Dilogic d.o.o. strives to comply with all relevant legal provisions and regulations relating to personal dana. This document sets out the basic principles according to which Dilogic d.o.o. processes personal data of users, business associates, employees, suppliers and others and determines the roles and responsibilities in all parts and organizations when processing personal data.

This policy applies to Dilogic d.o.o. which processes the personal data of the above categories of respondents within the Republic of Croatia and the European Union.

The beneficiaries of this document are all employees of Dilogic d.o.o. for an indefinite or definite period of time, as well as all third parties that Dilogic d.o.o. engages.



Basic terms

The definitions given in this document are defined in Art. 4. f General Data Protection Regulation:

Personal data: all data relating to an individual whose identity has been established or can bestablished;

Respondent: a person who can be identified directly or indirectly, in particular by means of identifiers such as name, identification number, location data, network identifier or by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or the social identity of that individual;

Sensitive personal data: personal data, which by their nature is particularly sensitive in terms of fundamental rights and freedoms, deserve special protection because its processing could lead to significant risks to fundamental rights and freedoms. These personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed by special technical means enabling the unique identification of an individual, health data or sexual orientation of the individual;

Processing controller: a natural or legal person, public authority or other body, which alone or together with others, determines the purposes and means of processing personal data;

Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;

Processing: any operation or set of operations performed on personal data or on sets of personal data, by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, insight, use, transmission detection, by disseminating or otherwise making available, harmonizing or combining, restricting, deleting or destroying;

Anonymization: irreversibly processed personal data in such a way that a person cannot be identified within a reasonable time, cost, or technology, either by the controller or some other person who could identify that individual. The principles of personal data processing do not apply to anonymized data;

Pseudonymization: the processing of personal data in such a way that personal data can no longer be attributed to a particular respondent without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that personal data cannot be attributed to the individual whose identity has been established or can be established. Pseudonymization reduces, but does not completely eliminate, the association of personal data with the respondent. As pseudonymization still constitutes personal data, the processing of pseudonymized data should be in accordance with the principles of personal data processing;

Supervisory body: an independent public authority established by a Member State in accordance with Art. 51. General Data Protection Regulation;

Leading supervisory authority: the supervisory authority primarily responsible for cross-border data processing, for example when the respondent objects to the processing of personal data; is also responsible for receiving notifications on personal data breaches, on risky actions in processing, and has full authority in the process of harmonization with the provisions of the General Data  Protection Regulation;

Local supervisory authority: will be competent in its territory and will monitor any local processing of data concerning respondents or processing carried out by an EU or non-EU manager or enforcement agent when their target respondents reside in its territory. Their tasks and powers include conducting investigations and enforcing administrative measures and penalties, promoting public awareness of risks, rules, safeguards and rights regarding the processing of personal data, and ensuring access to all facilities of managers or executors, including all equipment and facilities;

Main controller’s place of business: regarding the controller with establishments in more than one Member State, the place of his central administration in the EU, unless decisions on the purposes and means of personal data processing are taken at another controller’s place of business in the EU, and establishment listed below is authorized to enforce such decisions, in which case the  establishment within which such decisions are taken should be regarded as the Main controller’s place of business;

Main processor’s place of business: in the case of a processor established in more than one Member State, the place of its central administration in the EU, or, if the processor does not have an EU central administration, the establishment of the processor where the main processing activities take place;

The group of entrepreneurs includes the entrepreneur in a dominant position and his subordinate entrepreneurs.



Basic principles of personal data processing

Data protection principles define the main responsibilities within the organization that handles personal data. Art. Paragraph 5 of the General Data Protection Regulation stipulates that “the controller is responsible for compliance with paragraph 1 and must be able to prove the same (reliability).”

Legal, fair and transparent processing

Personal data in Dilogic d.o.o. is processed in a lawful, fair and transparent manner in relation to the respondent.

Limitation of purpose

Personal data is collected in accordance with the legal obligations and legitimate interests of Dilogic d.o.o., and may not be processed in any way that is not in accordance with these purposes.

Minimum amount of data

Personal data is appropriate and limited to the topic necessary to fulfill the purpose of processing. When defining the purpose of processing Dilogic d.o.o.  applies anonymization and pseudonymization of personal data, if possible, in order to reduce the risk for the respondent.

Accuracy

Personal information is accurate and updated as necessary. If some inaccurate data appears during processing, Dilogic d.o.o. as the processing controller takes measures to delete or correct this data without delay.

Storage time limit

Personal data is stored only to the extent necessary to fulfill the purpose for which it is processed. Data retention periods and procedures are defined in the Data Retention Policy of Dilogic d.o.o.

Inviolability and confidentiality

Taking into account technological advances and other available security measures, implementation costs and various probabilities of serious data protection risk, Dilogic d.o.o. has implemented appropriate technical and organizational measures to ensure that the processing of personal data takes place in a manner that ensures the security of personal data and protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

Reliability

Dilogic d.o.o. is a serious organization and is at all times able to demonstrate compliance with the principles set out above.

Informing respondents

The General Data Protection Regulation prescribes the methods of informing and communicating with the respondent about his personal data (Articles 12 and 13 and Articles 15-22) and notification of data breaches (Article 34).

Art. 12. Requests in particular that information and communication with the respondent must be carried out in such a way as to follow the following rules:

  • it must be precise, transparent, unambiguous, and easy to understand
  • communicated in clear and simple language
  • must be in writing (electronic or paper)
  • where requested by the respondent must be informed both orally and
  • must be free

Respondent’s choice and consent

Paragraph 4 of Article 11 stipulates that the consent of the respondent must be freely given, specific, informed and unambiguous, and by which he gives consent for the processing of personal data relating to him.

Gathering

Dilogic d.o.o. collects the least possible amounts of personal data. If personal data is collected from a third party, Dilogic d.o.o. must, in preparing and defining the purpose of the processing, ensure that the collection is carried out in a lawful manner.

Use, storage and disposal

The purpose, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Statement. Dilogic d.o.o. can preserve the accuracy, integrity, confidentiality and relevance of personal data based on the purposes of the processing it has in its operations. Appropriate security mechanisms aimed at protecting personal data are used to prevent theft, infringement or misuse of personal data. Dilogic d.o.o. fully ensures compliance with these requirements.

Disclosure to third parties

In cases when and if Dilogic d.o.o. engages the Processor, a third party or a business partner to process personal data, is obliged to ensure that the Processor takes security measures to protect personal data that correspond to the possible risks that may arise during processing. For this purpose, the Questionnaire on compliance with the General Data Protection Regulation is used.

Dilogic d.o.o. the contractually defines and requires the supplier or business partner to ensure the same level of data protection represented in Dilogic d.o.o. The supplier or business partner may only process personal data when it is fulfilling its contractual obligations to Dilogic d.o.o. or by order of Dilogic d.o.o. When Dilogic d.o.o. processes personal data together with an independent third party, it will explicitly specify its own as well as the responsibilities of the third party, through an appropriate contract or any other legally binding document.

Respondents’ rights to access data

When in the role of Processing controller, Dilogic d.o.o. is obliged to provide respondents with an acceptable mechanism for access to their personal data. Respondents are also provided with option for updating, correcting, deleting or transmitting personal data if applicable or prescribed by law.

Data portability

Respondents have the right, upon request, to obtain a copy of their data provided by Dilogic d.o.o. processes, in a structured format, and right to transfer this data free of charge to another processing controller. Dilogic d.o.o. is competent to ensure that such requests are processed within 30 (thirty) days, that they are not excessive and that they do not affect the personal data protection rights of other individuals.

The right to forget

Upon request, respondents are entitled to request Dilogic d.o.o. the deletion of their personal data. When Dilogic d.o.o. at the same acts as Processing controller, the responsible person must take the necessary actions (including technical measures) to inform third parties who use or process this data, of the need to comply with the request.

Guidelines for fair data processing

Personal data may only be processed if they have been explicitly approved by the responsible person.

When defining the processing, Dilogic d.o.o. must decide whether to apply the Data Protection Impact Assessment for each data processing activity, in accordance with the Data Protection Impact Assessment Guidelines.

Notifications to respondents

During or before the collection of personal data for any type of processing; including products for sale, services or marketing activities; responsible person in Dilogic d.o.o. is responsible for properly informing respondents about the following: type of personal data collected, purpose of processing, processing methods, rights of respondents in the context of their own personal data, retention period, possible international data transfer, possible sharing with third parties and security measures Dilogic d.o.o. on the protection of personal data. This information is contained in the Privacy Statement.

Dilogic d.o.o., depending on the processing activity and the categories of collected personal data, creates various notifications that differ according to the processes within the processing (e.g., for sending letters or for sending shipments).

When personal data is shared with a third party, the responsible person in Dilogic d.o.o. must ensure that respondents are notified through a Privacy Statement.

When personal data is transferred to a third country in accordance with the Cross-Border Data Transfer Policy, Dilogic d.o.o. clearly states in the Privacy Statement where and to which institution the personal data is transferred.

Obtaining consent

When the processing of personal data is based on the consent of the respondent or on some other legal basis, the responsible person in Dilogic d.o.o. is obliged to ensure adequate keeping of records of the consents in question. Also, Dilogic d.o.o. is obliged to provide the respondent with the option to give consent and to inform him and ensure that his consent (whenever used as a legal basis for processing) can be withdrawn at any time.

When the collection of personal data relates to a child under the age of 16, the responsible person in Dilogic d.o.o. is required to secure parental consent prior to the start of collection using the Parental Consent Form.

In the event of a request for correction, supplementation, or destruction of personal data records; Dilogic d.o.o.  must ensure that such requests are dealt with within a reasonable time and that any such requests are recorded.

Personal data in Dilogic d.o.o. are processed only for the purposes for which they were originally collected. If Dilogic d.o.o. wants to process the collected personal data for another purpose, it always seeks the permission of its respondents in a clear and unambiguous written manner. Each such request shall include the original purpose for which the data were collected, as well as a new or additional purpose (or purposes). The request also includes the reason for the change of purpose. Data Protection Officer is responsible for compliance with the rules set out in this chapter. Dilogic d.o.o. has ensured that collection methods are in accordance with relevant law, good business practices and applicable safety standards.

Organization and responsibilities

The responsibility for providing appropriate data processing lies with everyone who works for Dilogic d.o.o. or with Dilogic d.o.o. and has access to personal data provided by Dilogic d.o.o. processes.

The main areas of responsibility for the processing of personal data are in the following organizational roles:

Director makes decisions or approves the general strategies of Dilogic d.o.o. to protect personal data.

Data Protection Officer is responsible for the management of data protection programs, and for the development and promotion of personal data protection policy from its first to the last element as defined in the Job Description of the Data Protection Officer.

The responsible person monitors and analyzes personal data laws, changes in regulations, designs compliance requirements and assists business departments in achieving personal data goals.

Procedure in case of personal data breach

When Dilogic d.o.o. suspects or learns that a personal data breach has occurred, the responsible person in Dilogic d.o.o. must undertake an internal investigation and initiate corrective action to repair the damage. If it is determined that there are any risks to the rights and freedoms of the respondents, Dilogic d.o.o. must without delay, and within a maximum of 72 hours from the time the risk or incident is detected, notify the supervisory body or the Agency for Personal Data Protection.