Wet Bescherming Persoonsgegevens – First Property Croatia

FIRST PROPERTY d.o.o. real estate brokerage agency (trading as First Property Croatia) from Bana Berislavića 3, Split, 21000 OIB 38200992035, (hereinafter: the Agency), according to the provisions of the General Data Protection Act – GDPR, and the Law on the implementation of the General Regulation on data protection (Official Gazette 42/18), both in accordance with the Regulation (EU) 2016/679, (hereinafter: the Regulation) on 1st of August 2019 adopts the following:

 

PERSONAL DATA PROTECTION ACT

 

1.OPENING STATEMENTS

Article 1.

(1)Prior to the conclusion of an contractual relationship, during its validity and upon its termination, the Agency is obliged to Process certain data of the Parties involved (Data subjects) for the purpose of reporting, as prescribed by competent authorities. In accordance with the above, and in purpose of responsible business conduct, the Agency brings forth this amended Personal data protection Act (hereinafter: the Act).
(2)The Act defines the rules relating to the protection of natural persons with regard to the Processing of Personal Data collected by the Agency. In accordance with the above, the purpose of this Act is to standardize the protection of the rights and freedoms of the Data subjects by preserving the privacy of their Personal Data in all aspects of the Agency’s operations that include Personal Data.
(3)The Act is published on the Agency’s website https://www.firstpropertycroatia.com/ and exposed in the Agency’s office.
(4)By using the Agency’s website and / or services, the involved Party (Data subject) consents to the Processing of their Personal Data as described in this Act.

 

2.DEFINITIONS

Article 2.

(1)Certain terms in the context of this Act are determined by the Regulation, and have the following meanings:

(A)Personal Data is any information relating to an identified or identifiable natural person (Data subject);
(B)Data subject is a natural person whose Personal Data is being Processed;
(C)Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(D)Profiling is any form of automated Processing of Personal data consisting of the use of Personal data to evaluate certain personal aspects relating to a natural person;
(E)Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
(F)Processor is a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;
(G)Consent of the Data subject is any freely given, specific, informed and unambiguous indication of the Data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her;
(H)Personal Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Sata transmitted, stored or otherwise Processed;
(I)Supervisory authority means an independent public authority which is established by a Member State;
(J)Child is a natural person under 16 years of age.

 

3.DATA PROTECTION PRINCIPLES

Article 3.

(1)The Agency pledges to follow the Principles of Personal Data protection set forth by the Regulation. Therefore, Personal Data shall be:

(A)Processed lawfully, fairly and in a transparent manner in relation to the Data subject. We will always consider your rights before Processing Personal Data. We will provide you information regarding Processing upon request;
(B)Collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes. We will ensure that our Processing activities fit the purpose for which Personal Data was gathered;
(C)Adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed. We will only gather and Process the minimal amount of Personal Data required for any purpose;
(D)Accurate and, where necessary, kept up to date. We will do our best to ensure that any inaccurate Personal Data is erased or rectified without delay;
(E)Kept in a form which permits identification of Data subjects for no longer than is necessary for the purposes for which the Personal Data are Processed. We will not store your Personal Data for longer than needed;
(F)Processed in a manner that ensures appropriate security of the Personal Data. We will do our best to ensure integrity and confidentiality of your Personal Data.

 

4.RIGHTS OF THE DATA SUBJECT

Article 4.

(1)The Data subject has the following rights:

(A)Right to receive information means that the Controller shall take appropriate measures to provide any information relating to Processing to the Data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a Child;
(B)Right to access means that the Data subject shall have the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her are being Processed, and, where that is the case, access to the Personal Data;
(C)Right to rectification means that the Data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her;
(D)Right to erasure (“right to be forgotten”) means that the Data subject shall have the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay and the Controller shall have the obligation to erase Personal Data without undue delay;
(E)Right to restriction of Processing means that The Data subject shall have the right to obtain from the Controller the restriction of Processing;
(F)Right to data portability means that the Data subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to a another Controller;
(G)Right to object means that the Data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to Processing of Personal Data concerning him or her;
(H)Right to object to automated individual decision-making means that the Data subject shall have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

5.THE CONTROLLER AND PROCESSOR

Article 5.

(1)The Agency appoints Anja Plazonić Coulson, the executive of the Agency, as the Controller.

 

Article 6.

(1)The Controller shall:

(A)Implement appropriate technical and organisational measures to ensure and to be able to demonstrate that Processing is performed in accordance with the Regulation. Those measures shall be reviewed and updated where necessary;
(B)Implement appropriate technical and organisational measures in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of Data subjects;
(C)Implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for each specific purpose of the Processing are processed. That obligation applies to the amount of Personal Data collected, the extent of their Processing, the period of their storage and their accessibility;
(D)Engage only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of the Regulation and ensure the protection of rights of the Data subject.

 

Article 7.

(1)The Processor shall:

(A)Processes Personal Data by means of instruction given to him or her by the Controller;
(B)Commit themselves to confidentiality when Processing Personal Data;
(C)Assists the Controller by appropriate technical and organisational measures, insofar as this is possible, to ensure compliance with the obligations laid down in this Act;
(D)At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
(E)Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Act.

 

6.CONSENT TO DATA PROCESSING AND THE SECURITY OF PERSONAL DATA

Article 8.

(1)Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data subject’s agreement to the Processing of Personal Data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the Data subject’s acceptance of the proposed Processing of his or her Personal Data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
(2)Consent should cover all Processing activities carried out for the same purpose or purposes. When the Processing has multiple purposes, consent should be given for all of them. If the Data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

 

Article 9.

(1)To ensure a level of security appropriate to the risk, the Controller and the Processor shall implement appropriate technical and organisational measures, including inter alia as appropriate:
(A)The pseudonymisation and encryption of Personal Data;
(B)The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
(C)The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(D)A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

 

7.PERSONAL DATA BREACH

Article 10.

(1)In the case of a Personal Data breach, that is likely to result in a risk to the rights and freedoms of natural persons, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of the breach notify it to the Supervisory authority competent in accordance.
(2)The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach described in paragraph (1) of this Article.

 

Article 11.

(1)The Supervisory authority mentioned in paragraph (1) of Article 10. is the Croatian Personal Data Protection Agency (AZOP).
(2)AZOP is an independent state body. AZOP is autonomous and independent in its work and is responsible for its work to the Croatian Parliament.

 

Article 12.

(1)The notification referred to in paragraph (1) of Article 7. shall at least:

(A)Describe the nature of the Personal Data breach including where possible, the categories and approximate number of Data subjects concerned and the categories and approximate number of Personal Data records concerned;
(B)Communicate the name and contact details of the Controller or other contact points where more information can be obtained;
(C)Describe the likely consequences of the Personal Data breach;
(D)Describe the measures taken or proposed to be taken by the Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

Article 13.

(1)When the Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the Personal Data breach to the Data subject without undue delay.
(2)The communication to the Data Subject referred to in paragraph (1) of this Article shall describe in clear and plain language the nature of the Personal Data breach and contain at least the information and measures referred to in points (B), (C) and (D) of Article 12.

 

8.CLOSING PROVISIONS

Article 14.

(1)The Agency is committed to safeguarding your privacy. Contact us at: info@firstpropertycroatia.com if you have any questions or problems regarding the use of your Personal Data and we will gladly assist you.