Regulations on the collection, processing, use, and protection of 

personal data of natural persons

Pursuant to the Law on the Implementation of the General Regulation on Data Protection and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such dana, and accordant to the Decision on the Implementation of the General Regulation on Data Protection,

Q Experience d.o.o. with its registered office at Palmotićeva 45, 10 000 Zagreb, brings:

REGULATIONS ON THE COLLECTION, PROCESSING AND USE, AND PROTECTION OF PERSONAL DATA OF INDIVIDUALS

Article 1

Q Experience, a limited liability company for services based in Palmotićeva 45, 10 000 Zagreb, and (later in text: Q Experience d.o.o.) pursuant to the Law on the Implementation of the General Regulation on Data Protection and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 is the Head of Personal Data Processing, and is obliged to supervise the collection, processing, use and protection of personal data of all natural persons whose data it takes and uses and processes.

Article 2

Pursuant to the Act Implementing the General Data Protection Regulation and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016, Q Experience d.o.o. keeps records of processing activities for which it is responsible. These records contain the following information:

a) Name and contact details of the processing manager
b) Contact person
c) Respondents category description
d) Personal dana category
e) The recipients category to whom personal data have been or will be disclosed, including recipients in third countries, or international organizations
f) Deadlines for deleting different categories of data
g) Description of organizational and technical measures

Processing Manager Q Experience d.o.o. keeps records of processing activities (Article 30) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016.

The list of established records on processing activities can be found at the end of the Regulations and it is an integral part of the Regulations on collection, processing and use. and the protection of personal data of natural persons.

Article 3

Name of the processing manager – records of processing activities and its registered office, that is the address:

Q Experience d.o.o. with its registered office at Palmotićeva 45, 10 000 Zagreb

Article 4

Purpose of processing

Personal data is collected for the purpose of fulfilling the legal obligations of Q Experience d.o.o.

Article 5

Legal basis for establishing records of processing activities

The legal basis for the establishment of records on personal data processing activities derives from the law.

Article 6

Method of data collection and storage

Personal data of respondents – employees, clients, external associates, business partners and all other individuals in Q Experience d.o.o. may be collected and further processed if the principles that personal data are:

a) Legally, fairly, transparently processed with respect to the respondent

b) Collected for special, explicit and lawful purposes and may not be further processed in a manner inconsistent with those purposes

c) Appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed

d) Accurate and updated as necessary

e) Kept in a form that allows the identification of respondents only for as long as necessary for the purposes for which personal data are processed; personal data may be stored for longer periods if the personal data are to be processed exclusively for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1), subject to appropriate technical and organizational measures prescribed by the Decree for the protection of the rights and freedoms of the respondents

f) Processing in such a way as to ensure adequate security of personal data, including protection against unauthorized and unlawful processing and against accidental loss, destruction or damage by the application of appropriate technical or organizational measures

g) Processing Manager Q Experience d.o.o. is responsible for compliance

 

Article 7

Legality of processing

Processing of personal data in Q Experience d.o.o. is lawful only if and to the extent that it meets at least one of the following:

a) The respondent has given consent to the processing of his data for one or more special purposes

b) Processing is necessary for the execution of the contract to which the respondent is a party or in order to take action at the request of the respondent before concluding the contract

c) Processing is necessary in order to comply with the legal obligations of the processing manager

d) Processing is necessary to protect the interests of the respondent or other natural person

e) There is a legitimate interest in Q Experience d.o.o. provided that this does not seriously violate the fundamental rights and freedoms of the individual (respondent) whose data are processed. If the rights of the person whose data should be processed, have an advantage over the interests of the company, processing cannot be carried out.

 

Article 8

Respondents’ right to access data

The respondent is entitled to receive a confirmation from the processing manager of Q Experience d.o.o. as to whether personal data relating to him are being processed and, if such personal data are being processed, access to personal data and the following information on:

a) Purposes of processing

b) Personal dana category in question

c) Recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations

d) If possible, the determined period in which the personal data will be stored or this is not possible by the use criteria for determining that period

e) The existence of the right of the controller to retain the correction or deletion of personal data or the restriction of the processing of personal data relating to the respondent or the right to object to such processing

f) The right to lodge a complaint with the supervisory authority

g) If personal data are not collected from respondents, any available information about their source

If personal data are transferred to a third country or international organization, the respondent has the right to be informed of the appropriate safeguards relating to the transfer. Processing Manager Q Experience d.o.o. provides a copy of the personal data being processed. For any additional copies requested by the respondent, the processing manager may charge a reasonable fee based on administrative costs. If the respondent submits the request electronically and unless the respondent requests otherwise, the information shall be provided in the usual electronic form. The right to obtain a copy must not adversely affect the rights and freedoms of others.

Article 9

Right to correction

The respondent has the right to obtain from the processing manager Q Experience d.o.o. without undue delay. correction of inaccurate data relating to it. Taking into account the purposes of processing, the respondent has the right to supplement incomplete personal data, including giving an additional statement.

 

Article 10

Q Experience d.o.o. is obliged, no later than within 30 days from the submission of the request, to answer each respondent at his request, or to his legal representatives or warrantees:

Provide confirmation of whether personal data relating to him is being processed or not

Provide insight into the records of personal data and insight into personal data contained in the records of personal data related to it and their transcription

Submit excerpts, certificates or printouts of personal data contained in the records of personal data relating to him, which must contain an indication of the purpose and legal basis for the collection, processing and use of such data

Provide a printout of data on who and for what purposes and on what legal basis received the use of personal data relating to him

 

Article 11

Right to delete (“right to forget”)

The respondent is entitled to the processing manager Q Experience d.o.o. obtain the deletion of personal data relating to him without undue delay and the controller has the obligation to delete personal data without undue delay if one of the following conditions is met:

a) Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

b) The respondent withdraws the consent on which the processing is based

c) The respondent objects to the processing under REGULATION (EU) 2017/679 Article 21 (1) and the legitimate reasons for the processing do not become stronger or the respondent objects to the processing in accordance with Article 21 (2).

d) Personal data has been processed illegally

e) Personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Republic of Croatia

f) Personal data is collected in connection with the offer of information society services

If the processing manager of Q Experience d.o.o. has publicly disclosed personal data and is obliged to delete that personal data, taking into account the available technology and the cost of implementation. The controller shall take reasonable measures, including technical measures, to inform the controllers processing the personal data that the respondent has requested those controllers to delete all links from them or a copy or reconstruction of that personal data.

Article 12

Right to portability

The respondent has the right to receive his personal data, which was previously provided to the processing manager of Q Experience d.o.o. , in a structured form and in a commonly used and machine-readable format, and has the right to transfer this data to another controller without interference by the controller to whom the personal data are provided, if the processing is carried out automatically and based on consent or contract.

 

Article 13

The right to oppose the making of individual automated decisions

The respondent has the right not to be subject to a decision based solely on automated processing, including the creation of a profile, which produces legal effects relating to him or similarly significantly affecting him, unless such a decision is necessary for the conclusion or execution a contract between the respondent and the controller, if permitted by EU or national law, which prescribes appropriate measures to protect the rights and freedoms and legitimate interests of the respondent or based on the explicit consent of the respondent.

Article 14

The right to object

The respondent has the right to file a complaint to the processing manager of Q Experience d.o.o. in the manner of processing their personal data, and to report to the Agency for Personal Data Protection (AZOP).

 

Article 15

These Regulations enter into force on the day of its adoption and will be published on the notice board and website of Q Experience d.o.o.

 

ESTABLISHED RECORDS OF PROCESSING ACTIVITIES

Pursuant to Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016, it is established that the processing manager of Q Experience d.o.o. keeps the following records of processing activities:

1. Records of candidates – self-initiated reporting for the purpose of employment

2. Records of forms-data for employee registration

3. Record of consent of workers-deliveries by e-mail

4. Records of permanent employees

5. Records of employees-students

6. Records of candidates and employees through agencies

7. Records of decisions-rights of workers

8. Records of working hours of workers

9. Records Consent of employees – publication of personal data

10. Salary calculation records

11. Records of calculation of other income

12. Records of travel orders of employees and calculation of travel orders

13. Records of workers-work schedule

14. Records of key employee performance indicators-KPIs

15. Records of the executor-Contract of work

16. Records of lessors-Lease agreement

17. Records Certificate-first aid

18. Records Certificate of training of workers to carry out evacuation and rescue measures

19. Records of the Certificate on the ability of workers to work in a safe manner

20. Records of workers’ knowledge tests – basics of safety at work

21. Video surveillance records

22. Access control records

Data records can be added, modified and deleted depending on business needs.

Q Experience d.o.o. at any time provides the right to access data, and the correction, addition or deletion of personal data upon written request sent to the e-mail address:
gdpr@heloo.com.

The list of established records is an integral part of the Ordinance on the collection, processing and use, and protection of personal data of natural persons.