The privacy of Data subjects is protected by the regulations of the European Union, as well as by the legislation of the Republic of Croatia.
These General Terms and Conditions were adopted on the basis of and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
These General Terms and Conditions of Personal Data Protection (hereinafter: General Terms) apply in situations where the Company as the Processor is in a contractual relationship with a third party – a Client having the status of a Controller (hereinafter: the Controller and Processor, together: “Contracting Parties”).
These General Terms shall apply appropriately and when the Processor acts in the capacity of the Second Processor and the Controller in the capacity of the Processor.
10 000 Zagreb
Personal identification number: 86132384544
+385 (0)1 6184 831
Personal data – any information relating to an identified or identifiable natural person (Data subject)
Data subject – one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Processing of personal data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Controller – the Client, that determines the purpose and means of personal data processing on its own or with others
Processor – the Company that processes personal data for the Controller
User – third party receiving the services from the Company at the Client’s request
Basic Agreement – any agreement, including the acceptance of an offer, order or any other document based on which the Company provides a service at the Client’s-Controller’s request, concluded or accepted between the Contracting Parties for the purpose of providing services from the business scope of the Company for the Client, under which the Company comes or could get in touch with the Personal Data of the Client or user.
Supervisory authority – an independent public authority established by the Republic of Croatia for the purpose of control and ensuring the implementation of the GDPR
Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
The General Data Protection Regulation sets out the following principles for the processing of personal data that the Contracting Parties must apply:
The Company may, acting in the capacity of the Processor during performance of services, view, collect, use, forward and in any other way process personal data of the Controller and/or user, and other persons whose identity can be determined directly or indirectly (hereinafter: Data subjects).
Depending on the nature of the business relationship, the Company may process different types of Data subject’s personal data. This includes identification and contact information, including, but not limited to: name and surname, permanent and/or temporary residence address, personal identification number (PIN), date, place and country of birth, citizenship(s), title and number of the identification document with the title and country of issuing authority.
By concluding the Basic Agreement, the Controller confirms that it fully complies with all legal obligations related to the personal data protection and the General Data Protection Regulation.
The Processor shall provide sufficient guarantees in respect of the implementation of appropriate personal data protection measures, that it possesses the Facility Security Clearance of the security classification level “Confidential” issued by the Croatian Office of the National Security Council, and an integrated quality management and information security system in accordance with the requirements of the norms ISO9001 and ISO27001.
The Controller shall primarily, based on its abilities, make illegible or conceal in any other way all personal data that the Processor may access, in such a way that even theviewing of such data is not considered the processing of personal data.
In case the processing of personal data is required within the scope of the Processor’s obligations under the Basic Agreement, the Controller shall deliver the required information to the Processor before the beginning of processing of personal data by the Processor and ensure the following:
The Controller is not authorised to give access to the personal data via secured access available to the Processor to anyone else; engage another processor who shall access personal data via secured access available to the Processor, nor to independently access personal data via secured access for the Processor.
The Processor shall process the personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Processor shall ensure that the Processor’s experts in charge of processing personal data in the scope of fulfilling the Processor’s obligations under the Basic Agreement concluded between the Contracting Parties commit themselves with written statements of confidentiality, that is, subject themselves to legally binding confidentiality obligations
Within the scope of meeting the obligations under the Basic Agreement by the Processor, the Contracting Parties implement appropriate technical and organisational protection measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
The Contracting Parties shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by Union or Member State law.
The Controller provides the Processor with a general written authorisation to engage another processor.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations shall be imposed on that other processor by way of a contract.
The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation, for which the Controller commits to pay a fee to the Processor pursuant to the accepted offer of the Processor for providing those services;
The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor, for which the Controller commits to pay a fee to the Processor pursuant to the accepted offer of the Processor for providing those services.
The Processor deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data.
The Processor shall make available to the Controller all information necessary for proving the compliance with the determined obligations and information that enable audits, including inspections, performed by the Controller or other auditor authorised by the Controller, and contribute them.
In case that the Processor believes the documented instructions violate the data subjects’ rights, it shall inform the Controller of such instance.
To avoid any doubt, in case the Processor is developing an application code at the Client’s request, the Client shall ensure that the Client meets all obligations related to protection of personal data, especially in relation to application design and architecture.
The Processor shall notify the Controller without undue delay after becoming aware of a breach of personal data being processed under the Basic Agreement.
The provisions of this article apply especially in cases when the Client acts in the capacity of the Processor, and the Company in the capacity of another Processor.
By concluding the Basic Agreement, the Client states that it shall give orders and instructions to the Company in relation to the processing of personal data based on the written instruction of the User as the controller; shall the opposite be determined, the Company is relieved of all responsibility towards the user and Data subject, while the Client is responsible to the Company for all damage incurred.
By concluding the Basic Agreement, the Client states that it has a special or general prior written authorisation issued by the User as the controller in relation to engaging the Company as another Processor. The Client shall immediately inform the Company of each change relating to the above-stated and referring to the Company.
In case that the Client loses its capacity of the processor or the User changes, revokes or delivers a new instruction on the processing of personal data at any moment, the Client shall immediately inform the Company.
The Client shall immediately inform the Company about all important circumstances related to the processing of personal data of the User.
The Client shall immediately inform the Company about all obligations related to the processing of personal data that are imposed to the Client by the User. In case of neglect, the stated obligations do not apply to the Company, and the Client shall compensate the Company for all damage incurred.
The Controller is exclusively responsible for the accuracy, completeness and regular updating of the Controller’s Personal Data.
The Controller is exclusively responsible for the security, confidentiality, passwords and access to the personal data at the Controller’s IT infrastructure.
The Controller is exclusively responsible for the supply and maintenance of the computer equipment it uses, as well as for other equipment required for processing of relevant personal data, not including the rights and obligations of the parties under the Basic Agreement.
The Processor’s liability shall be excluded for any damage incurred due to the use of the Processor’s server, for blackouts, failures, delays, theft, loss of data, computer viruses, alterations and misuse of records, interruption in operation, Controller’s unauthorized behaviour and any consequential damage.
The Contracting Parties agree that the Processor shall be held responsible for the damage only if it processes personal data contrary to the Controller’s instructions.
In case the Processor processed personal data according to the Controller’s instructions, but the damage for the Data subject still incurred and was compensated by the Processor, or the Processor paid a fine or had any other costs or damage, the Controller shall fully compensate that amount to the Processor.
The amount of damage which the Processor may be liable for is limited to a maximum of 500,000.00 HRK.
The Client is authorized to make a written request to the Company requesting personal data of certain experts of the Company for the purpose of fulfilling the obligations of the Company from the Basic Agreement.
In case the personal data of the Company’s experts are delivered to the Client, the rights and obligations of the Processor under these General Terms shall apply to the Client in the appropriate manner.
The personal data of the Company’s experts are delivered to the Client for the purpose of keeping records, assessment of fulfilling the conditions, enabling the access to the Client’s system to a certain expert of the Company and fulfilment of rules and procedures of the Client. In case the personal data of the Company’s experts are delivered in the form of a CV, résumé or certificate issued to an expert, the Client is authorized to process that data solely for the purpose of evaluation in order to authorize the engagement of that Company’s expert.
By concluding the Basic agreement, the Company authorizes the Client to process certain personal data in the following duration, scope and quality:
Duration of processing: maximum 6 (six) months from the day of the receipt of the Company’s experts’ personal data if the expert is not engaged, and if they are engaged – maximum 2 months from the day of the termination of expert’s services
The Company is authorized to deliver to the Client amended or additional instructions or orders for the processing of delivered personal data at any moment.
The Contracting Parties agree that all other personal data, except those stated in point 4 of this article, are considered to be excessively requested personal data and cannot be considered crucial personal data required for the provision of services by the Company under the Basic Agreement; therefore, the Client is not authorized to request that data from the Company or directly from the Company’s experts.
The Croatian law will apply for relationships between the Contracting Parties, and in case of disputes, the competent court shall be the actual competent in Zagreb.
By concluding this Agreement, the Contracting Parties retain all rights and obligations regarding processing of personal data in accordance with the General Data Protection Regulation.
The provisions of these General Terms apply between the Contracting Parties for the whole duration of the Basic Agreement.
In case the Contracting Parties conclude a special agreement in relation to the processing of personal data, the provisions of these General Terms complement that special agreement.
In the event of disagreement with the General Terms of a special agreement concluded between the Parties in relation to the processing of personal data, the provisions of a special agreement shall be binding.