(1) Data subject is a natural person (individual) whose identity can be established directly or indirectly, particularly on the basis of name, identification number, location data, network identifier or by using one or more features specific to the person’s physical, physiological, mental, economic, cultural or social identity.
(2) HBOR, as controller, processes, on the basis of relevant laws regulating the operations of HBOR (primarily the Act on Hrvatska banka za obnovu i razvitak, the State Aid Act, the Public Procurement Act, the Anti Money Laundering and Terrorist Financing Act, the Act on Archival Documentation and Archives, the Act on the Right of Access to Information and other applicable laws that regulate banking operations), personal information of clients, associated persons and third parties of clients and business partners for the purpose of entering into contractual relationships or implementing contracts with regard to HBOR’s products, mandate activities, procurement activities, goods, works, services and protection of property and people.
(3) Pursuant to relevant laws, HBOR processes personal data of HBOR’s employees and decision-making bodies.
(4) HBOR processes personal data related to HBOR’s promotional activities primarily on the basis of consent or another legal basis.
(5) HBOR processes personal data of HBOR’s clients also for the purpose of offering similar products.
(6) HBOR may transmit the personal data referred to in the above activities and purposes to the recipients or categories of recipients of personal data as follows:
a) State institutions based on laws and/or contractual obligations (ministries, agencies and other state bodies such as HAMAG-BICRO, local (regional) government units, the Export Credit Insurance Committee, etc.),
b) Special financial institutions with which HBOR has contractual relationships (European Investment Bank, European Investment Fond, World Bank, Central European Bank, European Bank for Reconstruction and Development, International Bank for Reconstruction and Development, etc.), in which case personal data may be transmitted to recipients in countries outside the European Union,
c) Institutions providing the services of publishing embargo lists (e.g. EU, OFAC and UN lists),
d) Financial institutions with which HBOR co-operates (commercial banks, leasing companies),
e) State audit, supervisory and regulatory bodies, audit firms and rating agencies.
(7) Transfers to third countries and international organisations may only be carried out in full compliance with the Regulation . HBOR shall take care that a minimum set of data be transmitted that is allowed to be processed for specified, explicit and legitimate purposes. A transfer can take place only if, subject to the other provisions of the Regulation, the conditions laid down in the provisions of the Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
(8) Contact details of the data protection officer:
a) Email address: firstname.lastname@example.org
b) HBOR’s website: www.hbor.hr.
(9) Personal data storage period and limitation:
HBOR ensures that personal data of data subjects are stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (e.g. labour legislation, pension and health-care legislation, accounting legislation, banking legislation, etc.). HBOR may store personal data of data subjects longer provided that there is a clear purpose for that in terms of legal obligations (e.g. pursuant to the Act on Archival Documentation and Archives) or a legitimate interest (e.g. in case of a court dispute). Data collected on the basis of a consent shall be stored by HBOR until the consent is withdrawn.
(10) HBOR ensures that data subjects have all rights that are provided for in the personal data protection laws.
(11) Notwithstanding the above provisions, access to personal data can be granted on the basis of the provisions of the Right of Access to Information Act.
Rights of Data Subjects
(12) For the purpose of ensuring confidentiality and protection of personal data, HBOR ensures that, on the occasion of processing such data, data subjects have the following rights:
a) Right to information on personal data undergoing processing and right to access own personal data – the data subject shall have the right to contact HBOR’s data protection officer and verify whether the personal data of the data subject are undergoing processing and, if yes, request access to personal data and information to which the data subject is entitled in terms of personal data protection. HBOR shall, at the request of the data subject, provide a copy of the personal data undergoing processing.
b) Right to rectification – the data subject shall have the right and obligation to request from HBOR without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including, among others, by means of providing a supplementary statement. HBOR shall communicate every rectification of personal data to every recipient to whom personal data have been disclosed, unless it proves to be impossible or requires disproportionate effort. HBOR shall inform the data subject about such recipients if requested so by the data subject.
c) Right to erasure (“right to be forgotten”) – the data subject shall have the right to request the erasure of the personal data that relate to him or her. A reasonable request for erasure shall be complied with without undue delay. If the data subject is entitled to erasure of data, but the erasure is not possible or is connected with disproportionate costs, the data shall be protected against unauthorised processing in an adequate manner so as to protect the rights of the data subject. Prescribed data storage periods must be obeyed. HBOR shall communicate every erasure of personal data to every recipient to whom personal data have been disclosed, unless it proves to be impossible or requires disproportionate effort. HBOR shall inform the data subject about such recipients if requested so by the data subject.
d) Right to restriction of processing – the data subject shall have the right to request from HBOR to restrict the processing in the case of contesting the accuracy, in the case of unlawful processing or if the processing is no longer necessary. The processing must be limited in the case of an objection to the processing where it is necessary to establish whether HBOR’s legitimate grounds override those of the data subject. HBOR may process personal data if the processing is limited with the consent of data subject or if the processing is necessary for the establishment, exercise or defence of legal claims, for the protection of rights of another natural person or legal entity, or due to important public interest of the Union or a member state.
e) Right to data portability – the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to HBOR, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from HBOR where the processing is based on consent or on a contract and where the processing is carried out by automated means.
f) Right to object – the data subject shall have the right to object at any time to processing of personal data concerning him or her to the data protection officer who shall take account of the received objection and shall take the appropriate measures.
g) Right to withdraw consent – the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Consent is withdrawn in the same way in which it is given. The data protection officer shall take account of the received consent withdrawal request and take the appropriate measures.
Manner of Exercising Rights
(13) The data subject may exercise his or her rights by using contact details published on HBOR’s website. On request, HBOR shall provide information to the data subject about the measures taken with regard to the rights of the data subject without undue delay but in any case within the period of one month after receiving the request. If needed, this deadline can be extended by additional two months considering the complexity and number of requests.
HBOR shall inform the data subject about any such extension and about the reasons for the extension within the period of one month after receiving the request.
If the data subject submits the request by electronic means, the information shall also be given by electronic means, if possible, unless the data subject requests otherwise.
If HBOR does not take action on the request of the data subject, HBOR shall inform the data subject, without delay and at the latest within one month of receipt of the request, about the reasons for not taking action and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
All information given in accordance with Articles 13 and 14 of the General Data Protection Regulation and contained in this Information for Data Subjects as well as all communications made and actions taken as a result of the aforementioned rights of data subjects, including the communication to data subjects of a personal data breach, are free of charge.
Where requests of data subjects are manifestly unfounded or excessive, in particular because of their repetitive character, HBOR may:
a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) Refuse to act on the request.
If the data subject considers that irregularities have arisen during the processing of his or her personal data, the data subject is entitled to contact HBOR’s data protection officer at: email@example.com. In addition, the data subject is entitled to submit an objection to the Personal Data Protection Agency.