Under Regulation (EU) 2016/679 of the European Parliament and the Council of 27 December 2016/28. April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data (herein: Regulation), the Law on the Implementation of the General Data Protection Regulation (OG 42/18) and the Law on Attorney's Office (OG 09/94, 117/08, 50/09, 75/09, 18/11) , the law firm BORIĆ & PARTNER d.o.o. from Zagreb, (herein: B&P), 25 May 2018 adopted the following
PERSONAL DATA PROCESSING AND PROTECTION POLICY
Article 1 Apply the Regulations
1. This Regulation applies to the Processing and Protection of Personal Data of all Data subjects by B&P as the Controller, regardless of the source of personal data or the method of Processing, including the Processing of Personal Data both in B&P's ordinary business and through B&P's online, official B&P profile on the LinkedIn social network (herein: Profile)and any other and/or subsequent forms of B&P's online presence if referenced to this Regulation (here onwards jointly or individually: the Website).
3. In the event of amendments to this Regulation, we will inform you in an appropriate manner on the Website and Profile, and the updated Regulations will be published with the date of its application in the header. If any provision of the amended Regulations is unacceptable to you, please do not access our Websites anymore, or contact B&P in any other way, starting from the date of its application.
Article 2 Controller and Data Protection Officer
1.B&P is the Controller in relation to the Processing of Your Personal Data within the meaning of the provisions of Article 1 of this Regulation. You can always contact us via the e-mail address referred to in Article 13, paragraph 2 of this Regulation.
3. Profiling is an automated assessment of personal data with respect to certain personal characteristics of a particular person, in particular for the analysis and forecast of performance, economic situation, health, personal preferences and interests, reliability, residence or change of location. B&P only gives the first profiling if the Data Subject has given explicit consent, such as ads based on user profiles created with the help of automation. Respondents are not required to provide data for profiling purposes and have the right to withdraw the given consent at any time.
4.B&P has appointed a Data Protection Officer to whom you can contact all questions, comments, requests, complaints or other comments regarding our Processing of your Personal Data via the e-mail address specified in Article 13, paragraph 2 of this Regulation.
Article 3 Subject Categories
B&P Processes Personal Data of the following categories of Data subjects:
1. Parties-wicked persons, including craftsmen, i.e. other forms of individual occupations or economic activities
2. Business partners–natural persons, including craftsmen, i.e. other forms of individual professional occupations or economic activities
3. Legal representatives of legal entities (e.g. directors) and/or workers in legal entities that are our Business Partners, Parties or counterparties
4. Third individuals, in particular:
- Anti-party-wicked persons;
- proxy of anti-party-natural persons;
- other participants–natural persons in legal proceedings and other cases;
- judges and other servants and employees in courts and competent state bodies;
- court experts;
- court interpreters;
- notaries; and
- other individuals;
5. Visitor to the Website;
6. B&P employees and persons applying for employment, student work, volunteering, etc.
Article 4 Personal Data Obligation
1. The processing of most personal data is prescribed by appropriate legal regulations in the field of attorney's office, commercial law, accounting, tax law, etc., and is therefore binding, that is, you are obliged to give it to us, and we are obliged to process it in accordance with such regulations. If you refuse to provide us with mandatory Personal Data, we will not be able to provide you with the necessary legal support or establish another business (contractual) relationship, or remain in a business (contractual) relationship.
2. The obligation to provide and process the Data subject's personal data may be a contractual obligation of our Party or Business Partner and a condition necessary for the orderly conduct of mutual business communication. In other words, the provision of the Data subject's personal data in such cases is related to their employment or other appropriate property with our Party or our Business Partner and their business relationship with us.
3. The provision of certain types of Personal Data of the Data subject may be voluntary, i.e. the only consequence of not giving such Personal Data would be the Inability of the Data subject to obtain some benefits that we can offer him on the basis of voluntary and informed consent that he can withdraw at any time. For example, accessing and using the Website is voluntary, i.e. it is voluntary. depends solely on the interest and decision of the Data Subject.
Article 5 Sources of Personal Data
1. We collect personal data directly from the Data subject whenever possible.
2. In certain cases, especially where we are not in direct contact with the Data Subject, for example in the case of Third Individuals or workers of our Parties or Business Partners who are legal entities, we may collect personal data indirectly – from submitted documentation or from public sources, such as public registers, public books, i.e. from competent government bodies and the like.
Article 6 Legal basis for The Processing of Personal Data
1.B&P may process the Data subject's personal data on the basis of one of the following Legal Grounds set out in Article 6(1) of the Regulation:
1.1. conclusion and performance of a contract for the provision of legal services (point (b));
1.2. enforcement of B&P's legal obligations (point (c)). Such Processing may be necessary on the basis of applicable legal regulations, for example in the field of tax, commercial, criminal law, anti-money laundering regulations and more, including in relation to the exercise of supervision by competent state authorities and in the case of legal duty to provide data;
1.3. pursuing the legitimate interests of B&P or third parties (point (f)), for example, acting with due diligence when choosing Business Partners, conducting business and managing relations with the Parties, protecting persons and property, informing about services and the like;
1.4. Protection of the vital interests of the Data subject or other individual (point (d)), i.e. where processing is necessary to protect the interest necessary to preserve the life of the Data subject or other natural person (in the latter case, in principle provided that the Processing clearly cannot be based on another legal basis), for example for humanitarian purposes, in particular in cases of natural and man-made disasters;
1.5. Exceptionally, the consent of the Data subject (point (a)). If the Data Subject gives consent to the Processing of His Personal Data for one or more other purposes not specified in Article 7 of this Regulation, he or she has the right to withdraw his/her consent at all times, but this does not affect the lawfulness of the Processing on the basis of consent prior to its withdrawal. After withdrawing our consent, we will cease processing the Personal Data of that Data subject if there is no other Legal Basis than set out in the previous paragraphs (i) of this paragraph 1 of article 1 for the continuation of the Processing, and we will anonymize, delete or otherwise permanently destroy them within the deadlines set out in Article 12 of this Regulation.
2. Depending on the legal nature of the cases in which we may represent our Parties, in particular in cases relating to misdemeanour or criminal law, on the basis of the Legal Basis referred to in paragraph 1(i) or (ii) of this Article, we may also process data relating to criminal convictions and offences in accordance with the provisions of Article 10. Regulation.
3. Depending on the legal nature of the cases in which we represent our Parties, we may process special categories of Personal Data on the basis of the relevant Legal Basis referred to in Article 9(2). Regulation in relation to the relevant Legal Basis referred to in Article 6(1). regulation described in paragraph 1 of this Article.
Article 7 Processing Purposes
1. We may process personal data of all categories of Data subjects specified in Article 3 of this Regulation for the following business purposes:
1.1. the performance of our professional activity, i.e. the provision of contracted legal services under representation contracts, power of attorney and/or the Law on Attorney's Office, or a decision of the competent authority for the purpose of providing legal assistance, in particular for the Purpose of initiating and conducting proceedings before competent authorities, including courts, drafting documents, general representation and legal advice, all with a view to protecting the rights and legal interests of our Parties;
1.2. Organization and management of our business, execution of business processes, management of our assets, exercise of rights and obligations under concluded contracts, including for the Purposes of choosing Business Partners and managing relations with The Parties and Business Partners, invoicing and payment by accounts, internal analyses, records and reporting, prevention, management and resolution of disputes, storage and similar business Purposes;
1.3. enforcement of legal duties and obligations in relation to the performance of our professional activity and the conduct of our business, including the performance of obligations related to the Processing and Protection of Personal Data and the exercise of the data subject's rights, for example, keeping prescribed records, communicating with Respondents, including responding to their claims for the exercise of rights, providing prescribed Personal Data to supervisory and other competent authorities such as the Personal Data Protection Agency, the Tax Administration, the State Inspectorate and the like;
1.4. Protection of persons and property, including health protection, safety and integrity, in particular for background checks, control of access to business premises and business information and communication equipment, networks and systems;
1.5. Promotional, marketing and advertising Purposes, including in particular the development and improvement of our services, management of relations with the Parties and Business Partners, notification to the Parties of legal news relevant to their cases or business, marketing activities online, primarily the management of websites and the like.
2. We do not process personal data collected for certain Purposes for any purpose other than in cases, under the conditions and in the manner permitted under the Regulation and other applicable legal regulations, primarily if such further processing complies with the Purposes for which personal data were originally collected. In particular, the continuation of the Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical Purposes shall be considered to be harmonised lawful processing. In the event of continued Processing for these other Purposes, we will inform the Data subjects in a timely manner, as well as their rights, including the right to object.
Article 8 Categories of Personal Data
1.B&P processes different categories of Personal Data depending on the subject matter and nature of your relationship with B&P, i.e. depending on the category of Data subjects and the Purposes of Processing, primarily:
1.1. Identification information such as:
- first and last name, i.e. company/name;
- OIB, MBO, ID number, passports and other official identifiers;
- photo, other information contained in an identity card, passport or other identity documents;
- other identification data contained in public registers or official documents;
- network identifiers, including IP address;
1.2. Contact information such as:
- address of residence, residence, residence, residence, i.e. seat, address of the employer;
- e-mail address, including private and/or business e-mail address;
- telephone numbers, including private and/or business mobile and/or landline numbers;
1.3. Employment data such as:
- employer data;
- workplace, i.e. function, position;
1.4. Accounting data such as:
- the name of the bank;
- type and number of credit card;
- other banking, transactional and financial data;
1.5. Special categories of Personal Data:
- biometric data;
- health-related data.
1.6. Data relating to the punishment of the Data subject, namely data relating to criminal convictions and offences or related security measures, including information on reports or charges of committing criminal acts, on pending or ongoing convictions;
1.7. The content of the communication and documentation, including in particular the case files;
1.8. Other Personal Data, such as Cookies on our Website.
2. An overview of the subject matter of the Processing according to the categories of Data subjects and Personal Data and according to the relevant Legal Bases and Purposes of the Processing is contained in Article 10 of this Regulation.
Article 9 Cookies
1. When you visit our Website, we may collect certain information, such as your device identifier, the type of Internet browser you are using, the IP addresses from which you access our Website, and more, using so-called "cookies" or other similar technologies for tracking and storing data and accessing it such as pixels, web beacons and more (here onwards: Cookies). In principle, Cookies do not contain Personal Data. The following types of Cookies are used on our Website according to the following division criteria:
(a) according to purpose or purpose:
1.1. a technically necessary Cookie that is necessary for the proper functioning of the Website and serves to properly display the content available on the Website. This Cookie is stored on your device on the basis of our legitimate interest within the meaning of Article 3(1) of this Regulation if you do not turn it off in your internet browser settings. In doing so, please note that turning it off could affect your user experience on our Website, as this would prevent certain functionalities;
1.2. Analytical Cookies are used to measure and analyze the use of our Website and help us understand the behavior of our visitors and the use of the Website. To set analytical cookies, we need your prior consent, which you give through a banner when accessing the Site by confirming the "Accept all cookies" setting and which you are free to withdraw at any time and turn off the appropriate option to store Cookies in the settings of your internet browser. If you refuse to set such Cookies, your user experience on our Website will not be affected;
(b) according to the source, i.e. depending on who places cookies on your device and who has access to them, our Website uses only Third Party Cookies that can be placed on your device by third parties, i.e. by third parties. providers of certain services we use under the contracts we have concluded with them. In addition to B&P, access to such Cookies is also given to the third party who set them up and may also be subject to privacy and cookie policies and third parties;
(c) according to the duration, i.e. depending on how long the Cookie remains stored on your device, cookies are divided into:
1.1. Session cookies that are stored on your device and last during your visit to our Website and are deleted after you close the browser; and
1.2. temporary Cookies that remain on your device even after you leave our Website and close the browser, up to the deadline set in the Cookie itself, the expiration of which cookies are automatically deactivated.
2. In addition to the technically necessary Cookies that we use based on our legitimate interests in maintaining and optimizing the Website, we also use the following analytical Cookies for promotional and marketing purposes of developing our business:
3. In relation to our Profile, the social network operator LinkedIn may use its own cookies as controller, for example for targeted advertising and profiling that it may perform in relation to users of its social network who also follow our Profile at the same time. Therefore, before joining our Profile, also carefully study all applicable LinkedIn rules, in particular the policies and agreement set out in Article 2(2) of this Regulation.
4. In relation to our Instagram business account, which allows B&P to present on Instagram and communicate with Instagram users, it is used through the Facebook platform. An Instagram business account operator may use its own cookies to provide products, services and advertisements, analyze the use of pages or services, improve the use of services. Before accessing our Instagram business account, carefully study all applicable Facebook and Instagram policies, in particular the policies and conditions set out in Article 2(2) of this Policy.5. Depending on the internet browser you are using, more information about managing cookies is available at the following links:
- Internet Explorer;
- Mozilla Firefox;
- Google Chrome;
Article 10 Recipient Categories
1. We may disclose your Personal Data to the following categories of recipients, i.e. other controllers or processors:
1.1. public authorities, for example courts and other judicial authorities, administrative bodies, agencies, inspections and the like;1.2. our processors who process Personal Data on behalf of B&P as controller, such as bookkeeping service providers, information and communication services, etc.; our Business Partners who process Personal Data as controllers within the services we provide or that we provide to them, or with whom we do business in some other way, for example, third individuals, banks, auditors, tax advisors, etc.
2. Some of the recipients referred to in paragraph 1 of this Article may be located in so-called third countries, i.e. in countries outside the European Economic Area, except Switzerland, which are not considered to provide an adequate level of protection of personal data. In the case of the transfer of Personal Data to such recipients, we will require them to ensure an adequate level of protection under contractual and other mechanisms provided for in the Regulation such as standard contractual clauses adopted by the European Commission and others.
Article 11 Retention period for Personal Data
1. Personal data of the Data subject We process:
1.1. within the time limits prescribed by law, in particular the Law on Attorney's Office, applicable accounting, tax and other legal regulations; or 1.2. if the retention periods of personal data are not set by law, as long as it is necessary to achieve the Purposes for which they were collected, unless you require their destruction before the expiry of a certain period of time in accordance with some of your rights described in Article 14 of this Regulation; in doing so,1.3. certain Personal Data, i.e. the related documentation in which they are contained, may be kept for a maximum of 6 years from the realization of the Purposes for which they were collected, for evidentiary Purposes in case of any subsequent complaints, disputes or proceedings.
2. Within the meaning of the provision of paragraph 1(i) of this Article, pursuant to the provision of Article 11(2). We are obliged to keep files of the Law on Attorney's Office for at least 10 (letters: ten) years after the final conclusion of the proceedings in which we represented a particular Party. Consequently, we process all Personal Data contained in our case files during the representation of the respective Party and, after the final completion of the relevant procedure, store it for the next 10 (letters: ten) years.
If enforcement proceedings are pending in the finally terminated case, proceedings under extraordinary remedies, proceedings for the protection of the rights of the Party before the Constitutional Court of the Republic of Croatia and/or the European Court of Human Rights and the like, then we process our files and personal data contained in them for the duration of such proceedings and subsequently store the following 10 (letters: ten) years, counting from the day when all legal means were exhausted in order to protect the rights and legal interests of the corresponding Party, that is, from the date of cessation of our representation, depending on the case.
3. Within the meaning of the provision of paragraph 1(ii) of this Article, if the Party has entrusted us with the preservation of a particular document, for example, contracts, wills and the like, we store such documents and personal data contained therein on the basis of an order from the Party until it takes them over.
4. After the expiry of the appropriate retention period, we will destroy or anonymise personal data if there are needs and the relevant assumptions are met. anonymised data is no longer Personal Data, as it is not possible to identify individuals.
Article 12 Security and confidentiality
1. We shall take appropriate technical and organisational measures to protect Personal Data from misuse or accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, acquisition or access (here onwards: Data breach), in accordance with applicable legal regulations and accepted technical standards in the field of privacy and data security, including:
1.1. restriction of access to Personal Data to our workers and other authorised persons, to the extent necessary for the performance of their work tasks in order to achieve the relevant Purposes set out in Article 7 of this Regulation;
1.2. physical protection and control of access to our business premises and premises where Personal Data is processed;1.3. protection of our information and communication equipment, systems and network.
2. In accordance with the provisions of Article 13. Law on Attorney's Office and Articles 26-34. With the Code of Legal Ethics, B&P is obliged to keep as a legal secret everything entrusted to it by the Party or otherwise learned in the representation of the Party, and the duty to keep attorney's secrecy applies to both our current and former employees. In all other cases, we keep personal data as a trade secret.
Article 13 Rights of the Data subject
1. Your rights in connection with our Processing of your Personal Data are:
1.1. Access to your Personal Data, i.e. the right to obtain confirmation from us whether the Personal Data relating to you are being processed, and if such Personal Data are processed, the right to access its Personal Data, including the right to obtain a copy of the Personal Data being processed;
1.2. Correction or supplementation of inaccurate Personal Data relating to you without undue delay, including by making an additional statement;
1.3. deletion of personal data relating to you, especially if:
- are no longer necessary in relation to the Purposes for which they were collected or otherwise processed;
- have been illegally processed;
- withdraw, in whole or in part, the consent you have given us for the Processing of your Personal Data for the stated Purposes and if there is no other legal basis for the Processing; or
- must be deleted in compliance with the legal obligation under the applicable legal regulations;
1.4. Restrict processing in the following cases:
- if you dispute the accuracy of your Personal Data, for a period allowing us to verify the accuracy of personal data;
- if the Processing is illegal, but you oppose the deletion of your Personal Data and instead ask for a restriction on their use;
- if we no longer need Personal Data for processing purposes, but you are seeking it to make, exercise or defend legal claims; or
- if you have objected to the Processing of your Personal Data, which we process on the basis of legitimate interests – pending the fact that the legitimate interests of the Employer are more important than your personal interests;
1.5. If we process your certain Personal Data on the basis of consent, you have the right to withdraw your consent at any time, but this does not affect the legality of the Consent-based Processing before it was withdrawn;
1.6. At any time, you have the right to object to the Processing of Your Personal Data for direct marketing purposes, including the prohibition of profiling to the extent related to such direct marketing;
2. If you wish to exercise any of these rights or have any other questions, comments or requests regarding our Processing of your Personal Data, you may contact us at the e-mail address: email@example.com
3. We will reply to you no later than one month after receiving your request or inquiry, i.e. we will inform you of the actions taken or the reasons why we are unable to act on your request. In case of a large number of requests or complexity of your request, we may extend this deadline by another two months, informing you of the reasons for the extension.
4. If your request is manifestly unfounded or excessive, including in the event of frequent recurrence of the claim, we may charge reasonable compensation based on administrative costs or refuse to comply with the request.
5. Imate pravo podnijeti pritužbu u vezi s našom Obradom Vaših Osobnih podataka Agenciji za zaštitu osobnih podataka, Zagreb, Selska cesta 136 (www.azop.hr).