Privacy policy

We value your privacy and place great importance on protecting your personal data. With this document, we aim to clarify how we handle the personal data we process.

Introductory Provisions

We collect and process your data solely for the purpose of providing high-quality services in a lawful, fair, and transparent manner. We process only the data necessary to provide a specific service, ensuring its appropriate protection.

Such personal data primarily relates to individuals with whom Sustav de Ruche d.o.o. has a business relationship or a legitimate interest in contacting (clients, suppliers, business contacts, employees, etc.).

When the need for processing your personal data ceases, we delete all personal data or, using appropriate technical measures, anonymize it for use exclusively for statistical purposes.

We collect and process personal data in accordance with our values and principles, this privacy policy, and applicable European and Croatian regulations on personal data protection.

This privacy policy applies equally to personal data in digital or electronic form and to personal data in printed (paper) form, whether it originates from a digital or electronic record.

Terms used in this privacy policy that carry gender-specific meanings apply equally to all genders.

Principles

When processing personal data, we adhere to the principles and rules established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

In processing personal data, we observe the obligation to maintain professional confidentiality as governed by the laws of the European Union and the Republic of Croatia.

We process personal data:

  • lawfully, fairly, and transparently;

  • for specific, explicitly defined, and lawful purposes;

  • using only accurate, up-to-date, adequate, and relevant data limited to the purpose of processing;

  • only as long as necessary to achieve the purpose of processing; and

  • protecting it against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Personal data of individuals under the age of 16 is processed only with the consent of a parent or guardian and only to the extent and scope for which consent has been given.

Confidentiality and Security

We handle all personal data with confidentiality, ensuring an appropriate level of security and protection. Under no circumstances do we collect, process, or use personal data in an unauthorized manner.

The employees of Sustav de Ruche d.o.o. treat personal data as a business secret, even after their employment has ended.

Employees of Sustav de Ruche d.o.o. process only the data they are authorized to access, in the manner and within the scope of their authorization, and solely for the purpose for which the data was collected or is being processed.

In handling personal data, we adhere to the "need-to-know" principle to ensure that only authorized employees have access to specific personal data and only for a defined period.

Before introducing new technologies that may be used for personal data processing, we conduct a thorough analysis and adjust technical and organizational measures to ensure compliance with the highest standards of personal data protection.

Guidelines for Employee Conduct

Employees of Sustav de Ruche d.o.o. adhere to this privacy policy and applicable regulations regarding personal data protection in their daily work.

Access to personal data is granted exclusively to employees of Sustav de Ruche d.o.o. who require such access to perform their job duties or complete assigned tasks. Personal data is not shared informally among employees. Instead, every access must be requested from the person responsible for the specific task or the one who issued the assignment.

Sustav de Ruche d.o.o. organizes training sessions at least once a year or otherwise educates its employees about their obligations and the regulations related to personal data protection. It also ensures the application of best practices for data protection in line with recommendations from the Croatian Personal Data Protection Agency and other relevant bodies within the European Union and Croatia.

Employees take appropriate organizational and technical measures to minimize risks to personal data as much as possible, particularly:

  • Using strong passwords known only to them and not sharing them with third parties.

  • Regularly verifying the accuracy and relevance of personal data. If personal data is no longer needed or cannot be updated, it is deleted or anonymized.

  • Locking computers used for personal data when left unattended.

  • Ensuring that personal data they access is not disclosed to or shared with unauthorized persons, regardless of whether they are employees of Sustav de Ruche d.o.o. or external parties.

  • Seeking advice or assistance from the responsible person when in doubt about any aspect of personal data protection.

Data Storage

We pay close attention to how data is stored, whether in paper, digital, electronic, or other forms.

Personal data stored on paper, whether printed from digital or electronic formats:

  • When not in use, it is kept in a locked drawer or filing cabinet accessible only to authorized personnel.

  • All employees are responsible for ensuring such documents are not left in visible places where unauthorized persons could access the personal data.

  • When no longer needed, documents are destroyed using a shredder or another technically acceptable method and are properly disposed of.

Personal data stored in digital or electronic form is protected against unauthorized access, accidental alteration or deletion, or unauthorized system intrusions:

  • By using strong passwords that are regularly updated, known only to authorized personnel, and not shared with third parties.

  • If personal data is stored on portable media (e.g., CD, DVD, USB stick, external HDD), such media is stored in a secure location accessible only to authorized personnel.

  • Data is stored exclusively on official media and servers or in selected cloud services that implement appropriate organizational and technical protection measures.

  • Servers containing personal data are located in secure locations accessible only to authorized personnel.

  • Regular data backups are performed to ensure the integrity, accuracy, and completeness of the data, in accordance with this privacy policy and applicable personal data protection regulations.

  • Personal data will not be directly stored on mobile devices (e.g., tablets, smartphones) unless necessary for contract execution or agreed-upon services, and only for the duration and scope required.

  • Employees do not store personal data on their personal computers or other personal devices or media that they use or may use for work purposes.

  • All servers and computers containing personal data are protected with appropriate technical measures, such as encryption programs, firewalls, and similar safeguards.

Data Processing

We process all personal data lawfully, adhering to the conditions, principles, and standards of the General Data Protection Regulation (GDPR) and national legislation. Processing is primarily based on explicit consent, the execution of contractual obligations, or compliance with legal requirements.

We do not process special categories of personal data unless it involves employee data for which employees have provided explicit consent, or which is processed to protect and fulfill employee rights and interests in the areas of labor law, social security, and social protection.

Sustav de Ruche d.o.o. does not use automated processing of personal data, including profiling, to make decisions that produce or could produce legal effects concerning the data subject or otherwise significantly affect their rights.

We ensure that personal data is primarily collected directly from the data subject. When collecting personal data, the data subject is always informed of the reason, purpose, and legal basis for the processing.

For every transfer of personal data, we apply appropriate protective measures that match the category of personal data and the risks associated with such categorization, considering the specifics of each individual transfer case.

Personal data may be transmitted digitally or electronically with the implementation of appropriate security measures, taking into account technical capabilities, data categories, and risk assessment. Special measures are taken to prevent unauthorized access to personal data.

Your data will never be disclosed to third parties without your explicit request and clearly given, unambiguous, and specifically defined consent.

Exceptionally, we may disclose your personal data to relevant international, state, and public authorities if it is necessary to fulfill legal obligations, protect your vital interests, or the vital interests of other individuals. Additionally, upon court request and for judicial proceedings (regardless of the stage of the process), we may disclose your personal data to the extent and within the limits of the judicial order.

When Sustav de Ruche d.o.o. acts as a data processor on behalf of a data controller, we guarantee the implementation of appropriate technical and organizational measures in accordance with the GDPR and this privacy policy, ensuring the protection of the data subject's rights.

Such data processing is governed by a written contract or another legal act in accordance with EU or Croatian law, defining the subject and duration of the processing, the nature and purpose of the processing, the type of personal data, and the categories of data subjects, as well as the controller’s obligations and rights.

In this capacity, Sustav de Ruche d.o.o. processes personal data only under the explicit and clearly defined instructions or orders of the data controller. We do not process personal data independently, even if we have access to it, unless explicitly requested by the data controller, and even then, only in the manner and scope requested.

The same principle applies when providing services such as maintaining or updating websites, applications, or other systems that may contain personal data.

By using technical protection methods, such as encryption, and adhering to this privacy policy, we ensure that our employees do not access or otherwise come into contact with personal data unless necessary for providing the agreed service.

International Transfer of Personal Data

We do not transfer personal data to third countries or international organizations (international transfer) except in exceptional, legally prescribed cases or at your explicit request with clearly provided, unambiguous, and specific consent.

Any transfer of personal data to a third country or international organization is based solely on:

  • A list of countries and international organizations ensuring an adequate level of protection, in accordance with a publicly published decision by the European Commission.

  • Appropriate safeguards, such as binding corporate rules, instruments of public authorities, or approved codes of conduct accompanied by binding and enforceable commitments by the data controller or processor in the third country to apply appropriate safeguards consistently.

  • The availability of adequate institutional and legal protection for data subjects in the third country.

Any court judgments or decisions by administrative authorities in third countries requiring the transfer or disclosure of personal data do not bind us, nor will we comply with them unless they are based on an international agreement binding on the Republic of Croatia, such as a mutual legal assistance treaty.

Accuracy and Updating of Personal Data

The accuracy and currency of personal data are of utmost importance for achieving the purpose of processing and for safeguarding your rights and the protection of personal data. We implement appropriate technical and organizational measures to ensure the accuracy and currency of personal data, tailored to their category and significance for the purpose of processing.

Employees of Sustav de Ruche d.o.o. take reasonable, proportional, and justified steps in their daily work to ensure that the personal data they process is as accurate and up-to-date as possible.

To maintain accuracy and currency, personal data will be stored in as few locations as possible (only where necessary), and employees will not create or use unnecessary copies, additional databases, datasets, or other means of grouping personal data.

Sustav de Ruche d.o.o. ensures that data subjects can update their personal data in a simple and accessible manner, using best practice examples.

If, during the processing or use of personal data, it is determined that certain data is inaccurate or outdated and cannot be updated, or if such updating would involve disproportionate efforts or costs, such data will be deleted.

Retention and Deletion of Personal Data

In accordance with the principles of our privacy policy, we process your personal data only as long as necessary to fulfill the purpose of processing or as required by law or regulations. Once the data is no longer needed, we delete or anonymize it.

If we cannot determine a specific retention period, personal data is retained indefinitely or until deletion, with access restricted exclusively to authorized personnel.

We conduct biannual reviews and audits of the personal data we process to ensure that any data for which the purpose has been fulfilled, or that is no longer needed, is deleted or anonymized. This process is particularly relevant for data retained indefinitely or until deletion.

The review is performed by an authorized employee, who is required to prepare a report and provide recommendations if personal data is identified that no longer has a valid retention purpose.

Exceptionally, we may retain your personal data for longer periods if necessary to comply with a court order or directive from an authorized body, to fulfill legal obligations, or to protect your vital interests or those of other individuals.

Exercising Data Subject Rights

The rights of data subjects whose personal data we process are of utmost importance to Sustav de Ruche d.o.o. We take the exercise of these rights very seriously, adhering to the requirements of the General Data Protection Regulation (GDPR) and the principles of this privacy policy.

For clarity and ease of understanding, the overview of your rights in this policy is simplified. However, GDPR and national legislation provide detailed guidelines on the procedures for exercising these rights. We recommend that you familiarize yourself with the relevant regulations for a comprehensive description of your rights and how to exercise them.

Data subjects have the right to confirm whether their personal data is being processed. If processing is taking place, they may request access to their personal data, along with information on the purpose of processing, the categories of personal data involved, and any recipients to whom the data has been or will be disclosed (based on valid legal grounds).

Data subjects have the right to request the correction or deletion of their personal data or to restrict the processing of their personal data.

If an application or product developed by us uses third-party software or applications:

  • If registration or login is required to use such third-party software or applications, you should contact the manufacturer of that software or application to exercise your rights.

  • If the use of such third-party software or applications does not require registration or login, you can contact us for assistance in exercising your rights.

The exercise of data subject rights with Sustav de Ruche d.o.o. does not affect your right to contact the Croatian Personal Data Protection Agency at Selska cesta 136, Zagreb.

You may withdraw your consent at any time in a simple and transparent manner and request that we stop processing your personal data for marketing and promotional purposes.

Additionally, you can request the deletion of your personal data without undue delay if:

  • The personal data is no longer necessary for the purposes for which it was collected, or

  • The data must be deleted to comply with EU or Croatian regulations.

If you believe that your personal data is not being handled appropriately or suspect that its processing violates GDPR or national legislation, you have the right to contact the Croatian Personal Data Protection Agency.

This privacy policy is updated as necessary, at least once a year, to reflect best practices and developments in the field of data protection.

Zagreb, January 1st, 2025.