
Privacy Policy - Document 1


In accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, pertaining to the protection of natural persons with regard to the processing of personal data, and to the repealing of the Directive 95/46/EC (General Data Protection Regulation) and of the provisions of the Act on the Implementation of the General Data Protection Regulation (Official Gazette of the Republic of Croatia, 42/18),

the company VAPOUR INTERNATIONAL d.o.o. for trade and services, established in Buje, Digitronska 2, PIN: 12135052940 (VAPOUR INTERNATIONAL d.o.o.), represented by the Director Mattia Sparacino from Buje, Digitronska 2, PIN: 68434733388,

on May 24, 2018, adopted the following

 

REGULATIONS ON THE PROTECTION OF PERSONAL DATA

 

INTRODUCTION

I.

The General Data Protection Regulation (hereinafter referred to as: the GDPR) defines the rules pertaining to the protection of natural persons with regard to the processing of personal data, as well as the rules pertaining to the free movement of personal data, namely for the purpose of protecting the fundamental rights and freedoms of natural persons, and in particular their right to personal data protection.

The provisions of the GDPR define that the term "personal data" refers to all data related to an individual whose identity was determined or can be determined. An individual is a person who can be directly or indirectly identified, namely with the aid of different identifiers such as their name, identification number, location information, network identifiers, etc.

The provisions of the GDPR define that the processing of personal data refers to any procedure or set of procedures carried out on personal data or personal data sets, either by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modifying, recovery, inspection, use, disclosure by transmission, dissemination or making data available in some other way, synchronization or combination, limitation, deletion or destruction.

From said scope of application defined by the General Data Protection Regulation or considering the fact that VAPOUR INTERNATIONAL d.o.o. processes personal data, the following obligation emerges: VAPOUR INTERNATIONAL d.o.o. is required to apply first and foremost the General Data Protection Regulation, and consequently the implementing rules of the General Data Protection Regulation, especially the Act on the Implementation of the General Data Protection Regulation, as well as the substantive laws related to the protection of personal data, either pertaining to the European acquis or to the legislation of the Republic of Croatia – the law in force at the time of the adoption of these Regulations or the amendments to the legislation in the future.

 

 

SUBJECT OF THE REGULATIONS

II.

In recognition of the obligation to apply the legislation as defined in Article I, VAPOUR INTERNATIONAL d.o.o. adopts these Regulations establishing the rights of the Data Subject in relation to which personal data shall be processed and which define the personal data processing procedures.

VAPOUR INTERNATIONAL d.o.o. adopts these Regulations in order to protect personal data pertaining to the persons referred to in the previous paragraph herein, in the light of the legislation referred to in Article I. Said legislation recognizes and protects the right to protection of personal data and considers it to be one of fundamental rights and freedoms of individuals.

 

TERMS AND DEFINITIONS

III.

Certain terms from these Regulations are related to some terms contained in the GDPR and have the same meaning as them. For the purposes of these Regulations, certain terms are defined as follows:

 

-       “The Data Controller” is the company VAPOUR INTERNATIONAL d.o.o.;

-       “The Data Subject” is the person whose personal data are processed by VAPOUR INTERNATIONAL d.o.o.;

-       “The Data Processor” is the natural or legal person, public authority, agency or some other body processing personal data on behalf of the Data Controller.

 

 

GENERAL INFORMATION ON PERSONAL DATA PROCESSING

IV.

Personal data shall be processed legally, fairly and transparently with respect to the Data Subject.

Personal data shall be collected for specified, explicit and legitimate purposes and may not be processed in a manner inconsistent with said purposes.

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Personal data shall be correct and, if necessary, up-to-date.

Personal data shall be kept in a format allowing the identification of the Data Subject, but only for as long as that is necessary in order to realize the purposes for which they are processed.

Personal data shall be processed in a way ensuring the protection of personal data, including the protection from unauthorized or unlawful processing, as well as from accidental loss, destruction or damage, namely by applying appropriate technical or organizational measures.

The Data Controller shall acknowledge the obligations referred to in previous paragraphs and:

- process personal data legally, fairly and transparently with respect to the Data Subject;

Legitimate processing by the Data Controller implies processing conditioned by at least one of the following factors:

  • the Data Subject has given their consent for the processing of their personal data for one or more specific purposes;
  • processing is necessary for the realization of a contract involving the Data Subject or in order to act on a request of the Data Subject prior to the conclusion of the contract;
  • processing is necessary for the purpose of compliance with the legal obligations of the Data Controller;
  • processing is necessary in order to protect the key interests of the Data Subject or some other natural person;
  • processing is necessary in order to carry out tasks of public interest or to realize the official authority of the Data Controller;
  • processing is necessary for legitimate interests of the Data Controller or a third party, except whenever interests or fundamental rights and freedoms of Data Subjects requiring the protection of personal data, especially if the Data Subject is a child, are stronger than said interests.

- collect personal data from employees in order to establish employment relationships, as well as from clients and suppliers for the purpose of compiling offers for the establishment of business relationships and/or in order to establish business relationships, and exclusively for said purposes;

- collect adequate and relevant personal data, limited to what is necessary for the purposes for which they are processed, as defined in the previous point;

- ensure that personal data are correct and up-to-date and take appropriate measures to ensure that incorrect personal data are deleted or corrected as soon as possible;

- retain personal data for the period necessary to pursue the purposes for which they are collected.

 

 

INFORMING THE DATA SUBJECT

V.

The Data Controller shall obtain personal data pertaining to Data Subjects exclusively from the Subjects themselves.

When collecting personal data from Data Subjects, the Data Controller shall inform them of:

-  the identity and contact information of the Data Controller;

- the purpose of the processing and use of personal data, as well as of the legal basis of processing;

- the legitimate interests of the Data Controller or a third party when processing is necessary for legitimate interests of the Data Controller or a third party;

- the period for which personal data will be retained;

- the right of the Data Subject to request access to personal data from the Data Controller, as well as the right to correction or deletion of personal data or to restriction of processing of the Subject’s data, the right to object to processing and the right to data portability;

- the right to lodge a complaint to the Personal Data Protection Agency as a supervisory body;

- whether providing personal data is a legal or contractual obligation or condition.

 

 

 

 

 

RIGHTS OF THE DATA SUBJECT

VI.

The Data Subject’s right to access

The Data Subject has the right to obtain a confirmation from the Data Controller that personal data pertaining to them are processed, and if said personal data are processed, they have the right to access them and learn the purpose of their processing, as well as the estimated period for which they will be retained.

 

The right to correction

The Data Subject has the right to correction of incorrect personal data pertaining to them, which shall be done by the Data Controller and without unnecessary delay. In relation to the purpose of processing, the Data Subject has the right to complete incomplete personal data, inter alia by means of providing additional statements.

 

The right to deletion ("The right to forget")

The Data Subject has the right to have personal data pertaining to them deleted by the Data Controller, and the Data Controller is required to delete said personal data without unnecessary delay.

 

The right to limit data processing

The Data Subject has the right to limit personal data processing carried out by the Data Controller if one of the following requirements is met:

- the Subject contests the accuracy of personal data in the period during which the Data Controller is able to check the accuracy of personal data;

- the processing is illegal and the Data Subject is opposed to the deletion of personal data, but instead requests the limitation of their use;

- the Data Controller no longer needs said personal data for processing purposes, but the Subject requests them for the purpose of establishment, realization or defense of legal requirements.

 

The right to object

The Data Subject has the right to object to the processing of the personal data pertaining to them which is carried out by the Data Controller, namely at any time and on grounds relating to his or her particular situation.

 

In the case where the Subject exercises any of the rights provided for in this Article, the Data Controller:

-       shall not refuse to act upon the request of the Data Subject if they successfully identify the Data Subject;

-       shall take the necessary steps to provide the Data Subject with all the information regarding data processing, namely in a concise, transparent, understandable and easily accessible format, using clear and simple language, as well as in writing or by some other means (electronically). Data may be provided in oral form whenever the Data Subject requests it;

-       upon the Data Subject’s request, the Data Controller provides the Subject with the requested information without unnecessary delay, and no later than one month after receipt of the request. Said deadline may, if necessary, be extended for an additional two months, in relation to the complexity and the number of requests. The Data Controller shall notify the Data Subject of any such extensions within one month of receipt of their request, as well as indicate the reasons for the delay. If the Data Subject submits their request electronically, the notification should be provided electronically (if possible), unless the Data Subject requests otherwise;

-       if the Data Controller does not act upon a request of the Data Subject, they shall notify the Subject of the reasons why they have not acted upon said request, as well as of the possibility of lodging a complaint with the supervisory body and of seeking a legal remedy, namely without delay and no later than one month after the receipt of the request.

In the case referred to in the previous paragraph, the Data Controller provides their services free of charge. If the Subject’s requests are unfounded or excessive, in particular due to their constant repetition, the Data Controller may:

-       charge a reasonable fee, taking into account the administrative costs of providing information or notifications or acting upon the request; or

-       refuse to act upon the request.

 

 

 

REPORT ON PROCESSING ACTIVITIES

VII.

The Data Controller keeps track of the processing activities they are responsible for.

The Report on Processing Activities constitutes a separate document based on this Regulation.

 

 

PERSONAL DATA PROTECTION OFFICER AND FORWARDING OF PERSONAL DATA

VIII.

 

The Data Controller did not appoint an “officer” for the protection of personal data, as no such obligation is required in accordance with the applicable legislation. In relation to their business needs, the Data Controller shall conclude a written contract on data processing with individual subjects, namely for the purpose of processing said data outside the scope of the Data Controller’s work (accounting, health monitoring, professional training regarding work safety, etc.). Said data will be processed by an officer authorized by the Data Controller.

At the time of entering into the contract referred to in the previous paragraph, the Data Controller guarantees that the person with whom said contract is concluded is authorized to carry out the activity in relation to which data processing is requested, as well as that they will ensure the protection of personal data at a level which is at least equivalent to that provided by VAPOUR INTERNATIONAL d.o.o. as Data Controller.

When entering into the contract referred to in the previous paragraph, VAPOUR INTERNATIONAL d.o.o. as Data Controller guarantees that personal data transferred to other subjects will not be used for purposes other than the one for which they are forwarded, and that they will not be forwarded to anyone else.

 

 

 

 

 

SECURITY OF PERSONAL DATA

IX.

The Data Controller shall, in accordance with their abilities, take relevant technical and organizational measures in order to ensure an adequate level of safety, including the following (if necessary):

- pseudonymization and encryption of personal data;

- constant confidentiality, integrity, availability and resistance of processing systems and services;

- re-establish the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

- carry out regular testing, evaluation and assessment procedures related to the effectiveness of technical and organizational measures to ensure the safety of processing.

 

 

PROCEDURE IN CASE OF PERSONAL DATA VIOLATION

X.

Reporting the violation of personal data to the supervisory body

In the case of violation of personal data, the Data Controller shall report it to the Personal Data Protection Agency, namely without unnecessary delay and, if possible, not later than 72 hours after the moment they learn about the violation, unless it is unlikely that said personal data violation will constitute a risk for the rights and freedoms of individuals. If said reporting is not done within 72 hours, it is necessary to provide the reasons for the delay.

Reporting to the Personal Data Protection Agency shall be done in a prescribed form.

The Data Controller shall document all instances of personal data violation, such as facts related to the violation of personal data, their consequences and the measures taken to remedy the damage.

 

 

Notification of the Data Subject regarding personal data violation

In the case of a personal data violation which is likely to lead to a considerable risk for one’s rights and freedoms, the Data Controller shall inform the Data Subject of said violation without unnecessary delay.

 

TRANSITIONAL AND FINAL PROVISIONS

XI.

 

These Regulations shall enter into force on January 2, 2019.

 

Privacy Policy - Document 2


In accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, pertaining to the protection of natural persons with regard to the processing of personal data, and to the repealing of the Directive 95/46/EC (General Data Protection Regulation) and of the provisions of the Act on the Implementation of the General Data Protection Regulation (Official Gazette of the Republic of Croatia, 42/18),

the company VAPOUR INTERNATIONAL d.o.o. for trade and services, established in Buje, Digitronska 2, PIN: 12135052940 (VAPOUR INTERNATIONAL d.o.o.), represented by the Director Mattia Sparacino from Buje, Digitronska 2, PIN: 68434733388,

on May 24, 2018, adopted the following

I.

REPORT ON PROCESSING ACTIVITIES

This Report on Processing Activities is provided by:

VAPOUR INTERNATIONAL d.o.o. for trade and services, established in Buje, Digitronska 2, PIN: 12135052940 (hereinafter referred to as: "the Data Controller").

The person responsible for the compilation of this Report is the director Mattia Sparacino from Buje, Digitronska 2, PIN: 68434733388.

II.

PERSONAL DATA CATEGORIES

 

The Data Controller shall collect and process:

-       personal data of their employees;

-       personal data of natural persons – clients;

-       personal data of natural persons – suppliers.

 

III.

PURPOSE OF PROCESSING AND TYPES OF DATA

The Data Controller shall collect personal data related to their employees that are necessary for the establishment of the employment relationship, as well as for the fulfillment of the commitments of the Data Controller towards the employees. Said data shall be collected for the aforementioned purpose only.

Said data are for instance (but not only) one’s name and surname, personal identification number (OIB), unique citizen's number (JMBG), date and place of birth, ID number, passport number, father's or mother's name, residence address and/or home address, health insurance number, pension insurance number, name and number of second pillar pension insurance, professional qualification, title, bank account number, type of employment, work place, earlier work experience, date of employment, date and reason for employment termination, the employee’s working hours, data on the rights acquired from employment.

Said data shall be retained for the period necessary to pursue the purposes for which they are collected, and no later than the date of expiry of all legal obligations related to the retention of personal data.

 

The Data Controller shall collect the following personal data from their clients and suppliers:

-       name and surname;

-       address;

-        Personal Identification Number (PIN);

-       phone / mobile phone number;

-       electronic mail address (e-mail) – limited to the cases when the client and/or the supplier requests electronic communication from the Data Controller.

Said data shall be collected for the purpose of compiling offers for the carrying out of the company’s business activities, for the purpose of concluding contracts for the carrying out of business activities, and for the purpose of resolving complaints and disputes arising from the aforementioned relationships.

Said data shall be retained for the period necessary to pursue the purposes for which they are collected, and no later than the date of expiry of all legal obligations related to the retention of personal data.

IV.

CESSION OF PERSONAL DATA

Personal data that shall be collected and processed and are indicated in previous articles are transferred to third parties by the Data Controller based on the business needs related to the processing of personal data, which fall outside the scope of the Data Controller's work. Data are transferred to certain subjects based on written contracts (accounting, employee health monitoring, professional training pertaining to work safety etc.).

V.

PERSONAL DATA PROTECTION

Personal data that shall be collected and processed and are indicated in previous articles shall be processed by the Data Controller as follows:

- personal data collected in writing shall be attached to the employee’s file (when it comes to the employee's data) or placed in the related folder (when it comes to the data pertaining to clients and suppliers) and kept in related cabinets intended for storing paper documentation within business premises;

- personal data collected electronically by the Data Controller shall be stored in an internal computer memory or on an external server memory (cloud) protected by a password.