RULEBOOK ON THE PROCESSING AND PROTECTION OF PERSONAL DATA of the company Opereta d.o.o.
On the basis of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the European Union, L 119/1, 04.05.2016, hereinafter: “General Data Protection Regulation” or “GDPR”) and the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018, hereinafter: “Act”), the management of the company Opereta d.o.o., with registered seat in Zagreb, Božidara Magovca 63, OIB: 24059421894 (hereinafter: “Company”), represented by director Borislav Vujović, who represents the Company independently and individually, hereby adopts on 12 May 2018 the following
I. FUNDAMENTAL PROVISIONS
Article 1
(1) This Rulebook on the Processing and Protection of Personal Data (hereinafter: “Rulebook”) regulates and establishes the rights of individuals with regard to the processing of personal data and the rules related to the free movement of personal data, concerning the personal data collected, processed, stored, and transferred by the Company.
(2) This Rulebook defines the procedures for the processing of personal data within the meaning of the term “processing” as determined herein, and in relation to specific processing activities carried out by the Company in connection with personal data.
(3) The provisions of this Rulebook apply fully and directly to all personal data of individuals processed by the Company.
II. DEFINITIONS
Article 2
(1) The following terms, for the purposes of this Rulebook, shall have the following meanings:
- “personal data” means any information relating to an identified or identifiable natural person;
- “data subject” means an identified or identifiable natural person, who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
- “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person;
- “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
- “controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law, and for the purposes of this Rulebook refers to the Company;
- “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, and which the Company, as controller, engages for specifically prescribed purposes such as payroll calculation, occupational safety records, etc.;
- “recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- “third party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- “consent of the data subject” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- “genetic data”, “biometric data”, “data concerning health”, “representative”, “enterprise”, “group of undertakings”, “binding corporate rules”, “supervisory authority”, “relevant supervisory authority”, “cross-border processing”, “relevant and reasoned objection”, and “employee” have the meanings given to them in the GDPR.
(2) Other terms used in this Rulebook shall have the meaning in accordance with the GDPR and the Act.
III. TYPES OF DATA
Article 3
(1) The Company collects and processes the following types of personal data:
a) data on job applicants – name and surname, date of birth, residential address, telephone number, mobile phone number, e-mail address, level of education, data on previous employment, and other data that the candidate has provided in his/her job application (curriculum vitae, cover letter, copies of certificates, diplomas, and other documents);
b) employee data – name and surname, residential address, OIB (personal identification number), date of birth, contact information (telephone, e-mail), level of education, data on employment contract, position and job title, working hours, salary, bank account number, sick leave records, annual leave records, records of education, training, and professional development, and other data necessary for the exercise of rights and obligations arising from employment;
c) data on business partners – name and surname of contact persons, business address, OIB, telephone, e-mail, data on contractual obligations, and other data necessary for the business relationship;
d) data on clients/customers – name and surname, address, OIB, telephone, e-mail, data on real estate being sold or purchased, financial data if necessary for the transaction, and other data needed for the provision of services;
e) data on potential clients/customers – name and surname, e-mail address, telephone number, and other contact details collected for the purpose of informing about services and offers;
f) video surveillance data – images of persons recorded by surveillance cameras at the Company’s premises, for the purpose of protecting persons and property.
IV. PRINCIPLES RELATING TO PROCESSING
Article 4
(1) The Company ensures that personal data are:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
- collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (“purpose limitation”);
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
(2) The Company is responsible for, and must be able to demonstrate compliance with, the principles referred to in paragraph 1 (“accountability”).
V. LEGAL BASIS FOR PROCESSING
Article 5
(1) The processing of personal data by the Company is lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the Company is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
f) processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
VI. RIGHTS OF DATA SUBJECTS
Article 6
(1) The data subject has the right to obtain from the Company confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing,
- the categories of personal data concerned,
- the recipients or categories of recipients to whom the personal data have been or will be disclosed,
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing, or to object to such processing,
- the right to lodge a complaint with the supervisory authority,
- where the personal data are not collected from the data subject, any available information as to their source,
- the existence of automated decision-making, including profiling.
(2) The data subject has the right to obtain a copy of the personal data undergoing processing. For any further copies requested, the Company may charge a reasonable fee based on administrative costs.
Article 7 – Right to Rectification
The data subject has the right to obtain from the Company, without undue delay, the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Article 8 – Right to Erasure (“Right to be Forgotten”)
(1) The data subject has the right to obtain from the Company the erasure of personal data concerning him/her without undue delay, and the Company has the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
(2) This right does not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise, or defense of legal claims.
Article 9 – Right to Restriction of Processing
The data subject has the right to obtain from the Company restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the Company override those of the data subject.
Article 10 – Right to Data Portability
The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the Company, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the Company, where:
- the processing is based on consent or on a contract, and
- the processing is carried out by automated means.
Article 11 – Right to Object
The data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her which is based on the legitimate interests pursued by the Company. In such cases, the Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Article 12 – Automated Decision-Making and Profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her, unless such decision is:
- necessary for entering into, or performance of, a contract,
- authorized by law, or
- based on the data subject’s explicit consent.
VII. DATA RETENTION AND STORAGE
Article 13
(1) Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
(2) The Company shall define the retention periods depending on the type of data:
- Contractual data – stored for the duration of the contractual relationship and for a maximum of 5 years after its termination, unless a longer period is required by law.
- Accounting and financial data – stored in accordance with legal requirements (usually 11 years under Croatian law).
- Marketing data – stored until the withdrawal of consent or until the data subject unsubscribes, but not longer than 2 years from the last active interaction.
- Job applications (CVs) – stored up to 1 year unless consent for longer storage is given.
(3) Upon expiry of the retention period, the Company shall securely delete or anonymize the data.
VIII. DATA SECURITY
Article 14
(1) The Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia:
- pseudonymisation and encryption of personal data where possible,
- measures ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services,
- procedures for regular testing and evaluation of security measures.
(2) Access to personal data is limited to authorized persons only, under strict confidentiality obligations.
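The following Python example is added here to illustrate the pseudonymisation measure of Article 14(1) as defined in Article 2: identifiers are replaced by a keyed pseudonym, and the information needed to re-attribute a record is kept in a separate table. It is not part of the Rulebook and not Company code. The record layout, the field names, the sample record and the function names are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Fields treated here as direct identifiers (Article 3 lists name, OIB,
# e-mail and telephone for employees and clients). Names are assumed.
DIRECT_IDENTIFIERS = ("name", "oib", "email", "phone")

# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "name": "Ana Anić",
    "oib": "00000000001",
    "email": "ana@example.com",
    "phone": "+385 00 000 0000",
    "position": "Sales agent",
    "annual_leave_days": 20,
}


def new_key() -> bytes:
    """Generate the pseudonymisation key. It must be stored separately
    from the pseudonymised dataset (e.g. in a secrets manager)."""
    return secrets.token_bytes(32)


def pseudonymise(record: dict, key: bytes) -> tuple[dict, dict]:
    """Replace the direct identifiers with one keyed pseudonym.

    Returns (pseudonymised_record, link_entry). The link entry maps the
    pseudonym back to the identifiers; it is the 'additional information'
    of Article 2 and belongs in a separate store with its own access control.
    HMAC rather than a plain hash: an 11-digit OIB or a phone number has so
    little entropy that an unkeyed hash can be reversed by enumeration.
    """
    canonical = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
    pseudonym = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
    pseudonymised = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudonymised["subject_ref"] = pseudonym
    link_entry = {pseudonym: {f: record[f] for f in DIRECT_IDENTIFIERS}}
    return pseudonymised, link_entry


def reidentify(pseudonymised: dict, link_table: dict) -> dict:
    """Re-attach the identifiers. Only a holder of the link table can do
    this; raises KeyError if the subject's entry has been erased."""
    identifiers = link_table[pseudonymised["subject_ref"]]
    full = dict(pseudonymised)
    del full["subject_ref"]
    full.update(identifiers)
    return full


def erase_subject(link_table: dict, pseudonym: str) -> bool:
    """Honour an erasure request (Article 8) for data kept only in
    pseudonymised form: dropping the link entry leaves the remaining record
    no longer attributable to the person. Returns True if an entry was removed."""
    return link_table.pop(pseudonym, None) is not None


def demo() -> dict:
    """Run the three steps on the constructed sample and report the outcomes."""
    key = new_key()
    pseudonymised, link_entry = pseudonymise(SAMPLE_RECORD, key)
    link_table = dict(link_entry)
    pseudonym = pseudonymised["subject_ref"]
    # Same key and same identifiers give the same pseudonym, so records about
    # one person can still be joined without identifying them.
    again, _ = pseudonymise(SAMPLE_RECORD, key)
    # A different key gives an unrelated pseudonym.
    other, _ = pseudonymise(SAMPLE_RECORD, new_key())
    restored = reidentify(pseudonymised, link_table)
    erased = erase_subject(link_table, pseudonym)
    try:
        reidentify(pseudonymised, link_table)
        reidentifiable_after_erasure = True
    except KeyError:
        reidentifiable_after_erasure = False
    return {
        "identifiers_removed": not any(f in pseudonymised for f in DIRECT_IDENTIFIERS),
        "deterministic": again["subject_ref"] == pseudonym,
        "key_dependent": other["subject_ref"] != pseudonym,
        "restored_equals_original": restored == SAMPLE_RECORD,
        "erased": erased,
        "reidentifiable_after_erasure": reidentifiable_after_erasure,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The separation the definition in Article 2 requires is what makes the measure meaningful: the key and the link table must be stored and access-controlled apart from the pseudonymised dataset, otherwise whoever reads the dataset can re-identify every record.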
IX. TRANSFER OF DATA TO THIRD COUNTRIES
Article 15
(1) Personal data may be transferred to third countries (outside the EU/EEA) only on a basis permitted by the GDPR, namely:
- a decision by the European Commission that the third country ensures an adequate level of protection (adequacy decision),
- appropriate safeguards such as standard contractual clauses adopted by the European Commission,
- in the absence of an adequacy decision or appropriate safeguards, the explicit consent of the data subject to the proposed transfer, given after he/she has been informed of the possible risks of such transfer.
(2) The Company will inform the data subject in advance if their data is to be transferred outside the EU/EEA.
X. SUPERVISORY AUTHORITY AND COMPLAINTS
Article 16
(1) The supervisory authority for the Republic of Croatia is:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10 000 Zagreb
www.azop.hr
(2) The data subject has the right to lodge a complaint with AZOP if they consider that the processing of personal data relating to them infringes the GDPR.
XI. FINAL PROVISIONS
Article 17
(1) This Rulebook shall enter into force on the day of its adoption.
(2) The Company reserves the right to amend or update this Rulebook at any time. In case of significant changes, the Company will notify the data subjects in an appropriate manner (e.g. via website or e-mail).
(3) This Rulebook is available on the Company’s website and at the Company’s premises.