Privacy policy and GDPR
Issued: 24 May 2018 — Regulation (EU) 2016/679 and the Law on Implementation of the General Data Protection Regulation
This Policy establishes a responsible and transparent framework for ensuring compliance with the General Data Protection Regulation.
The policy applies to all organizational units of TOTOHOST d.o.o. (hereinafter DATA CONTROLLER) and all employees, including honorary workers and temporary staff, as well as all external associates acting on behalf of the data controller.
The data controller is committed to operating in accordance with all laws, regulations, and the highest standards of ethical business conduct.
This policy sets out expected conduct for employees and external associates who collect, use, store, transfer, publish, or destroy any personal data of employees, business partners, and other natural persons. The policy standardizes the protection of the rights and freedoms of data subjects by preserving the privacy of their personal data in all business aspects involving such information. TOTOHOST d.o.o. will not unlawfully disclose personal data to third parties or act in ways that endanger them.
The data controller adopts the following principles when collecting, using, retaining, transmitting, and destroying personal data:
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal data will be processed lawfully, fairly and transparently toward data subjects. The controller will inform subjects how their data will be processed (transparency), processing will occur only as stated (fairness), and it will be carried out in a manner consistent with applicable data protection law (lawfulness).
PURPOSE LIMITATION
Personal data shall be collected for clearly defined legitimate purposes and not processed in ways inconsistent with those purposes. The controller must clearly specify the intended use and limit processing to the activities necessary to achieve the stated purposes.
DATA MINIMIZATION
Collected personal data will be relevant and limited to what is necessary for processing purposes. The controller will not collect, process, or store more data than strictly required.
DATA ACCURACY
Collected personal data will be accurate and kept current; to that end, the controller will develop procedures for detecting and correcting or erasing outdated, inaccurate, and unnecessary personal data.
STORAGE LIMITATION
Personal data will not be kept in forms enabling subject identification longer than necessary for processing purposes. The controller will store data in ways restricting or preventing subject identification where possible.
DATA SECURITY
Personal data will be processed and stored in a manner that ensures appropriate protection against breaches, including unauthorized or unlawful processing and accidental loss, destruction, or damage. The controller will implement appropriate technical and organizational measures to ensure the integrity and confidentiality of the data at all times.
PRIVACY BY DESIGN
When designing new and reviewing existing systems and processes, all these principles will guide implementation to maximize privacy protection of data subjects.
All data subjects whose data is collected and processed by the data controller have the following rights:
RIGHT TO INFORMATION ACCESS
Each data subject has the right to a copy of data the controller holds for review purposes. Beyond access to personal data, subjects have rights to information about:
All information must be delivered in clear, simple language ensuring understanding. When providing requested information might reveal details about another person, such data must be anonymized or withheld entirely to protect that person's rights.
RIGHT TO DATA CORRECTION
Each data subject has the right to correct inaccurate or incomplete data held by the controller.
RIGHT TO BE FORGOTTEN
Subjects may request data removal from records. Requests will be considered and granted if not contrary to the legal basis for data processing.
RIGHT TO RESTRICT PROCESSING
Subjects have the right to restrict processing scope where applicable.
RIGHT TO DATA PORTABILITY
Subjects have the right to obtain a copy of data for transfer to another data controller.
RIGHT TO OBJECT
Subjects have the right to object, particularly when processing is based on the controller's legitimate interest. A review of processing purpose and legal basis is then required, and where applicable, subjects must be able to withdraw consent and/or stop processing of their data.
RIGHT TO ASSESSMENT
Subjects have the right to request that the supervisory authority assess alleged violations of the Regulation and of this internal policy.
RIGHT TO OBJECT TO PROFILING
Subjects have the right to object to automated profiling and other automated decision-making forms.
When the controller refuses a subject's request, the response must state the refusal reason, which subjects may contest with the competent data protection authority (AZOP).
LEGAL OBLIGATION
Laws governing the controller's activities prescribe the data sets required to fulfil its legal obligations. For legally prescribed data collection and processing, the controller will not request the subject's consent; it will collect only the data prescribed by law and will not use it for other purposes. This particularly applies to data collected under:
CONTRACT PERFORMANCE
Personal data necessary for contractual obligation fulfillment will be collected without subject consent, in minimal scope strictly necessary for obligation fulfillment.
LEGITIMATE INTEREST
The controller will subsequently publish a list of legitimate interests on which it collects and processes personal data for service or product enablement and/or improvement.
VITAL INTEREST PROTECTION
The controller may collect and process personal data without subject consent when protecting their vital interests.
PUBLIC INTEREST OR OFFICIAL AUTHORITY EXERCISE
When the controller's activities involve action in the public interest, or data processing is based on another form of official authority, notifying the subject about the collection of personal data is not always required.
CONSENT
In all other cases, the controller will request the subject's consent for data collection and processing, with the purposes of processing clearly specified. Subjects may withdraw consent at any time; withdrawal automatically requires that the data be removed and processing cease.
The controller will maintain records of active and withdrawn consents ensuring operational correctness.
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation through which the European Parliament, Council, and Commission intend to strengthen and unify personal data protection processes for all individuals within the European Union (EU). The regulation also applies to personal data transferred outside the EU.
DATA CONTROLLER
The subject that determines personal data processing purposes, conditions, and methods.
DATA PROCESSOR
The subject that performs data processing on behalf of the data controller.
PERSONAL DATA PROTECTION AGENCY
The state agency tasked with protecting data and privacy, overseeing Regulation application processes, and actively implementing the Data Protection Regulation within the European Union.
DATA PROTECTION OFFICER
A data protection expert who acts independently to ensure the business entity operates consistently with Regulation-based policies and procedures.
DATA SUBJECT
The natural person whose personal data is processed by the data controller or processor.
PERSONAL DATA
Any information relating to a natural person, meaning the data subject, that can be used to identify that person directly or indirectly.
PERSONAL DATA PROCESSING
Any activity performed on personal data, automated or not, including collection, use, record creation, and similar activities.
PROFILING
Any automated data processing to assess, analyze, or predict subject behavior.
DATA SUBJECT ACCESS RIGHT
Known as the 'right of access,' it enables data subjects to access personal data concerning them held by the data controller.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Law on Implementation of the General Data Protection Regulation.
TOTOHOST d.o.o.
For all data protection questions: podrska@totohost.hr · 099 427-8888
Ulica 61. br. 17, 20260 Korčula, Hrvatska
TOTOHOST d.o.o., 24 May 2018