On 25th May 2018, the General Regulation on Data Protection of the European Parliament and the Council of Europe became binding for all EU member states. In this regard, Agroproteinka d.d. has taken measures to protect personal data and found an appropriate way of informing interested parties. For this purpose, we have prepared a Notice on the protection of personal data, together with the accompanying attachments, which you can receive via e-mail. We have appointed a personal data protection officer, whom you can contact by e-mail at zastita-osobnih-podataka@agroproteinka.hr.
PERSONAL DATA PROTECTION NOTICE
This Personal Data Protection Notice (hereinafter: Notice) refers to the provision of information on the protection and processing of your personal data, as a respondent whose personal data is collected, processed and shared by AGROPROTEINKA d.d. (hereinafter: Company) during the course of its business.
The processing and protection of your personal data by our Company is carried out in accordance with this Notice and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), the Act on the Implementation of the General Data Protection Regulation, and other applicable regulations on personal data protection.
PERSONAL DATA WE COLLECT DURING PROVISION OF OUR SERVICES
During provision of our Services, we primarily collect personal data of our business partners (customers and users of our Services), individuals and directors, other agents, employees, associates and advisors of our customers and partners, legal entities and other persons related to them (e.g. their shareholders, members as well as persons associated with those persons). The personal data we collect from these persons relate to: their name and surname, address of residence (domicile) or registered office, personal identification, registration or other appropriate number under which they are entered in the official registers, place and date of birth or establishment, functions performed, telephone, mobile or fax numbers, e-mail addresses, bank account information, as well as all other information relevant to the particular transaction in connection with which we provide the Services.
Also, in connection with the provision of Services, we collect certain personal data of third parties, in order to be able to provide the Services in an adequate manner or in order to be able to exercise our rights towards business partners. These third parties include: officials, accountants, bookkeepers, auditors, tax advisors, certified translators, experts, lawyers, IT service providers, visitors to our premises, customers of our customers, as well as their directors, other agents, employees, contact persons, carriers, associates, advisors, shareholders and members and related persons. The personal data we collect from these persons relate to: their name and surname, address of residence or registered office, personal identification, registration or other appropriate number under which they are entered in the official registers, functions they perform, telephone, mobile or fax numbers, e-mail addresses, as well as all other information relevant to the provision of our Services.
PERSONAL DATA WE COLLECT DURING THE COURSE OF THE COMPANY'S BUSINESS OPERATIONS
In order to ensure the operational functionality of our Company, which is necessary for the efficient provision of our services, in our business we enter into relationships with third parties which provide us with certain services needed for successful business conduct. Such third parties include accountants, bookkeepers, auditors, tax advisors, lawyers, IT service providers, translators, experts, consultants and other business partners. In case we cooperate with legal entities, these parties include their directors, other agents, employees, contact persons, carriers, associates and advisors, those persons and other persons associated with them (e.g. their shareholders, members, as well as persons connected with these persons). The personal data we collect from the above persons relate to: their name and surname, address of residence or registered office, personal identification, registration or other appropriate number under which they are entered in the official registers, functions they perform, telephone, mobile or fax numbers, e-mail addresses, bank account information and other information required to pay for services, as well as all other information relevant to the business relationship with an individual business partner.
PURPOSE OF PERSONAL DATA COLLECTION AND PROCESSING
The Company processes the aforementioned categories of personal data for the following purposes:
Provision of services;
Execution of legal obligations of the Company;
Facilitation of Company's regular business operations;
Maintaining business contacts;
Fulfilment of the Company's obligations from labour relations and relations with members of the Company's Management Board;
Employment of new employees and other persons in the Company;
Student scholarships;
Advertising and providing information to our business partners;
Distribution of donations and provision of sponsorships;
Contacting respondents when necessary and appropriate (e.g. when respondents send inquiries about the provision of our Services);
Collection of trade receivables for performed Services.
LEGAL BASIS FOR PROCESSING PERSONAL DATA
The legal basis for the processing of your personal data, in order to perform the aforementioned purposes, includes:
Processing of personal data necessary for the fulfilment of the Company's contractual obligations towards the respondent, or for performing certain actions at the request of the respondent before concluding contracts (e.g. in case of providing Services, in case of execution of other contracts to which the Company is a party, including contract negotiation process).
Processing of personal data for the purpose of fulfilling legal obligations that the Company is obliged to comply with (e.g. keeping accounting data, keeping data necessary for exercising employees' rights in relation to employment (records on employees, records on working hours, etc.) which also applies to members of the Management Board);
Legitimate interest of the Company (e.g. contacting persons with whom the Company should cooperate in connection with the provision of Services; maintaining business contacts; setting, establishing and defending against legal claims; prevention, investigation, detection or prosecution of criminal offenses);
Explicit consent of respondents (e.g. in the case of potential employees who give their consent to the processing of their personal data for future job vacancies);
Processing of personal data necessary for the performance of a task of public interest or in the exercise of official authority of the controller (e.g. for the disposal of animal by-products which, if left unattended, pose a danger to human and animal life and health and are harmful for the environment).
RECIPIENT OF YOUR PERSONAL DATA
Our Company will not forward, provide insight or otherwise make available the personal data of respondents to third parties, with the exception of persons listed in this Notice and in the event that this act is mandatory due to binding legal regulations.
YOUR RIGHTS UNDER THE REGULATIONS ON THE PROTECTION OF PERSONAL DATA
As a respondent whose personal data we process for the purposes defined in point 4 of this Notice, with the following exceptions determined by the regulations on personal data protection, we inform you that regarding the processing of your personal data you have the following rights which you can exercise through forms attached to this Notice:
The right to request confirmation of whether we process your personal data, and if we process them, the right to access such personal data, with the possibility of obtaining a copy of personal data processed (Respondents' right to access personal data), in accordance with the form in Annex 1 to this Notice;
The right to request the correction of inaccurate personal data and/or the addition of incomplete personal data (Right to rectification), in accordance with the form in Annex 2 to this Notice. Please use this form or contact details listed under item 13 of this Notice to inform us of any changes to your personal data that we process;
The right to request the deletion of personal data without delay (Right to erasure), in accordance with the form in Annex 3 to this Notice, if:
personal data are no longer necessary for the purposes for which they were collected,
you withdraw your consent to the processing of personal data, and there is no other legal basis for the processing of that data,
you have filed an objection to the processing of data based on our legitimate interest, except in cases specifically provided for by the regulations in force in the Republic of Croatia,
illegal processing of personal data has been established,
the data must be deleted in order to comply with the legal obligation of the Company prescribed by applicable law.
Notwithstanding the foregoing, you may not request the deletion of your personal information if this information is required:
in order to exercise the right to freedom of expression and information,
in order to comply with a legal obligation in accordance with applicable law and for the needs of the public interest, particularly in the field of public health,
for the purpose of archiving in the public interest, scientific or historical research, for statistical purposes, with the mandatory application of personal data protection measures,
for the purpose of setting, realizing or defending legal claims.
The right to withdraw consent for the processing of personal data, if your consent was the legal basis for the processing of your personal data, provided that the withdrawal of consent does not affect the lawfulness of processing based on consent before it was withdrawn, in accordance with the form given by the Company;
The right to request a restriction on the processing of your data, in the event of (i) your dispute of the accuracy of the data, for the period in which the Company is allowed to verify the accuracy of personal data; (ii) unlawful processing of data without requesting their deletion; (iii) objection to processing based on our legitimate interests, until the confirmation that our legitimate interests of processing go beyond your interests, rights and freedoms; and (iv) if personal data are no longer required for processing, but you request them to meet/defend legal claims (Right to Restriction of Processing), in accordance with the form in Annex 4 to this Notice;
The right to transfer personal data to another controller if the processing is based on your consent or contract to which you are a party, by direct transfer between the Company and another controller if technically feasible (Right to data portability), and in accordance with the form in Annex 5 to this Notice;
The right to object to the processing of your personal data if the processing is based on our legitimate interest (Right to object). In that case, the Company will continue to process data only if there are compelling legitimate reasons for processing that go beyond the interests, rights and freedoms of the respondents or for the purpose of setting, realizing or defending legal claims;
The right to file a complaint with the Croatian Personal Data Protection Agency as the supervisory body responsible for the application of and compliance with regulations on personal data protection;
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects relating to you or affects you in a similar way, unless the decision: (i) is necessary for the conclusion or the performance of a contract between you and the Company, (ii) is permitted by European Union law or the law of the Republic of Croatia and which also prescribes appropriate measures to protect the rights and freedoms and legitimate interests of respondents, (iii) is based on your express consent. In the cases referred to in this item under (i) and (iii), the Company will implement appropriate measures to protect your rights, freedoms and legitimate interests by ensuring in any case the right to human intervention of the Company's employees, the right to express your views and the right to challenge Company's decisions.
If the respondent decides to exercise any of the aforementioned rights, the Company will, at the request of the respondent, without undue delay, but certainly within one month of submitting the request, provide the respondent with information on the actions taken. That period may, if necessary, be extended by a further two months, considering the complexity and number of applications. The Company shall notify the respondent of any such extension within one month upon reception of the request, together with the reasons for the delay. If the Company has reasonable doubts as to the identity of the applicant, it may request the provision of additional information necessary to verify the identity of the respondent.
The information provided in accordance with the respondent's request is provided by the Company free of charge, but if the respondent's requests are obviously unfounded or excessive, especially due to their frequent repetition, the Company may:
charge a reasonable fee taking into account the administrative costs of providing information or notification or acting upon the request;
refuse to act upon request.
SAFETY OF YOUR PERSONAL DATA
In order to fulfil our obligations in accordance with applicable regulation on personal data protection, we take technical and organizational measures to protect personal data from accidental loss, destruction, unauthorized access, unauthorized alteration, unauthorized disclosure and any other misuse.
To ensure safety of personal data, we have implemented mechanisms to protect our computer system from computer viruses and other harmful programs for which we use antivirus, antispam, antispyware and antimalware programs, as well as appropriate firewalls. Also, access to certain personal data (e.g. data on Company's employees, data on job candidates) is provided only to authorized persons of the Company, i.e. access to these data is physically disabled to employees who are not employed in certain departments which use personal data (e.g. data required by the procurement department, cannot be accessed by bookkeepers).
We have also taken physical measures to protect computer and telecommunications equipment with which we store, process and transmit personal data, including: placement of such equipment in protected rooms with limited access, protection of computer systems using passwords on business computers, backup of computer data systems, engagement of IT experts who maintain and evaluate the effectiveness of technical measures for personal data protection, availability of fire extinguishers with instructions for use in the immediate vicinity of these rooms, video surveillance of certain rooms, alarm system to protect certain rooms.
All Company's employees are informed and educated about the provisions of applicable regulations on personal data protection, the manner of their implementation and obligations that arise for the Company.
FURTHER PROCESSING OF PERSONAL DATA FOR OTHER PURPOSES
In the event that there is a need to process your personal data for a purpose other than the purpose for which the data was collected, before the start of such processing, our Company will provide you with information about that other purpose and other relevant information, and, if required in accordance with relevant legal regulations, will also ask for your explicit consent to the processing of personal data for that other purpose.
BREACH, COMPLAINTS AND INQUIRIES
In the event of a personal data breach (a breach of personal data protection leading to accidental or unlawful destruction, loss, alteration, unauthorized sharing or access to personal data transmitted, stored or otherwise processed), the Company will assess the risk to personal data caused by the breach and, without undue delay and, if practicable, no later than 72 hours after learning of the breach, notify CPDPA of the personal data breach, unless the risk assessment has determined that the personal data breach is unlikely to pose a risk to your rights and freedoms.
During the risk assessment, the Company will take into account the type of breach (loss or unauthorized access and/or copying of data), type, sensitivity and amount of data covered by the breach, especially whether the breach may lead to identity theft, how easy it is to identify respondents through the data covered by the violation, how severe the consequences of the breach are for the respondent, especially depending on whether it is sensitive data and the manner of breach that may be accidental by the controller or intentional by a third party, and depending on the characteristics of the respondent and their number covered by the violation and the characteristics of the Company, as the controller.
In the event of a personal data breach which, according to the risk assessment, poses significant risk to your rights and freedoms, the Company will notify you, without undue delay, of the personal data breach, unless:
appropriate technical and organizational protection measures have been undertaken and applied to personal data affected by the breach; particularly those which make personal data incomprehensible to any unauthorized person, such as encryption,
subsequent measures have been taken to ensure that a high risk to the rights and freedoms of respondents is highly unlikely to occur again (the Company was able to take action to prevent the use and further sharing of breached personal data),
informing respondents would require a disproportionate effort (e.g., contacts of subjects were lost due to breach, and it was made public or communicated to respondents). In this case, public information or a similar measure will be implemented.
When necessary, the notification of the violation will be transmitted to you by direct communication (e-mail, letter), separate from other notifications. If this is not possible due to the breach, a public notification or similar measure will be performed to inform the respondents in an equally effective manner.
The Company will document all personal data breaches, including the facts related to the personal data breach, its consequences and the measures undertaken to repair the damage.
In case of any inquiries, requests and complaints, please contact our Company or directly our personal data protection officer.