Introductory Provisions
This Policy establishes a responsible and transparent framework for ensuring compliance with the General Data Protection Regulation (GDPR). It applies to all organizational units of Clarum d.o.o. (hereinafter referred to as the Data Controller) and to all employees, including contractors and temporary workers, as well as all external associates acting on behalf of the Data Controller.
Policy Statement
The Data Controller is committed to conducting business in accordance with all applicable laws, regulations, and the highest standards of ethical conduct.
This Policy defines the expected conduct of employees and external associates involved in the collection, use, storage, transfer, disclosure, or destruction of any personal data belonging to employees, business partners, or other individuals.
The purpose of this Policy is to standardize the protection of the rights and freedoms of data subjects by safeguarding their personal data across all aspects of the Data Controller’s operations.
Clarum d.o.o. will not disclose personal data to third parties without authorization, nor process such data in a manner that could compromise it.
Principles of Personal Data Processing
The Data Controller applies the following principles when collecting, using, retaining, transferring, and deleting personal data:
Lawfulness, Fairness, and Transparency
Personal data will be processed lawfully, fairly, and transparently. This means that data subjects will be informed about how their data is processed, and such processing will be carried out strictly in line with that information and applicable legal purposes.
Purpose Limitation
Personal data will be collected for clearly defined and legitimate purposes and will not be processed in ways incompatible with those purposes.
Data Minimization
Only personal data that is relevant and necessary for the intended purpose will be collected and processed.
Accuracy
Personal data will be accurate and kept up to date. Procedures will be in place to identify and correct outdated, inaccurate, or unnecessary data.
Storage Limitation
Personal data will not be kept in a form that allows identification of data subjects longer than necessary. Where possible, data will be stored in a way that limits or prevents identification.
Data Security
Personal data will be processed and stored in a manner that ensures appropriate protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. Appropriate technical and organizational measures will be implemented to ensure integrity and confidentiality.
Privacy by Design
When designing new systems or modifying existing ones, all principles of data protection will be incorporated to ensure maximum privacy protection.
Data Retention
Personal data will be retained only as long as necessary for the purpose for which it was collected:
- Employment-related data: in accordance with applicable legal requirements
- Video surveillance recordings: up to 3 months
- Contract-related data: in accordance with contractual provisions
Rights of Data Subjects
All data subjects have the following rights:
Right of Access
Data subjects have the right to obtain a copy of their personal data and information regarding:
- purpose and legal basis of processing
- legitimate interest (if applicable)
- categories of personal data collected
- recipients of the data
- retention period
- source of the data (if not collected directly)
All information will be provided in clear and simple language.
Where disclosure would affect the rights of others, such data will be anonymized or withheld.
Right to Rectification
Data subjects have the right to correct inaccurate or incomplete data.
Right to Erasure (“Right to be Forgotten”)
Data subjects may request deletion of their data where legally permissible.
Right to Restriction of Processing
Data subjects have the right to request restriction of processing where applicable.
Right to Data Portability
Data subjects have the right to receive their data for transfer to another controller.
Right to Object
Data subjects may object to processing, especially where based on legitimate interest.
If a request is denied, the reason will be provided, and the data subject may file a complaint with the competent authority, AZOP.
Legal Basis for Processing
The Data Controller processes personal data based on the following legal grounds:
Legal Obligation
Processing necessary to comply with legal obligations. No consent is required for such processing.
Applicable regulations include:
- Accounting Act
- Value Added Tax Act
- Income Tax Act
- Labour Act
- Employee Records Regulation
- Mandatory Health Insurance Act
- Occupational Safety Act
- Food Act
Contractual Necessity
Processing necessary for the performance of a contract.
Legitimate Interest
Processing based on legitimate interests, as defined below.
Vital Interests
Processing necessary to protect vital interests of the data subject.
Public Interest / Official Authority
Processing carried out in the public interest or under official authority.
Consent
In all other cases, personal data is processed based on the data subject’s consent, which may be withdrawn at any time.
The Data Controller maintains records of given and withdrawn consents.
Legitimate Interest
Video Surveillance
Video surveillance involves the collection and processing of personal data through recorded footage. The premises are clearly marked with appropriate notices in accordance with GDPR requirements. Processing is carried out for the protection of individuals, property, and assets. Data is not used for any other purpose. Access to video data is limited to authorized personnel and competent authorities. The system is protected against unauthorized access. Data subjects have the right to object to processing based on legitimate interest.
Terms and Definitions
General Data Protection Regulation (GDPR)
General Data Protection Regulation is an EU regulation designed to strengthen and unify data protection for individuals within the European Union.
Data Controller
An entity that determines the purposes and means of processing personal data.
Data Processor
An entity that processes data on behalf of the controller.
Supervisory Authority
A public authority responsible for data protection oversight (in Croatia: AZOP).
Data Protection Officer (DPO)
A data protection expert ensuring compliance with GDPR.
Data Subject
An individual whose personal data is being processed.
Personal Data
Any information relating to an identified or identifiable individual (e.g. name, ID number, address, IP address).
Processing of Personal Data
Any operation performed on personal data (e.g. collection, storage, use, transfer, deletion).
Legal Framework
- General Data Protection Regulation
- Act on the Implementation of the General Data Protection Regulation
