Personal Data Protection Guidelines within the Law Firm Šooš Maceljski, Mandić, Stanić & Partneri Ltd.

1. These Guidelines define basic principles and rules of personal data protection in accordance with business and safety requirements of the Company, as well as legal regulations, best practices and internationally recognised standards. With the aim of ensuring fair and transparent data processing, the Company would like to provide clear information on processing and protection of personal data it collects and processes and enable easy monitoring and management of personal data and consents.

2. The Company respects the right of every individual (client, employee, supplier and other interested parties) to decide on how his or her personal data shall be used (“informational self-determination”). We shall inform the abovementioned groups of individuals, with the required transparency and unambiguity, on personal data collection, processing, and use.

3. In principle, we process personal data only in the context of an explicit and lawful purpose known to the data subject and for related purposes. When you enter your personal data on our websites, send us information, an inquiry or a request, or give your explicit consent, only the necessary personal data are collected, and only for the purpose for which they are given. Information on the use of the internet page is collected by means of “cookies”. We use the information about you in order to fulfill the purpose of data collection, respond to your inquiry or to inform you, based on your consent, on relevant business information or events. If you would like to do so, you can leave us your contact information so we can contact you quickly and respond to your inquiries.

4. To the extent to which anonymised and pseudonymised data have the same effect, we shall give preference to data processing in that form.

5. By applying appropriate measures, we take special care to ensure that the data we store are accurate and up-to-date.

6. Personal data shall be deleted if they are no longer needed to fulfill the purpose of processing or use and if the stipulated time-limits for data retention have expired. The data subject has the right to obtain from the Company the erasure of personal data concerning him or her and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
b. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
c. the data subject objects to the processing and there are no overriding legitimate grounds for the processing and/or retaining the personal data
d. the personal data have been unlawfully processed
e. the personal data have to be erased for compliance with legal obligations.

7. The right to access – the data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the purpose of processing, categories of personal data concerned, potential recipients to whom personal data will be revealed and similar.

8. The right to rectification – the data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In addition, data subjects having a business relation with the group have the obligation to update their data.

9. The right to data portability – the data subject shall have the right to receive personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller. It should be taken into account that the right of data portability applies only to personal data of the data subject.

10. The right to object – the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. In that situation, the Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. In addition, where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

11. The right to restriction of processing – the data subject shall have the right to obtain from the Company restriction of processing where the accuracy of the personal data is contested; where he or she considers that the processing is unlawful, opposes the erasure of the personal data and requests the restriction of their use instead; and where the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
The data subject shall have the right at any time to request the fulfillment of any of the abovementioned rights.

13. In order for the internet page of the Company to work properly, for us to be able to perform further enhancements to the page and for the purpose of improving your experience in viewing the page, the page must store on your computer a restricted amount of information (cookies).
A cookie is a piece of information stored on your computer by the web page that you visit. Cookies usually store your settings for the web page, such as your preferred language or address. Later, when you reopen the same internet page, the browser sends back the cookies pertaining to that page. This enables the page to show information adapted to your needs.

14. In order to ensure the safety of data, we implement the required, most advanced technical and organisational measures. They must enable the accessibility of accurate data at any time as well as access only for authorised persons. In addition, we ensure that personal data can be added and connected to their source.

15. In our business models, through appropriate rules/privacy statements, we ensure full transparency of processing as well as further use, replenishment and transfer of personal data. We enable self-determination activity within legal requirements.

16. When processing larger, more complex, and in some cases, unstructured quantities of data (big data use), the Company shall periodically verify the admissibility and necessity of processing in order to ensure reliable use of the data in question as well as the protection of rights and interests of affected persons. The Data Protection Officer of the Company plays a crucial role in this process.

17. We endeavour to cooperate only with partners who offer solutions harmonised with data protection and the provisions of the Regulation, national data protection regulations and other applicable data protection rules. The Company chooses its partners having regard to the adequacy of the technical and organisational measures they apply.

18. The data are generally safeguarded in Europe, but service providers from the so-called third countries may be included in personal data processing subject to limitations stipulated by the prescribed data protection conditions.

19. The Company endeavours to promote socially acceptable standards for collecting, processing and use of personal data even beyond the stipulated legal requirements through reliable ways of use of personal data. We tend to exchange data with authorities, non-governmental and consumer-protection organisations.

20. The Company shall be responsible for ensuring that the managers and the employees adhere to these Guidelines.

21. The Company has designated the Data Protection Officer who is independent and acts in the interest of protecting the rights of data subjects and their personal data. In performing his tasks, the Data Protection Officer has due regard to the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing. His task is to monitor that the privacy policy and other policies and procedures defining the code of conduct in collecting and processing of personal data are applied.
The Data Protection Officer shall have at least the following tasks in the Company:
– to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the General Data Protection Regulation and to other Union or Member State data protection provisions;
– to monitor compliance with the General Data Protection Regulation, with other Union or Member State data protection provisions and with the policies of the controller or the processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and the related audits;
– to provide advice where required as regards the data protection impact assessment and monitor its performance pursuant to Article 35 of the General Data Protection Regulation;
– to cooperate with the Data Protection Agency as the supervisory authority;
– to act as the contact point for the supervisory authority on issues relating to data processing, including prior consultation referred to in Article 36.

Data Protection Officer:
Nikola Berović
Trg žrtava fašizma 6/III