Personal information protection

WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?

The General Data Protection Regulation (GDPR) is an act adopted in the EU to protect citizens' personal data. It has been applied since 25 May 2018 in all EU member states, and it also applies to business entities outside the EU that offer goods and services to, or monitor the behaviour of, EU residents.

TO WHAT TYPE OF PERSONAL DATA PROCESSING DOES THE GENERAL DATA PROTECTION REGULATION (GDPR) APPLY?

It applies to the processing of personal data for business purposes.

WHO IS THE DATA PROTECTION OFFICER?

In 2023 Croatian Cultural Centre Sušak adopted the Decision on the appointment of a Data Protection Officer by which the official Tereza Korošec Vranjić was appointed as the Data Protection Officer.

For all questions regarding the protection of your personal data by the Croatian Cultural Centre Sušak please refer to the Data Protection Officer:
by email: tereza@hkd-rijeka.hr
at the address: Strossmayerova 1, 51000 Rijeka
by phone: +385 91 435 2646

The Data Protection Officer takes care of personal data protection and the lawfulness of personal data processing, with regard to the observance of the provisions of the General Data Protection Regulation (GDPR) and other regulations governing personal data processing. The Officer is obliged to keep confidential all information and data they learn while performing their duties. That obligation shall continue to take effect after the expiry of their mandate as the Data Protection Officer.

You should refer all questions regarding the processing of your personal data to the Data Protection Officer. You also have the right to:

  • Be informed about the processing of your personal data;
  • Obtain access to personal data about yourself;
  • Request the rectification of incorrect, inaccurate or incomplete personal data;
  • Request deletion of personal data when they are no longer necessary or in case of unlawful processing;
  • Object to the processing of your personal data;
  • Request the restriction of processing of your own personal data in specific cases.

WHEN DOES THE GENERAL DATA PROTECTION REGULATION (GDPR) NOT APPLY?

The Regulation does not apply in cases of criminal law activities, such as the prevention of criminal offences or prosecution of the offender, as well as in areas outside the competence of the EU. Furthermore, it does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

WHO IS THE DATA SUBJECT WITHIN THE MEANING OF THE GDPR REGULATION?

Any natural person whose data are being collected and processed.

WHO IS THE DATA CONTROLLER?

Any business entity (natural or legal person, association, public authority, agency or other authority) that collects personal data and determines the purpose of their processing.

The Data Controller for personal data collected by the Croatian Cultural Centre Sušak is the Croatian Cultural Centre Sušak, a legal person. The registered seat of the Croatian Cultural Centre Sušak is in Rijeka, Strossmayerova 1.

For example: companies or sole proprietorships, financial institutions, associations, clubs, schools or faculties, hospitals, government bodies or local/regional self-government units, individuals performing certain professional activities, and even natural persons that process personal data beyond the scope of household activities.

WHO IS THE DATA PROCESSOR?

Any business entity that processes personal data on behalf of a data controller.

The data processor for data collected and processed by the Croatian Cultural Centre Sušak is the business entity that processes personal data on behalf of, i.e. for, the Croatian Cultural Centre Sušak under a previously concluded contract or another act in accordance with the General Data Protection Regulation (GDPR).

For example: a processor is a company engaged to perform video monitoring over the objects owned by the Croatian Cultural Centre Sušak to protect people and property.

WHAT ARE PERSONAL DATA?

Any information relating to an identified natural person or a natural person identifiable based on the data.

In other words, all data related to an individual whose identity is identified or can be identified, directly or indirectly, in particular by reference to additional identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For example: name and last name, home address, email address, personal identification number (PIN/OIB), location data, an online identifier, data on professional qualification, workplace, bank accounts, credit indebtedness, picture, voice, phone number, IP address, medical records, list of favourite works of literature or songs, etc.

WHEN CAN YOUR PERSONAL DATA BE COLLECTED AND PROCESSED?

Personal data can be collected and processed when you are made aware of it and when there is a valid legal basis for data collection.

The valid basis exists in the following cases:

  • You gave consent to the processing of data for one or more specific purposes (e.g. to be included in a loyalty program, for consumer cards).
  • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (for example, processing your data when applying to job vacancies, scholarships, submitting applications to exercise different rights, supports, help, etc.).
  • Processing is necessary for compliance with a legal obligation (e.g. sending employees' data to the Croatian Health Insurance Fund or the Croatian Pension Insurance Institute).
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. disclosure of one parent's data to the other parent by the competent authorities for the purpose of child support).
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (e.g. due to the official authority of the Croatian Bureau of Statistics, we are obliged to submit certain personal data to the Bureau).
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (e.g. legitimate interests of a property owner to install a video surveillance system to prevent the real risk to his property).

WHAT ARE “SENSITIVE DATA” AND WHEN DO WE PROCESS IT?

Special categories of personal data (so-called “sensitive data”) are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.

Such data can be collected and processed under the following conditions:

  • You have given explicit consent to the processing of those personal data for one or more specified purposes.
  • Processing is necessary for the purposes of carrying out the obligations and exercising the rights of the data controller or your rights in the field of employment and social security and social protection law.
  • Processing is necessary to protect your vital interests or the vital interests of another natural person where you are physically or legally incapable of giving consent.
  • Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without your consent.
  • Processing relates to personal data which you manifestly made public.
  • Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Processing is necessary for reasons of substantial public interest.
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products and medical devices.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

WHAT DOES PERSONAL DATA PROCESSING INCLUDE?

Processing means any operation or set of operations which is performed on personal data.

Examples: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, etc.

DOES CROATIAN CULTURAL CENTRE SUŠAK KEEP RECORDS OF PERSONAL DATA PROCESSING?

Croatian Cultural Centre Sušak is obliged to keep, and does keep, records of personal data processing. Records of processing activities help in monitoring compliance with the General Data Protection Regulation and are kept in both written and electronic form.

WHICH INFORMATION SHOULD YOU RECEIVE WHEN PROVIDING YOUR PERSONAL DATA?

When providing your personal data, you must, among other information, receive information on:

  • The name of the company or organisation processing your data, including the contact data of the Data Protection Officer;
  • The purposes for which your data will be used;
  • The categories of personal data concerned;
  • The legal basis for the processing of your personal data;
  • The period for which your data will be stored;
  • The other companies/organisations that will receive your data;
  • Whether the data will be transferred outside the EU;
  • Your basic rights in the data protection area (e.g. right to access and transfer data or to their erasure);
  • The right to lodge a complaint to the data protection authority;
  • The right to withdraw consent at any time if the processing is based on consent;
  • The existence of automated decision-making, the logic involved, including the consequences.

Information shall be provided in a concise, visible and comprehensive manner and shall be written in clear and simple language.

HOW CAN YOU ACCESS YOUR DATA?

You have the right to ask the Croatian Cultural Centre Sušak whether they have personal data related to you, and you have the right to receive confirmation that the Croatian Cultural Centre has such personal data. If the Croatian Cultural Centre has your personal data, then you have the right to access those data, the right to obtain a copy as well as all the important additional information (such as the reason for processing your personal data, category of used personal data, etc.).

You can send a request to access the data to the Data Protection Officer. When the request is submitted electronically (for example, by email), and unless you demand otherwise, the Croatian Cultural Centre Sušak shall provide you with the information in standard electronic form.

This right is not an absolute right, and the use of the right to access your personal data should not affect the rights or freedoms of others.

THE RIGHTS WE PROVIDE IN ACCORDANCE WITH THE GENERAL DATA PROTECTION REGULATION (GDPR)

  • Transparency: Providing information in the course of personal data collection. Croatian Cultural Centre Sušak shall provide you with its identity and contact details, purposes of processing and legal basis for data processing, recipients, storage period and other necessary data.
  • Access to data: You shall have the right to obtain confirmation as to whether your personal data are being processed and, if they are, which data are being processed; furthermore, you shall have the right to access those data and to information on processing, among other things, on the purpose of processing, storage period, transfer of a certain data to third persons, etc.
  • Right to rectification: You shall have the right to demand rectification of incorrect personal data and the right to have the incomplete personal data completed, including by means of providing a supplementary statement.
  • Erasure (“right to be forgotten”): You shall have the right to obtain the erasure of personal data concerning you if, among other things, the personal data are no longer necessary with regard to the purpose of processing, there is the legal obligation if the processing was based on the consent that you have withdrawn, the personal data have been unlawfully processed, etc. This right has restrictions, so, for example, a politician cannot request the erasure of data on themselves given in the context of their political activity.
  • Right to restriction of processing: In certain situations (for example, when the accuracy of the data is contested) you shall have the right to request restriction of processing, with the exception of storage and some other types of processing.
  • Right to portability: You shall have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided if the processing is carried out by automated means, and based on consent or a contract.
  • Right to object: You shall have the right to object to the processing of personal data if the processing is based on tasks carried out in the public interest, on the exercise of official authority or legitimate interests; in such cases, the Croatian Cultural Centre Sušak shall not process your personal data unless it demonstrates that the legitimate grounds for the processing override your interests, and to defend legal claims.
  • Right to object to the automated individual decision-making (profiling): You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you unless such decision is required in cases provided for by the Regulation.

WHAT HAPPENS IF YOUR DATA “LEAKS”?

A personal data breach occurs when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data processed. In the case of a personal data breach, we shall without undue delay notify the supervisory authority. If the personal data breach may result in a high risk to your rights and freedoms, and if the risk hasn't been mitigated, then we shall inform you about the breach.

THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

At any time, you have the right to lodge a complaint about the processing of your personal data if you believe that the Croatian Cultural Centre Sušak has violated Croatian or European personal data protection regulations while processing your personal data. The complaint can be submitted to the supervisory authority – Croatian Personal Data Protection Agency, Martićeva 14, Zagreb, azop@azop.hr

Croatian Cultural Centre Sušak makes significant efforts to reasonably ensure the safety of all processed personal data. Your data is continuously protected from loss, falsification, manipulation, unauthorised access or unauthorised disclosure. Your data is accessible only to persons who necessarily need the data to perform their work. The necessary measures are being implemented to the extent possible, so that all employees and partners act in accordance with the General Data Protection Regulation, respect confidentiality and privacy, and respect your data in the best possible manner.

Croatian Cultural Centre Sušak will regularly update information on transparency, including the potential effects of changes on you, inform you of regular improvements to safeguards, amend instructions on handling and protecting personal data, provide additional information that might be useful to you, reply to questions and inquiries, and, per the accountability principle, provide reminders about the privacy notice.

Additional information:

General Data Protection Regulation
Act on the Implementation of the General Data Protection Regulation
Croatian Personal Data Protection Agency
