Klimaoprema d.d. is committed to maintaining a relationship of mutual trust by respecting and protecting your privacy and your personal information in accordance with GDPR.
Klimaoprema d.d. (hereinafter referred to as 'the Company') provides a simple and comprehensible notification of the processing of personal data through the Notice on the Processing and Protection of Personal Data, and will make every reasonable effort to ensure that persons whose personal data are processed by the Company are informed of the identity of the Data Protection Officer, the purposes of processing, sharing of data with third parties and any other relevant information.
This Privacy and Personal Data Protection Policy briefly describes the personal data protection policies and measures which the Company applies when collecting, using, sharing and protecting personal information, and explains your rights and choices regarding how we share your personal information and how we communicate with you, how you can request access to and ask for rectification of your personal information and other important issues related to the protection of personal data.
1. Glossary
Personal data – means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location information, network identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Specific categories of personal data – data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric information to identify an individual, health of gender related information, or an individual's sexual orientation.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
Pseudonymisation – means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical or organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Recipient (meaning You) – a natural person to whom the personal data being processed relates (when the Company processes your personal data, you are the Recipient, and the Company is the Processor)
Processor – means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing personal data
Consent – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
2. The principles of processing personal data
The principles of data processing that the Company is guided by when processing personal data are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What requirements arise from the above principles?
- Lawfulness, fairness and transparency of processing: Lawfulness means that processing must comply with a specific lawful basis; The principle of fair and transparent processing requires that the individual is informed about processing and its purposes and the Processor is obliged to provide the Recipient with any additional information necessary to ensure fair and transparent processing, considering the particular circumstances and context of the processing of personal data. Furthermore, the Recipient should be informed about the process of profile creation and about the consequences of such design if profiling is carried out;
- Purpose limitation: means that the data should be collected for specific, explicit and lawful purposes and should not be further processed in a manner inconsistent with those purposes; but further processing is possible for archival research in the public interest, for scientific or historical research or for statistical purposes;
- Data minimisation: means that the data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accuracy: means that the data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Storage limitation: means that the personal data must be kept in a form which permits identification of Recipient for no longer than necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the implementation of appropriate measures required by the Regulation;
- Integrity and confidentiality: means that data must be processed in such a way as to ensure an adequate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
- Accountability: means that the Company is responsible for compliance with the principles and that the burden of proof of compliance with the applicable data protection regulations lies with the Company.
3. Security of personal data
The principles of personal data protection apply to all information in the possession of the Company relating to an Individual whose identity is identified or identifiable. Personal data are handled in a manner that respects security and confidentiality, including the prevention of unauthorized access to personal data and equipment used in the processing of data. Special attention and efforts are devoted to the protection of the specific categories of personal data at the Company's disposal. The Company uses organizational and technical security measures designed to protect personal data from accidental, unlawful or unauthorized destruction, loss, modification, access, disclosure or use. Personal data that is pseudonymized and attributable to an Individual using additional information is considered to be identifiable information about the Individual. Data protection principles do not apply to anonymous information. Personal data in the Company may only be accessed by persons authorized to access such personal data.
3.1 Technical measures of data protection
Some of the technical measures implemented by the Company for data protection are:
- Password protection – a procedure for laptop and computer security;
- Automatic device lock in idle mode;
- Virus scanning software and firewall;
- Authorization to access certain data sets, including authorizations granted to temporary staff;
- Local, wireless and wide area network security measures;
- Application of appropriate safety standards relevant to the Company, etc.
3.2 Organizational measures of data protection
Some of the organizational measures implemented by the Company are as follows:
- Appropriate levels of training on personal data protection;
- Establishment of disciplinary measures and liability in case of personal data breach;
- Monitoring compliance with appropriate safety standards;
- Control of physical access to electronic and paper records;
- Adoption of a personal data protection policy;
- Storing paper records in locked fireproof cabinets;
- Restriction of the use of portable electronic devices taken out of the workplace;
- Restriction of the use of employees' personal devices for business purposes;
- Adoption of password rules;
- Regular backups of personal data, etc.
The personal data protection measures applied by the Company have been selected on the basis of identified risks to personal data security, relevant international security standards and published recommendations and practices regarding data protection.
Furthermore, in order to ensure an adequate level of protection, the measures of personal data protection applied in the Company are subject to change and their updating is foreseen.
In case of personal data breach, the employees are obliged to act and document the breach of personal data in accordance with the envisaged and adopted Procedure for breach of personal data, which all employees and persons in possession of the Company's data are familiar with.
4. Sharing of personal data
Except as described in the Privacy Notice and this Privacy Policy, the Company does not share your personal data with anyone without your consent. It is possible that the Company will be obliged to share personal data in order to fulfill its legal obligations, when it is necessary to protect the Company, employees of the Company or other persons.
All employees, and persons in possession of information held by the Company, are obliged to use special caution when sharing personal data with any third party, and are authorized to share information only when necessary and only those data that are relevant.
5. Your rights
The Company endeavors to provide you with all reasonable options to exercise your right to choose, in connection with the collection, use and sharing of your personal information. We provide you with the right of access and the right to correct your personal data and, inter alia, whenever possible, we give you control over how communication with you will take place.
The right to receive information in a concise, transparent, understandable and easily accessible manner
- among other things, get information about what Your data is, how and for what purpose it is processed
Right to access, correction, deletion
- obtain from the Company confirmation that personal data relating to you is being processed and, if such personal data is being processed, access to your personal data and information, among other things, about the processed personal data, the purpose of processing, storage time, transfer to third countries, etc.;
- you have the right to request the correction of inaccurate personal data relating to you, and, taking into account the purposes of the processing, the right to supplement incomplete personal data, including by making a statement;
- if you no longer want your personal data to be processed for a specific purpose (e.g. processing for the purpose of sending marketing messages, when you withdraw your consent or when personal data are no longer necessary for the purpose of processing), and provided that there are no other legitimate reasons for their further processing, you will be able to request deletion of your data
The right to limit processing
- in certain situations (e.g. when data accuracy is challenged) you have the right to request that processing be restricted with the exception of storage and some other types of processing that are necessary
Right to data transfer
- includes the ability to transfer our data collected or digitally saved to another processing manager
Right to object
- you have the right to object to the processing of personal data if it is based on the legitimate interests of the Company (including profiling). In such a situation, the Company may no longer process personal data unless it proves that its legitimate interests for processing prevail and to protect legal claims;
- also, if you oppose processing for direct marketing purposes, your personal data may no longer be processed;
The right to object to automated individual decision making, including profile creation
- automated decision making refers to the automatic computer processing of data without human intervention. In the event that the Company carries out such processing of your personal data, under certain conditions you have the right not to be affected by the decision so made (including profile creation); you can also object to such a decision and require human intervention. The Company does not create respondents' profiles or have an automated decision-making system.
If you wish to exercise any of the rights set out above, please contact us as follows:
Send us an e-mail at:
szop@klimaoprema.com
Call us on:
+385 1 3362513
You may write to us at:
Klimaoprema d.d.
Gradna 78A
10430 Samobor