Privacy policy
Personal Data Protection Policy
Fijačko & Barović law firm, GP
1. INTRODUCTION
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the European Union L 119, 4.5.2016., hereinafter: "General Regulation"), which has been fully applicable since 25 May 2018 in the Republic of Croatia and all EU member states, as well as the Implementation of the General Data Protection Regulation Act ("Official Gazette" No. 42/18), and in accordance with the overall legal framework for personal data protection in the Republic of Croatia and the European Union, and best European practices,
FIJAČKO & BAROVIĆ law firm, GP, with registered seat in Zagreb, Radnička cesta 1A, registered in the court register of the Commercial Court in Zagreb under registration number (MBS): 081618295, personal identification number (OIB): 61602978308 (hereinafter: "FB.LAW"), as the data controller of personal data of its service users and other natural persons in accordance with specific legal relationships and business processes, has drafted this Personal Data Protection Policy as a unilaterally binding legal act based on fundamental principles of personal data processing. This document regulates which personal data is collected, how such data is processed, on what legal basis, for what purposes it is used, and other matters related to personal data processing (hereinafter: "Policy"). The purpose of this Policy is also to inform natural persons about their rights concerning the collection and further processing of personal data, all in order to protect their privacy.
2. GENERAL INFORMATION AND DEFINITIONS
FB.LAW's business, in terms of collecting and processing personal data of natural persons, is fully compliant with the provisions of the General Regulation, ensuring the protection of individuals' privacy. Any person who believes that FB.LAW is processing their personal data unlawfully, in addition to the rights they have directly with FB.LAW, has the right to lodge a complaint with the competent supervisory authority.
This Personal Data Protection Policy is based on the following fundamental principles of personal data processing that FB.LAW must adhere to in its business operations:
· Principle of lawfulness, fairness, and transparency – every processing of personal data must be based on a specific legal basis, and individuals must be informed about the processing procedure and its purposes. The data controller is required to provide the data subject with all additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context of the personal data processing;
· Principle of purpose limitation – personal data must be collected for specific, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. However, further processing for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes is allowed;
· Principle of data minimization – personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
· Principle of accuracy – personal data must be accurate and, where necessary, kept up to date. Every reasonable measure must be taken to ensure that inaccurate personal data are rectified or erased without delay;
· Principle of storage limitation – personal data must be stored in a form that allows the identification of data subjects only for as long as necessary for the purposes for which the personal data is processed. Longer retention periods are allowed only if the data will be processed solely for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes with appropriate protection measures prescribed by the General Regulation;
· Principle of integrity and confidentiality – personal data must be processed in a manner that ensures an appropriate level of security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage;
· Principle of accountability – FB.LAW, as the data controller, is responsible for compliance with the aforementioned principles and must be able to demonstrate such compliance.
This Policy applies to all business activities of FB.LAW and aims to clearly and transparently inform all individuals whose personal data is being processed about the procedures of personal data processing, their rights, the purposes for which their data is used, and the legal basis for processing.
FB.LAW is fully committed to ensuring the continuous and effective implementation of this Policy and expects the same from its employees and business partners. Any violation of this Policy may result in appropriate disciplinary measures or business sanctions.
In accordance with the definition from Article 4, Point 7 of the General Regulation, FB.LAW is the data controller that determines the purposes and means of personal data processing in accordance with national and/or EU legislation.
The provisions of this Policy shall apply accordingly to cases where FB.LAW acts as a data processor on behalf of another data controller.
Definitions used in this Policy:
· "Personal data" – any information relating to an identified or identifiable natural person (‘’Data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In accordance with the above, personal data includes, for example, first and last name, OIB (Personal Identification Number), residential address, e-mail address, data contained in a court or other file of the respondent as a party, photograph, etc.;
· "Data Subject" – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
· "Processing" – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
· "Data Breach" – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed;
· "Recipient" – A natural or legal person, public authority, agency, or another body to which personal data is disclosed, whether a third party or not.
· "Consent of the Data Subject" – Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;
· "Third Party" – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
· "Processor" – A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
3. LAWFULNESS OF PERSONAL DATA PROCESSING
FB.LAW processes personal data only to the extent that at least one of the following conditions is met:
· the data subject has given consent for the processing of their personal data for one or more specific purposes;
· processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
· processing is necessary for compliance with a legal obligation to which the data controller is subject;
· processing is necessary to protect the vital interests of the data subject or another natural person;
· processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
· processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, particularly if the data subject is a child.
When determining a legitimate interest for processing personal data (e.g., establishing a video surveillance system), FB.LAW is required to conduct an adequate assessment of the existence of a legitimate interest as a legal basis, based on a "balancing of interests" principle, in order to establish compliance with the conditions prescribed by the General Regulation, which will be documented accordingly.
If the legal basis for processing personal data is the consent of the data subject, such consent must be given voluntarily, in writing, using clear and simple language, and with a clearly stated purpose. The consent must include a note on the method of withdrawal, which must be as simple as giving consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
When receiving emails containing personal data that can be used to identify a data subject, whether as a question, comment, or a specific form submitted via email, FB.LAW will process such data exclusively for the purpose of addressing the request, unless a different purpose for processing is required.
4. PERSONAL DATA WE PROCESS AND PURPOSES OF PROCESSING
FB.LAW collects and processes the following categories of personal data:
a) Personal data of FB.LAW employees: full name, residential/permanent address, personal identification number (OIB), date of birth, nationality, educational background, and other personal data required by law or arising from the employment relationship (salary details, workplace, working hours, annual leave records, etc.).
PURPOSE OF PROCESSING: Fulfilling rights and obligations arising from the employment relationship between FB.LAW and its employees (lawyers, trainee lawyers, and other staff). Providing this data is a legal and contractual obligation of the data subject and is a prerequisite for establishing and maintaining the employment relationship.
b) Personal data of individuals participating in recruitment or selection processes (open applications) for employment at FB.LAW: full name, residential/permanent address, personal identification number (OIB), date of birth, and other data provided by the applicant during the recruitment or selection process.
PURPOSE OF PROCESSING: Hiring new employees at FB.LAW. Providing this data is a requirement for potential employment.
c) Personal data of clients, opposing parties, their representatives, witnesses, expert witnesses, and other individuals involved in legal or other proceedings where FB.LAW exercises its legal rights and obligations: full name, residential/permanent address, personal identification number (OIB), relationship with other persons, and other personal data contained in legal and other documents.
PURPOSE OF PROCESSING: Execution of legal rights and obligations. Providing this data is a contractual obligation necessary for the proper execution of legal rights and duties.
d) Personal data of individuals with whom FB.LAW maintains other business collaborations as part of its professional activities: full name, date of birth, personal identification number (OIB), residential address, bank account number, and other data related to the fulfillment of mutual contractual and legal obligations.
PURPOSE OF PROCESSING: Acquisition of goods and services in legal transactions and fulfillment of rights and obligations arising from such legal relationships. Providing this data is a legal and contractual obligation of the data subject and is necessary for contract conclusion.
e) Personal data published on the FB.LAW website (www.fb-law.eu): full name, photograph, professional experience, educational background, area of expertise, etc., in relation to FB.LAW employees.
PURPOSE OF PROCESSING: Public disclosure of detailed information about the professional team employed at FB.LAW. Providing this data is neither a legal nor a contractual obligation, and data subjects will not suffer negative consequences if they choose not to provide consent.
FB.LAW processes personal data solely for the purposes listed above and will not use or process them for other (incompatible) purposes.
Exceptionally, if the processing of personal data for a purpose different from the one for which they were initially collected is not based on the data subject's consent, EU law, or Croatian law, FB.LAW will assess whether the intended processing is compatible with the original purpose, taking into account:
· the relationship between the purpose of the initial data collection and the intended further processing;
· the context in which the personal data was collected, particularly regarding the relationship between the data subject and the data controller;
· the nature of the personal data;
· potential consequences of further processing for data subjects;
· the existence of appropriate safeguards, which may include encryption or pseudonymization.
If FB.LAW intends to further process personal data for a purpose different from the one for which they were originally collected, it will provide the data subject with information about this new purpose and any other relevant details required under the General Regulation before proceeding with such processing.
5. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
In accordance with the provisions of the General Regulation, FB.LAW processes the above-mentioned personal data based on the following legal grounds, which exist individually or cumulatively in the specific case of personal data processing:
· Personal data listed under 4.a) – Processing is necessary for the performance of a contract to which the data subject is a party / processing is necessary for compliance with legal obligations of the data controller (regulations on employment, health and pension insurance, tax regulations, regulations on legal services, etc.);
· Personal data listed under 4.b) – Processing is necessary to take actions at the request of the data subject prior to entering into a contract;
· Personal data listed under 4.c) – Processing is necessary for the performance of a contract to which the data subject is a party or to take actions at the request of the data subject prior to entering into a contract / processing is necessary for compliance with legal obligations of the data controller (regulations on legal services) / processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party / processing is necessary to protect the vital interests of the data subject or another person;
· Personal data listed under 4.d) – Processing is necessary for the performance of a contract to which the data subject is a party / processing is necessary for compliance with legal obligations of the data controller (accounting regulations, etc.) / processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party;
· Personal data listed under 4.e) – The data subject has given consent for the processing of their personal data for a specific purpose.
In other cases, the data subject has provided consent for the processing of their personal data for one or more specific purposes.
In the case of sending offers for legal services, opinions, etc., based on inquiries or existing business cooperation with clients, consent is not required, as this is considered our legitimate interest in accordance with point 47 of the preamble to the Personal Data Protection Regulation.
In addition to the above legal grounds, FB.LAW may process personal data in cases prescribed by law or decisions of the competent public authority. FB.LAW processes the aforementioned personal data exclusively in a manner consistent with the purpose for which they were collected and will not process them for other purposes.
6. PERSONS AUTHORISED TO PROCESS PERSONAL DATA
In the context of performing its daily business processes and carrying out its legal activities, FB.LAW, as the data controller, processes the aforementioned personal data through its employees and authorized representatives.
The processing of personal data within the scope of their job and in the context of performing their daily work duties at FB.LAW is carried out by, and may be carried out by:
a) authorised representatives of FB.LAW (company's members);
b) attorneys-at-Law;
c) legal associates;
d) administrative secretary;
e) other employees with appropriate authorisations.
On behalf of FB.LAW as the data controller, in certain cases, personal data is processed by a data processor (e.g., accounting or IT service). FB.LAW is required to enter into a written agreement with such processors, in which the processor commits to applying all data protection standards prescribed by the General Regulation in relation to the protection of the personal data in question. Additionally, the processor is not authorised to engage another processor (sub-processor) without the prior specific or general written consent of FB.LAW.
7. PERSONAL DATA'S RECIPIENTS
If required by the purpose of processing personal data or if there is a legal obligation, in certain cases FB.LAW discloses (forwards) personal data to other individuals or legal entities, public authorities, agencies, or other bodies. In all other cases, FB.LAW does not disclose personal data to third parties.
For full transparency, the following is a description of the categories of recipients of specific personal data held by FB.LAW:
1. Personal data listed under 4.a) are disclosed to:
· external accounting services and IT specialists with whom FB.LAW has entered into an appropriate written agreement in accordance with the provisions of the General Regulation;
· the Tax Administration;
· the Croatian Health Insurance Fund;
· the Croatian Pension Insurance Institute;
· the Croatian Bar Association;
· the business bank where the employee has an account;
· other public authorities when there is such a legal obligation.
2. Personal data listed under 4.b) are not disclosed to other recipients, unless explicitly requested by the job candidate, and if there is such an interest from FB.LAW.
3. Personal data listed under 4.c) are disclosed to:
· courts;
· public authorities;
· substitute Attorneys-at-Law, if applicable;
· other legal and natural persons in accordance with the purpose of providing legal services.
4. Personal data listed under 4.d) are not directly disclosed to other recipients.
5. Personal data listed under 4.e) are publicly available on the website www.fb-law.eu and are not directly disclosed to other recipients.
In fulfilling its obligations related to the "right of access to personal data and additional information" (here under 10.B), FB.LAW provides specific information about the recipients of personal data for each individual data subject.
8. DATA SUBJECT'S RIGHTS
FB.LAW ensures the exercise of the following rights for individuals whose personal data it processes (regulated by Articles 12 – 22 of the General Regulation):
A. Transparency;
B. Access to personal data and additional information;
C. Right to rectification;
D. Right to erasure ("Right to be forgotten");
E. Right to restriction of processing;
F. Right to data portability;
G. Right to object.
In addition to the aforementioned rights that a data subject can exercise with FB.LAW, the data subject also has the right to file a complaint with the competent supervisory authority. In the Republic of Croatia, the competent authority is the Personal data protection agency.
A. TRANSPARENCY:
FB.LAW is obligated to provide the data subject with information upon collection of personal data, including, among other things, the identity and contact details of the controller, the purposes of processing, the legal basis for processing the data, the recipients, any transfer to third countries, retention periods, the possibility of withdrawing consent, and other information in accordance with the provisions of the General Regulation.
One way to comply with this obligation is by familiarizing the data subject with the provisions of this Privacy Policy, thereby fulfilling the requirements of Article 13 of the General Regulation (Information to be provided when personal data are collected from the data subject). This can be done, for example, by providing a link to the text of this Policy on a website.
If FB.LAW does not collect personal data directly from the data subject, it is still required to provide the aforementioned information, unless otherwise specified by Article 14 of the General Regulation.
B. ACCESS TO PERSONAL DATA AND ADDITIONAL INFORMATION:
FB.LAW must, upon request, provide the data subject with information about whether personal data related to them are being processed. If such data is being processed, FB.LAW must grant access to personal data as well as provide information, including, but not limited to, the processed personal data, the purposes of processing, the retention period or the criteria used to determine that period, any transfer to third countries, and other information as required by the General Regulation.
In this case, FB.LAW will provide a copy of the personal data being processed related to the data subject. For any additional copies requested by the data subject, FB.LAW may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, and unless the data subject requests otherwise, the information will be provided in the commonly used electronic format.
The right to obtain a copy of the processed personal data must not adversely affect the rights and freedoms of other individuals.
C. RIGHT TO RECTIFICATION:
FB.LAW is obligated to allow the data subject to correct inaccurate personal data relating to them and to complete any incomplete personal data, including by providing an additional statement.
D. RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN"):
The data subject has the right to request the erasure of personal data related to them, and FB.LAW is obligated to erase the personal data without undue delay if at least one of the following conditions is met:
· The personal data is no longer necessary for the purposes of processing;
· The data subject has withdrawn consent for processing, and there is no other legal basis for processing the data;
· The data subject objects to processing in accordance with Article 21(1) of the General Regulation, and there are no overriding legitimate grounds for processing the data;
· The personal data has been unlawfully processed;
· The personal data must be erased to comply with a legal obligation under EU or Croatian law.
E. RIGHT TO RESTRICTION OF PROCESSING:
The data subject has the right to obtain restriction of the processing of their personal data if one of the following conditions is met:
· The data subject contests the accuracy of the personal data, for a period enabling FB.LAW to verify the accuracy of the personal data;
· The processing is unlawful, and the data subject objects to the erasure of the personal data and instead requests the restriction of its use;
· FB.LAW no longer needs the personal data for the purposes of processing, but the data subject requests it for the establishment, exercise, or defense of legal claims;
· The data subject has objected to processing based on Article 21(1) of the General Regulation, pending verification of whether the legitimate grounds of FB.LAW override the interests of the data subject.
If processing is restricted in the manner described above, the personal data may only be processed with the data subject's consent, except for storage of such personal data, or for the establishment, exercise, or defense of legal claims, or to protect the rights of another individual or legal entity, or for reasons of important public interest.
FB.LAW will inform the data subject before the restriction of processing is lifted.
F. RIGHT TO DATA PORTABILITY:
The data subject has the right to receive their personal data, which they have provided to FB.LAW, in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to another data controller without obstruction from FB.LAW, provided that the processing is carried out by automated means and is based on consent or a contractual obligation.
G. RIGHT TO OBJECT:
The data subject has the right to object to any processing of personal data based on legitimate interest pursued by FB.LAW (including profiling).
In the case of an objection, FB.LAW must cease processing the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests of the data subject or are necessary for the establishment, exercise, or defense of legal claims.
The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless such a decision is necessary for entering into or performing a contract between the data subject and FB.LAW, is authorized by law, or is based on the explicit consent of the data subject.
FB.LAW is obligated to inform the data subject of the right to object at the earliest opportunity during the first communication, in a clear and separate manner from any other information. This applies if the legal basis for the specific processing of personal data is the legitimate interest of FB.LAW.
9. PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT:
The data subject can submit requests to exercise their rights verbally or in writing, including via electronic communication. If an individual submits a request concerning any of the aforementioned rights of the data subject, FB.LAW will review each such request in accordance with the applicable data protection regulations.
If FB.LAW has reasonable doubts about the identity of the individual submitting the request to exercise their rights, it may, in that case, request additional information necessary to confirm the identity of the data subject.
FB.LAW will provide the data subject with information on the actions taken in response to the request without undue delay and, in any case, within one month of receiving the request. This period may be extended by an additional two months, taking into account the complexity and number of requests. FB.LAW will inform the data subject of any such extension within one month of receiving the request, along with the reasons for the delay. If the data subject submits a request electronically, the information will be provided electronically, if possible, unless the data subject requests otherwise.
If the data subject’s requests are clearly unfounded or excessive, particularly due to their repetitive nature, FB.LAW may:
· charge a reasonable fee based on the administrative costs of providing the information or notifications or acting upon the request; or
· refuse to act on the request.
10. LOCATION AND DURATION OF STORAGE AND PROCESSING OF PERSONAL DATA:
FB.LAW processes personal data within the territory of the Republic of Croatia.
Personal data in physical form (written documentation) are stored and otherwise processed in the business premises of FB.LAW in Zagreb, unless the purpose of the processing or a legal obligation requires otherwise.
Personal data in electronic form are stored and otherwise processed within the IT infrastructure available to FB.LAW, unless the purpose of the processing or a legal obligation requires otherwise.
FB.LAW stores the personal data it holds for a period determined by the purpose of processing specific personal data or the legal obligation to which the processing is subject. Accordingly, FB.LAW promptly deletes all personal data once the purpose of processing has been fulfilled (ceased).
Regarding legal obligations for storing personal data, FB.LAW is required to comply with regulations governing, for example, the provision of legal services, accounting activities, tax obligations, the recording of certain facts related to employment relationships, and all other legal relationships that FB.LAW enters into within the scope of its business.
In fulfilling its obligations under the "right of access to personal data and additional information" (outlined in section 10. B), FB.LAW will, among other things, provide the data subject with information about the anticipated period during which the personal data will be stored or, if this is not possible, the criteria used to determine that period.
11. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
In the event that the purpose of processing personal data or a legal obligation requires it, FB.LAW may transfer personal data to a third country only in accordance with the provisions of the General Regulation. In such cases, FB.LAW will always inform the data subject about the intention to transfer their personal data to a third country. Personal data may only be transferred to those third countries for which the European Commission has issued an adequacy decision (transfers based on an adequacy decision). The European Commission compiles and publicly publishes a list of third countries that provide an adequate level of protection for personal data, to which personal data can be transferred without further restrictions.
If it is necessary to transfer personal data to a third country that is not on the European Commission’s list, such transfer is only possible in the manner prescribed by the GDPR.
In fulfilling its obligations under the "right of access to personal data and additional information" (outlined in section 10. B), FB.LAW will provide specific information about the potential transfer of personal data to third countries, as well as the appropriate protective measures taken in such cases.
12. ORGANIZATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA
In order to ensure the proper implementation of the provisions of this Policy, as well as other internal acts related to the protection of personal data, FB.LAW is committed to raising awareness among its employees regarding the rights and obligations arising from the provisions of the General Regulation.
Individuals responsible for processing personal data are accountable for protecting personal data from accidental loss or destruction, unauthorized access or unlawful processing, unauthorized disclosure, and any other misuse. They are required to sign an appropriate confidentiality agreement.
Access to personal data is granted only to individuals specifically authorized by FB.LAW, or when the processing actions are inherent to the employee’s job position. Unauthorized access to personal data, as well as attempts to transmit or modify data, are strictly prohibited.
By a special decision, FB.LAW may appoint a Data Protection Officer (DPO) based on professional qualifications, particularly expertise in the law and practices related to data protection, as well as the ability to perform tasks prescribed by the General Regulation.
13. TECHNICAL MEASURES FOR THE PROTECTION OF PERSONAL DATA
Considering the latest technological advancements, the cost of implementation, as well as the nature, scope, context, and purposes of processing, and the risks associated with varying degrees of likelihood and severity to the rights and freedoms of individuals arising from data processing, FB.LAW implements appropriate technical measures, such as pseudonymization, to effectively apply the principles of data protection. This includes reducing the amount of data and incorporating protective measures into the processing to meet the requirements of the General Regulation and safeguard the rights of data subjects.
FB.LAW is required to assess the appropriate level of security, taking into account, in particular, the risks associated with data processing. This includes risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data that is transferred, stored, or otherwise processed.
For personal data stored under the supervision of FB.LAW, the following technical protection measures are implemented:
· locking of workspaces;
· storage of physical documentation in filing cabinets;
· locking of cabinets containing the filing cabinets;
· accessibility to unlocking tools exclusively for authorised personnel;
· antivirus protection;
· passwords for access to computers and other devices;
· other technical measures that are appropriate for the current risks to the rights and freedoms of data subjects.
FB.LAW also establishes a specific "IT Infrastructure Security Policy" as an internal document outlining the concrete technical measures for the protection of personal data.
14. OTHER PROVISIONS
If there is a likelihood that a certain type of processing, especially through new technologies and considering the nature, scope, context, and purposes of the processing, will result in a high risk to the rights and freedoms of individuals, FB.LAW is required to conduct an assessment of the impact of the intended processing operations on the protection of personal data before carrying out the processing. A single assessment may refer to a series of similar processing activities that present similar high risks. When conducting a data protection impact assessment, FB.LAW seeks advice from the data protection officer if one has been appointed. The impact assessment should include a description of the processing operations and their purpose, an evaluation of the necessity and proportionality, a risk assessment, and a description of measures to mitigate the risks of processing.
FB.LAW maintains and, upon the request of the supervisory authority, submits to it a record of processing activities that includes the following essential elements of the processing of personal data for which such an obligation exists under the provisions of the General Regulation:
· the name and contact details of the data controller and the data protection officer (if applicable);
· the purpose of the processing;
· a description of the categories of data subjects and categories of personal data;
· the legal basis for the processing;
· the recipients of the data;
· transfers of data to third countries, if applicable;
· the expected retention periods for the data;
· a general description of the technical and organisational security measures implemented.
15. CONTACT INFORMATION
For any questions regarding the processing of personal data and the exercise of data subject rights, please feel free to contact us using the following contact details:
· Radnička cesta 1A, HR-10000 Zagreb
· Phone: +385 92 455 35 80
· Email: info@fb-law.eu
· Website: www.fb-law.eu
16. FINAL PROVISIONS
This Privacy Policy is published on the website of the law firm and in physical form at the registered seat.
The Privacy Policy comes into effect on the date of publication.
Any changes and/or amendments to the provisions of the Privacy Policy will be published in the same manner. For this reason, it is important to regularly check the current provisions to ensure that data subjects and employees of FB.LAW are properly informed of their rights and obligations.