Privacy Policy

We inform customers about how the collected data will be used, and we regularly offer customers the option to choose how their data is used, including the decision on whether or not they want their name removed from lists used for marketing campaigns.

All user data is strictly guarded and is accessible only to employees who need it to perform their duties. All our employees and business partners are responsible for adhering to privacy protection principles.

STATEMENT ON THE PROTECTION OF PERSONAL DATA TRANSMISSION

Privacy Policy 09.08.2024

INTRODUCTORY PROVISIONS

This Policy establishes a responsible and transparent framework to ensure compliance with the General Data Protection Regulation (GDPR). The Policy applies to all organizational parts of ADRIAPASS d.o.o. (hereinafter referred to as the CONTROLLER) and all employees, including part-time employees and temporary workers, as well as all external collaborators acting on behalf of the controller.

PRIVACY POLICY STATEMENT

The controller is committed to operating in accordance with all laws, regulations, and the highest standards of ethical business. This policy outlines the expected conduct of the controller’s employees and external collaborators who engage in the collection, use, storage, transmission, disclosure, or destruction of any personal data belonging to employees, business partners of the controller, and other natural persons. The purpose of the policy is to standardize the protection of the rights and freedoms of data subjects by preserving the privacy of their personal data in all aspects of the controller’s business involving personal data.

This policy establishes that ADRIAPASS d.o.o. will not disclose personal data to third parties without authorization, nor will it act in a way that could compromise such data.

The controller adopts the following principles to be adhered to in the collection, use, retention, transmission, and destruction of personal data:

1. LAWFULNESS, FAIRNESS, AND TRANSPARENCY: Personal data will be processed lawfully, fairly, and transparently in relation to the data subject. This means that the controller will inform the data subject in all relevant situations about how their data will be processed (transparency), and the processing will be conducted solely in accordance with what has been communicated (fairness) and for the purpose prescribed by applicable data protection law (lawfulness).
2. PURPOSE LIMITATION: Personal data will be collected for specified, explicit, and legitimate purposes and will not be processed in a manner incompatible with those purposes. The controller must clearly state the intended use of the collected data and limit the processing of personal data to processes necessary to achieve those purposes.
3. DATA MINIMIZATION: Collected personal data will be relevant and limited to what is necessary for the purpose of processing. The controller will not collect, process, or store more personal data than is strictly necessary.
4. DATA ACCURACY: Collected personal data will be accurate and up to date. The controller will have procedures in place to identify and address outdated, inaccurate, and unnecessary personal data.
5. SAFE DATA STORAGE: Personal data will not be stored in a form that allows identification of data subjects longer than necessary for the processing purpose. Where possible, the controller will store personal data in a way that limits or prevents identification of data subjects.
6. DATA SECURITY: Personal data will be processed and stored in a manner that ensures appropriate protection against unauthorized and unlawful processing and accidental loss, destruction, or damage. The controller will implement appropriate technical and organizational measures described in the Personal Data Security Policy to ensure the integrity and confidentiality of personal data at all times.
7. PRIVACY BY DESIGN: When designing new systems, reviewing, and expanding existing systems and processes, the controller will consider the application of all these principles to maximize the protection of the data subject’s privacy.

Data Subject Rights

All data subjects whose data is collected and processed by the controller have the following rights:

1. RIGHT OF ACCESS: Each data subject has the right to a copy of the data the controller holds in their archive for inspection. Besides the right to access their own data, the data subject has the right to information about:
   • The purpose of the processing and legal basis for the processing.
   • The legitimate interest if the processing is based on it.
   • Types and categories of collected personal data.
   • Third parties to whom the data is forwarded.
   • Data retention period.
   • The source of personal data if not collected from the data subject.

   All information must be provided to the data subject in clear and simple language to ensure understanding and must be clearly indicated and visible so that the data subject does not overlook it. If there is a possibility that providing the requested information to the data subject might reveal information about another person, those data should be anonymized or completely withheld to protect that person’s rights.

2. RIGHT TO RECTIFICATION: Each data subject has the right to correct inaccurate or incomplete data held by the controller in their archive.
3. RIGHT TO BE FORGOTTEN: Data subjects can request that their data be removed from the archive. The request will be considered and granted if it does not contradict the legal basis for personal data processing.
4. RIGHT TO RESTRICT PROCESSING: Data subjects have the right to restrict the scope of processing where applicable.
5. RIGHT TO DATA PORTABILITY: Data subjects have the right to a copy of the data for transfer to another controller.
6. RIGHT TO OBJECT: Data subjects have the right to object, especially when processing is based on the controller’s legitimate interest. A review of the processing purpose and its legal basis is then required, and where applicable, the data subject must be allowed to withdraw consent for data processing and/or halt the processing of their data.
7. RIGHT TO ASSESSMENT: Data subjects have the right to request the supervisory authority’s assessment of violations of the Regulation and the controller’s internal policies.
8. RIGHT TO OBJECT TO PROFILING: Data subjects have the right to object to automated profiling and other forms of automated decision-making. If the controller refuses the data subject’s request, the response must state the reason for the refusal, which the data subject can appeal to the relevant data protection authority (AZOP).

Legal Basis

The legal bases for the collection and processing of personal data of data subjects are as follows:

1. LEGAL OBLIGATION: Laws governing the business of the controller prescribe the data sets necessary to fulfil legal obligations. For collecting and processing data prescribed by law, the controller will not seek consent from the data subject but will only collect the data prescribed by law and not use it for other purposes. This specifically applies to data collected under the following laws and their corresponding regulations, among which are:
   • Accounting Act.
   • Value Added Tax Act.
   • Income Tax Act.
   • Labour Act.
   • Regulation on the Content and Manner of Keeping Records on Workers.
2. CONTRACTUAL OBLIGATION: Personal data required to fulfil a contractual obligation will be collected by the controller without the data subject’s consent, to the minimum extent necessary to fulfil the obligation.
3. LEGITIMATE INTEREST: The controller will publish a list of its legitimate interests based on which it collects and processes personal data to enable and/or improve its services or products.
4. PROTECTION OF VITAL INTERESTS OF THE DATA SUBJECT: The controller may collect and process personal data without the data subject’s consent if it is for the purpose of protecting their vital interests.
5. PUBLIC INTEREST OR EXERCISE OF OFFICIAL AUTHORITY OF THE CONTROLLER: When the controller’s activities involve acting in the public interest or data processing is based on another type of official authority, it is not always necessary to notify the data subject about the collection of personal data.
6. CONSENT: In all other cases, the controller will seek consent from the data subject for the collection and processing of personal data, clearly stating the purpose of the processing. The data subject can withdraw their consent at any time, and their data must be automatically removed, and the processing stopped. The controller will keep a record of active and withdrawn consents to ensure business compliance.

Terms and Definitions

GENERAL DATA PROTECTION REGULATION (GDPR): The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection processes for all individuals within the European Union (EU). The Regulation also applies to the transfer of personal data outside the EU.

CONTROLLER: The entity that determines the purpose, conditions, and means of processing personal data.

PROCESSOR: The entity that processes data on behalf of the controller.

AGENCY FOR THE PROTECTION OF PERSONAL DATA: The state agency responsible for protecting data and privacy, overseeing the implementation of the Regulation, and actively enforcing the Data Protection Regulation within the European Union.

DATA PROTECTION OFFICER: A data protection expert who operates independently to ensure that the business entity complies with policies and procedures established based on the Regulation.

DATA SUBJECT: A natural person whose personal data is processed by the controller or processor.

PERSONAL DATA: Any information related to a natural person, i.e., a data subject, that can be used to directly or indirectly identify the person.

PROCESSING OF PERSONAL DATA: Any activity performed on personal data, automated or not, including collection, use, recording, and similar activities.

PROFILING: Any automated processing of data intended to evaluate, analyze, or predict the behaviour of the data subject.

RIGHT OF ACCESS: Known as the ‘right to access’, it allows the data subject to access personal data concerning them held by the controller.

Legal Regulation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Act on the Implementation of the General Data Protection Regulation. (NN 42/2018)