Pursuant to the provisions of the Law on the Implementation of the General Data Protection Regulation ("Official Gazette" No. 42/2018), the Labour Act ("Official Gazette" Nos. 93/14 and 127/17, 98/19), and the Occupational Safety Act ("Official Gazette" Nos. 71/14, 118/14 and 154/14, 94/18, 96/18), Nicolas Nemet, director of Procode Website j.d.o.o., Zagreb, Ulica grada Vukovara 255/1, OIB: 54600070724, on 02.08.2022, adopts the following
I. General Provisions
Article 1.
- This regulation by Procode Website LLC regulates general rules for the protection, supervision of the collection, processing, and use of personal data, in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals concerning the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC as of April 27, 2016 (hereinafter: Regulation), and the provisions of the Law on the Implementation of the General Data Protection Regulation EU 2016/679 (Official Gazette number: 42/2018) (hereinafter: Law).
- According to Article 3 of the Regulation, Procode Website LLC is obliged to apply the Regulation and is responsible for monitoring the collection, processing, use, and protection of personal data of all individuals whose data it collects and uses.
Article 2.
- According to Article 4, point 7 of the Regulation, Procode Website LLC is the data controller who determines the purpose and means of processing personal data in accordance with national legislation and/or EU law.
II. Definitions
Article 3.
(1) In accordance with the Regulation, certain terms in this Regulation have the following meanings:
- "personal data" means any information relating to an identified or identifiable individual ("data subject"); an identifiable individual is one who can be identified directly or indirectly, especially by reference to an identifier such as a name, identification number, location data, online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual;
- "processing restriction" means marking stored personal data for the purpose of limiting their processing in the future;
- "processing" means any operation or set of operations performed on personal data or sets of personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that individual;
- "storage system" means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
- "data controller" means a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- "data processor" means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller;
- "recipient" means a natural or legal person, public authority, agency, or another body to whom personal data are disclosed, whether a third party or not. Public authorities that may receive personal data in the context of a particular inquiry in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities must be in compliance with applicable data protection rules and the purposes of the processing;
- "third party" means a natural or legal person, public authority, agency, or another body that is not the data subject, data controller, processor, or persons authorized to process personal data under the direct authority of the data controller or processor;
- "data subject's consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- "pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable individual;
- "genetic data" means personal data relating to inherited or acquired genetic characteristics of an individual providing unique information about the physiology or health of that individual, obtained particularly through the analysis of a biological sample of that individual;
- "biometric data" are personal data obtained through special technical processing related to the physical, physiological, or behavioral characteristics of an individual that allow or confirm the unique identification of that individual, such as facial photographs or fingerprint data;
- "health-related data" are personal data related to the physical or mental health of an individual, including the provision of health services, providing information about their health status;
(2) The meaning of other terms related to the application of the Regulation and the Law is directly applied according to the definition in Article 4, paragraph 1, points 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, and 26 of the Regulation.
III. Processing of personal data
Article 4.
- Procode Website J.d.o.o. must collect and process personal data lawfully, fairly, and transparently.
- The collected personal data must be adequate, relevant, accurate, complete, and up-to-date, limited to what is necessary, and must not be collected to a greater extent than necessary to achieve the specified purpose of data collection.
- Personal data must be stored in a form that allows the identification of the data subject for no longer than necessary for the purpose for which the data is collected and/or further processed.
- The processing of collected personal data must ensure appropriate data security.
- Procode Website J.d.o.o. processes personal data only to the extent that one of the following conditions is met:
1. the data subject has given consent to the processing of their personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is a party;
3. processing is necessary for compliance with legal obligations of Procode Website J.d.o.o.;
4. processing is necessary to protect vital interests of the data subject or another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority by Procode Website J.d.o.o.;
6. processing is necessary for the purposes of the legitimate interests pursued by Procode Website Ltd. or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a child.
- During the processing of personal data, Procode Website Ltd. provides the data subject with all information related to the processing of their personal data, especially the purpose of data processing, the legal basis for data processing, the legitimate interests of Procode Website Ltd., the intention to transfer personal data to third parties, the period during which personal data will be stored, the existence of the data subject's right to access personal data and to rectify or erase personal data and restrict processing, the right to object, etc.
Article 5.
- When data collection and processing are carried out through video surveillance, the data controller must indicate that the object or specific room is under video surveillance, and the indication must be visible at the latest upon entering the recording perimeter.
- The notice or label about video surveillance must contain an image and text providing information to the data subject that the area is under video surveillance, information about the data controller, and contact details through which the data subject can exercise their rights.
- The video surveillance system must be protected from unauthorized access, and the controller must establish a log system for recording access to recordings, and the recordings may be kept for a maximum of 6 months.
- If surveillance cameras continuously monitor all movements of employees during the performance of their duties, they can be used only with the written consent of the employees.
- In the case of using video surveillance, the data controller must specify the locations of surveillance cameras and persons authorized to access video surveillance recordings.
IV. Consent
Article 6.
- The consent that the data subject gives to Procode Website J.d.o.o. for the processing of personal data concerning them is voluntary, given in writing, in easily understandable, clear, and simple language, clearly indicating the purpose for which it is given and without unfair conditions.
- If the processing of personal data of a child under the age of 16 is involved, consent in the manner described in paragraph 1 of this article is given by the person with parental responsibility for the child (parent or legal guardian of the child).
- In cases where the collection and processing of personal data are based on consent, proof in the form of a written statement proving that the data subject has given consent to the processing of their personal data must be provided.
- In the case of the previous paragraph, the consent form is attached to the general rules and is an integral part of it, and the data subject can withdraw their consent at any time.
V. Rights of data subjects
Article 7.
(1) Procode Website J.d.o.o. will immediately, but no later than one month from the date of a request by the data subject or their legal representative or proxy:
- inform the data subject about the purpose of processing their personal data, categories of personal data processed, recipients or categories of recipients to whom personal data has been disclosed or will be disclosed, the envisaged period for which personal data will be stored, and in case personal data is not collected from the data subject, information about their source;
- provide the data subject with a printout of personal data contained in the storage system that relates to them;
- correct inaccurate data or supplement data;
- carry out the deletion of personal data concerning the data subject, provided that personal data is no longer necessary for the purposes for which it was collected or if the data subject withdraws the consent on which the processing is based.
(2) The deadline in paragraph 1 of this article may be extended by an additional two months, taking into account the complexity and number of requests. Procode Website Ltd. informs the data subject of any such extension within one month of receiving the request, together with the reasons for the delay.
Article 8.
- Procode Website J.d.o.o. provides information in accordance with Article 7 free of charge.
- Exceptionally, if the data subject's requests are clearly unfounded or excessive, Procode Website Ltd. may charge a reasonable fee, taking into account the administrative costs of providing information or notification.
- The data subject who believes that Procode Website J.d.o.o. has violated any of their rights guaranteed by the General Data Protection Regulation has the right to file a request for determining the violation of rights with the Personal Data Protection Agency.
VI. Data Protection Officer
Article 9.
- Procode Website J.d.o.o. appoints a Data Protection Officer.
- The Data Protection Officer has appropriate professional qualifications and is appointed from the employees of Procode Website J.d.o.o.
- The contact details of the Data Protection Officer are available on the website of Procode Website J.d.o.o.
- The Data Protection Officer performs the tasks of informing and advising the responsible persons of Procode Website J.d.o.o. and its employees who directly process personal data about their obligations under the General Regulation, monitors compliance with the Regulation and other provisions of the Union or Member State on protection, ensures the rights of data subjects, and collaborates with the supervisory authority.
- The Data Protection Officer is obliged to maintain the confidentiality of all information learned in the performance of his duties.
VII. Disclosure of personal data to third parties
Article 11.
- To prevent unauthorized access to personal data, data in written form is stored in folders, in locked cabinets, and data on a computer is protected by assigning a username and password known only to employees responsible for data processing.
- Employees of Procode Website J.d.o.o. are obliged to maintain the confidentiality of data, including personal data of employees, personal data of service users or clients, and business data of Procode Website J.d.o.o.
Article 12.
- Procode Website J.d.o.o. will, as needed, especially when publishing data that could be attributed to a specific data subject, implement pseudonymization as one of the technical measures to protect personal data.
Article 13.
- Individuals responsible for processing personal data are responsible for protecting personal data from accidental loss or destruction, unauthorized access, or unauthorized alteration, unauthorized disclosure, and any other misuse.
- In the event of a personal data breach, the data controller must inform the supervisory authority within 72 hours of becoming aware of it.
- If there is a high risk to the rights and freedoms of individuals, the data controller must inform the data subject of the personal data breach without undue delay.
IX. Final Provisions
Article 14.
- In the part related to the protection, supervision of the collection, processing, and use of personal data not regulated by this Regulation, the Regulation and the Law are directly applied.
- This Regulation enters into force on the day of publication and applies starting from August 2, 2022. It will be published on the website of Procode Website J.d.o.o. or in another appropriate manner.
X. Where can I get more information?
If you have any questions about our use of cookies or other technologies, please send us an email at info@procode.website.