; Ordinance on the collection, processing and use, and protection of personal data – Marodi International

Ordinance on the collection, processing and use, and protection of personal data

Rules on the collection, processing, use and protection of personal data

Pursuant to the General Data Protection regulation, the company MARODI d.o.o., Nedelišće, Gospodarska ulica 5, OIB 28972867029, hereby adopts the following

RULES

ON THE COLLECTION, PROCESSING, USE AND PROTECTION OF PERSONAL DATA

Article 1

These Rules lay down the manner of harmonising certain technical and organisational measures in order to ensure and be able to ensure that processing is carried out in accordance with Regulation (EU) 2018/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Official Journal of the European Union, L 119, 4 May 2016. (hereinafter referred to as: “the GDPR”)

Article 2

Types of personal data we collect 

Pursuant to the Personal Data Protection Act and Regulation on the manner of keeping and form of records on the databases (categories) of personal data, the company Marodi d.o.o., Nedelišće, Gospodarska ulica 5, as the Data Controller, processes the following categories (databases) of personal data:

  • personal data of employees
  • personal data of business partners (customers and suppliers)

Data categories can be added, changed, deleted depending on business use.

The Data Controller legally processes personal data on the following legal bases:

– data subjects’ consent;

– necessity in order to perform the contract with the data subject is a party of;

– Data Controller’s legal obligations;

– protection of the key interests of the data subjects or other natural persons;

– legitimate interest of the Data Controller or third party.

Article 3

Purpose of processing

Personal data are collected, organised, used and stored for the following purposes:

  • performance of the legal obligations of the company Marodi d.o.o., Nedelišće, and for the performance of public interest obligations (statistical research, use of human potential, monitoring the quality of professional work and the work of professional services, exercising the rights and performing the obligations arising out of the employment relationship as well as other official purposes);
  • performance of contracts concluded with business partners;
  • recovery of claims – if a business partner defaults on their contractual obligations, in order to protect ourselves as a creditor, we may forward the relevant personal data and use the services of natural persons and legal entities for the recovery of claims (i.e. law firms, debt collection agencies etc.). Before taking such a measure, we will notify our business partners thereof using the contact information you provided to us so that we may give you an opportunity to submit your response;
  • contact purposes – for the duration of the contractual relationship as well as for the period of one year thereafter, we contact our partners via communication tools such as e-mail, telephone or in writing via post.

Article 4

Legal basis for the establishment of a database

The legal basis for the establishment of a database is laid down in the Labour Act, Personal Data Protection Act, Labour ordinance, and Rules on the internal structure and work of the company Marodi d.o.o., Nedelišće.

Article 5

Categories of persons the data relate to

The database relates to employees, clients / business partners, natural persons (adults and minors) and persons who have concluded an employment contract directly with the company Marodi d.o.o., Nedelišće (fixed-term employment contract, employment contract of indefinite duration, temporary service contract, business relationship contract, contract on the sale of products and services).

With a prior consent, personal data may be collected, processed and used at the company Marodi d.o.o., Nedelišće.

All persons may at any time revoke their consent and request that their personal data no longer be processed, except if the data are processed for statistical purposes, when the person the personal data relate to is no longer identifiable.

Article 6

Types of data contained in databases

The databases contain the following types of data:

  • name and surname
  • citizen’s unique identification number (JMBG), personal identification number (OIB), year of birth
  • father’s and mother’s names
  • place and address of residence
  • place of birth
  • health insurance number
  • pension insurance number (pillar I)
  • pension insurance number (pillar II)
  • employment relationship type (fixed-term, indefinite time, temporary service)
  • job
  • professional qualifications (unqualified, secondary education, vocational education, university education)
  • data subject’s profession
  • bank account number
  • prior work experience
  • date of the commencement of the employment relationship
  • date of the termination of the employment relationship, along with the reason
  • employee’s working hours
  • reason for the expiry of the employment relationship (retirement, dismissal, employer’s decision)
  • information about the employment rights exercised (e.g. tax incentives for dependents, maternal leave, injuries at work, special rights and support, sick leave etc.)
  • employed/unemployed status
  • school/profession
  • name and surname of a parent or foster parent
  • parent’s or foster parent’s identity card number.

Article 7

Method of collection and storage of data

Personal data may be collected and further processed exclusively in cases provided for in the Labour Act and Rules on the internal structure and work of the company Marodi d.o.o., Nedelišće.

The General Manager of the company shall adopt a decision on the persons in charge of personal data protection as well as a decision on persons who are authorised for the supervision, collection, processing, use and transmission of personal data apart from the employer.

Prior to any personal data collection, employees of the company Marodi d.o.o., Nedelišće, shall inform the data subject whose data are being collected of the identity of the Data Controller and of the purpose of the intended processing.

Personal data shall be taken directly from the data subjects orally and in writing.

In order to prevent unauthorised access to personal data, data in written form (databases, payrolls) are kept in binders stored in locked file cabinets, while data stored in a computer are protected by assigning a user name and password to the employee processing those data, which are stored to portable memory drives and backup servers for additional security and confidentiality.

Article 8

Periods of time for which data are stored and used

Employee records are kept from the day of the commencement of the employment relationship, and are ceased to be kept on the day of the cessation of the employment relationship. Data on employees represent documentation of permanent value, which is kept pursuant to the Act/Rules.

Records on external associates are kept from the commencement of the employment relationship, and are ceased to be kept once the purpose for which the data are collected has been fulfilled. Data are kept pursuant to the Act/Rules.

Article 9

Making personal data available to other users

Personal data contained in a database can be made available to other users on the basis of a written request if it is necessary for the performance of tasks within the scope of the user’s registered business activities.

Prior to making personal data available to other users, the company Marodi d.o.o., Nedelišće, shall notify the data subject thereof (orally and in writing where necessary).

Special records shall be kept of personal data made available to another user, about the other user and about the purpose the data have been made available for.

Article 10

Rights of users / data subjects

  • right to review the personal data contained in the database which relate to them;
  • to print out the personal data contained in the database which relate to them;
  • right to have incomplete or inaccurate personal data corrected;
  • right to deletion – data subjects may ask for a deletion of all their personal data, except in cases where processing is necessary for the performance of regulatory obligations or public interest;
  • right to restriction of processing – data subjects may ask for the processing of their personal data to be restricted;
  • right to the possibility of data transfer;
  • right to object;
  • right to a complaint;
  • notification in connection with the processing of personal data related to them.

The request shall be submitted in writing.

Article 11

The company Marodi d.o.o., Nedelišće, shall, 30 days from the submission of the request at the latest, at the request of any data subject or their legal representative or attorney-in-fact:

  • submit a certificate of whether the personal data related to them are being processed or not;
  • make available to them the database of personal data as well as the personal data contained in the database which relate to them, including enable their transcription;
  • submit extracts, certificates or transcripts of personal data contained in the database which relate to them, which must contain an indication of the purpose and legal basis for the collection, processing and use of those data;
  • submit a transcript of the information on who was given personal data relating to them for use and for what purpose and on what legal basis.

Any data subject who considers that their right guaranteed under the Personal Data Protection Act has been infringed shall be entitled to submit a request for the determination of the infringement to the Personal Data Protection Agency.

Article 12 

Personal data protection measures

The professional and administrative staff of the company Marodi d.o.o., Nedelišće, which processes personal data, shall take technical, personnel and organisational measures for the protection of personal data which are necessary to protect personal data from accidental loss or destruction, unauthorised access or unauthorised change, unauthorised publication and any other misuse as well as set out the obligations of persons tasked with data processing.

Personal data relating to minors may be collected and further processed in accordance with the law and with special protection measures laid down in special laws.

Article 13 

These Rules shall enter into force on 25 May on the day of their adoption, and shall be published on the bulletin board of the company Marodi d.o.o., Nedelišće, and on the website www.marodi.com.