Dada & Rocco d.o.o., with residence in Supetar, Put Križa 15, PIN: 86017244401 (hereinafter: the Company), must collect and use certain data about individuals in the course of its business.
The purpose of this policy is to ensure that the Company completely complies with legal, organizational and technical obligations regarding personal data protection.
All employees of the Company are completely familiar with the content of this policy and ensure its application while handling or processing personal data. Employees whose tasks also include personal data handling are adequately educated regarding their tasks related to personal data protection.
This policy refers to all personal data that the Company keeps regarding any person, regardless of whether that person was, is at this moment, or will be a client, supplier or a contact.
This policy is made with the goal to prevent potential damage to the Company and its employees and data subjects and to ensure that processing of personal data by the Company completely complies with the law and other regulations.
- DEFINITION AND APPLICATION
Personal data is all information related to an individual who is identified or identifiable, that is, an individual who can be identified directly or indirectly, especially with the help of an identifier such as name, identification number, location data, online identifier or with the help of one or more factors characteristic for the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Personal data processing means every operation or set of operations which is performed on personal data or on sets of personal data, whether it be by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, spreading, publishing or otherwise making available, alignment or combination, restriction, erasure or destruction and performance of mathematical and other operations with that data.
The Company collects and processes personal data first and foremost for providing services of its business. Therefore, the Company has the need to collect and process certain types of data on individuals who come in contact with the Company (data subjects). The Company acts adequately with that personal data, regardless of the way that data were collected, recorded, stored and used – on paper or on other material.
At the moment of delivering data subject’s data to the Company, the data subject accepts that the Company processes his/her personal data, according to the specified purpose. Data privacy protection of data subject is permanent, and at any time the data subject can use his/her rights listed and explained below.
The Company collects and processes data subject’s personal data according to the Personal Data Protection Act (NN 103/03, 118/06, 41/08, 130/11, 106/12), other Croatian regulations, the Directive 95/46/EC and General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016).
The Company stores collected data in an adequate manner and ensures their confidentiality. The Company shall not forward collected data to third persons without the data subject’s permission, apart from the cases when this is necessary for implementing legal obligations of the Company, in cases when this is necessary for fulfilling tasks being carried out in the public interest or in cases where data subjects disclosed that data themselves as well as in other cases determined by relevant regulations.
Data subject, regarding the personal data processed by the Company for him/her, has the following rights:
- Right to be informed
At any time, the data subject has the right to ask for information whether his/her personal data are being processed and for what purpose, who is the Controller, contact information of the Data Protection Officer, which categories of the personal data are being processed, for which period are they being processed, that is, stored, who is the source for obtaining his/her personal data, who are the recipients of his/her personal data, as well as the right to be informed of his/her other rights stated in this policy (right to access, right to rectification, right to erasure, right to restriction of processing and others).
- Right of access
The data subject has the right to obtain from the Company confirmation that the personal data referring to him/her are being processed, and to gain access to that data and to information on:
- the purpose of processing,
- categories of personal data that are being processed;
- recipients or categories of recipients to whom the data were disclosed or shall be disclosed;
- if possible, on the data storage period, that is, on the criteria that enable determining that period;
- the right to ask the Company for rectification or erasure of personal data, or restriction of processing of personal data referring to the data subject, or the right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- if personal data are not collected from the data subject, on any available information about their source;
- the existence of automated decision-making, which includes profiling, with consequences.
- Right to rectification
The data subjects have the right to obtain from the Company rectification of inaccurate personal data referring to them, without unnecessary delay. The data subject has the right to supplement incomplete personal data, among others, also by giving an additional statement.
- Right to erasure / right to be forgotten
The data subject has the right to have the personal data referring to him/her erased by the Company, without delay, if that personal data are no longer necessary for the purposes they were collected for or otherwise processed, if the data subject withdraws the consent on which the processing is based and there are no other legal grounds for processing, if the data subject objects to processing, if personal data have been processed unlawfully, if personal data have to be erased in order to comply with a legal obligation under Union law or the law of the Member State to which the Company is subject, or if personal data were collected in connection with offering information society services to a child.
The above stated is not applied if the processing is necessary (and to the extent necessary) for realizing the right to freedom of expression and information, for complying with the legal obligation that requires processing in the Union law or in the law of the Member State the Company is subject to, or for carrying out public interest tasks or for executing official authority of the Company, due to the public interest in the field of public health, for the purposes of archiving in the public interest, for the purpose of scientific or historical research, for the purpose of establishing, achieving or defending the legal requirements.
- Right to lodge a complaint with a supervisory authority
The data subject has the right to object on grounds relating to his/her particular situation, at any time, to processing of personal data concerning him/her, including profiling, if processing is necessary for the performance of a task carried out for reasons of public interest or for executing official authority of the Company, that is, if the processing is necessary for the needs of Company’s or third person’s legitimate interests. The Company must no longer process personal data unless the Company proves that there are convincing legitimate reasons for processing that override interests, rights and freedoms of data subjects or for establishing, exercising or defending legal claims.
If personal data are processed for the needs of direct marketing, the data subject at any time has the right to object to processing of personal data concerning him/her for such marketing, which includes profiling to the extent related to such direct marketing.
- Right to data portability
The data subjects have the right to receive personal data referring to them, which they provided to the Company, in a structured, commonly used and machine-readable format and have the right, without being obstructed by the Company, to transfer that data to another controller if the processing is based on their consent and the processing is conducted in an automated manner. The data subject has the right to direct transmission from the Company to another controller if this is technically doable, and this right must not negatively affect the rights and freedoms of other persons.
- Rights related to automated decision-making and profiling
The data subjects have the right that a decision based solely on automated processing, does not refer to them, including profiling, which has legal effects that refer to them or significantly affect them in a similar manner, unless that decision is necessary for concluding or executing a contract between data subject and the Company, except if it’s allowed by the Union law or by the law of the Member State that the Company is subject to, or is based on explicit data subject’s consent.
- Right to withdraw consent
The data subject’s consent is one of the legal grounds for data processing that refers to the data subject. The data subject has the right to withdraw the given consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to restriction of processing
The data subject has the right to ask for restriction of processing of his/her personal data: if the data subject is contesting the accuracy of his/her personal data, for a period necessary for the Company to verify said accuracy; if the processing of his/her personal data is unlawful, and the data subject does not ask for erasure, just the restriction of processing; if the Company no longer needs his/her personal data, but they are required by the data subject for the exercise of legal claims; if the data subject has objected to processing, pending the verification whether the legitimate reasons of the Company for processing override his/her objection reasons.
For exercising his/her rights, the data subject should contact the data protection officer by sending a written notification, that is, a request to the data protection officer of Dada & Rocco d.o.o., by e-mail using the e-mail address provided by Dada i Rocco d.o.o., or by post to the address: Put Križa, 21400 Supetar, or by delivering a personal statement directly to the business premises of the Company, with previous announcement on the phone number +385 .. .. .. .., with identification by a current personal document.
- DATA PROTECTION OFFICER
Dada&Rocco d.o.o. appointed the data protection officer:
- Danira Glavinić
- Phone: +38591 6135-433
- e-mail address: firstname.lastname@example.org
All questions regarding personal data protection are to be directed to the personal data protection officer.
- PERSONAL DATA PROTECTION PRINCIPLES
The Company finds that lawful and proper treatment of personal data is very important and therefore ensures that personal data are treated lawfully and properly. For that purpose, the Company completely supports and complies with Principles of data protection.
Principles of data protection require that the personal data:
- have to be processed lawfully and fairly and particularly must not be processed if the conditions specified by regulations are not fulfilled;
- are collected just for one or more specified and legitimate purposes and must not be processed further in any manner incompatible with those purposes;
- processing must be adequate, relevant and not excessive in relation to the purpose or purposes for which that data is processed, and the data must be accurate and up to date;
- must not be kept longer than required for the applicable purpose;
- must be processed in accordance with the rights of the data subject according to current regulations;
- appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss, destruction or damaging of the personal data;
- must not be transferred to a country or a territory outside of the EU, unless that country or territory ensures an adequate level of protection of rights and freedoms of the data subject regarding the personal data processing.
- ACTIVITIES OF POTESTAS RELATING TO DATA PROCESSING
The Company takes the following actions relating to data processing:
- completely obeys the conditions of fair collecting and processing of personal data;
- fulfils the obligation to specify the purpose for which the personal data is processed;
- collects and processes adequate personal data only to the extent necessary for complying with operational purposes or according to all legal requirements;
- delivers all necessary data to Personal Data Protection Agency;
- conducts a strict verification of the time of personal data storage;
- ensures that the rights of persons whose personal data are processed, can be completely exercised according to personal data protection;
- takes adequate technical and organizational measures for personal data protection;
- ensures that the personal data are not transferred abroad without securing protection;
- treats all persons fairly and honestly regardless of their age, religion, disability, sex, sexual orientation or ethnicity, when acting related to their requests for being informed;
- determines clear procedures for responding to requests to be informed.
The Company can publish the content of cookies on its website for advertising and tracking traffic statistics based on interests and information of visitors of the Company’s websites from social networks. If the data subject uses the content on social networks of the Company or in applications, the cookie from stated networks and applications might be stored on the data subject’s device he/she uses to access the Company’s website.
The visitors have the right to turn off cookies. Web browsers are usually programmed in a manner that acceptance of cookies is their default setting, but data subjects can easily adjust this by changing their browser settings. If the data subject wishes to restrict or block all cookies that include web-sites/applications of the Company (which can disable the use of certain parts of web-sites) or other web-sites/applications, the data subject can do this in the browser’s settings.
In case of a personal data breach which would probably cause high risk for rights and freedoms of the data subject, the Company, without unnecessary delay, informs the data subject of the breach of personal data, unless the Company has taken adequate technical and organizational measures of protection and those measures are applied on personal data affected by the personal data breach, particularly those that make personal data non-understandable to any person who is not authorized to access them, that is, if the Company has taken subsequent measures that ensure that the high risk for rights and freedoms of the data subject is not probable, that is, if this would require a disproportionate effort, in which case the Company shall apply a public form of informing or a similar measure which informs all data subjects equally efficiently.
- VIEW AND REVIEW
The Company has the right to update this policy if necessary, in order to maintain the best practice and to ensure compliance with all the changes or alterations regarding personal data protection.