Privacy Policy
With this Privacy Policy we wish to provide citizens with information about what personal data is, what basic concepts they need to know, how and why we process their personal data, as well as rights related to their data, all in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119/1) hereinafter the Regulation.
BASIC CONCEPTS:
personal data means any data relating to an identified or identifiable individual; e.g. name and surname, address, tax identification number. Personal data is divided into personal data and special categories of personal data. Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying individuals, data concerning health or data concerning a person's sex life or sexual orientation,
data subject means you, i.e. an individual whose identity can be determined directly or indirectly, in particular by reference to identifiers such as name, identification number, location data or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual,
processing means any operation performed on personal data such as collection, recording, storage, adaptation or alteration, consultation, use, disclosure by transmission, restriction, erasure or destruction,
storage system means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis (e.g. archive),
data controller in this case is US, but it may be a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of data, as well as the means of processing personal data,
recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party,
consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
DATA CONTROLLER:
Public Institution "Papuk Nature Park"
Trg Gospe Voćinske 11
Tax ID: 09100391705
Tel: 034 313 030
Director:
represented by director Alen Jurenec (hereinafter the Data Controller).
DATA PROTECTION OFFICER, contact:
SPECIAL NOTES ON PERSONAL DATA PROTECTION DURING THE SARS-CO-V-2 VIRUS PANDEMIC FOR THE PURPOSE OF TRANSPARENT PROCESSING OF PERSONAL DATA
PURPOSE OF PROCESSING
The data controller, upon employees arriving at work and visitors entering the data controller's premises, inspects EU digital COVID certificates or other appropriate proof of vaccination, recovery, or testing, for the purpose of implementing security measures to protect the population from infection and transmission and to suppress COVID-19 disease by early detection of SARS-CoV-2 virus infection.
The data controller may, for the purpose of accelerating the implementation of the security measure, create a list of employees that will contain the employee's first and last name and the validity period of the proof.
LEGAL BASIS
The legal obligation is prescribed by the Decision on the introduction of a special security measure of mandatory testing for the SARS-CoV-2 virus and a special security measure of mandatory presentation of proof of testing, vaccination, recovery from infectious disease COVID 19 for entry into public law bodies' premises CLASS: 810-06/20-01/7, REF. NO.: 511-01-300-22-485 of January 26th and Article 47 of the Law on Population Protection ("Official Gazette" 79/07, 113/08, 43/09, 130/17, 114/18, 47/20, 134/20).
In case of creating an employee list for the purpose of accelerating the security measure, it will only be created with the employee's consent.
RECIPIENT OF PERSONAL DATA
The authorized person for inspecting certificates is obliged to immediately report to the Data Controller and the competent sanitary inspection of the State Inspectorate the entry into public law bodies' premises of a person who refused to present proof, but entered the Data Controller's premises contrary to the prohibition.
If a document is presented for which there is a reasonable suspicion of being falsified, the Data Controller is obliged to inform the competent authorities.
THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
The data controller does not transfer personal data to a third country or international organization.
STORAGE PERIOD
Personal data of individuals who provided the requested proof for inspection will not be stored.
In case a list is created for the purpose of accelerating the implementation of the security measure, the data from the list must be deleted:
- – upon withdrawal of explicit employee consent
- – upon expiry of the certificate's validity
- – or upon termination of the Decision's validity.
In case of an official note being made, the Data Controller will keep it until the purpose ceases.
PROVISION OF PERSONAL DATA
Employees and visitors who refuse to present an EU digital COVID certificate or other appropriate proof, in accordance with Art. VI of the Decision on the introduction of a special security measure of mandatory testing for SARS-CoV-2 virus and a special security measure of mandatory presentation of proof of testing, vaccination, recovery from infectious disease COVID 19 for entry into public administration premises CLASS: 810-06/20-01/7, NUMBER: 511-01-300-22-485 from January 26, are not allowed to enter the premises of the Data Controller.
All other information for data subjects can be found in the rest of this Privacy Policy and on the website:
PURPOSE OF PROCESSING AND BASIS FOR PROCESSING PERSONAL DATA IN THE PUBLIC INSTITUTION "PAPUK NATURE PARK"
The data controller processes personal data for the purpose of exercising official powers of direct supervision in the protected area in accordance with the rights and obligations defined by the Nature Protection Act.
The data controller processes personal data that are necessary for compliance with the legal obligations of the data controller. Legal obligations include:
- fulfillment of obligations towards UNESCO
- registration of tourists using the E-visitor system
- promotion of Papuk Nature Park using photos and videos of public events
- exercising the right to access information
- exercising the rights of data subjects in personal data protection.
The data controller processes personal data of employees for the purpose of fulfilling obligations and exercising special rights of the data controller or data subjects in the area of labor law and social security and social protection to the extent permitted by Union law, the law of the Republic of Croatia and collective agreements in accordance with the law of the Republic of Croatia and prescribed appropriate safeguards for the fundamental rights and interests of employees.
The data controller processes personal data collected through video surveillance of public areas, which are used exclusively for the purpose of protecting persons and property. The basis for processing personal data through video surveillance of public areas is the performance of tasks and duties of public interest and for the protection of human life and health and property.
The basis for processing personal data through video surveillance of other areas is legitimate interest.
The data controller processes personal data based on consent, for the purpose of:
- communication with citizens via social networks
The data controller processes personal data when it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, which includes:
- use of the data controller's property
- consent of legal representatives/guardians regarding the use of Adrenaline Park elements by minors
- conducting procurement from craftsmen.
The data controller processes personal data for the establishment, exercise or defense of legal claims.
The data controller processes personal data based on legitimate interest, for the purpose of:
- use of cookies on the website for a better user experience
- use of newsletters
CATEGORY OF PERSONAL DATA
The data controller processes personal data and special categories of personal data. When processing special categories of personal data, the need for them, purpose and legal basis are strictly assessed.
USE OF COOKIES
Cookies are text files that a website you visit stores on your computer. If you visit the website again, your browser sends the cookies belonging to that website back. Cookies allow the website to display data tailored to you. More information about cookies can be found at:
https://www.pp-papuk.hr/uvjeti-koristenja/
USE OF SOCIAL NETWORKS
The municipality uses social networks for open dialogue with citizens. The social networks we use are listed on our website.
METHOD OF PERSONAL DATA COLLECTION
Personal data is collected directly from the data subject, as well as from public sources (public registers). In the form used for direct collection of personal data from the data subject, the purpose and legal basis for the processing of personal data are indicated.
RECIPIENTS OF PERSONAL DATA
We may forward your personal data to third parties, such as public authorities or emergency services, to fulfill legal obligations. We may also forward personal data to service providers (data processors). With each processor, agreements on personal data processing have been concluded that clearly define which personal data are processed and how they are handled. Processors cannot forward personal data to third parties without an order from the Data Controller. Your personal data will not be forwarded to third parties for direct marketing purposes. Personal data collected via video surveillance may be provided upon request to competent authorities if necessary for proceedings based on legal regulations. Personal data collected via video surveillance cannot be transferred to third countries.
RETENTION PERIOD
Personal data collected for a specific purpose is no longer used after that purpose is fulfilled. Personal data may be stored in our archive if required by legal archiving regulations. Personal data collected via video surveillance can be stored for a maximum of 6 months, unless the recordings are exempted due to legal proceedings.
RIGHTS OF THE DATA SUBJECT
Right to access
The data subject has the right to request from the Data Controller confirmation as to whether his or her personal data are being processed and, where that is the case, access to those personal data. The Data Controller is obliged to provide the data subject with the following information:
- the purposes of the processing
- the categories of personal data concerned (whether it is personal data and/or special categories of personal data)
- the recipients to whom the personal data have been or will be disclosed
- the recipients in third countries or international organizations
- where possible, the envisaged period for which the personal data will be stored, or the criteria used to determine that period
- the existence of the right to rectification, erasure, restriction of processing, objection
- the existence of the right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the data subject, any available information as to their source
- the existence of automated decision-making (including profiling), and if so, why it is important for the data subject and how such processing will have consequences for the data subject
- where the Data Controller transfers personal data to a third country or international organization, what safeguards have been put in place.
The Data Controller is obliged to provide a copy of the personal data being processed. The Data Controller may charge a fee based on costs, but only for additional copies. If the request is submitted electronically and the data subject does not request otherwise, the information is provided in the same format.
Right to rectification
If the Data Controller processes personal data that is incomplete or inaccurate, you may request rectification or completion at any time.
Right to erasure
The data subject may request the erasure of his or her personal data if he or she believes that such data processing constitutes an infringement of his or her protected interests. It must be taken into account that there are reasons that prevent immediate erasure, for example in the case of legally prescribed archiving obligations.
The data subject has the right to erasure of personal data, if at least one of the following grounds is met:
- the data subject's personal data are no longer necessary for the purposes for which they were collected or otherwise processed
- personal data have been processed solely on the basis of consent, and the data subject has withdrawn his or her consent
- the data subject has objected to the processing of personal data
- personal data have been unlawfully processed
- personal data must be erased due to compliance with the law of the Republic of Croatia or the EU
- personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.
If the data subject's personal data have been made public (e.g. website, social networks), and it is necessary to comply with the request for erasure, then the Data Controller must:
- erase the personal data
- take reasonable steps to inform other Data Controllers who are processing the published personal data that the data subject has requested erasure, and that they are obliged to erase all links to those personal documents, all copies or reproductions of those personal documents.
The Data Controller has the right to take into account the available technology and the cost of implementation when deciding on the steps to be taken.
The right to erasure does not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3) of the Regulation
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing
- for the establishment, exercise or defence of legal claims.
Right to restriction of processing
The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject
- the processing is unlawful and the data subject opposes the erasure of the personal data
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
- the data subject has objected to processing.
Right to object
If the Data Controller processes personal data for the performance of tasks carried out in the public interest or tasks of public authorities, or relies on its legitimate interests during processing, an objection can be lodged against such data processing if there is an interest in protecting the individual's personal data.
Right to withdraw consent
The data subject may request withdrawal of consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject is informed of this before giving consent.
Right of access to personal data collected by video surveillance
The data subject has the right to submit a request for access to personal data collected through video surveillance.
Right to data portability
The data subject has the right to receive the personal data concerning him or her which he or she has provided to the Data Controller in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Data Controller to whom the personal data have been provided, where the processing is based on consent or is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract or where the processing is carried out by automated means.
When exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of this right does not affect the right to erasure. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
EXERCISING RIGHTS
If you wish to exercise any of the rights listed above, please contact our Data Protection Officer via the contact details provided. You certainly have the right to lodge a complaint with a supervisory authority, i.e. the Personal Data Protection Agency. Before collecting any personal data, employees are obliged to inform the data subject whose data is being collected about the purpose of the processing for which the data are intended.
PROTECTION OF PERSONAL DATA
The Data Controller implements appropriate technical and organizational measures to protect your personal data. When implementing, care is taken to process only the personal data necessary for each specific purpose of processing. This obligation includes paying special attention to the amount of data collected, the scope of processing, the period for which data are stored, as well as their availability.
The Privacy Policy has been prepared on the basis of a professional and detailed analysis of the system, as part of the preparation of a risk assessment for the security of personal data processing, all in order to achieve security in the processing of personal data and to satisfy the principles of personal data processing (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and reliability).
All employees undertake to keep personal data confidential by signing a confidentiality statement.
All employees are obliged to comply with the Code of Ethics for Civil Servants.
Officials and employees are obliged to keep confidential all personal and other confidential data they learn in the performance of their duties. This obligation continues even after the cessation of the performance of duties or after the cessation of employment in the municipality.
We note that in certain cases refusal to provide personal data may have certain legal consequences for the data subject, of which you will be warned when collecting personal data. Possible legal consequences depend on the legal basis for taking personal data.
The Privacy Policy is regularly updated to contain accurate information, therefore the right to change the content is reserved.