Who we are
Controller (head of personal data processing): MLAD Consulting d.o.o., OIB: 49742779134,
Address: Sajmišna 19, 42000 Varaždin, Croatia
Data Protection Officer: Phone: +385 (0) 95 605040 1;
MLAD Consulting d.o.o. (hereinafter: the “Company” or the “controller”) processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the Regulation), and the Act on the Implementation of the General Data Protection Regulation (OG 42/2018).
The rules of this data protection policy apply to all employees of the Company and to all third parties who work for or on behalf of the Company in connection with the processing of personal data of natural persons held by the Company.
Certain terms as defined in Regulation (EU) 2016/679 have the following meaning:
- “Personal data” means any information relating to an identified or identifiable natural person (“respondent”, i.e. data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Storage system” (filing system) means any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
- “Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its nomination may be provided for by Union law or the law of a Member State;
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “Recipient” means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing;
- “Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, or the persons authorized to process personal data under the direct authority of the controller or processor;
- “Consent” of the respondent means any freely given, specific, informed and unambiguous indication of the respondent’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
III. CONTROLLER, PROCESSOR, AND DATA PROTECTION OFFICER
Under the definition of the term “controller” in Article 4 of the Regulation, the Company is considered the controller of the personal data of the individuals whose data it processes.
If necessary, the Company, as the controller, may entrust the processing of personal data to a processor. In that case, under this data protection policy, the Company will conclude a special contract with the processor on the processing of personal data, in accordance with the provisions of the Regulation and national legislation.
In cases where the Company carries out processing on behalf of another controller, it is considered a processor of personal data and is obliged to conclude a contract with that controller in accordance with the provisions of the Regulation and national legislation.
If the conditions of Article 37 of the General Regulation are met, the Company will appoint a data protection officer, who is independent and as such acts in the interest of protecting the rights of respondents and their data; the appointed person is obliged to sign a confidentiality statement.
If a data protection officer is appointed, the Company informs the competent national Personal Data Protection Agency of the appointed person and publishes the contact details of the data protection officer on its official website and/or notice board.
IV. COLLECTION AND PROCESSING OF PERSONAL DATA
Personal data is processed primarily to fulfil the Company’s legal obligations, to carry out the Company’s activities, to fulfil contractual obligations and to protect the legitimate interests of the Company, and where necessary for other purposes (statistical research, development and research plans, optimal use of human resources, monitoring the quality of work, the work of professional services, the exercise of employees’ rights and obligations arising from employment, and other purposes).
As a rule, personal data is collected directly from the respondents, and by inspecting the written documents they submit.
IV. 1. PRINCIPLES OF PERSONAL DATA PROCESSING
Personal data are:
- Processed lawfully, fairly, and transparently with regard to the respondent and their rights. The Company will process personal data in accordance with applicable laws and respect all the rights of respondents. Transparency of processing provides respondents with all the necessary information on the processing, its basis and its lawfulness. The respondent will be informed of all his rights and of the relevant information promptly, i.e. before collection;
- Collected for a limited purpose: personal data must be collected for specific, explicit, and lawful purposes, and may not be further processed in a manner inconsistent with those purposes, unless further processing is required by law or necessary for providing a quality service;
- Processed with data minimisation: the data collected are adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
- Accurate and, where appropriate, kept up to date: reasonable measures are taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Respondents have the right at any time to request correction of their data that we process;
- Processed with a storage limitation: kept in a form that permits identification of the respondent for no longer than is necessary for the purposes for which the personal data are processed. Exceptionally, the data may be stored for a longer period, but there must be a clear purpose for this, in terms of a legal obligation or a legitimate interest (e.g. in the case of court proceedings);
- Processed in a manner that ensures appropriate security of personal data (integrity and confidentiality), including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
IV. 2. LEGALITY OF PROCESSING
The Company regards the personal data of respondents as their property and treats them accordingly. However, to comply with legal obligations, to provide services to respondents or act upon their request, and to conclude and perform contracts within our business, it is necessary to process a minimum set of necessary personal data. Accordingly, processing of personal data is considered lawful only if and to the extent that at least one of the following applies:
- The respondent has consented to the processing of his or her data for one or more specific purposes;
- Processing is necessary for the performance of the contract to which the respondent is a party or to take action at the request of the respondent before the conclusion of the contract;
- Processing is necessary to comply with the legal obligations of the controller;
- Processing is necessary to protect the key interests of the respondent or other natural person;
- Processing is necessary for the performance of a task in the public interest or the exercise of the official authority of the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the respondent which require the protection of personal data, in particular where the respondent is a child.
The key and legally prescribed activity of the controller involves the processing of health data and health-related data of respondents (clients), which under Article 9 of the General Regulation constitute a special category of personal data. We do not process other types of special category data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like. We process special categories of personal data in the following cases:
- The respondent has given explicit consent to the processing of such personal data for one or more specified purposes, unless Union law or the law of a Member State provides that the prohibition referred to in Article 9(1) of the General Regulation may not be lifted by the respondent;
- Processing is necessary for carrying out the obligations and exercising the specific rights of the controller or of the respondent in the field of employment and social security and social protection law, in so far as it is authorized by Union law, the law of a Member State or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of respondents;
- Processing relates to personal data which are manifestly made public by the respondent;
- Processing is necessary for the establishment, exercise, or defence of legal claims or whenever the courts are acting in a judicial capacity;
- Processing is necessary for reasons of significant public interest based on Union law or the law of a Member State which is proportionate to the desired objective and which respects the essence of the right to data protection and ensures appropriate and specific measures to protect the fundamental rights and interests of respondents;
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional, and subject to the conditions and safeguards referred to in Article 9(3) of the General Regulation.
IV. 3. CONSENT
Where the processing of personal data is based on consent, it must be given voluntarily, in writing, in an understandable and easily accessible form using clear and simple language.
Personal data relating to minors are collected and further processed with the consent of legal representatives or proxies.
The respondent has the right to withdraw his consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The respondent shall be informed of this before giving consent. The respondent may withdraw consent orally at the Company, in which case a record is made, or by written statement.
IV. 4. INFORMING RESPONDENTS
Before personal data are collected directly from the respondent, the controller provides, electronically or in writing in the form of an information statement, all relevant information regarding the processing, in particular:
- Identity and contact details of the controller;
- Contact details of the data protection officer if appointed;
- Purposes of processing for which personal data are used as well as the legal basis for processing;
- If the processing is based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or a third party;
- Recipients or categories of recipients of personal data, if any;
- The period in which the personal data will be stored or, if this is not possible, the criteria by which that period was determined;
- Existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the respondent, the right to object to processing, and the right to data portability;
- If the processing is based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- Right to lodge a complaint with the supervisory authority;
- Information on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the respondent is obliged to provide the personal data, and the possible consequences of failing to provide such data;
- Existence of automated decision-making.
Where the data are not collected directly from the respondents, the source of the personal data is stated alongside the data.
If the controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller shall provide the respondent with information on that other purpose and any other relevant information before that additional processing.
If the Company decides to introduce and collect data through the video surveillance system, a special Ordinance on the use of the video surveillance system will be adopted.
V. JOB CANDIDATES
MLAD Consulting d.o.o., as a potential employer, collects, processes, and stores the data of candidates for employment at MLAD Consulting d.o.o. on the basis of their voluntary applications submitted through web applications, by e-mail, by request sent to the company address, by applying to a published vacancy notice, or otherwise.
Data on candidates can also be obtained indirectly, from domestic and foreign employment agencies, in which case the agencies must inform the candidate about the processing of their data by MLAD Consulting d.o.o. Candidates send their job applications as:
- Open applications, submitted through the Company’s website, by e-mail, or by request sent to the company address. In this case, we process the data in order to contact the candidate regarding employment for 5 years;
- Applications for specific vacancies that have a set deadline. In that case, we process the data during the selection process and for 5 months after its end in order to contact the candidate regarding employment, and these applications are archived for 5 years.
If candidates who apply to specific vacancies with a set deadline give separate consent, we process their data in order to contact them regarding employment for 5 years, the same as for open applications.
MLAD Consulting d.o.o. has a legitimate interest in using the e-mail addresses and other contact details obtained to contact the candidate about possible employment. For example, after applying, candidates may receive an automatic reply that their application has been received and that candidates whose qualifications and experience match those required for the individual job will be contacted; they may receive a message on their phone number with the proposed date of an interview, a message stating the documentation required for employment, and the like. MLAD Consulting d.o.o. also has a legitimate interest in contacting, for employment purposes, persons who have already worked at the Company for a certain period, for example through a student service.
The data kept are provided by the candidates themselves, but MLAD Consulting d.o.o., on the basis of its legitimate interest in securing the best candidates, also creates personal data related to employment activities, such as the results of job interviews, tests, and assessments, and collects personal data from third parties, primarily by verifying data obtained during the recruitment process by contacting relevant third parties (employment, education and training providers) or by using publicly available sources.
VI. COOKIES
The official website mlad.com.hr uses cookies: small text files that the web server serving the page places on the user’s device. A cookie is created when the browser on the user’s device visits a web address; the server sends the data to the browser, which stores it as a text file (the cookie). When the user returns to the website, the browser retrieves the cookie and sends it back to the server.
Cookies used on our site:
- Technical cookies (mandatory cookies, cannot be excluded) that are necessary for the functioning of the website
- Functional, performance, statistical, marketing, and other cookies may be excluded
More information can be found at the following link: mlad.com.hr/en/cookies
VII. RIGHTS AND PROTECTION OF RESPONDENTS
The Company, as the controller, processes personal data in accordance with the Regulation and respects the rights guaranteed to respondents, namely:
- Right of access to data:
This right entitles the respondent to obtain from the controller confirmation as to whether his data are being processed, and to access the data processed about him, the purposes of processing, the categories of data, the potential recipients, and the other information prescribed by Article 15 of the Regulation.
- Right to correction:
The respondent has the right to obtain correction of inaccurate personal data relating to him without undue delay. Taking into account the purpose of processing, the respondent has the right to supplement incomplete data, including by giving a statement.
- Right to erasure (deletion):
The respondent has the right to obtain the erasure of personal data relating to him, and the controller must erase the personal data without undue delay if one of the following conditions is met:
– if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– if the respondent withdraws the consent given and there is no other legal basis for the processing;
– if the respondent objects to the processing and the legitimate grounds for erasure outweigh the legitimate grounds of the controller for processing and/or storing the personal data;
– if the personal data have been processed unlawfully; or
– if the personal data must be erased to comply with a legal obligation, and in the other cases referred to in Article 17 of the Regulation.
- Right to restriction of processing:
The respondent has the right to request a restriction of the processing of his data in the following cases:
– if the accuracy of the data is contested by the respondent, for a period enabling the controller to verify the accuracy of the data;
– if the processing is unlawful and the respondent opposes erasure of the data and instead requests a restriction of their use;
– if the controller no longer needs the data for the purposes of processing, but the respondent requires them for the establishment, exercise, or defence of legal claims; or
– if the respondent has objected to the processing pursuant to Article 21(1) of the Regulation, pending verification of whether the legitimate grounds of the controller override those of the respondent,
and in the other cases prescribed by Article 18 of the Regulation and the applicable legislation of the Republic of Croatia.
- Obligation to notify:
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out under Article 16 (right to rectification), Article 17(1) (right to erasure) and Article 18 (right to restriction of processing) of the Regulation to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller informs the respondent about those recipients if the respondent so requests.
- The right to transfer data:
The respondent has the right to receive personal data relating to him, which he provided to the controller in a structured, commonly used, and machine-readable format, and to transfer this data to another controller. The right of transfer refers to the personal data of the respondents. The request is submitted in writing to the controller.
- Right to object
On grounds relating to his/her particular situation, the respondent has the right to object at any time to the processing of personal data relating to him/her. In such a case, the controller may no longer process the data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the respondent, or for the establishment, exercise, or defence of legal claims.
The respondent has the right to lodge a complaint with the supervisory authority (Personal Data Protection Agency) in the event of an incident involving his data, or if he considers that the controller is infringing his rights under the Regulation. In addition, the respondent has the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or similarly significantly affects him, unless that decision is necessary for entering into or performing a contract with the respondent, is authorized by law, or is based on the respondent’s explicit consent.
The controller is obliged to assess whether the request is well founded and, if it is, to act on it. If the controller does not act on the request within one month of receiving it, it is obliged to inform the respondent of the reasons and of the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.
The respondent has the right to request information on the actions taken in connection with requests submitted under Articles 15 to 22 of the Regulation, and the controller is obliged to notify the applicant of the actions taken within one month of receiving the request. Taking into account the complexity and number of requests, this deadline may be extended by two months, provided the controller informs the applicant in advance of the reasons for the extension.
This notification must be given before the expiry of the one-month period from receipt of the request.
VIII. RECORD OF PROCESSING ACTIVITIES
Where the conditions of Article 30 of the General Regulation are met, the Company keeps a record of the personal data processing activities for which it is responsible, i.e. in cases where it acts as controller.
The record of processing activities must be kept in writing, including in electronic form, and contain at least the following information:
- Name and contact details of the controller and data protection officer;
- Processing purposes;
- Description of the category of respondents and the categories of personal data;
- Categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- Where applicable, transfers of personal data to a third country or an international organization;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organizational security measures referred to in Article 32(1) of the Regulation.
IX. DATA CONFIDENTIALITY
All personal data in the records kept by the Company, all documentation containing personal data, and all written or verbal communications or information containing personal data are considered confidential. Such information may not be disclosed to third parties without authorization or made available to unauthorized persons.
Persons authorized to access personal data within the Company are exclusively employees (including professional associates, volunteers on internships, and persons in vocational training), together with the controller, who need the data to perform their jobs or work tasks, as well as contracted associates, who have access only to the data, and only to the extent, necessary for performing the contracted work or function.
Access to personal data may be granted to state or other bodies and natural and legal persons authorized to do so by law, or if it is necessary to perform activities within the statutory activities of the recipient, based on a written request which must contain the purpose, type of data required and legal basis for use, following the regulations on personal data protection.
Access to personal data may be granted to natural and legal persons engaged by the Company as a processor, external bookkeeping service, and providers of information and communication services with which the Company has contracts in detail prescribing the handling of data, and in cases of legitimate interests.
Personal data and documents at the disposal of the controller may be given to the persons to whom they relate based on an appropriate request, or to other persons if they have a power of attorney of the data subject, with prior identification of the applicant.
An employee who acts contrary to the law and the provisions of this policy, or fails to comply with the established measures for the protection of confidential information, commits a particularly serious breach of employment duties and is liable under the Labour Act for any damage caused to the employer.
X. SECURITY MEASURES FOR THE PROTECTION OF PERSONAL DATA
In accordance with this personal data protection policy, the Company applies technical, personnel, and organizational measures to protect the collected personal data against unauthorized access. Organizational measures include all work procedures laid down in the controller’s instructions and standards, as well as supervision and control measures and measures to keep the information system operational, which are taken to prevent the risk of downtime of all or part of the IT equipment, i.e. all activities and procedures that provide technical and other working conditions, including preventive measures and regular maintenance of the information system.
To protect against unauthorized access to the collected personal data, the collected personal data in paper form must be kept in the registers in a locked closet in the premises where access to unauthorized persons is prevented.
The room where the computer and the binder with personal data are located must be locked when leaving the room during working hours and when leaving work. It is forbidden to take out documentation, IT equipment, and data carriers from the room without the permission of the responsible person (with mandatory record-keeping).
Data in digital form are stored on information media using methods that guarantee the security and confidentiality of the personal data stored. Sending or sharing passwords by e-mail, or disclosing them publicly, is forbidden. All computers must have antivirus protection. Accessing risky websites from Company computers is forbidden.
XI. PERIOD OF STORAGE OF PERSONAL DATA
The Company processes personal data until the purpose of the processing is fulfilled. After the purpose for which they were collected ceases, the personal data of respondents are no longer used but remain in the Company’s storage system and are kept for as long as required by the legislation on the preservation of archival material. All paper documents containing personal data which are no longer needed for any reason, which are not returned to the respondent, and which are not subject to a legal retention obligation, are shredded before disposal to ensure their protection.
XII. OTHER PROVISIONS
All employees have a duty in the event of an incident related to personal data protection (loss, theft, damage, unauthorized access, etc.) to immediately report the incident to the responsible persons.
In the part on protection, supervision over the collection, processing, and use of personal data, the rights of respondents, and all issues that are not regulated here, the Regulation and national legislation apply.
Last update: 25th August 2023