Personal data protection policy

1. INTRODUCTORY PROVISIONS

Pursuant to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data, and on the repeal of Directive 95/46/EC (Official Journal of the European Union L 119, 4 May 2016, hereinafter: “General Regulation”), which in full application from 25. May 2018 in the Republic of Croatia and all member states of the European Union, as well as the Act on the Implementation of the General Regulation on Data Protection (“Official Gazette” No. 42/18), i.e. in accordance with the entire legal framework for the protection of personal data in the Republic of Croatia and the European Union and the best European practice ,
CROATIAN COPYRIGHT AGENCY – CENTER FOR INTELLECTUAL PROPERTY doo, with headquarters in Zagreb, Ribnjak 40, registered in the court register of the Commercial Court in Zagreb under registration subject number (MBS): 080062810, personal identification number (OIB): OIB: 93451064376 (hereinafter to the text: “practice,
CROATIAN COPYRIGHT AGENCY”),

as the manager of personal data processing of users of its services and other natural persons in accordance with special legal relationships and business processes, has created the Personal Data Protection Policy as a unilaterally binding legal act based on the fundamental principles of personal data processing, which act regulates which personal data is collected , how such data is processed, based on which legal basis, for what purposes it is used and other issues related to the processing of personal data (hereinafter: “Policy”). The aim of this Policy is to familiarize natural persons with their rights in the collection and further processing of personal data, all for the purpose of protecting their privacy.

2. GENERAL AND DEFINITIONS

The operation of the CROATIAN COPYRIGHT AGENCY, with regard to the collection and further processing of personal data on natural persons, is fully harmonized with the provisions of the General Regulation, and accordingly everyone is guaranteed the protection of their privacy. A person who believes that the CROATIAN COPYRIGHT AGENCY is processing his personal data in an illegal manner, in addition to the rights he has directly against the CROATIAN COPYRIGHT AGENCY, has the right to submit a complaint to the competent supervisory authority.

The personal data protection policy is based on the following principles of personal data processing, which the CROATIAN COPYRIGHT AGENCY must adhere to in its operations:

• The principle of legality, fairness and transparency of processing – any processing of personal data must be in accordance with a certain legal basis, and individuals are provided with information about the processing procedure and its purposes, and the controller is obliged to provide the subject with all additional information necessary to ensure fair and transparent processing taking into account the special circumstances and context of personal data processing;
• Principle of purpose limitation – personal data should be collected for specific, explicit and lawful purposes and may not be further processed in a manner inconsistent with these purposes; but further processing is possible for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes;
• The principle of reducing the amount of data – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Principle of accuracy – personal data must be accurate and, if necessary, up-to-date; every reasonable measure must be taken to ensure that personal data that is inaccurate, taking into account the purposes for which it is processed, is deleted or corrected without delay;
• The principle of storage limitations – personal data must be stored in a form that allows the identification of the subject only for as long as is necessary for the purposes for which the personal data is processed; longer storage periods are possible only if personal data will be processed exclusively for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes with the implementation of appropriate protection measures prescribed by the General Regulation;
• The principle of integrity and confidentiality – personal data must be processed in a way that ensures an adequate level of security, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage;
• The principle of reliability – the CROATIAN COPYRIGHT AGENCY, as the data controller, is responsible for compliance with the previously mentioned principles, which it must be able to prove.

This Policy applies to the entire operation of the CROATIAN COPYRIGHT AGENCY, whereby the goal of the Policy is to inform all persons whose personal data is concerned about the procedures for processing their personal data, their rights and the purposes for which their data is processed in a clear and transparent manner, as and the legal basis for processing personal data.

CROATIAN COPYRIGHT AGENCY is fully committed to ensuring the continuous and effective establishment of this Policy, and expects the same from its employees and business partners. Any violation of the provisions of this Policy may result in appropriate disciplinary measures or business sanctions.

According to the definition from Article 4. dots. 7. General Regulations, CROATIAN COPYRIGHT AGENCY is the manager of personal data processing who determines the purpose and means of personal data processing in accordance with national legislation and/or EU law.

The provisions of this Policy are applied appropriately to cases in which the CROATIAN COPYRIGHT AGENCY acts as a processor on behalf of another processor.

The meaning of certain definitions used in this Policy:

• “Personal data” means any data relating to an individual whose identity has been determined or can be determined (“the respondent”); an identifiable individual is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, online identifier or with the help of one or more factors inherent to physical, physiological, genetic, mental , economic, cultural or social identity of that individual. According to the above, personal data are e.g. first and last name, ID number, residential address, e-mail address, data contained in the court or other file of the respondent as a party, photo, etc.;
• “Respondent” is an individual whose identity can be determined directly or indirectly, in particular with the help of identifiers such as: name, identification number, location data, network identifier or with the help of one or more factors specific to physical, physiological, genetic, mental, the economic, cultural or social identity of that individual;
• “Processing” means any process or set of processes performed on personal data or sets of personal data, by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transferring, disseminating or otherwise making available, matching or combining, restricting, erasing or destroying;
• “Personal Data Breach” means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed;
• “Recipient” is a natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party;
• “Respondent’s consent” is any voluntary, specific, informed and unambiguous expression of the wishes of the respondent by which he gives his consent to the processing of personal data relating to him by a statement or a clear affirmative action;
• “Third party” is a natural or legal person, public authority, agency or other body other than the respondent, personal data collection manager or personal data processor and persons directly authorized by the processor to process personal data;
• “Processor” is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

3. LEGALITY OF PERSONAL DATA PROCESSING

CROATIAN COPYRIGHT AGENCY processes personal data only to the extent that one of the following conditions is met:

• the respondent has given his consent for the processing of his personal data for one or more specific purposes;
• the processing is necessary for the performance of a contract to which the respondent is a party or in order to take actions at the request of the respondent before concluding the contract;
• processing is necessary to comply with the legal obligations of the controller;
• processing is necessary to protect the key interests of the data subject or other natural person;
• the processing is necessary for the performance of a task of public interest or in the exercise of the official authority of the data controller;
• processing is necessary for the purposes of the legitimate interests of the controller or a third party, except when these interests are stronger than the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.

When determining a legitimate interest in the processing of personal data (e.g. the establishment of a video surveillance system), the CROATIAN AUTHOR’S AGENCY is obliged to make an adequate assessment of the existence of a legitimate interest as a legal basis, based on the principle of “weighing interests” with the aim of determining the assumptions prescribed by the General Regulation, about which it will draw up an appropriate documentation.

If the legal basis for the processing of personal data is the consent of the respondent, such consent must be given voluntarily, in written form with easy-to-understand, clear and simple language and a clearly indicated purpose for which it is given. Consent is determined by the purpose of processing personal data and contains a note on the method of withdrawal, which must be as simple as giving it. Withdrawal of consent does not affect the legality of the processing done before its withdrawal.

When receiving e-mail with personal data that can be used to identify the respondent, regardless of whether it is questions, comments, or a special form that you send to us by e-mail, the CROATIAN COPYRIGHT AGENCY will process this data exclusively for the purpose of solving the aforementioned requests of the respondent, unless the purpose of personal data processing requires otherwise.

4. PERSONAL DATA WE HAVE AND THE PURPOSES FOR WHICH WE PROCESS THEM

CROATIAN COPYRIGHT AGENCY collects and processes the following categories of personal data:

1. a) personal data about employees of the CROATIAN COPYRIGHT AGENCY: first and last name, address of residence/residence, OIB, date of birth, citizenship, information on professional training and other personal data for which the processing is prescribed by law or results from the employment relationship (salary data, place of work, working hours, vacation records, etc.).

PURPOSE OF PROCESSING: execution of rights and obligations arising for the CROATIAN COPYRIGHT AGENCY from the employment relationship with its employees (lawyers, law trainees and other employees), and the provision of such data is a legal and contractual obligation of the respondent and is a condition for the establishment and further course of the employment relationship;

1. b) personal data on persons participating in tenders or other procedures (open applications) in connection with establishing an employment relationship with the CROATIAN COPYRIGHT AGENCY: first and last name, address of residence/residence, OIB, date of birth and other information provided by the said person in connection with a tender process or another process.

PURPOSE OF PROCESSING: recruitment of new persons to a position in the CROATIAN COPYRIGHT AGENCY, and the provision of this data is a condition for possible employment of the respondent;

1. c) personal information about the parties of the CROATIAN COPYRIGHT AGENCY: name and surname, address of residence/residence, OIB, relationship with other persons and other personal information contained in the documents.

PURPOSE OF PROCESSING: facilitating the work of the CROATIAN COPYRIGHT AGENCY, i.e. the possibility of providing services to its clients;

1. d) personal data about persons with whom the CROATIAN COPYRIGHT AGENCY maintains other business cooperation as part of the performance of its activities: name and surname, date of birth, ID number, residential address, account number and other data related to the performance of mutual contractual obligations and legal obligations which result from it

PURPOSE OF PROCESSING: acquisition of goods and services in legal transactions and the execution of rights and obligations arising from such legal relations, and the provision of such data is a legal and contractual obligation of the respondent and a necessary condition for concluding a contract;

1. e) personal data about the exact time and the person who unlocks the entrance door of the work premises at the address Ribnjak 40 in Zagreb, using the appropriate pass assigned to the employees of the CROATIAN COPYRIGHT AGENCY and other legal and natural persons who use the mentioned business premises.

PURPOSE OF PROCESSING: legitimate interest in protecting personal data by allowing access to the premises of the CROATIAN COPYRIGHT AGENCY only to a narrow circle of authorized persons.

1. f) personal data published on the website of the CROATIAN COPYRIGHT AGENCY (https://haa.hr/): name and surname, photo, work experience, information on COPYRIGHT , narrow field of work, etc. in relation to the employees of the CROATIAN COPYRIGHT AGENCY.

PURPOSE OF PROCESSING: public release of more detailed information about the professional team employed at the CROATIAN COPYRIGHT AGENCY, and the provision of this information is not a legal or contractual obligation, and the respondent will not suffer adverse consequences in case of refusal to grant consent;

CROATIAN COPYRIGHT AGENCY processes the personal data at its disposal exclusively for the above-mentioned purposes, and will not use them for other (incompatible) purposes or process them in any other way.

Exceptionally, if the processing of personal data for a purpose that is different from the purpose for which the data was collected is not based on the consent of the data subject, on European Union law or Croatian law, the CROATIAN COPYRIGHT AGENCY, with the aim of determining whether the processing for another purpose is in accordance with the purpose in which the personal data was initially collected, takes into account, among others:

• any connection between the purpose of collecting personal data and the purpose of the intended continuation of processing;
• the context in which the personal data was collected, especially with regard to the relationship between the data subject and the controller;
• the nature of personal data;
• possible consequences of the intended continuation of processing for the respondents;
• the existence of appropriate security measures, which may include encryption or pseudonymization.

If the CROATIAN COPYRIGHT AGENCY intends to additionally process personal data for a purpose that is different from the one for which the personal data was collected, before such additional processing it provides the respondent with information about that other purpose and all other relevant information prescribed by the General Regulation.

5. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

In terms of the provisions of the General Regulation, the CROATIAN COPYRIGHT AGENCY processes the above-mentioned personal data in accordance with the following legal bases, which in the specific case of personal data processing exist individually or cumulatively:

• personal data listed under 4.a) – processing is necessary for the execution of a contract to which the respondent is a party / processing is necessary to comply with the legal obligations of the controller (regulations on employment, health and pension insurance, tax regulations, regulations on lawyers, etc. );
• personal data listed under 4.b) – processing is necessary in order to take actions at the request of the respondent before concluding the contract;
• personal data specified under 4.c) – processing is necessary for the execution of a contract in which the respondent is a party or in order to take actions at the request of the respondent before concluding the contract / processing is necessary to comply with the legal obligations of the data controller (regulations on lawyers) / processing is necessary for the legitimate interests of the controller or a third party / processing is necessary to protect the key interests of the data subject or other natural person;
• personal data listed under 4.d) – processing is necessary for the execution of a contract to which the respondent is a party / processing is necessary to comply with the legal obligations of the controller (accounting regulations, etc.) / processing is necessary for the legitimate interests of the controller or a third party ;
• personal data listed under 4.e) – processing is necessary for the legitimate interests of the controller or a third party;
• personal data listed under 4.f) – the respondent has given his consent for the processing of his personal data for a special purpose;

In other cases, the respondent has given his consent for the processing of his personal data for one or more special purposes.

In the case of sending offers, opinions, etc., and based on inquiries or existing business cooperation with clients, consent is not required, but it is considered our legitimate interest in accordance with point 47 of the preamble of the Regulation on Personal Data Protection.

Apart from the aforementioned legal grounds, the CROATIAN COPYRIGHT AGENCY may process personal data in cases specified by law or by a decision of a competent public body. CROATIAN COPYRIGHT AGENCY processes said personal data exclusively in a manner that is consistent with the purpose of their collection and will not process them for other purposes.

6. PERSONS AUTHORIZED FOR THE PROCESSING OF PERSONAL DATA

In the context of carrying out its daily business processes, and in carrying out its legal activities, the CROATIAN COPYRIGHT AGENCY, as the manager of personal data processing, processes the aforementioned personal data through its employees and persons authorized to represent them.

The processing of personal data within the framework of their workplace, and in the context of performing their daily work duties at the CROATIAN COPYRIGHT AGENCY, is carried out by:

• a) persons authorized to represent the CROATIAN COPYRIGHT AGENCY (director);
• b) head of department;
• c) administrative secretary;
• e) other workers with appropriate authorizations.

On behalf of the CROATIAN COPYRIGHT AGENCY, as the data controller, in some cases personal data is processed by the processor (eg accounting or IT service). HRVATSKA AUTORSKA AGENCIJA obligatorily enters into an appropriate written contract with such processors, whereby the processor undertakes, among other things, with regard to the protection of the personal data in question, to apply all data protection standards prescribed by the General Regulation. Also, the processor is not authorized to engage another processor (sub-processor) without prior special or general written approval of the CROATIAN COPYRIGHT AGENCY.

7. RECIPIENTS OF PERSONAL DATA

If the purpose of personal data processing dictates it or there is such a legal obligation, in certain cases the CROATIAN COPYRIGHT AGENCY discloses (forwards) personal data to other natural or legal persons, public authorities, agencies or other bodies. In all other cases, the CROATIAN COPYRIGHT AGENCY does not disclose personal data in its possession to third parties.

For the sake of complete transparency, below is a presentation of the categories of recipients of individual personal data at the disposal of the CROATIAN COPYRIGHT AGENCY:

1. Personal data listed under 4.a) are disclosed:

• external accounting service and IT specialists with whom the CROATIAN COPYRIGHT AGENCY has entered into a corresponding written agreement in terms of the provisions of the General Regulation;
• To the Tax Administration;
• HZZO;
• HZMO;
• the business bank where the employee has an account;
• to other public authorities when there is such a legal obligation.

2. The personal data specified under 4.b) are not disclosed to other recipients unless the candidate for the position expressly requests it, and there is such an interest of the CROATIAN COPYRIGHT AGENCY.
3. Personal data specified under 4.d) are not disclosed directly to other recipients.
4. Personal data listed under 4.e) are disclosed, as necessary, exclusively to recipients who use the business premises at Ribnjak 40 in Zagreb.
5. The personal data specified under 4.f) are publicly published on the website https://haa.hr/ , and are not disclosed directly to other recipients.

When fulfilling its obligations from the “right to access personal data and additional information” (here under 10. B), the CROATIAN COPYRIGHT AGENCY, among other things, provides specific information about the recipients of personal data of an individual respondent.

8. RIGHTS OF RESPONDENTS

CROATIAN COPYRIGHT AGENCY ensures the exercise of the following rights for persons whose personal data it disposes of (standardized by Articles 12-22 of the General Regulation):

• A. Transparency;
• B. Access to personal data and additional information;
• C. Right to rectification of data;
• D. Right to deletion (“Right to be forgotten”);
• E. The right to limit data processing;
• F. Right to Data Portability;
• G. Right to object;

In addition to the aforementioned rights that the respondent exercises according to the CROATIAN COPYRIGHT AGENCY, the respondent has the right to file a complaint with the competent authority. In the Republic of Croatia, the competent authority is the Personal Data Protection Agency.

1. TRANSPARENCY:

CROATIAN COPYRIGHT AGENCY is obliged to provide the Respondent with information when collecting personal data and, among other things, to inform him about his identity and contact information, purposes of processing and legal basis for data processing, recipients, possible transfer to third countries, storage period, possibility of withdrawal consents and other information in accordance with the provisions of the General Regulation.

One of the ways of acting in accordance with the previous obligation is to acquaint the respondent with the provisions of this Policy, which achieves the effects prescribed in Article 13. General regulations (Information to be submitted if personal data is collected from the data subject). This can be done e.g. by sending a web link containing the text of this Policy.

If the CROATIAN COPYRIGHT AGENCY does not collect personal data directly from the respondent in an individual case, it is nevertheless obliged to provide him with the above-mentioned information in an appropriate manner, unless otherwise prescribed by the provisions of Article 14. General regulations.

1. ACCESS TO PERSONAL DATA AND ADDITIONAL INFORMATION:

The CROATIAN COPYRIGHT AGENCY is obliged to provide information to the respondent at his request as to whether personal data relating to him are being processed and, if such personal data are being processed, to provide access to personal data, as well as information, among other things, about the processed personal data, about the purpose of the processing , the storage period or the criteria used to determine that period, possible transfer to third countries and other information in accordance with the provisions of the General Regulation.

In this case, the CROATIAN COPYRIGHT AGENCY provides a copy of the personal data that is being processed and concerns the respondent in question. For all additional copies requested by the respondent, the CROATIAN COPYRIGHT AGENCY may charge a reasonable fee based on administrative costs. If the respondent submits a request electronically, as well as in other cases unless the respondent requests otherwise, the information is provided in the usual electronic form.

The right to obtain a copy of processed personal data must not have a negative impact on the rights and freedoms of other persons.

1. RIGHT TO CORRECTION OF DATA:

CROATIAN COPYRIGHT AGENCY is obliged to enable the respondent, at his request, to correct incorrect personal data relating to him, and the respondent has the right to supplement incomplete personal data, among other things, by providing an additional statement.

1. RIGHT TO DELETE (“RIGHT TO BE FORGOTTEN”):

The respondent has the right to obtain from the CROATIAN COPYRIGHT AGENCY the deletion of personal data relating to him and the CROATIAN COPYRIGHT AGENCY has the obligation to delete personal data without undue delay if at least one of the following conditions is met:

• personal data are no longer necessary in relation to the purpose of processing;
• the respondent has withdrawn consent for processing, if there is no other legal basis for processing the personal data in question;
• the respondent lodges an objection to the processing in accordance with Article 21. paragraph 1. General Regulations, and there are no stronger legitimate reasons for processing the personal data in question;
• personal data were illegally processed;
• personal data must be deleted in order to comply with the legal obligation arising from the law of the European Union or Croatian law.

1. THE RIGHT TO LIMIT DATA PROCESSING:

The respondent has the right to obtain from the CROATIAN COPYRIGHT AGENCY the restriction of the processing of personal data relating to him if one of the following is met:

• the respondent disputes the accuracy of personal data, for the period during which the CROATIAN COPYRIGHT AGENCY is enabled to check the accuracy of personal data;
• the processing is illegal and the respondent opposes the deletion of personal data and instead requests the restriction of their use;
• CROATIAN COPYRIGHT AGENCY no longer needs personal data for processing purposes, but the respondent requests them in order to establish, realize or defend legal claims;
• the respondent filed an objection to the processing of personal data based on Article 21. item 1. General regulations, awaiting confirmation whether the legitimate reasons of the CROATIAN COPYRIGHT AGENCY exceed the reasons on the part of the respondent.

If the processing is limited as described, the subject personal data may only be processed with the consent of the data subject, with the exception of the storage of such personal data, or for the establishment, realization or defense of legal claims or the protection of the rights of another natural or legal person or for important public interest.

The subject who obtained the limitation of processing of his personal data shall be notified by the CROATIAN COPYRIGHT AGENCY before the limitation of processing is lifted.

1. RIGHT TO PORTABILITY:

The respondent has the right to receive his personal data collected from him by the CROATIAN COPYRIGHT AGENCY, in a structured form and in a commonly used and machine-readable format, and has the right to transfer this data to another data controller without interference from the CROATIAN COPYRIGHT AGENCY, provided that the processing is carried out automated means, based on consent or contractual obligation.

1. RIGHT TO OBJECT:

The respondent has the right to file an objection to any processing of personal data based on the existence of a legitimate interest of the CROATIAN COPYRIGHT AGENCY (including creating a profile).

In the event of an objection, the CROATIAN COPYRIGHT AGENCY may no longer process the personal data of the subject, unless it proves that the legitimate reasons for processing personal data exceed the interests of the subject, or the processing is important for the establishment, realization or defense of legal claims.

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that relate to him or similarly significantly affect him, unless such a decision is necessary for the conclusion or execution contract between the respondent and the CROATIAN COPYRIGHT AGENCY, if it is permitted by law prescribing appropriate measures to protect the rights and freedoms and legitimate interests of the respondent or based on the express consent of the respondent.

The CROATIAN COPYRIGHT AGENCY is obliged, at the latest at the moment of the first communication with the respondent, to draw attention to the right to object and must do so in a clear manner and separately from any other information. This applies if the legal basis for the specific processing of personal data is the legitimate interest of the CROATIAN COPYRIGHT AGENCY.

9. PROCEDURE FOR EXERCISE OF THE RESPONDENT’S RIGHTS

The respondent submits requests for the realization of rights orally or in writing, including electronic communication. If an individual submits a request related to any of the above-mentioned rights of the respondent, the CROATIAN COPYRIGHT AGENCY will consider each such request in accordance with the applicable norms on the protection of personal data.

If the CROATIAN COPYRIGHT AGENCY has justified doubts regarding the identity of the individual who submits a request for the exercise of rights, it may in that case request the provision of additional information necessary to confirm the identity of the respondent.

The CROATIAN COPYRIGHT AGENCY shall, at his request, provide the respondent with information on the actions taken without undue delay and in any case within one month of receiving the request. This deadline can be extended by an additional two months if necessary, taking into account the complexity and number of requests. CROATIAN COPYRIGHT AGENCY informs the respondent of any such extension within one month of receiving the request, along with the reasons for the postponement. If the data subject makes a request electronically, the information shall be provided electronically if possible, unless the data subject requests otherwise.

If the requests of the respondents are clearly unfounded or excessive, especially due to their frequent repetition, the CROATIAN COPYRIGHT AGENCY may:

• charge a reasonable fee taking into account the administrative costs of providing the information or notification or acting on the request; or
• refuse to comply with the request.

10. PLACE AND PERIOD OF PERSONAL DATA STORAGE AND PROCESSING

CROATIAN COPYRIGHT AGENCY processes personal data on the territory of the Republic of Croatia.

Personal data that is in material form (written documentation) is stored and otherwise processed in the business premises of the CROATIAN COPYRIGHT AGENCY in Zagreb, unless the purpose of processing or a legal obligation requires otherwise.

Personal data in the form of electronic records are stored and otherwise processed within the IT infrastructure at the disposal of the CROATIAN COPYRIGHT AGENCY, unless the purpose of the processing or a legal obligation requires otherwise.

CROATIAN COPYRIGHT AGENCY stores the personal data at its disposal for a period that depends on the purpose of processing individual personal data or the legal obligation to which the processing is subject. In accordance with the above, the CROATIAN COPYRIGHT AGENCY deletes without delay all personal data for which the purpose for processing has been fulfilled (ceased).

As for the legal obligations to store personal data, in this sense, the CROATIAN COPYRIGHT AGENCY must act in accordance with the regulations that regulate, for example, provision of legal services, accounting operations, tax obligations, recording of certain facts related to the employment relationship, as well as all other legal relationships entered into within the scope of its operations CROATIAN COPYRIGHT AGENCY.

When fulfilling its obligations from the “right to access personal data and additional information” (here under 10. B) CROATIAN COPYRIGHT AGENCY, among other things, provides the respondent with information about the expected period during which personal data will be stored or, if this is not possible, the criteria used to determine that period.

11. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

In the event that the purpose of personal data processing or a legal obligation dictates it, the CROATIAN COPYRIGHT AGENCY may transfer personal data to a third country only in accordance with the provisions of the General Regulation, whereby it will always inform the subject of the intention of such transfer. Personal data can only be transferred to those third countries for which an adequacy decision has been issued (transfers based on an adequacy decision). The European Commission compiles and publicly publishes a list of third countries that provide an adequate level of personal data protection and to which personal data can be transferred without further restrictions.

If it is necessary to transfer personal data to a third country that is not on the list of the European Commission, then the transfer is possible exclusively and only in the manner determined by the General Regulation.

When fulfilling its obligations from the “right to access personal data and additional information” (here under 10. B), the CROATIAN COPYRIGHT AGENCY, among other things, provides specific information on the possible transfer of personal data to third countries, as well as on the appropriate protective measures taken in the process .

12. ORGANIZATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA

With the aim of properly implementing the provisions of this Policy as well as other internal acts in the field of personal data protection, CROATIAN COPYRIGHT ‘ AGENCY undertakes to adequately raise the awareness of its employees about the rights and obligations arising from the provisions of the General Regulation.

Persons in charge of processing personal data are responsible for protecting personal data from accidental loss or destruction, from unauthorized access or illegal processing, unauthorized publication and any other misuse, and sign an appropriate confidentiality statement.

The right to access personal data is available only to persons who are specifically authorized by the CROATIAN COPYRIGHT AGENCY, or the execution of personal data processing actions results from the workplace where they are employed. Unauthorized access to personal data and attempts to send or modify data are strictly prohibited.

By special decision, the CROATIAN COPYRIGHT AGENCY may appoint a data protection officer on the basis of professional qualifications, especially professional knowledge of law and practices in the field of data protection, and the ability to perform tasks prescribed by the General Regulation.

13. TECHNICAL MEASURES FOR THE PROTECTION OF PERSONAL DATA

Taking into account the latest achievements, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and severity for the rights and freedoms of individuals arising from data processing, the CROATIAN COPYRIGHT AGENCY, both at the time of determining the means of processing and at the time of the processing itself , implements appropriate technical measures, such as pseudonymization, to enable the effective application of data protection principles, such as the reduction of the amount of data, and the inclusion of protective measures in the processing in order to meet the requirements of the General Regulation and protect the rights of the data subject.

CROATIAN COPYRIGHT AGENCY must perform an assessment of the appropriate level of security and take into account, in particular, the risks posed by data processing, and in particular the risks of accidental or illegal destruction, loss, alteration, unauthorized disclosure of personal data or unauthorized access to personal data that have been transferred, stored or otherwise processed.

In relation to personal data stored under the supervision of the CROATIAN COPYRIGHT AGENCY, technical protection measures are implemented, which include:

• locking of work premises;
• storage of material documentation in binders;
• locking of cabinets containing binders;
• availability of means of unlocking exclusively to authorized persons;
• antivirus protection;
• passwords for accessing computers and other devices;
• other technical measures that are appropriate to the current risks for the rights and freedoms of the respondents.

On concrete measures for the technical protection of personal data, the CROATIAN COPYRIGHT AGENCY adopts a special “Information Infrastructure Security Policy” as an internal document.

14. OTHER PROVISIONS

If there is a probability that some type of processing, especially through new technologies and taking into account the nature, scope, context and purposes of the processing, will cause a high risk for the rights and freedoms of individuals, the CROATIAN COPYRIGHT AGENCY is obliged to carry out an assessment of the impact of the planned processing procedures on personal data protection. A single assessment may refer to a number of similar processing operations that pose similar high risks. When conducting a data protection impact assessment, the CROATIAN COPYRIGHT AGENCY seeks advice from the data protection officer, if appointed. The impact assessment should contain a description of the processing procedures and its purpose, an assessment of necessity and proportionality, an assessment of risk and a description of measures that reduce the risk of processing.

CROATIAN COPYRIGHT AGENCY keeps, and upon the request of the supervisory authority, submits to it a record of processing activities that contains the following essential elements of the processing of those personal data in relation to which there is such an obligation in accordance with the provisions of the General Regulation:

• the name and contact information of the data controller and data protection officer,
• purpose of processing,
• description of the respondent category and personal data category,
• legal basis of processing,
• data recipients,
• data transfers to third countries, if applicable,
• anticipated data retention periods,
• a general description of technical and organizational security measures implemented.

15. CONTACT INFORMATION

For all questions related to the processing of personal data and exercising the rights of respondents, feel free to contact us according to the following contact information:

• Ribnjak 40, HR-10000 Zagreb
• phone: + 385 1 4828 060
• e-mail: info@haa.hr
• website: https://haa.hr/

16. FINAL PROVISIONS

The personal data protection policy is published on the website of the CROATIAN COPYRIGHT AGENCY on 25 May 2018

The personal data protection policy comes into force on the day of publication.

All possible changes and/or additions to the provisions of the Personal Data Protection Policy will be published in the same way. For this reason, it is necessary to regularly check the currentness of its provisions, so that respondents and employees of the CROATIAN COPYRIGHT AGENCY are properly informed of their rights and obligations.

In Zagreb, on the 25th May 2018