REGULATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

I GENERAL PROVISIONS

Article 1.

In the process of processing personal data and protecting individuals with regard to the processing of personal data and rules related to the free movement of personal data, PROMOSAPIENS Ltd. (hereinafter: PROMOSAPIENS Ltd.) is subject to the application of the General Data Protection Regulation (EU) 2016/679 (hereinafter: General Regulation).

Article 2.

PROMOSAPIENS Ltd. is, in accordance with Article 4 of the General Regulation, the data controller who alone or jointly with others determines the purpose and means of processing personal data in accordance with national legislation or EU law.

Article 3.

In accordance with the General Data Protection Regulation, certain terms in this Regulation have the following meanings:

• “personal data” means any information relating to an identified or identifiable individual (“data subject”); an identifiable individual is a person who can be identified directly or indirectly, especially by an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
• “processing” means any operation or set of operations performed on personal data or sets of personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “data storage system” means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
• “data controller” means a natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the data controller or specific criteria for its appointment may be provided for by Union law or the law of a Member State.
• “recipient” means a natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not they are a third party.
• “third party” means a natural or legal person, public authority, agency, or other body that is not the data subject, data controller, processor, or persons who, under the direct authority of the data controller or processor, are authorized to process personal data.

Article 4.

PROMOSAPIENS Ltd. processes personal data lawfully, fairly and transparently.

PROMOSAPIENS Ltd. processes only appropriate and relevant personal data, exclusively for specific, explicit and lawful purposes, and they are not further processed in a manner that is incompatible with those purposes.

The personal data processed by PROMOSAPIENS Ltd. are accurate and updated as needed. Data that are not accurate are promptly deleted or corrected by PROMOSAPIENS Ltd.

PROMOSAPIENS Ltd. keeps personal data in a form that allows the identification of the data subjects only for as long as necessary for the purposes for which the personal data are processed. Exceptionally, personal data may be stored for longer periods, but only if they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes.

PROMOSAPIENS Ltd. processes personal data in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage, by implementing appropriate technical and organizational measures.

II DATA PROTECTION OFFICER

Article 5.

PROMOSAPIENS Ltd. appoints a data protection officer. The data protection officer is appointed from among the employees of PROMOSAPIENS Ltd.

The contact details of the data protection officer of PROMOSAPIENS Ltd. are published on the notice board, and the supervisory authority is informed about the person appointed as the officer.

The data protection officer performs the tasks of informing and advising the responsible persons of PROMOSAPIENS Ltd. and its employees who are directly involved in the processing of personal data about their obligations under the General Data Protection Regulation, monitors compliance with the Regulation and other Union or Member State provisions on protection, ensures the rights of data subjects, and cooperates with the supervisory authority.

The data protection officer is obliged to maintain the confidentiality of all information obtained in the performance of his duties.

III PROCESSING OF PERSONAL DATA

Article 6.

PROMOSAPIENS Ltd. processes personal data only and to the extent that one of the following conditions is met:

• the data subject has given consent to the processing of their personal data for one or more specific purposes
• the processing is necessary for the performance of a contract in which the data subject is a party
• the processing is necessary for compliance with legal obligations of PROMOSAPIENS Ltd.
• the processing is necessary to protect the vital interests of the data subject or another natural person
• the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority of PROMOSAPIENS Ltd.

or

• the processing is necessary for the legitimate interests of PROMOSAPIENS Ltd. or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, especially if the data subject is a child.

Article 7.

The consent by which the data subject gives consent to PROMOSAPIENS Ltd. for the processing of personal data relating to them must be voluntary, given in writing in an easily understandable, clear, and simple language, clearly indicating the purpose for which it is given and without unfair conditions.

If the processing of personal data of a child under the age of 16 is involved, the consent as described in paragraph 1 of this article is given by the holder of parental responsibility over the child (parent or legal guardian of the child).

Article 8.

In the process of processing personal data, PROMOSAPIENS Ltd. provides the data subject with all information related to the processing of their personal data in an appropriate manner (in writing or orally), especially regarding the purpose of data processing, the legal basis for data processing, the legitimate interests of PROMOSAPIENS Ltd., the intention to transfer personal data to third parties, the period for which personal data will be stored, the existence of the data subject’s rights to access personal data and to rectify or erase personal data and restrict processing, the right to object, etc.

IV RIGHTS OF THE DATA SUBJECT

Article 9.

The data subject has the right to access personal data contained in the PROMOSAPIENS d.o.o. storage system that relates to them.

The data subject has the right to obtain a copy of personal data contained in the storage system that relates to them.

PROMOSAPIENS d.o.o. will promptly correct any inaccurate data relating to the data subject upon request, or supplement them based on the data subject’s request.

PROMOSAPIENS d.o.o. will promptly, upon the data subject’s request, delete personal data relating to them provided that the personal data are no longer necessary for the purposes for which they were collected, or if the data subject withdraws the consent on which the processing is based.

The data subject who believes that any right guaranteed by the General Data Protection Regulation has been infringed has the right to lodge a complaint with the competent authority.

The data subject has the right to obtain confirmation as to whether personal data relating to them are being processed, and if so, access to the personal data and the following information: the purpose of the processing, the categories of personal data concerned, recipients or categories of recipients of the personal data, the period for which the personal data will be stored, information about their rights and the sources of data if not collected from the data subject.

If data is transferred and processed outside the EU, the data subject has the right to information about appropriate safeguards.

Where possible, the data subject may obtain a copy of the personal data being processed.

Article 10.

For the purpose of protecting personal data, PROMOSAPIENS d.o.o., in all cases where possible, especially when publicly disclosing information in accordance with the Law on the Right to Access Information, carries out data pseudonymization.

V DATA STORAGE SYSTEM

Article 11.

PROMOSAPIENS Ltd. collects and processes the following types of personal data:

• personal data of PROMOSAPIENS Ltd. employees
• personal data of service users – business partners of PROMOSAPIENS Ltd.
• personal data of candidates participating in the recruitment process for employment
• personal data of external collaborators.

Article 12.

For the personal data listed in Article 11 of this article, PROMOSAPIENS Ltd. keeps a record of processing activities which is attached to this Regulation and is considered as its integral part.

The record of processing activities contains at least the following data:

• name and contact details of PROMOSAPIENS Ltd., representative of PROMOSAPIENS Ltd. and data protection officer;
• purpose of processing
• description of categories of data subjects and categories of personal data;
• categories of recipients to whom personal data have been or will be disclosed
• anticipated deadlines for deletion of different categories of data
• general description of technical and organizational security measures for data protection.

Article 13.

The director of PROMOSAPIENS Ltd. makes a decision on the persons responsible for processing and protecting personal data from Article 11 of this Regulation.

VI MEASURES FOR PROTECTION OF PERSONAL DATA

Article 14.

In order to prevent unauthorized access to personal data, data in written form is kept in files, in locked cabinets, and data on computers are protected by assigning a username and password known to employees responsible for data processing, and for further security and confidentiality, they are stored on portable memories.

Article 15.

Persons responsible for processing personal data are required to take technical, personnel, and organizational measures to protect personal data necessary to protect personal data from accidental loss or destruction, unauthorized access or unauthorized alteration, unauthorized disclosure, and any other misuse.

Article 16.

This Regulation was published on the notice board of PROMOSAPIENS Ltd. on May 24, 2018, and comes into force on May 24, 2018.

Promosapiens Ltd.
by director Dalibor Šumiga