the above, you are not able to request the deletion of your personal data if it is necessary:
- in order to exercise the right to freedom of expression and information,
- in order to comply with a legal obligation in accordance with the applicable law and for the needs of the public interest, especially in the field of public health,
- for the purposes of archiving in the public interest, scientific or historical research, for statistical purposes, with the mandatory application of personal data protection measures,
- in order to establish, realize or defend legal claims;
- The right to withdraw consent for the processing of personal data, if consent was the legal basis for the processing of personal data, provided that the withdrawal of consent does not affect the legality of processing that was based on consent before it was withdrawn;
- The right to request a restriction of the processing of your data, (i) if you dispute the accuracy of the data, for the period in which the company is enabled to verify the accuracy of the personal data, (ii) in the event of illegal data processing without requesting their deletion, (iii) if you object to the processing based on our legitimate interests, until we confirm that our legitimate processing interests exceed your interests, rights and freedoms, and (iv) if personal data are no longer necessary for processing, but you require them to fulfill/defend legal claims (Right to restriction of processing);
- The right to transfer personal data to another data controller if the processing is based on your consent or a contract to which you are a party, by direct transfer between the company and another data controller if this is technically feasible (Right to data portability);
- The right to object to the processing of your personal data, if the processing is based on our legitimate interest (Right to object);
- The right to submit a complaint to the supervisory authority responsible for the application and compliance with regulations on personal data protection (Agency for the Protection of Personal Data – AZOP);
- The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects that relate to you or significantly affect you in a similar way, unless the decision: (i) is necessary for the conclusion or execution of a contract between you and the company, (ii) is permitted by the law of the European Union or the law of the Republic of Croatia, which also prescribes appropriate measures to protect the rights and freedoms and legitimate interests of the respondents, (iii) is based on your express consent. In the cases specified in this point under (i) and (iii), the company will implement appropriate measures to protect your rights, freedoms and legitimate interests by ensuring in any case the right to human intervention by company employees, the right to express your point of view and the right to challenge the decision of the company.
If the respondent decides to exercise one of the aforementioned rights, the company will act on the request of the respondent without undue delay, but certainly within one month of submitting the request of the respondent. This period can be extended, if necessary, by an additional two months, taking into account the complexity and number of requests. The company will inform the respondent of any such extension within one month of receiving his request, along with the reasons for the delay. If the company has justified doubts regarding the identity of the individual submitting the request, it may request the provision of additional information necessary to confirm the identity of the respondent.
The company provides information provided in accordance with the request of the respondent free of charge, but if the requests of the respondent are clearly unfounded or excessive, especially due to their frequent repetition, the company may:
- charge a reasonable fee taking into account the administrative costs of providing the information or notification or acting on the request;
- refuse to comply with the request.
9. SECURITY OF YOUR PERSONAL DATA
When processing, we take the appropriate technical and organizational measures necessary to protect personal data from accidental loss, destruction, unauthorized access, unauthorized change, unauthorized publication and any other misuse.
We have ensured the protection of our computer system by using antivirus, antispam, antispyware and antimalware programs, as well as an appropriate firewall. Also, access to certain personal data is provided only to those persons of the company who are authorized to process it.
We have also ensured personal data protection measures, which include: placing equipment in protected rooms with limited access, the existence of computer data backup systems, the engagement of IT experts who maintain and evaluate the effectiveness of technical personal data protection measures, the use of passwords on computers used in business, and others.
All employees of the company have been informed and educated about the provisions of the applicable regulations on the protection of personal data, about the obligation to comply with them and the manner of their implementation, and are obliged to preserve the confidentiality of these data.
10. FURTHER PROCESSING OF PERSONAL DATA FOR OTHER PURPOSES
In the event that there is a need to process personal data for a purpose other than that specified in this Policy, before the start of such processing, the company will deliver a new notice in which it will provide all information about the processing for that other purpose.
11. VIOLATIONS, COMPLAINTS AND INQUIRIES
In the event of a breach of personal data (accidental or illegal destruction, loss, modification, unauthorized sharing or access to personal data), the company will assess the risk to personal data caused by the breach and, without undue delay and, if feasible, no later than 72 hours after learning about the breach, report the breach of personal data to AZOP, unless the risk assessment has determined that it is unlikely that the breach of personal data will cause a risk to your rights and freedoms. When assessing the existence and level of risk, the company will take into account the type of breach; the type, sensitivity and amount of data covered by the breach, especially whether the breach may lead to identity theft; how easy it is to identify the respondent through the data covered by the breach; how severe the consequences of the breach are for the respondent, especially depending on whether it is sensitive data and the type of breach (accidental or intentional); as well as the characteristics of the respondents and their number covered by the breach and the characteristics of the company, as the data controller.
In the event of a breach of personal data which, according to the risk analysis carried out, is likely to cause a high risk to your rights and freedoms, the company will also notify you of the breach of personal data, unless:
- adequate technical and organizational protection measures have been taken and these measures have been applied to the personal data affected by the personal data breach, especially those that make the personal data unintelligible to any person who is not authorized to access it, such as encryption,
- follow-up measures have been taken to ensure that it is no longer likely that a high risk to the rights and freedoms of the data subject will occur (the company managed to take actions that prevented the use and further sharing of the violated personal data),
- notifying the data subject would require a disproportionate effort (e.g. the subjects’ contacts were lost due to the breach, and this was made public or communicated to the data subjects).
When necessary, notification of the violation will be transmitted to you by direct communication (e-mail, letter), separated from other notifications, or if this is not possible due to the violation, public notification or a similar measure will be carried out by which the respondents are informed in an equally effective way.
In case of any queries, requests and complaints, feel free to contact our company via the following contact details:
- address: VIRTUALNE TEHNOLOGIJE d.o.o., Pavla Hatza 23/2, Zagreb, Croatia
- e-mail: firstname.lastname@example.org
- phone: +385 98 468 080
Also, for additional questions, we refer you to the contact information of AZOP: