Privacy Policy

Protecting Your Personal Information
M Chanaan ltd respects your privacy and handles your personal information in accordance with the General Data Protection Regulation (GDPR, Regulation EC 2016/679).

We store your personal information electronically and apply appropriate technical and organizational measures and procedures to protect personal data and prevent unauthorized access to your personal information.

The personal information you make available to us is kept only for as long as is needed to fulfil the original purpose of collecting it. You may at any time request information about which of your personal data we hold in our e-mail database, and request that we correct all or some of that data (right to rectification) or delete it (right to erasure, the "right to be forgotten").

To do so, contact us at info@m-chanaan.hr and notify us of your request; we will act on it within the statutory deadline. We do not disclose your personal information to other recipients except where the law requires it or with your explicit consent.

 


 

Pursuant to EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation (Official Journal of the European Union L 119/1 of 04 May 2016, hereinafter: the GDPR Regulation) and the applicable laws of the Republic of Croatia governing data protection, the Management Board of the company M. Chanaan d.o.o., Poreč, Istarskog razvoda 7, OIB: 64240260474, in the role of Controller of personal data, on 15 May 2018 issues the

 

INTERNAL ORDINANCE ON THE PROTECTION OF PERSONAL DATA 

 

Article 1

PURPOSE

The purpose of this Ordinance is to standardize and prescribe the rules related to the protection of natural persons with regard to the processing of personal data and rules related to the free movement of personal data within the company, in order to protect fundamental rights and freedoms of natural persons, especially their right to personal data protection.

 

Standardization and prescription of procedures refers to the procedures for collecting, processing, storing, adapting or modifying, forwarding and/or destroying the personal data of data subjects, the rights and obligations of the controller and the processor, and the rights of data subjects.

 

Article 2

MEANING OF TERMS AND PRINCIPLES 

(1)  Meaning of terms

Certain terms used in the drafting of this Ordinance and accompanying acts have the following meanings:

„Personal data” – means all data relating to a natural person whose identity has been or can be established.

„Data subject” – an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

„Processing” – means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

„Records of processing activities“ (hereinafter: Records) – each controller and processor keeps a Record of the personal data at its disposal and with which it comes into contact. Each controller and processor keeps the Records under its own responsibility in order to demonstrate compliance with the GDPR Regulation, cooperates with the supervisory authority and, on request, gives it access to the Records.

„Restriction of processing” – means the marking of stored personal data with the aim of limiting their processing in the future.

„Profiling” – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person. 

„Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. 

„Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. 

„Controller” –  means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 

„Processor” – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

„Recipient” – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. 

„Third party” – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

„Consent” of the data subject – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Data subject has the right to withdraw his or her consent at any time. The conditions of consent are laid down in Article 7 of the GDPR Regulation.

„Legitimate interests“ – the legitimate interest of the controller may be the legal basis for processing; it covers activities related to the sale of goods or services on the market, the need to collect data in order to identify potential customers or service users, and direct marketing activities for which personal data are collected, provided that the interests or fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller.

„Personal data breach” – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

„Genetic data” – means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

„Biometric data” – means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

„Data concerning health” – means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

„Main establishment” – means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; 

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Ordinance.

„Representative” – means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR Regulation, represents the controller or processor with regard to their respective obligations under this Ordinance.

„Enterprise” – means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

„Group of undertakings” – means a controlling undertaking and its controlled undertakings.

„Binding corporate rules” – means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

 „Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR Regulation.

„Concerned supervisory authority” means a supervisory authority which is concerned by the processing of personal data because: 

(a) the controller or processor is established on the territory of the Member State of that supervisory authority; 

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority.

„Cross-border processing” – means either: 

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

„Relevant and reasoned objection” – means an objection to a draft decision as to whether there is an infringement of this Ordinance, or whether envisaged action in relation to the controller or processor complies with this Ordinance, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union. 

„Information society service” – means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

„International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

 

(2) Meaning of principles

 

Principles relating to processing of personal data should respect the fundamental rights and freedoms of the natural person, and in particular the right of the natural person to the protection of personal data regardless of the nationality or residence of the natural person.

 

Pursuant to Art. 5 of the GDPR Regulation, the processing of personal data is bound by the following principles:

a) Lawfulness, fairness and transparency: processing is lawful only if and to the extent that at least one of the following applies:
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
  • processing is necessary for compliance with a legal obligation to which the controller is subject,
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person,
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Under the principle of lawfulness of processing, a legal obligation to process personal data requires no separate consent of the data subject (e.g. records on employees that the employer is obliged to keep under the provisions of the Labour Act, and other records containing data prescribed by the applicable laws of the Republic of Croatia, such as data on the exercise of natural persons' rights to pension and health insurance, data determining tax and other obligations, and similar).

b) Purpose limitation: personal data must be collected for specified, explicit and lawful purposes and may not be further processed in a manner incompatible with those purposes.

c) Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d) Accuracy: every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e) Storage limitation: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR Regulation in order to safeguard the rights and freedoms of the data subject.

f) Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

g) Accountability: the controller is responsible for, and must be able to demonstrate, compliance with all the above-mentioned principles.

 

Article 3

RIGHTS OF THE DATA SUBJECT

The data subject has the right to inspect the collection of his or her personal data. The most important data subject rights are as follows:

  • transparency (Art. 12–14 of the GDPR Regulation): when collecting personal data, the Controller must, among other information, inform the data subject about its identity and contact details, the purposes of and legal basis for processing, the recipients, transfers to third countries, the storage period, and the withdrawal, deletion and destruction of data;
  • access to personal data (Art. 15 of the GDPR Regulation): the data subject may obtain confirmation from the Controller as to whether personal data relating to him or her are being processed and, if so, access to the personal data and to information on, inter alia, the personal data processed, the purpose of processing, the storage period, transfers to third countries, and the deletion and destruction of data;
  • right to rectification (Art. 16 of the GDPR Regulation): the data subject has the right to request the correction of inaccurate personal data relating to him or her and, taking into account the purposes of processing, to have incomplete personal data completed, including by means of a supplementary statement;
  • erasure – right to be forgotten (Art. 17 of the GDPR Regulation): the data subject has the right to obtain from the Controller the deletion of personal data relating to him or her without undue delay, and the Controller is obliged to delete the personal data without undue delay where, inter alia, the personal data are no longer necessary for the purpose of processing, the data subject has withdrawn consent to the processing, the personal data have been unlawfully processed, and similar;
  • right to restriction of processing (Art. 18 of the GDPR Regulation): in certain situations (for example when the accuracy of the data is contested, or when the data subject wants the Controller to keep the data rather than erase them) the data subject has the right to request that processing be limited to storage and certain other types of processing;
  • right to data portability (Art. 20 of the GDPR Regulation): the data subject has the right to receive the personal data he or she previously provided to the Controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the personal data were provided, where the processing is carried out by automated means and is based on consent or a contract;
  • right to object (Art. 21 of the GDPR Regulation): the data subject has the right to object to the processing of personal data that is based on tasks carried out in the public interest, the exercise of official authority vested in the Controller, or the legitimate interests of the Controller (including profiling); the Controller may then no longer process the personal data unless it demonstrates legitimate grounds for the processing which override the interests of the data subject, or the processing is needed to protect legal claims; where the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for that purpose;
  • right to object to automated individual decision-making, including profiling (Art. 22 of the GDPR Regulation): the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless such a decision is necessary for entering into or performing a contract between the data subject and the Controller, is permitted by EU or national law which lays down appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or is based on the express consent of the data subject.

 

With this Ordinance, the Controller acquaints the data subject with the scope of collection and purposes of personal data processing, risks, principles of personal data processing, rules, safeguards and rights related to personal data processing and how to exercise his or her rights regarding processing.

 

Article 4

The Controller, all its employees, and the natural and legal persons working for it and on its behalf undertake to comply with the GDPR Regulation and this Ordinance in all activities involving the processing of personal data, including data on users of goods and services, customers, employees, suppliers and other partners, as well as all other data processed by the Controller from any source.

 

A third party may not access personal data being processed without a previously concluded contract or confidentiality statement.

 

The Controller may select a Processor, with whom it is obliged to conclude a contract on the processing of personal data that clearly defines the obligations of the Processor and complies with the GDPR Regulation.

 

Article 5

SCOPE OF PERSONAL DATA COLLECTION

Personal data is collected solely on the basis of the purpose limitation principle and the legitimate right of the Controller and may not be collected and processed in a manner inconsistent with those purposes.

 

The processed personal data will be used exclusively for the following purposes:

  • Salary calculation, employee records, bookkeeping, accounting and tax purposes,
  • Execution of contracts,
  • Legitimate interest, and
  • Consent.

Special categories of personal data are neither needed nor permitted to be collected.

 

Article 6

The processing of personal data implies the identification of the legal basis before the processing of personal data. Processing is lawful if and to the extent that at least one of the following is met:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes,
  • Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request before concluding the contract,
  • Processing is necessary in order to comply with a legal obligation of the Controller,
  • Processing is necessary to protect the vital interests of the data subject or of another natural person,
  • Processing is necessary for the legitimate interests of the Controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, especially if the data subject is a child.

 

Article 7

STORAGE AND PROCESSING OF PERSONAL DATA

The controller must not keep personal data that can identify an individual longer than the time required to fulfill the purpose for which the data was collected and the time specified by law.

The Controller stores the processed personal data in accordance with its legal obligation to keep documentation, after which it deletes the personal data (automated processing) or destroys it (written records).

Processing can be manual (written record) and automated (PC and IT infrastructure).

 

Article 8

SECURITY OF PROCESSING

The controller of personal data, for the purpose of security of processing and storage, takes appropriate organizational and technical measures.

All employees of the controller and other persons working for and on behalf of the Controller are responsible for the security of all personal data that the Controller owns and processes.

 

Data should be kept in a secure place that prevents unauthorized access to personal data.

For this reason, all personal information must be kept:

  • In a locked room with controlled access,
  • In a locked drawer or closet,
  • In the case of digital data, it must be password protected, and
  • Stored on encrypted computer media.

Written records must not be left in rooms accessible to unauthorized persons and may not be removed from the safe area without written permission.

Hard disks (HD) of computers that are no longer in use must be destroyed.

 

Article 9

DEFINING ORGANIZATIONAL AND TECHNICAL MEASURES

It is the responsibility of the Controller to ensure accurate and up-to-date data of the data subject. Data kept by the Controller must be regularly updated and must not be kept if not accurate and up-to-date.

 

Personal data must be fit for purpose, relevant and limited in accordance with the framework necessary for processing according to defined obligations.

 

The Controller does not collect data that is not strictly necessary to fulfil the purpose for which it is collected.

 

The controller is obliged to provide organizational and technical measures to protect data from unauthorized access. Organizational measures are the procedures by which data are collected and processed, and technical measures are the procedures for storing personal data.

 

The Controller defines the organizational and technical measures and records them in the Records of processing activities by category of data subject, after categorization and risk analysis.

 

The following documents are an integral part of this Ordinance:

  1. Categorization and analysis of the current situation,
  2. Risk analysis,
  3. List of measures,
  4. Records of processing activities,
  5. Consent form,
  6. Confidentiality Statement.

 

  1. Categorization and analysis of the current situation – in order to comply with the GDPR Regulation, the responsible person of the Controller, or the person to whom this task is delegated, makes a categorization and analysis of the current situation that identifies at least the following:
    • data processing category,
    • source and basis of data collection,
    • method of recording,
    • type of processing,
    • method of processing and retention period, and
    • data forwarding and recipients.
  2. Risk analysis – a document that should contain a clear description of the processing operations that the Controller estimates may be risky.
  3. List of measures – a document that should contain a list of the risk points of processing, if any, and the organizational and technical measures for each category of data processing.
  4. Records of processing activities – the key document, derived from procedures 1 to 3 above, which the Controller monitors continuously throughout the year and, if necessary, supplements with further organizational and technical measures where it assesses that the rights of the data subject may be endangered.
  5. Consent form – a document by which the Controller obtains written consent from the data subject for the processing of his or her data; it relates to employees, customers, suppliers and parents.
  6. Confidentiality Statement – a document prepared by the Controller for employees within the company who directly collect and process personal data, and which they sign.

 

Article 10

Privacy policy

The controller undertakes to protect personal data under the GDPR Regulation, recognizing the importance of protecting the privacy, security and data protection of service users and all persons who come into contact with the controller.

 

Purpose of collecting personal data

In accordance with the principle of purpose limitation, personal data is collected solely in order to provide the service requested by the data subject, to respond to inquiries as efficiently as possible, and for business purposes.

 

Data covered by the Privacy Policy system

The data covered by the privacy policy are as follows: Name and surname, date of birth, residential address, e-mail, telephone and/or fax number, personal identification number (OIB). Other data may be collected only with the written consent of the data subject.

 

Confidentiality of data

All personal data remains confidential, including data provided by the data subject by e-mail from which identification is possible. Such data is used only for the purpose of fulfilling the data subject's request, and the Controller is obliged to keep it confidential in its storage system in accordance with the principle of storage limitation. The protection of the data subject's data is permanent.

 

Legitimate interest

The Controller defines its legitimate interest as the right to collect available data on potential customers from the Internet and other publicly available sources, respecting the principles of purpose limitation and data minimisation, provided that the interests or fundamental rights and freedoms of the data subject do not take precedence; at the request of the data subject, the Controller deletes the collected data from its records.

 

The legitimate interest we pursue is:

  • Marketing, and
  • Performing our activity.

 

Article 11

RESPONSIBILITY OF THE CONTROLLER

The responsibilities of the controller are as follows:

  • Implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR Regulation and, accordingly, carry out the activities referred to in Article 4 of this Ordinance,
  • Respect and give effect to the rights of the data subject referred to in Article 3 of this Ordinance,
  • Instruct the Processor to act in accordance with the provisions of this Ordinance, including any additional restrictions, by means of a special legal act regulating the relationship with the Processor,
  • Adhere to the principles of personal data processing specified in Art. 2 Par. 2 of this Ordinance,
  • Implement the privacy policy.

 

Article 12

PENAL PROVISIONS

This Ordinance regulates penal provisions only in the part related to the violation of the provisions of the Confidentiality Statement signed by the employees of the company.

 

In case of a violation of the provisions of the Confidentiality Statement by an employee, the responsible person of the Controller may impose a fine on the employee in the amount of 1/3 of the net salary.

 

In case of a gross or repeated violation of the provisions of the Confidentiality Statement by an employee, the responsible person of the Controller may give the employee written notice and terminate the employment contract.

 


 

Rights of the data subject

In accordance with the GDPR Regulation EC 2016/679, we have regulated the rights of data subjects, which we hereby present to you.

 

The data subject has the right to inspect the collection of his or her personal data. The most important data subject rights are as follows:

  • transparency (Art. 12–14 of the GDPR Regulation): when collecting personal data, the Controller must, among other information, inform the data subject about its identity and contact details, the purposes of and legal basis for processing, the recipients, transfers to third countries, the storage period, and the withdrawal, deletion and destruction of data;
  • access to personal data (Art. 15 of the GDPR Regulation): the data subject may obtain confirmation from the Controller as to whether personal data relating to him or her are being processed and, if so, access to the personal data and to information on, inter alia, the personal data processed, the purpose of processing, the storage period, transfers to third countries, and the deletion and destruction of data;
  • right to rectification (Art. 16 of the GDPR Regulation): the data subject has the right to request the correction of inaccurate personal data relating to him or her and, taking into account the purposes of processing, to have incomplete personal data completed, including by means of a supplementary statement;
  • erasure – right to be forgotten (Art. 17 of the GDPR Regulation): the data subject has the right to obtain from the Controller the deletion of personal data relating to him or her without undue delay, and the Controller is obliged to delete the personal data without undue delay where, inter alia, the personal data are no longer necessary for the purpose of processing, the data subject has withdrawn consent to the processing, the personal data have been unlawfully processed, and similar;
  • right to restriction of processing (Art. 18 of the GDPR Regulation): in certain situations (for example when the accuracy of the data is contested, or when the data subject wants the Controller to keep the data rather than erase them) the data subject has the right to request that processing be limited to storage and certain other types of processing;
  • right to data portability (Art. 20 of the GDPR Regulation): the data subject has the right to receive the personal data he or she previously provided to the Controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the personal data were provided, where the processing is carried out by automated means and is based on consent or a contract;
  • right to object (Art. 21 of the GDPR Regulation): the data subject has the right to object to the processing of personal data that is based on tasks carried out in the public interest, the exercise of official authority vested in the Controller, or the legitimate interests of the Controller (including profiling); the Controller may then no longer process the personal data unless it demonstrates legitimate grounds for the processing which override the interests of the data subject, or the processing is needed to protect legal claims; where the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for that purpose;
  • right to object to automated individual decision-making, including profiling (Art. 22 of the GDPR Regulation): the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless such a decision is necessary for entering into or performing a contract between the data subject and the Controller, is permitted by EU or national law which lays down appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or is based on the express consent of the data subject.

 


Contact details of the controller:
The controller: M. Chanaan d.o.o., Poreč, Istarskog razvoda 7, OIB: 64240260474
Responsible person of the controller: Justyna Aleksandra Vukušić, director
Tel: +385 (0)52-433-370
E-mail: info@m-chanaan.hr