Data Protection Notice

Data protection notice

 DATA PROTECTION NOTICE FOR DATA SUBJECTS

1.    INTRODUCTORY - WHAT IS THE DATA PROTECTION NOTICE AND WHICH DATA SUBJECTS DOES IT APPLY TO?

    1.1.    Personal data are all data relating to an individual whose identity has been or can be established (hereinafter: the Data Subject), whereby an individual whose identity can be established is a person who can be identified, whether directly or indirectly, in particular by means of an identifier (e.g. name , identification number).

    1.2.    In the course of its business, the company RETURN TO BUSINESS d.o.o. za poslovne usluge, PIN: 41614576274, Selska cesta 90/A, Zagreb (hereinafter: Company), whose primary activity is the repurchase and collection of overdue receivables, processes personal data of various categories of Data Subjects.

    1.3.    The company processes the personal data of Data Subjects in accordance with all applicable regulations on personal data protection, primarily in the manner prescribed by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter: Regulation) and the Act on Implementation of General Data Protection Regulation (Official Gazette No. 42/2018; hereinafter: the Act).

    1.4.    The Data Subject’s Data Protection Notice Data Subject (hereinafter: the Notice) and the Data Subjects to which the Notice relates provides information: 

            a)    on the identity and contact details of the Company;
            b)    on the manner of collecting personal data;
            c)    on the categories of personal data in question;
            d)    on the purposes of processing personal data as well as on the legal basis for processing;
            e)    on the legitimate interests of the Company or third parties for the processing of personal data;  
            f)    on the period in which the personal data will be stored or, if this is not possible, the criteria by which that period was determined; 
            g)    on the recipients of personal data; 
            h)    on the transfer of personal data to third countries or international organizations;
            i)    on the rights of Data Subjects; 
            j)    on the sources of personal data;
            k)    on the security of personal data.

    1.5.    This Notice applies to the following categories of Data Subjects:

            a)    previous, current and potential clients of the Company, 
            b)    previous, current and potential opposing parties, witnesses, experts and other persons whose personal data need to be processed in connection with the proceedings in which the Company takes part, 
            c)    previous, current and potential external associates of the Company,
            d)    previous, current and potential business partners of the Company and employees of the business partners of the Company,
            e)    judicial and other officials, civil servants and employee of the court,
            f)    debtors of the Company or other natural persons (e.g. co-debtors, guarantors, pledge debtors, etc.) from whom the Company collects receivables on the basis of appropriate legal grounds,
            g)    third parties who settle debts in the name and on behalf of the Company's debtors,
            h)    natural persons/candidates who apply for vacancies in the Company or who are contacted by the Company or who contact the Company themselves for employment opportunities,
            i)    natural persons, legal representatives or company owners in accordance with special regulations (e.g.  the Prevention of Money Laundering and Terrorist Financing Law).
            j)    all other Data Subjects whose personal data are processed by the Company for the purpose of lawful processing, and who are not employees of the Company.

    1.6.    The terms used in this Notice have the same meaning as in the Regulation, unless otherwise expressly provided for in this Notice.

2.    IDENTITY AND CONTACT DATA OF THE COMPANY - WHO IS PROCESSING PERSONAL DATA?

    2.1.    As a rule, the Company processes personal data as the controller (primarily personal data of persons with whom the Company has an obligatory legal relationship); independently determining the purposes and means of personal data processing. 

    2.2.    As an exception, the Company may perform processing as:

            a)    the processor - if the purpose and means of processing have been determined by another controller 
            or
            b)    joint controllers - if the purpose and means of processing have been determined by the Company jointly with another processor

    2.3.    This Notice applies to any processing of personal data performed by the Company in relation to any Data Subject, regardless of whether the Company is the controller, the processor or the joint controller in relation to a particular processing of personal data.

    2.4.    The identification and contact details of the Company are as follows:

            a)    Company name: RETURN TO BUSINESS d.o.o. za poslovne usluge;
            b)    Address: Selska cesta 90/A, 10 000 Zagreb;
            c)    Telephone: +385 1 6189 513;
            d)    Fax: +385 1 6189 517;
            e)    E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.;
            f)    Website: www.r2b.hr.

    2.5.    For all and any questions that the Data Subject may have regarding this Notice or regarding the processing of personal data to which the Notice applies, the Data Subject may contact the Company via the above contact information. 

3.    CATEGORIES OF PERSONAL DATA - WHICH DATA IS PROCESSED?

    3.1.    For the purposes stated below in this Notice, the Company processes the following personal data of the Data Subjects from item 1.5. of the Notice:

            a)    identification data on the basis of which the identity of the Data Subject can be established and verified, such as, but not limited to: name and surname, date of birth, personal identification number, identity card number, passport number, scans of identification documents and the like;
            b)    contact details such as, but not limited to: telephone number, e-mail address, permanent and/or habitual residence address, mobile phone number, contact details of the Data Subject's employer and/or the company in which the Data Subject is a member and/or member of the body and/or any other information that enables and/or facilitates contact with the Data Subject and the like;
            c)    data regarding legal affairs of the Data Subject such as, for example, but not limited to: data on legal transactions in which the Data Subject is a party or otherwise relates to the Data Subject, addresses of legal parties, date of conclusion, place of a conclusion, rights and obligations arising from legal affairs and the like;
            d)    data on the assets of the Data Subjects, such as, but not limited to: data on the real estate of the Data Subjects, data on bank accounts, movables, creditworthiness and liquidity of the Data Subjects, data on the origin of the assets and the like; 
            e)    information on judicial, extrajudicial, administrative and other proceedings in which the Data Subject is a party, interested person, expert witness, witness, regulating judge, presiding judge, or in any other way related to the Data Subject such as, for example, but not limited to: information on the reg. number of the proceedings, the parties to the proceedings, the subject matter of the proceedings, the court, the public body and/or any other person before whom the proceedings are being conducted and the like;
            f)    other data related to the purpose for which the Company processes the personal data of the Data Subjects, such as, but not limited to: data on the family and/or business partners of the Data Subjects, employment, social status, and status of the Data Subjects and the like.

    3.2.    The company may process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and may process genetic data, biometric data for the purpose of uniquely identifying an individual, health-related data, or data on the sexual activity or orientation of the individual, if this processing is necessary for the establishment, realization or defense of legal claims of Data Subjects and/or third parties and in all other prescribed cases.

    3.3.    The Company will store personal data in a way that ensures that the personal data is accurate, complete, and up to date. The personal data that are processed are limited to what is necessary to achieve the purposes for which they are processed.

4.    PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING - HOW, WHY AND ON WHAT BASIS ARE DATA PROCESSED? 

    4.1.    The Company processes personal data in accordance with applicable laws and regulations and only for special, explicit, and lawful purposes.

    4.2.    The Data Subject' personal data are processed for the following purposes and on the basis of the following legal grounds:

           

PURPOSE OF PROCESSING

LEGAL BASIS

performance of the contract concluded by the Company with the party

performance of contracts/legitimate interests/compliance with legal obligations

analysis of the financial condition of the Data Subjects and sources of income in order to be able to determine the conditions for debt repayment that correspond to the individual situation of the Data Subjects

performance of contracts/legitimate interests/compliance with legal obligations

conducting legal (court) proceedings for the collection of receivables (e.g. enforcement, consumer bankruptcy proceedings, initiating and/or entering into other legal proceedings to protect our rights) and finding favorable solutions for all parties involved, which leads to the settlement of the debts of Data Subjects

performance of contracts/legitimate interests/compliance with legal obligations

performance of the business cooperation agreement concluded by the Company with the business partner and/or external associate

performance of contracts/legitimate interests/compliance with legal obligations

acting in accordance with the order of the court and/or public body, processing of data requested by public bodies and other entities

performance of contracts/legitimate interests/compliance with legal obligations

verification of the identity and/or property of the Data Subjects and processing necessary to meet all legal, professional and other obligations related to the activities of the Company

performance of contracts/legitimate interests/compliance with legal obligations

keeping archives, statistical and other records of the Company

legitimate interests/compliance with legal obligations

assessment of whether the Company will establish a contractual relationship or conclude a transaction (e.g. assessment of the risk associated with the conclusion of a contract of sale, submission of bids / participation in the auction procedure) including checks to prevent money laundering, terrorist financing and fraud

performance of contracts/legitimate interests/compliance with legal obligations

operational reasons, such as increasing efficiency, employee education, quality control and the like

legitimate interests


    4.3.    The legitimate interest of the Company for the processing of personal data is, as a rule, the improvement of the regular operations of the Company.

    4.4.    The legitimate interest of third parties in the processing of personal data carried out by the Company is, as a rule, the setting, realization or defense of claims against Data Subjects.

    4.5.    Personal data processed by the Company may be processed for the purpose of a legitimate interest except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

    4.6.    The company uses the consent of the Data Subjects as a legal basis for processing only in exceptional cases, if there is no other legal basis on which personal data are processed, and there is a need for personal data processing. If the processing is based on consent and the Company has requested the consent of the Data Subjects, the consent will state the categories of personal data and the purpose for which they are processed.

    4.7.    In the Company, decisions that produce legal effects relating to the Data Subjects, or that significantly affect the Data Subject in a similar way, are not made automatically or based solely on automated processing, including profiling. 

    4.8.    As a rule, the Company will not process personal data for purposes other than the purposes for which the data were originally collected. Such processing is possible only exceptionally in the case of: 

            a)    additional processing being consistent with the purposes for which the personal data were originally collected, and prior to that additional processing the Data Subject was provided with information regarding the other purpose and all other relevant information in accordance with applicable personal data protection regulations; 
            or
            b)    the Data Subject giving express prior consent for further processing.

5.    PERSONAL DATA STORAGE PERIOD - HOW LONG ARE THE DATA STORED?

    5.1.    As a rule, the Company retains the personal data of Data Subjects for up to 10 years after the termination of the relationship on the basis of and/or in connection with which the data were collected, taking into account regulations governing the Company, tax regulations, regulations governing the prevention of money laundering and terrorist financing, as well as limitation periods according to the regulations governing obligatory legal relations. In the case of data processing for accounting purposes, the data of the Data Subjects will be stored for at least 11 years, in accordance with the legal regulations on accounting.

    5.2.    Depending on the type of personal data and the purpose for which it is collected, the Company may retain personal data for longer than specified in the previous point of this Notice. 

    5.3.    In any case, the Company will not keep the personal data of a Data Subject longer than necessary to fulfill the purpose for which the personal data are processed.

    5.4.    After fulfilling the purpose for which personal data are processed, the Company will erase and/or destroy personal data.

6.    CATEGORIES OF RECIPIENTS - TO WHOM IS PERSONAL DATA DISCLOSED?

    6.1.    Recipients of personal data processed by the Company in accordance with this Notice are, as a rule: 

        a)    employees of the Company and other persons performing work for the Company;
        b)    creditors from whom the Company acquired a claim against the Data Subject;
        c)    the accounting service of the Company;
        d)    the Bank of the Company;
        e)    service providers that help the Company improve services or develop, implement or manage business systems, infrastructure or operational processes (for example, auditors, consultants, analysts, etc.);
        f)    persons who maintain the technical and organizational systems of the Company (information technology (IT) experts, etc.);
        g)    external associates and business partners of the Company, especially business partners of the Company to whom the Company assigns receivables towards Data Subjects;
        h)    courts, attorneys, notaries, administrative, judicial and other public and/or supervisory bodies;
        i)    expert witnesses and other experts;
        j)    other legal and natural persons to whom personal data needs to be disclosed in order to achieve the purpose for which personal data is processed and/or on the basis of contracts and/or regulations.

    6.2.    The Company will provide personal data to recipients, i.e. provide access to personal data only when necessary, with appropriate personal data protection measures in accordance with the Company's policies and applicable regulations governing the protection of personal data. In this case, the delivery of personal data or access to personal data will be limited only to personal data that are necessary to achieve the purpose for which the data is provided or for which access is allowed.

7.    TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

    7.1.    As a rule, the Company will process personal data exclusively in the Member States of the European Union (EU) and/or in the Member States of the European Economic Area (EEA). 

    7.2.    Exceptionally, the Company may transfer personal data from the countries where the data were originally collected to third countries or international organizations, if necessary. 

    7.3.    The transfer of personal data to a third country or international organization shall not be permitted if it does not comply with the special conditions laid down in the provisions of Articles 44 – 50 of the Regulation and/or any provisions of other regulations governing the protection of personal data. 

8.    DATA SUBJECTS' RIGHTS - THE CONTENTS OF THE RIGHTS AND HOW THEY ARE EXERCISED

    8.1.    In connection with the processing of personal data performed by the Company, the Data Subject may exercise the following rights:

    

The right of access

The Data Subject has the right to access personal data, the right to one free copy of the personal data being processed, and the right to access the following information regarding:

-     the purpose of processing;

-     the categories of personal data in question;

-     the recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

-     if possible, the intended period during which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

-     the existence of the right to request the Company to correct or delete personal data or to restrict the processing of personal data relating to the Data Subject or the right to object to such processing;

-     the right to lodge a complaint with the supervisory authority;

-     any available information on the source of personal data, if personal data are not collected from Data Subjects;

-     the existence of automated decision-making, which includes profiling and, at least in these cases, meaningful information on the logic involved, as well as the importance and foreseeable consequences of such processing for the Data Subject.

 

For each additional copy of personal data requested by the Data Subject when exercising his/her right of access, the Company will charge the Data Subject a fee of administrative costs in the amount of HRK 100.00, which should be increased by the corresponding amount of value added tax (VAT) on the date of invoice. The administrative costs of making an additional copy include:

-         the time spent by the Company's employees or other persons authorized to process personal data performed by the Company;

-         material costs of making additional copies.

The right to rectification

The Data Subject has the right to, without undue delay, obtain a correction or supplement to inaccurate, incomplete, or out-of-date personal data relating to him/her.

The right to erasure (“the right to be forgotten”)

The Data Subject has the right to obtain the erasure of personal data relating to him without undue delay in the following cases:

-      if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

-      if the Data Subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;

-      if the Data Subject objects to the processing in the manner described below;

-      if the personal data of the Data Subjects have been illegally processed;

-      if the personal data of the Data Subjects must be deleted in order to comply with the legal obligation under the rights of the European Union or the laws of the Republic of Croatia;

-      if personal data has been collected in connection with the provision of information company services to a child.

 

However, the Company may refuse to erase personal data if the processing of such data is necessary:

-        in order to exercise the right to freedom of expression and information;

or

-        to comply with a legal obligation requiring processing within the law of the European Union or the laws of the Republic of Croatia or to achieve purposes in the public interest;

or

-        for the purposes of public interest in the field of public health, for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes;

or

-           for the purpose of setting, realizing or defending legal claims.

Right to restriction of processing

The Data Subject has the right to restrict the processing of personal data in the following cases:

-        if it disputes the accuracy of the personal data being processed, for a limited period of time allowing the Company to verify the accuracy of the personal data;

-         if the processing is illegal and the Data Subject objects to the erasure of personal data and instead requests a restriction on their use;

-         if the Company no longer needs personal data for the purposes of processing, but the Data Subject requests them in order to set, realize or defend legal claims;

-         if the Data Subject objects to the processing pending confirmation as to whether the legitimate reasons of the Company outweigh the reasons of the Data Subject.

If the Data Subject exercises the right to a restriction of processing, s/he will be notified before the processing restriction is lifted.

The right to object

As a rule, the Data Subject has the right to object to the processing of his/her personal data at any time by stating justifiable reasons for it relating to his/her particular case.

 

If such an objection is justified, the Company will no longer process the personal data in question, unless it proves that there are compelling legitimate reasons for processing that go beyond the interests, rights and freedoms of Data Subjects or that processing is necessary to establish, exercise or defend legal claims.

Right to data portability

 

The Data Subject has the right to receive personal data relating to him/her, which s/he provided to the Company in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller in the following cases:

-      if the processing is based on the consent of the Data Subject or on a contract in which the Data Subject is a party

-      if the processing is carried out by automated means.

 

When exercising his/her rights to data portability in accordance with the above, the Data Subject has the right to request a direct transfer from the Company to another controller, if technically feasible.

 

However, the Company may reject a Data Subject's request to exercise the right to data portability if the processing in question is necessary to perform a task in the public interest or if fulfilling such a request could adversely affect the rights and freedoms of others.

The right to withdraw consent

If the processing of personal data is based on the consent of the Data Subject, the Data Subject has the right to withdraw his/her consent at any time. In doing so, the withdrawal of the consent does not affect the lawfulness of the processing based on the consent before it was withdrawn.

The right to lodge a complaint with the supervisory authority

The Data Subject has the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of the European Union in which s/he has a habitual residence, in which his/her place of work or the place of the alleged breach of personal data protection rules is located.

 

The supervisory authority in the Republic of Croatia is the Personal Data Protection Agency (AZOP). AZOP's contact details are available on AZOP's website at www.azop.hr.


    8.2.    The Data Subject can exercise all of the above rights by submitting a written request to the Company to exercise the rights via an e-mail to the address: This email address is being protected from spambots. You need JavaScript enabled to view it., whereby it is necessary to submit the following alongside the request:

            a)    identification data of the Data Subject in order for the Company to be able to identify him/her (e.g. name and surname, personal identification number and address, etc.);
            b)    proof of the identity and address of the Data Subject (e.g. scan of an ID card, passport, etc.);
            c)    information on which of the aforementioned rights the Data Subject wishes to exercise;
            d)    other information that the Company needs to fulfill the Data Subject's request, depending on which right the Data Subject wants to exercise and in what way.

9.    SOURCES OF PERSONAL DATA - HOW ARE PERSONAL DATA COLLECTED?

    9.1.    The company usually collects personal data of Data Subjects in the following ways:

            a)    directly from the Data Subjects or, in certain cases, from other persons, primarily related to the collection of receivables and the return of any overpaid amounts; 
            b)    from publicly available sources and services such as the court register, land registry system, e-Court Notice Board and other websites and the like;
            c)    from courts, administrative and other public bodies as well as third parties that process Data Subject 'data such as the employer and/or the bank of the Data Subject, his/her advisors, experts, doctors, other professionals and the like;
            d)    from business partners and external associates of the Company who perform the activity of collecting and processing personal data;  
            e)    from banks, credit institutions and other financial institutions with which Data Subjects have concluded a loan agreement and/or a contract related to another financial/banking service, and which have assigned their claims to the Company;
            f)    from persons authorized to communicate with the Company in the name and on behalf of the Data Subjects (e.g. attorneys);
            g)    from public institutions and government authorities or other persons or persons performing a service in the public interest (such as a notary public);
            h)    using publications and databases that are publicly available or based on a contractual relationship (external sources), to ensure continuous updating of the Company's data on the Data Subjects or to enable the Company to assess the ability to repay receivables. External sources include public institutions and government authorities, public registers, electronic databases, information available on social media and on the Internet;
            i)    when you access the Company's website, records of the visit are automatically created. These records usually include the IP address, upload number, website from which the Data Subject is logging in, and other information. More information under item 11 of this Notice [title - COOKIES). ].
            j)    from other sources available to the Company, when necessary for the purpose for which personal data are collected; 

    all in accordance with applicable regulations governing the protection of personal data.

10.    SECURITY OF PERSONAL DATA - WHERE AND HOW IS DATA STORED?

    10.1.    As a rule, the Company processes the personal data of the Data Subjects in printed and/or electronic form and stores them in an appropriate manner in the Company's business premises.

    10.2.    The Company, to the possible, reasonable and necessary extent, by special rules, requirements, decisions, policies, procedures, and in other similar ways, prescribes and implements appropriate technical and organizational measures to ensure an appropriate level of safety with respect to risk. In doing so, the Company takes into account the latest achievements, implementation costs and the nature, scope, context and purposes of personal data processing, as well as the risk of different levels of probability and seriousness for the rights and freedoms of the Data Subjects.

    10.3.    The Company has prescribed procedures for dealing with personal data breaches and will act in accordance with applicable regulations governing the protection of personal data in the event of personal data breaches. 

11.    COOKIES 

    11.1.    In order to maintain its website and ensure its functionality, the Company uses a type of technology known as "cookies".

    11.2.    Cookies are small files that the Company sends to the Data Subject' computer and to which it gains access.

    11.3.    Cookies can be temporary or permanent and use, among others, JavaScript or Flash technology. 

    11.4.    With the help of cookies from the Company's website, the Data Subject is able to use the website, and the Company obtains statistical information that shows the Company what is of interest to Data Subjects who visit the Company's website, which allows the Company to improve the use of the Company's website.

    11.5.    The types of cookies used on the Company's website are:

            a)    strictly necessary cookies - are necessary to technically ensure the efficient operation of the website; 
            b)    tracking cookies - statistical cookies that collect information on how the Data Subject uses the Company's websites such as Google Analytics cookies and the like;

    11.6.    The Company's website communicates with cookies stored on the Data Subject's computer when the Data Subject visits the Company's website.

    11.7.    Data processing via cookies is done solely on the basis of consent. By visiting the website and agreeing to the use of cookies, the Data Subject consents to the collection of data via cookies. If the Data Subject wishes to give or withdraw consent to the use of cookies, s/he can do so by selecting the appropriate settings in his/her browser. However, some of the functions of the Company's website may not work without cookies.

    11.8.    If the Data Subject wants to delete cookies that are already on his/her computer, s/he can do so through his/her browser (e.g.  Firefox, Chrome, Edge, Internet Explorer, etc.) by following the instructions of the browser s/he uses, and Data Subjects are advised to check their browser documentation to achieve this. 

12.    ENTRY INTO FORCE AND CHANGES TO THE NOTICE

    12.1.    This Notice shall enter into force and apply from May 25, 2018, and it is available on the Company's website at www.r2b.hr.

    12.2.    The Company may unilaterally amend and/or supplement this Notice in any way, and the current version of the Notice will always be published on the Company's website. 

In Zagreb May 25, 2018
RETURN TO BUSINESS d.o.o. za poslovne usluge