Legal Terms

Notice on the Processing of Personal Data (“Notice”)

Legal Terms

Notice on the Processing of Personal Data (“Notice”)

Central Finance and Contracting Agency

Version 1, December 2020

Zagreb, Republic of Croatia

Introduction

This Notice was adopted by Central Finance and Contracting Agency with seat at the address Ulica grada Vukovara 284, 10 000 Zagreb, Croatian PIN (“OIB”) 11548277852 (hereinafter: “Agency”).

In case you have any inquiries on this Notice, or any other questions related to the collection, processing, and protection of your personal data, please contact Data Protection Officer via e-mail: .

Definitions

In order to fully comprehend and understand the Notice, please carefully read the definitions of the terms, further below:

General Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
personal data means any information relating to an identified or identifiable natural person (‘data subject’);
data subject is one who can be identified, directly or indirectly;
controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
joint controllers mean two or more controllers jointly determining the purposes and means of processing;
processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
recipient means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not;
supervisory authority means an independent public authority that is established by a Member State; in the Republic of Croatia, this is the Croatian Personal Data Agency (AZOP), Selska cesta 136, 10000 Zagreb, Croatia.

Data Subjects in the Procedure of Applying And/or Implementing a Project Financed by European Union Funds

In this part of the Notice, the information is provided relating to the persons having the role of data subjects during the application or implementation of the project financed by European Union funds.

Data subjects in this procedure may be project beneficiaries, responsible persons of the project beneficiaries, contact persons of the project beneficiaries, project team members, project partners, external service providers (suppliers) of the project beneficiary, and guarantee providers to the project beneficiary.

In the system of European funds, respectively in the Operational Programme “Competitiveness and Cohesion” the Agency is acting as intermediate body level 2.

The Agency and the Ministry of Regional Development and EU Funds (“Ministry”) are acting as joint controllers in relation to the data subjects in the application and/or implementation process of the project financed by European Union funds. Based on the applicable regulations and the specific agreement, part of the functions of the Ministry are delegated to the Agency which acts as intermediate body level 2 and performs certain processing of personal data in the accordance with delegated functions.

Since the Agency acts as intermediate body level 2, while performing the delegated functions the Agency is using the following information solutions owned by the Ministry: eFunds system and MIS system.

In case of need, the Agency and the Ministry inform, cooperate, and help each other in order to fulfil your request.

Project beneficiaries, responsible persons of the project beneficiaries, contact persons of the project beneficiaries, project team members, project partners, external service providers (suppliers) of the project beneficiary, and guarantee providers to the project beneficiary

In case you are the project beneficiaries, responsible persons of the project beneficiaries, contact persons of the project beneficiaries, project team members, project partners, external service providers (suppliers) of the project beneficiary, and guarantee providers to the project beneficiary, the Agency processes the personal data collected from you directly, or from the person fulfilling project application or being responsible for certain project activities.

In case you are the team member who submitted the project application or is maintaining the project activities, the Agency processes the personal data collected from you directly, or from the project beneficiary.

The Agency is processing the following categories of your personal data (categories and types of the personal data in relation to the specific data subject vary depending on the type of the data subject, so the categories and types of personal data listed below are listed as exemplary):

Identification data: e.g., name and surname, name of the carrier of the craft, personal identification number (Croatian PIN).
Location data: e.g., address (name of the street and number, post/zip code, city, country).
Contact data: e.g., telephone and/or mobile phone number, e-mail address, telefax number.
Financial data: data related to project funds (grant amount, eligible expenditure, ineligible expenditure, amounts of salaries, and likewise).
Other data: data related to project application or project implementation (MIS code, contract title and status, position, information on the PoA, unique partner number, and likewise).

The mentioned personal data are processed by the Agency for the following purposes and on the basis of the following legal grounds:

For the purpose of selection of the projects which are applied for EU financing. In that case, the processing is essential in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).
For the purpose of correct maintenance/implementation of the projects which are funded by EU financing. In that case, the processing is essential in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).
For the purpose of meeting legal obligations defined by the Agency’s mandate, i.e., respect of the applicable regulations and cooperation with responsible authorities and services. In that case, the processing is necessary in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

Participants in the Education

In case you are a participant in the education or in the info training, the Agency is processing the personal data collected directly from you.

The Agency is processing the following categories of your personal data:

Identification data: e.g., name and surname.
Contact data: e.g., telephone and/or mobile phone number, e-mail address, telefax.
Other data: e.g., participant’s institution/organization.

The mentioned personal data are processed by the Agency for the following purposes and on the basis of the following legal grounds:

For the purposes of recording the participant’s attendance in the education or the info training so that can be proven that education or info training was held. In that case, the processing is necessary in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).
For the purpose of meeting legal obligations defined by the Agency’s mandate, i.e., respect of the applicable regulations and cooperation with responsible authorities and services. In that case, the processing is necessary in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).

Job Applicants / Applicants for Students’ Jobs

In case you are applying to the public vacancy announcement published by the Agency / for performing students’ job on the basis of the contract on the execution of students’ job or if you are using the possibility of transfer from state administration body, the Agency is processing the personal data which are collected directly from you or based on documentation which you delivered during submission of job application/application for executing students’ job/application for transfer.

Identification data: e.g., name and surname, gender/sex, date and place of birth, personal identification number (Croatian PIN).
Location data: e.g., address of permanent and temporary residence.
Contact data: e.g., telephone and/or mobile phone number, e-mail address.
Data on schooling/education/training: e.g., completed training degrees, acquired professional qualifications, profession, title.
Data on work experience: e.g., previous workplace, length of service.
Data on personal characteristics/skills: e.g., fluency in a foreign language, results of testing and interviews, marital status, status of a single parent, Croatian veteran status, housing status.
Data relating to criminal charges and criminal acts: if you are selected for the job, then the Agency also collects the information found in the Records stating you are not subject to any criminal procedures.
Other data: other personal data contained in various accompanying documents.

The mentioned personal data are processed by the Agency for the following purposes and on the basis of the following legal grounds:

For the purpose of review, i.e., analysis of your job application/application to a student’s job in order to identify whether you meet the conditions of the public vacancy announcement / that you are a satisfactory candidate for performing the student’s job. In that case, the processing is essential for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).
For the purpose of signing an employment contract/students’ job contract with you (in case you are the elected candidate for signing an employment contract/contract on students’ jobs). In that case, the legal basis of processing your personal data is the execution of contracts, i.e., actions needed for the signing of the contract (Article 6 paragraph 1 point b of the General Regulation).
For the purpose of review, i.e. analysis of your job application in order to identify whether you meet requirements for transfer from the state administration body. In that case, the processing is essential in order for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).
For the purpose of signing an employment contract with you, if you meet the requirements/conditions for the transfer from the state administration body, i.e., if the Agency can fulfil the job application based on the possibility of transfer from the state administration body. In that case, legal grounds for processing your personal data are the execution of the contract, i.e., actions needed for the signing of the contract (Article 6 paragraph 1 point b of the General Regulation).
For the purposes of contacting you for future workplaces in the Agency, but only under the condition that you applied for the transfer from the state administration body and that such transfer hasn’t resulted in a job in the Agency (the Agency cannot approve your application, or you have refused the terms and conditions offered by the Agency). In that case, the legal ground for processing your personal data is your consent (Article 6 paragraph 1 point an of the General Regulation).
For the purpose of meeting legal requirements of the Agency, i.e., respect for applicable regulations and cooperation with responsible authorities and services. In that case, the processing is necessary for the Agency to execute its legal obligations (Article 6 paragraph 1 point c of the General Regulation).
Special categories of your personal data are processed by the Agency exclusively for the purpose of respecting legal obligations which arise from the position of the Agency as a public authority. The Agency is processing special categories of personal data which relate to criminal charges and criminal acts on the basis of the fact that the underlying processing is approved by the laws of the Republic of Croatia (Article 10 of the General Regulation).

Senders of Open Job Applications

The Agency as a public authority is obliged to perform public vacancy announcements and is not able to recruit, i.e., review and analyse job applications received in the form of open job applications out of the public vacancy announcement procedure or throughout the transfer procedure from the state administration body.

In case the Agency receives an open job application, you will be informed that you should follow public vacancy announcements that the Agency publishes as prescribed by relevant regulations. Also, the Agency shall inform you that your job application, together with your personal data, shall be erased and accordingly, the Agency shall no further process your personal data.

External Service Providers (Suppliers) to the Agency

In case you are the Agency’s external service provider, the Agency is processing the personal data collected directly from you.

The Agency is processing the following categories of your personal data:

Identification data: e.g., name of the carrier of the craft, name and surname of the natural person, Personal identification number (Croatian PIN).
Financial data: e.g., data related to the contract value.
Other data: e.g., data related to engagement of external service provider (contract number, type of procurement subject matter, and likewise).

The mentioned personal data are processed by the Agency for the following purposes and on the basis of the following legal grounds:

For the purpose of entering into contractual obligations with the supplier. In that case, the legal basis for processing your personal data is contract execution, i.e., actions needed for the signing of the contract (Article 6, paragraph 1, point b of the General Regulation).
For the purpose of carrying out the rights and obligations arising from the contractual relationship. In that case, the legal basis for the processing your personal data is contract execution (Article 6, paragraph 1, point b of the General Regulation).
For the purpose of meeting legal requirements of the Agency, i.e., respect for applicable regulations and cooperation with responsible authorities and bodies. In that case, the processing is necessary in order for the Agency to execute its legal obligations (Article 6, paragraph 1, point c of the General Regulation).

Visitors of Web Pages

If you are visiting the web page https://www.safu.hr/hr, the Agency is using certain technologies of tracking such as cookies. You can find more in the Cookie Policy which is also available on the mentioned web page.

The Agency currently has users’ accounts on the following social networks:

All the information and materials which you put at the Agency’s disposal via social networks, as well as all communication that is done through the social network is at your own risk. The Agency is not responsible for the actions done by the users of the social network or for the actions of the social network itself. Your interaction with the social network relating to the processing of your personal data is regulated by the privacy policy of that social network. You can find more on the privacy policies of the social networks used by the Agency at the following links:

Obligation to Provide Personal Data

If the provision of personal data is a legal or contractual obligation or a necessary condition for concluding a contract, at the point of collection of your personal data, the Agency shall clearly inform you whether the provision of personal data is mandatory or not, and what the possible consequences are if you do not provide personal data.

Profiling and Automated Decision-Making

Current business processes of the Agency in which your personal data are processed do not cover your profiling or automated decision-making pursuant to your personal data.

In case of introducing these techniques of processing your personal data, the Agency shall adequately inform you and remind you of your right that you do not have to be subject to decisions exclusively based on automated processing of your personal data, including the creation of the profile, i.e., profiling.

Categories of Recipients of Personal Data

Certain categories of recipients, to which the Agency discloses personal data of data subjects, are processing your personal data. In case when the Agency discloses your personal data to the underlying recipients, it is taken into account that a valid legal basis for disclosure exists and that the business operations of the recipients of your personal data are aligned with the General Regulation and other regulations on personal data protection.

Categories of the recipients of personal data are stated further below, with a short description of the relations with the Agency, while you may request information on the exact titles of all recipients of personal data by sending your request to Data Protection Officer using the information stated in the Introduction.

Processors as recipients of your personal data

Processors, who may be the recipients of your personal data, provide to the Agency the services needed for daily proceedings:

The processors as external service providers who provide additional operative support (IT service, and likewise),
Occasional processors depending on the needs of the Agency (e.g., services of performing specialized tasks as evaluation of Operational Programs and likewise).

Independent controllers as recipients of your personal data

The independent controllers who may be the recipients of your personal data are providers of certain types of services that are important for the lawful business processes of the Agency:

Independent controllers as service providers of aligning our business operations with applicable regulations (legal consulting, audits, and likewise);
Independent controllers as other responsible (public) authorities in the system of European Union funds.

Responsible public authorities as recipients of your personal data

Public authorities act within the scope of their legal powers and can process your personal data based on them.

The Agency has a legal obligation to disclose your personal data to responsible public authorities as recipients of your personal data (supervision procedures, inspection procedures, laying or defending legal claims, and likewise).

The Agency as a joint controller

In relation to data subjects who are doing the application and/or implementation process of the EU project, the Agency is acting as a joint controller together with the Ministry.

Transfers of Personal Data to Third Countries or International Organisations

Processors as recipients of your personal data

Processors, who may be the recipients of your personal data, provide to the Agency the services needed for daily proceedings:

The processors as external service providers who provide additional operative support (IT service, and likewise),
Occasional processors depending on the needs of the Agency (e.g., services of performing specialized tasks as evaluation of Operational Programs and likewise).

Independent controllers as recipients of your personal data

The independent controllers who may be the recipients of your personal data are providers of certain types of services that are important for the lawful business processes of the Agency:

Independent controllers as service providers of aligning our business operations with applicable regulations (legal consulting, audits, and likewise);
Independent controllers as other responsible (public) authorities in the system of European Union funds.

Responsible public authorities as recipients of your personal data

Public authorities act within the scope of their legal powers and can process your personal data based on them.

The Agency as a joint controller

In relation to data subjects who are doing the application and/or implementation process of the EU project, the Agency is acting as a joint controller together with the Ministry.

Retention Periods for Personal Data

Further below general criteria and deadlines for retention of personal data may be found; however, retention periods may vary depending on the specific situations of processing.

Detailed periods for retention of your personal data are defined by internal acts and written procedures of the Agency. If your wish to obtain detailed information on the retention periods for your personal data, you may contact the Agency by sending your request to the Data Protection Officer by the information stated in the Introduction.

The criterion for calculating the retention period

When the applicable regulations define the period in which the Agency is obliged to store your personal data, then the Agency stores the data in the period envisaged by the applicable regulations and shall erase them in the additional period of 1 (one) year, as of the day of expiry of the period defined by applicable regulations.

In case the Agency is processing your personal data based on the legal base of contract execution, and applicable regulations do not define a compulsory period for the storage of your personal data, then personal data shall be kept for the whole period of the contractual relationship and shall be erased in the additional period of 1 (one) year, as of the day of termination of the contractual relationship.

If the Agency is processing your personal data based on consent as the legal basis, it shall then store personal data until you withdraw your consent. When you withdraw your consent, the Agency shall withdraw your personal data within the shortest possible deadline. If you gave your consent for a certain period of time, the Agency shall upon the expiry of the underlying period erase your personal data within the shortest possible deadline.

Your Rights

As a data subject whose personal data are processed by the Agency, you are entitled to exercise the rights stated further below.

You may exercise your rights by sending the request to the following e-mail address: .

In order for the Agency to provide you with accurate and complete information within the shortest possible deadline, we would appreciate it if you stated in your request the following:

Title of the e-mail or written request: „Request for Exercising Rights of Data Subject”;
Essential information on your identity so that your personal data could be reached (e.g., name, surname, personal identification number (Croatian PIN), and likewise);
Title of the right you would like to exercise (see further below titles of the rights);
Information on the communication channel (e.g. your e-mail address or residential address) where you would like to receive the reply.

Also, in order to make it easier for you to exercise your rights, you can find a form on our website with already defined fields that need to be filled out when submitting a request for exercising your rights. You can also request the relevant form from the Data Protection Officer.

Upon your request, the Agency replies within one month of the day of receiving your request. The underlying deadline shall be prolonged for additional two months if several of your complex requests are in question. You shall be in detail and timely informed on the prolongation of the deadline for the reply and about the reasons for this prolongation.

When you exercise your rights by submitting a request, the Agency also processes your personal data in order to comply with your request, all in accordance with the provisions of the General Regulation

List of the rights you can exercise

Right of access;
Right to rectification;
Right to erasure (“right to be forgotten”);
Right to restriction of processing;
Right to data portability;
Right to object;
Right to withdrawal of consent;
Right to lodge a complaint with a supervisory authority.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".cookielawinfo-checkbox-analytics
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.