Introduction
GDPR is the General Data Protection Regulation, which came into effect on 25 May 2018 and represents the most significant change to data protection in two decades. It is designed and implemented to fully meet the needs of the digital age.
The 21st century brings with it a wider use of technology in everyday life, as well as new definitions of personal data. The aim of the GDPR is to standardize data protection laws across the European Union, thereby giving individuals greater and more consistent rights to access and control their personal information.
Our commitment to data protection
Fine'sa Conceptus doo (referred to in this text as "we", "our") is fully committed to securing and protecting the personal data of users that it processes, and to providing its users with a consistent approach to data protection. We have always strived to maintain a robust and effective data protection program that is in line with current laws and with the basic principles of data protection. Nevertheless, we recognize the need to improve it in order to fully meet the requirements of the GDPR and the laws of the Republic of Croatia.
How we are preparing for the GDPR
Fine'sa Conceptus doo has a consistent level of data protection policies and processes at all organizational levels, but in order to be fully compliant with GDPR guidelines by May 25, 2018, we have implemented the following steps:
- Information audit – an audit of the personal data we collect was conducted at all organizational levels, checking what the data contains, how it was collected, why it is processed and to whom it is disclosed.
- Policies and procedures – existing policies were revised and new data protection policies and procedures were introduced that meet all the requirements of the GDPR and all related laws. These include the following:
  - Data protection – the main data protection policy and procedure document has been revised to meet GDPR standards and requirements. Responsibilities and governance measures are in place to ensure that we understand, adequately communicate and can demonstrate our obligations and responsibilities, with a particular focus on privacy by design and the rights of individuals.
  - Data retention and deletion – we have updated our retention policies and schedule to ensure that we meet the principles of "data minimization" and "storage limitation" and that personal data is stored, archived and destroyed ethically and in accordance with those principles. We have specific erasure procedures to meet the new "right to erasure" obligation and are aware of when other data subject rights apply, along with any exceptions, response timeframes and notification responsibilities.
  - Breach management – our breach management procedures are a set of safeguards for identifying, assessing, investigating and reporting personal data breaches as quickly as possible. They are robust, accessible to all employees, and set out a series of specific steps to be followed.
  - International data transfers and disclosure to third parties – where Fine'sa Conceptus dd stores or transfers personal data outside the EU, robust procedures and safeguards are in place to ensure that the data is secured, encrypted and its integrity is maintained. Our procedures include an ongoing review of countries with adequacy decisions, as well as provisions for binding corporate rules, standard data protection clauses or approved codes of conduct for countries without such decisions. We conduct rigorous due diligence checks on all recipients of personal data to assess and confirm that they have adequate safeguards in place to protect the information, ensure enforceable rights over the data in question and provide effective legal remedies for data subjects where applicable.
  - Subject access requests (SAR) – we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing requested information and to make this provision free of charge. Our new procedures detail the data validation, the steps taken to process access requests, which exemptions apply, and a range of response templates to ensure that communications with data subjects are compliant, consistent and appropriate.
  - Legal basis for processing – we review all processing activities to determine the legal basis for processing and ensure that each basis is appropriate for the activity to which it relates. Where applicable, we also keep records of processing activities, ensuring that the obligations under Article 30 of the GDPR and Annex 1 of the Data Protection Act are met.
  - Privacy notice and policy – we have amended our privacy notices to comply with the GDPR, ensuring that all individuals whose personal data is processed are informed about why we need the data, how it is used, what their rights are and what safeguards are in place to protect the data.
  - Obtaining consent – we have revised our consent mechanisms for collecting personal data, ensuring that individuals understand what they are providing, why and how we use it, and providing clear and defined ways for them to consent to the processing of their personal information. We have developed strict procedures for recording consent, ensuring that we can prove a positive opt-in, along with the time and date of the record. This also makes it easy to see how consent can be withdrawn at any time.
  - Direct marketing – we have revised our direct marketing text and procedures and included clear opt-in mechanisms for subscription-based direct marketing (newsletter), as well as a clear notice of the method of removal and an unsubscribe feature on all subsequent marketing materials.
  - Data Protection Impact Assessments (DPIA) – where we process personal data considered to be high risk, including large-scale processing or data on special categories/criminal convictions, we have developed rigorous procedures and assessment templates for conducting impact assessments that are fully compliant with the requirements of Article 35 of the GDPR. We have implemented documentation processes that record each assessment, enable us to assess the risk posed by the processing and implement mitigation measures to reduce the risk to data subjects.
  - Outsourcing agreements – where we use a third party to process personal data on our behalf (e.g. payroll, recruitment, hosting, etc.), we have put in place appropriate processing agreements and due diligence procedures to ensure that everything is in line with our and their obligations under the GDPR. These measures include initial and ongoing audits of the service provided, the necessity of the processing activity, technical and organisational measures and compliance with the GDPR.
  - Special category data – where we obtain and process special category data, all procedures are in accordance with the requirements of Article 9, and high-level encryption and protection is applied to all data of this type. Special category data is processed only where necessary and only after we have first identified the appropriate basis under Article 9, Paragraph 2 or the relevant condition of Schedule 1 of the Data Protection Act. Where we rely on consent for processing, it is explicitly confirmed by signature, with the right to amend or withdraw consent clearly indicated.
Rights of the person whose data was collected
In addition to the policies and procedures described above, which ensure that individuals can exercise their data protection rights, we provide through our website a means for individuals to exercise their right of access to all personal data that Fine'sa Conceptus doo processes about them. Individuals whose data has been collected have the right to request information about:
- All personal data we hold about them
- Purposes of data processing
- Categories of personal data being processed
- All parties who will have access to their personal data
- How long their personal data will be stored
- The data source, unless we collected the data directly from them
- The right to have incomplete or incorrect data about them corrected, and the process for initiating the correction or supplementing of data
- The right to request the deletion of personal data or the restriction of its processing in accordance with all relevant data protection laws, the right to object to any form of direct marketing directed at them, and the right to obtain insight into any automated processes by which such direct marketing was carried out
- The right to lodge a complaint or seek legal redress and who to contact in these situations
Information security and technical/organizational measures
Fine'sa Conceptus takes the privacy and security of individuals and their personal data seriously and takes all reasonable measures and precautions to ensure that the data it processes is protected. There are robust security policies and procedures in place to protect personal data from unauthorized access, alteration, disclosure or destruction that have several layers of security measures, including:
- SSL
- Access control
- Password rules
- Coding
- Pseudonymization
- Practices
- Limitations
- IT
- Authentication
GDPR roles and employees
On behalf of Fine'sa Conceptus doo, ___________________ has been designated as the person responsible for data security, and a group has been formed that is responsible for implementing rules and procedures in accordance with the GDPR. The group is responsible for promoting awareness of the GDPR within the organization, ensuring employees understand it, and maintaining ongoing compliance with the GDPR. An employee training program has been implemented and will be available to all employees before May 25, 2018; it is part of the annual training program for the entire organization.
