Notice on processing of personal data

This Information on Processing of Personal Data was adopted by Agency for Audit of European Union Programmes Implementation System located at the Alexandera von Humboldta 4/V, 10000 Zagreb, PIN 94432282335. The Agency is a public institution/authority acting as audit authority in the system of European Union funds and as such performs audit tasks among bodies in the EU Funds.

The Agency will timely inform you on the modifications and / or amendments of the information in the Notice through regular communication channels (via electronic mails, official web pages, and likewise).

In case you have any inquiries on this Notice on Processing of Personal Data, or any other questions related to collection, processing and protection of your personal data, please contact Officer for Data Protection via e-mail: sluzbenik.za.zastitu.podataka@arpa.hr or in written form at the following address: Alexandera von Humboldta 4/V, 10000 Zagreb.

In order to fully comprehend and understand the Notice on Processing of Personal Data, please carefully read Definitions of terms, further below. These terms are mentioned in the Notice and are important for comprehension of the information which the Agency provides within the Notice.

·         Notice means this Notice on Processing of Personal Data;

·         General Data Protection Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

·         REGULATION (EU) No 1303/2013 means REGULATION (EU) no. 1303/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund and repealing Council Regulation (EC) No 1083/2006 including all amendments

·         processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

·         personal data means any information relating to an identified or identifiable natural person (‘data subject’);

·         Agency means the Agency for Audit of European Union Programmes Implementation System located at the following address: Alexandera von Humboldta 4/V, 10000 Zagreb, PIN 94432282335;

·         institution means any public authority including local (regional) self-government units and bodies in the system of European Funds;

·         identifiable natural person is one who can be identified, directly or indirectly;

·         controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

·         joint controllers mean two or more controllers jointly determining the purposes and means of processing;

·         processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

·         recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

·         third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

·         consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

·         personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

·         supervisory authority means an independent public authority which is established by a Member State; in the Republic of Croatia this is Agency for Protection of Personal Data        (AZOP), Selska cesta 136, 10000 Zagreb, Croatia;

·         European Union means inter-governmental and international organisation comprising of 27 European countries whose objectives are economic and political integration of Europe;

·         international organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

In this part of the Notice, the information are provided relating to the persons having the role of identifiable natural person (data subjects) during application or implementation of the project financed under European Union funds.

Data subjects in this procedure may be project beneficiaries, responsible persons of the project beneficiaries, contact persons of the project beneficiaries, project team members, project stakeholders, representatives (parents / custodians / other legal representatives) of stakeholders, project partners, external service providers (suppliers) of the project beneficiary, guarantee providers to the project beneficiary, project evaluators.

In accordance with EU Regulation 1303/2013 and implementing national regulations, the Agency as the audit authority in the system of European funds is responsible for performing audit of EU programmes’ implementation. While performing underlying audit, the Agency has rights and authorities to require project documentation or have an insight in it. During the implementation of audit activities, the Agency also has an insight in computer programmes and systems (applications) used by the institutions, i.e. bodies in the system of European funds, such as the system eFondovi, system ESIF MIS, system for collection of micro-data on participants and likewise. The right to have an insight is exercised as read only right, which means that manipulation of data (modifications, erasures and likewise) is disabled. The Agency is not the owner of the underlying computer systems, but it only exercises the right to have an insight in data bases. Therefore, it is not responsible for actions over data bases which are done by other bodies and stakeholders in the system of EU funds.

All other needed information relating to categories of data subjects may be found further below.

Project beneficiaries, responsible persons of the project beneficiaries, contact persons of the project beneficiaries, project team members, project stakeholders, representatives (parents / custodians / other legal representatives) of stakeholders, project partners, external service providers (suppliers) of the project beneficiary, guarantee providers to the project beneficiary, project evaluators

In case you are the project beneficiaries, responsible persons of the project beneficiaries, contact persons of the project beneficiaries, project team members, project stakeholders, representatives (parents / custodians / other legal representatives) of stakeholders, project partners, external service providers (suppliers) of the project beneficiary, guarantee providers to the project beneficiary, the Agency processes the personal data collected from you directly, or by the person fulfilling project application or being responsible for certain project activities, or receives insight into personal data by a certain responsible authority in the system of EU funds.

The Agency is processing the following categories of your personal data:

·         Identification data: name and surname or title of the holder of family farm, trade or free activity, Personal identification number (PIN)

·         Location data: address (street number, post/zip number/code, city, country).

·         Contact data: telephone and / or mobile phone number, e-mail address, telefax number and likewise.

·         Financial data: data related to project funds (grant amount, eligible expenditure, ineligible expenditure, amounts of salaries, and likewise).

·         Other data: data related to project application or project implementation (MIS code, contract title and status, and likewise).

In addition, if you are a project participant, particularly in the project financed under European Social Fund, then as basic categories of personal data, some other data are also processed: data on education / trainings (e.g. completed education degrees and likewise), data on work experience (e.g. duration of employment and likewise), data on employment relations (e.g. status at labour market, data on personal characteristics / skills (e.g. age), while as special categories of data, data on health condition (e.g. disabled person), data on race or ethnic  origin (e.g. belonging to national minority, migrant status, foreign origin) are also processed.

The Agency is processing the mentioned personal data for the purpose of and on the basis of the following legal grounds:

·         For the purpose of auditing European Union programmes. In the underlying case, the processing is essential in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

·         For the purpose of meeting legal obligations defined by the Agency’s mandate, i.e. respect of the applicable regulations and cooperation with responsible authorities and services. In the underlying case, processing is necessary in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

·         The Agency is processing special categories of personal data (data on racial or ethnic origin) for the purpose of implementing audits of European Union programmes. In the underlying case the processing is essential for the needs of significant public interest which is grounded on the European Union law and law of the Republic of Croatia. The essence of the right to data protection is then respected while adequate and special measures are ensured for protection of basic rights and interests of the data subjects (Article 9, paragraph 2, point g of the General Regulation). Significant public interest represents correct implementation of EU programmes in the Republic of Croatia. Namely, through the correct implementation of EU programmes, the EU funds are fairly distributed to various stakeholders according to planned and programmed activities. In case of incorrect implementation of EU funds, financial corrections may be given to the Republic of Croatia. The role of the Agency is to audit EU programmes in order to identify whether they are implemented correctly.  

In case you are the Agency’s external service provider, the Agency is processing the personal data collected directly from you.

The Agency is processing the following categories of your personal data:

·         Identification data: Name, surname (title) of the holder of family farm, trade or free activity, name and surname of natural person, personal identification number (PIN).

·         Financial data: data related to contract value.

·         Other data: data related to engagement of external service provider (contract number, type of procurement subject matter, and likewise).

The mentioned personal data are processed by the Agency for the following purposes and on the basis of the following legal grounds:

·         For the purpose of entering into contractual obligations with the provider. In the underlying case the legal basis for processing your personal data is contract execution, i.e. actions needed for signing of contract (Article 6, paragraph 1, point b of the General Regulation).

·         For the purpose of meeting legal requirements of the Agency, i.e. respect of applicable regulations and cooperation with responsible authorities and bodies. In the underlying case the processing is necessary in order for the Agency to execute its legal obligations (Article 6, paragraph 1, point c of the General Regulation).

In case you are applying to the public vacancy announcement published by the Agency / for performing students' job on the basis of the contract on execution of students' job or if you are using the possibility of transfer from state administration body, then the Agency is processing the personal data which are collected directly from you or based on documentation which you delivered during submission of job application / application for executing students' job / application for transfer.

The Agency is processing the following categories of your personal data (categories and types of personal data in relation to a concrete data subject vary, depending on the type of the data subject; therefore, below stated categories and types of personal data have been stated for example):

·         Identification data: name and surname, gender/sex, date and place of birth, personal registration number and likewise.

·         Location data: address of permanent and temporary residence (street name and number, post / zip code, city, county, state) and likewise.

·         Contact data: telephone and / or mobile phone number, e-mail address and likewise.

·         Data on schooling / education / training: completed training degrees, acquired professional qualifications, profession, title and likewise.  

·         Data on work experience: previous work place, work experience and likewise.

·         Data on personal characteristics / skills: fluency in foreign language, results of testing, interviews and likewise.

·         Data relating to criminal charges and criminal acts: data found in the Records stating that you are not subject to any criminal procedures.

·         Other data: other personal data contained in various accompanying documents.

The mentioned personal data are processed by the Agency for the following purposes and on the basis of the following legal grounds:

·         For the purpose of review, i.e. analysis of your job application / application to a students’ job in order to identify whether you meet conditions of the public vacancy announcement / that you are a satisfactory candidate for performing students’ job. In the underlying case, the processing is essential for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

·         For the purpose of signing work contract / students’ job contract with you (in case you are the elected candidate for signing a work contract / contract on students’ job). In the underlying case, legal basis of processing your personal data is the execution of contracts, i.e. actions needed for signing of contract (Article 6 paragraph 1 point b of the General Regulation).  

·         For the purpose of review, i.e. analysis of your job application in order to identify whether you meet requirements for transfer from the state administration body. In the underlying case, the processing is essential in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

·         For the purpose of signing work contract with you, if you meet the requirements/conditions for the transfer from state administration body, i.e. if the Agency can fulfil the job application based on the possibility of transfer from the state administration body. In the underlying case, legal grounds for processing your personal data is execution of the contract, i.e. actions needed for the signing of the contract (Article 6 paragraph 1 point b of the General Regulation).

·         For the purpose of meeting legal requirements of the Agency, i.e. respect of applicable regulations and cooperation with responsible authorities and services. In the underlying case, the processing is necessary for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

·         Special categories of your personal data are processed by the Agency exclusively for the purpose of respecting legal obligations which arise from the position of the Agency as public authority. The Agency is processing special categories of personal data which relate to criminal charges and criminal acts on the basis of the fact that the underlying processing is approved by the right of the Republic of Croatia (Article 10 of the General Regulation).  

Agency as public authority is obliged to perform public vacancy announcements and is not able to recruit, i.e. review and analyse job applications received in the form of open job applications out of the public vacancy announcement procedure or throughout transfer procedure from the state administration body.

In case the Agency receives open job application, you will be informed that you should follow public vacancy announcements which the Agency publishes as prescribed by relevant regulations. Also, the Agency shall inform you that your job application, together with your personal data, shall be erased. Accordingly, the Agency shall no further process your personal data.

If you are visiting the web page http://www.arpa.hr/Default.aspx, the Agency is using certain technologies of tracking such as cookies. You can find more in the Cookie policy which is also available on the mentioned web page.

The Agency currently has open users’ accounts on the following social networks:

·         LinkedIn: https://www.linkedin.com/company/arpa---agency-for-audit-of-european-union-programmes-implementation-system/

All the information and materials which you put at the Agency’s disposal via social networks, as well as all communication which is done through the social network is on your own risk. The Agency is not responsible for the actions done by the users of the social network or for the actions by the social network itself. Your interaction with the social network relating to the processing of your personal data is regulated by the privacy policy of that social network.  You can find more on the privacy policies of the social network used by the Agency at the following link: www.linkedin.com/legal/privacy-policy.

The Agency is currently not using the legitimate interest as legal grounds for the processing of your personal data. If the processing of personal data is done on the basis of legitimate interest as legal grounds, the Agency shall inform you about that and commence with amending this Notice.

In the previously mentioned case, the Agency shall take into account your interests, fundamental rights and freedoms, as well as reasonable expectations on the processing of personal data which you have in relation to the Agency.

Further to the above, in order to prove the existence of a legitimate interest, the Agency will conduct a legitimate interest analysis particularly for each activity of personal data processing where legitimate interest is defined as the legal basis of processing. The analysis of legitimate interest consists of three parts: the test of purposefulness, the test of necessity and the test of balance, whereby all parts must have a positive outcome in order for legitimate interest to be used as a legal basis for processing personal data. The Agency will allow insight into the conducted analyses of legitimate interest, which relate to the processing of your personal data.

If the provision of personal data is a legal or contractual obligation or a necessary condition for concluding a contract, at the point of collection of your personal data, the Agency shall clearly inform you whether the provision of personal data is mandatory or not, and what the possible consequences are if you do not provide personal data.

Current business processes of the Agency in which your personal data are processed do not cover your profiling or automated decision making pursuant to your personal data.

In case of introducing these techniques of processing your personal data, the Agency shall adequately inform you and remind you of your right that you do not have to be subject to decision brought exclusively based on automated processing of your personal data, including creation of the profile, i.e. profiling.

The Agency manages your personal data confidentially and protects them according to applicable regulations (international, European and national), as well as best practice which is in force.

Certain categories of recipients, to which the Agency discloses personal data of data subjects, are processing your personal data. In case when the Agency discloses your personal data to the underlying recipients, it is taken into account that valid legal basis for disclosure exists, and that the business operations of the recipients of your personal data is aligned with the General Regulation and other regulations on personal data protection.  

Categories of the recipients of personal data are stated further below, with a short description of the relations with the Agency, while you may request information on exact titles of all recipients of personal data by sending your request to the following e-mail address: sluzbenik.za.zastitu.podataka@arpa.hr or by sending your inquiry in written form to the following address: Alexandera von Humboldta 4/V, 10000 Zagreb.

Processors as recipients of your personal data

Recipients of your personal data, among others, may also be processors of the Agency. When the processors are processing your personal data on behalf of the Agency, those processors, who to a sufficient extent guarantee for the implementation of adequate technical and organisational measures, are selected. Also, each relation with the processor concerning processing of personal data is regulated by a special contract on processing of personal data.

Processors, who may be the recipients of your personal data, provide to the Agency the services needed for daily proceedings:

·         The processors as external service providers who provide additional operative support (IT service, creation and maintenance of the website and likewise),

·         Occasional processors depending on the needs of the Agency (services of documentation translations, services of performing specialised tasks – assistance to audit of programmes and likewise).

Independent controllers as recipients of your personal data

Recipients of your personal data, inter alia, may also be other independent controllers. With regards to the role of the independent controllers, they are responsible for taking care of your personal data based on applicable regulations, own internal procedures and profession rules.

The independent controllers who may be the recipients of your personal data are providers of certain types of services which are important for the lawful business processes of the Agency, or they are other responsible authorities to whom the Agency discloses data respecting thereby its legal obligations: 

·         Independent controllers as service providers of aligning our business operations with applicable regulations (legal consulting, audits and likewise);

·         Independent controllers as other responsible (public) authorities in the system of European Union funds.

Responsible public authorities as recipients of your personal data

Recipients of your personal data, inter alia, may also be other responsible public authorities who act as legally authorised, and based on those authorisations may process your personal data.

The Agency has legal obligation to disclose your personal data to responsible public authorities as recipients of your personal data (supervision procedures, inspection procedures, laying or defending legal claims, and likewise).

In daily activities of the Agency, in principle there is no transfer of your personal data to third countries or international organisations and the transfer is avoided. All countries which are not member states of the European Union are considered as third countries.

In case your personal data are transferred to third countries or international organisations, the Agency shall timely inform you on all details of the transfer (including the information on which third countries and international organisations are in question), as well as on protection measures which we apply.

In case of transferring your personal data to third countries, the Agency’s internal procedures envisage the two-step procedure, in order to allow the underlying transfer. The first step consists of identifying legal grounds of the transfer (including your consent if there are no any other relevant legal grounds). Within the second step, we ensure additional measures of transfer protection, whereby all is aligned with the provisions of Chapter V of the General Regulation.

At the time of determining the means of processing and at the time of the processing itself, the Agency implements appropriate technical and organizational measures to protect your personal data, while taking into account the latest achievements, the cost of implementation and the nature, scope, context and purposes of the processing. Also, every business process of the Agency that includes the processing of personal data has undergone a risk analysis and, if necessary, an assessment of the impact on data protection, which assesses the risk and seriousness for your rights and freedoms as a data subject in relation to individual processing of your personal data.

Technical and organisational measures applied by the Agency ensure effective application of the principle of protection of personal data, including principle of reduction of data volume, principle of restriction of purpose, principle of completeness and confidentiality, etc.

Technical and organisational measures used by the Agency are divided into three groups: measures to ensure confidentiality, measures to ensure integrity and measures to ensure the availability of personal data and the resilience of the processing system.

Measures ensuring confidentiality of personal data include, but are not restricted to, general physical control of access, general logical control of access, special control of access to personal data, separation of personal data and likewise.

Measures ensuring integrity of personal data include, but are not restricted to, control in case of transfer of personal data, control during the entry of personal data in processing system and likewise.

Measures ensuring availability of personal data and resistance of processing system include, but are not restricted to, control of availability, resistance of our processing systems, pseudonimisation and encryption when possible, periodic audits, assessments and evaluations of proceedings in relation to protection of personal data and likewise.

Periods for storing your personal data may vary depending on the categories of personal data which are processed, purposes, legal base for the processing of your personal data and applicable regulations (criteria for calculation of the period for storing personal data).

Further below general criteria and deadlines for storing personal data may be found; however, deadlines may vary depending on the specific situations of processing.

Detailed periods for storing your personal data are defined by internal bylaws and written procedures of the Agency. If your wish to obtain detailed information on the periods for storing your personal data, you may contact the Agency by sending your request to the following e-mail address: sluzbenik.za.zastitu.podataka@arpa.hr or by sending your inquiry in written form to the following address: Alexandera von Humboldta 4/V, 10000 Zagreb.

Criterion for calculating the storage period

When the applicable regulations define the period in which the Agency is obliged to store your personal data, then the Agency stores the data in the period envisaged by the applicable regulations and shall erase them in the additional period of 1 (one) year, as of the day of expiry of the period defined by applicable regulations.

In case the Agency is processing your personal data based on the legal base of contract execution, and applicable regulations do not define compulsory period for the storage of your personal data, then personal data shall be kept for the whole period of the contractual relationship and shall be erased in the additional period of 1 (one) year, as of the day of termination of contractual relationship.

If the Agency is processing your personal data based on the consent as legal basis, it shall then store personal data until you withdraw your consent. When you withdraw your consent, the Agency shall withdraw your personal data within shortest possible deadline. If you gave your consent for a certain period of time, the Agency shall upon the expiry of the underlying period erase your personal data within shortest possible deadline.

As data subject whose personal data are processed by the Agency, you are entitled with a right to exercise the rights stated further below.

You may exercise your rights by sending the request to the following e-mail address: sluzbenik.za.zastitu.podataka@arpa.hr or by sending your inquiry in written form to the following address: Alexandera von Humboldta 4/V, 10000 Zagreb.

In order for the Agency to provide to you accurate and complete information within shortest possible deadline, we would appreciate if you state in your request the following:

1.    Title of the e-mail or written request: „Request for Exercising Rights of Data Subject“;

2.    Essential information on your identity so that your personal data could be reached (e.g. name, surname, personal identification number and likewise);

3.    Title of the right you would like to exercise (see further below titles and descriptions of the rights);

4.    Information on communication channel (e.g. your e-mail address or residential address) where you would like to receive the reply.

During the submission of request for exercising the rights, in case of reasonable doubts concerning your identity, the Agency has a right to ask for providing of additional information which is essential for identification of your identity.

Upon your request the Agency replies within one month as of the day of receiving your request. The underlying deadline shall be prolonged for additional two months if several your complex requests are in question. You shall be in detail and timely informed on the prolongation of the deadline for reply and about the reasons for this prolongation.

All information provided to you in relation to your request for the exercise of your rights, including your communication with the Agency, shall be provided free of charge. However, if the Agency repetitively receives from you the manifestly unfounded and excessive requests, the Agency retains its right to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.

Where by submission of request you exercise your rights, the Agency also processes your personal data in order to meet your request, according to provisions of General Regulation.

Right of access by the data subject

As data subject, you have the right to obtain from the Agency the confirmation whether they process your personal data and if the do process them, access to your personal data and relevant information in relation to those (information on processing purposes, categories of your personal data which are processed, categories of recipients to whom your personal data are disclosed, envisaged periods for storing your personal data, etc.).

Also, the Agency ensures for you a free copy of personal data which are being processed.

Right to rectification

As data subject whose personal data are processed by the Agency, you have the right to obtain rectification of your inaccurate personal data. Taking into account the purpose of the processing, you have the right to request supplementing of your incomplete personal data, among others by giving additional statement.

Right to erasure (‘right to be forgotten’)

As data subject whose personal data are processed by the Agency (controller), you have the right to obtain erasure of your personal data if one of the following conditions is fulfilled:

·         Your personal data are no longer necessary in relation to the purposes for which they are collected,

·         You have withdrawn your consent which was the only legal ground for the processing of your personal data,

·         You have objected to the processing of your personal data and there are no overriding legitimate grounds for the processing, i.e. if processing is done for the needs of direct marketing,

·         Your personal data have been unlawfully processed,

·         Your personal data have to be erased for compliance with a legal obligation arising from the rights of the European Union or the Republic of Croatia.

Right to erasure cannot be used under certain conditions defined in Article 17 paragraph 3 of the General Regulation. If you have any questions in relation to conditions under which you cannot exercise your right to erasure, as well as questions related to obtaining your rights in general, you may contact the Agency by sending your inquiry to the e-mail address: sluzbenik.za.zastitu.podataka@arpa.hr or by sending your inquiry in written form to the following address: Alexandera von Humboldta 4/V, 10000 Zagreb.

If the Agency published your personal data which it is obliged to erase, taking into account the available technology and the cost of implementation, reasonable measures will be taken to erase your personal data which were published and made public, including links to those data, their copies or restructuring/modification. At the same time, the Agency is not responsible for your published personal data on public sources which are not managed by the Agency.

Right to restriction of processing

As data subject whose personal data are processed by the Agency (controller), you have the right to obtain restriction of processing your personal data if one of the following conditions is fulfilled:

·         You contest the accuracy of your personal data for a period in which the Agency verifies the accuracy of your personal data,

·         The processing of your personal data is unlawful, however, you oppose to the erasure of the data,

·         Your personal data are no longer needed to the Agency, but you require them for the establishment, exercise or defence of legal claims,

·         You have objected to processing your personal data pending the verification whether the legitimate grounds of the Agency override yours.

In spite of your request to exercise the right to restrict processing, the Agency may continue to process your personal data with your consent, for the purpose of establishing, exercising or defending legal claims, protecting the rights of other natural or legal persons, and due to the important public interest of the European Union or a member state.

The methods used by the Agency to enable you to exercise your right to restriction of processing include, inter alia, the temporary transfer of your personal data to another processing system/s, especially marking of your personal data in the system/s as those whose processing is currently restricted, temporarily disabling the processing of your personal data, temporary removal of your personal data from publicly available sources of the Agency (for example, the website if applicable) and likewise. The methods applied by the Agency will vary depending on the types of processing your personal data.

Right to data portability

As data subject whose personal data are processed by the Agency, you have the right to receive your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller in case the processing of your personal data is based on consent or contract and the processing is carried out by automated means. Right to your personal data portability shall not adversely affect the rights and freedoms of others.

In accordance with Article 20, paragraph 3 of the General Regulation, for processing of personal data which the Agency executes while performing mandatory tasks and commitments of public interest, right to data portability cannot be exercised.  

Right to object

As the data subject whose personal data are processed by the Agency, you have the right, on grounds relating to your particular situation to object to processing of your personal data, which are processed while performing tasks of public interest or executing official powers or where the underlying processing is based on legitimate grounds.

Right to withdrawal of consent

As data subject whose personal data are processed by the Agency on the basis of consent as legal grounds, you have right to withdraw your consent at any moment. Withdrawal of consent does not have any impact on legality of processing your personal data on the basis of consent, before its withdrawal.

Right to lodge a complaint with a supervisory authority

As the data subject whose personal data are processed by the Agency, at any moment you have the right to lodge a complaint with an independent public authority for protection of personal data.

The independent public authority in the Republic of Croatia is the Agency for Protection of Personal (AZOP) located at the address Selska cesta 136, 10000 Zagreb, Croatia. AZOP may be contacted via e-mail address azop@azop.hr, via telephone number 00385 (0)1 4609-000 or in written form sent to the mentioned address of the headquarters.

More information on AZOP may be found on the web pages at the following link: www.azop.hr.