Information for Data Subjects

(1) Controller – Croatian Bank for Reconstruction and Development, Strossmayerov trg 9, 10000 Zagreb, OIB (PIN) 26702280390 (hereinafter: HBOR)

(2) Data Protection Officer: email address: dpo@hbor.hr

(3) Data subject - a natural person (individual) whose identity can be established directly or indirectly, particularly on the basis of name, identification number, location data, network identifier or by using one or more features specific to the person’s physical, physiological, mental, economic, cultural or social identity

(4) HBOR processes personal data (purpose and legal basis of processing) of:

a) clients, associated persons of clients, business partners, employees, external associates and members of decision-making bodies of HBOR for the purpose of entering into contractual relationships or implementing contracts with regard to HBOR’s products and services, employment contracts etc., implementation of mandate activities, procurement of goods, works, services and protection of property and people (i) if the processing is necessary for the execution of a contract in which the data subject is a party or in order to take actions at the request of the data subject before concluding the contract or (ii) if the processing is necessary to comply with HBOR's legal obligations or (iii) if the processing is necessary for legitimate interest of HBOR;

b) clients for the purpose of offering similar products, if the processing is necessary for legitimate interest of HBOR;

c) clients for the purpose of general promotional activities of HBOR on the basis of consent

(5) HBOR may transmit the personal data referred to in the above activities and purposes to the recipients or categories of recipients of personal data as follows:

a) State institutions and other bodies (ministries, agencies and other bodies such as HAMAG-BICRO, local (regional) government units, the Export Credit Insurance Committee etc.),

b) Special financial institutions with which HBOR has contractual relationship (European Investment Bank, European Investment Fund, World Bank, Central European Bank, European Bank for Reconstruction and Development, International Bank for Reconstruction and Development, etc.), in which case personal data may be transmitted to recipients in countries outside the EU,

c) Institutions providing the services of publishing embargo lists (e.g. EU, OFAC and UN lists),

d) Financial institutions with which HBOR cooperates (commercial banks, leasing companies),

e) State audit, supervisory and regulatory bodies, audit firms and rating agencies,

f) Providers of cloud services and other communication and information services etc., in which case it is possible for personal data to be transferred to recipients outside the EU.

(6) Transfers to third countries and international organizations may only be carried out in full compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EZ (General Data Protection Regulation – GDPR). HBOR shall take care that a minimum set of data be transmitted that is allowed to be processed for specified, explicit and legitimate purposes. A transfer can take place only if, subject to the other provisions of the Regulation, the conditions laid down in the provisions of the Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(7) HBOR ensures that personal data of data subjects are stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (e.g. labour legislation, pension and health-care legislation, accounting legislation, banking legislation, etc.). HBOR may store personal data of data subjects longer provided that there is a clear purpose for that in terms of legal obligations (e.g. pursuant to the Act on Archival Documentation and Archives) or a legitimate interest (e.g. in case of a court dispute). Data collected on the basis of a consent shall be stored by HBOR until the consent is withdrawn.

(8) HBOR ensures that data subjects have all rights that are provided for in the personal data protection laws.

(9) Access to personal data may be provided to third parties based on the provisions of the Act on the Right of Access to Information.
 
RIGHTS OF DATA SUBJECTS
For the purpose of ensuring confidentiality and protection of personal data, HBOR ensures that, on the occasion of processing such data, data subjects have the following rights:

1. RIGHT TO INFORMATION ABOUT PROCESSING AND RIGHT TO ACCESS OWN PERSONAL DATA - the data subject shall have the right to contact HBOR’s Data Protection Officer and verify whether the personal data of the data subject are undergoing processing and, if yes, request access to personal data and information to which the data subject is entitled in terms of personal data protection. HBOR shall, at the request of the data subject, provide a copy of the personal data undergoing processing.

 

2. RIGHT TO RECTIFICATION - the data subject shall have the right and obligation to request from HBOR without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including, among others, by means of providing a supplementary statement. HBOR shall communicate every rectification of personal data to every recipient to whom personal data have been disclosed unless it proves to be impossible or requires disproportionate effort. HBOR shall inform the data subject about such recipients if requested so by the data subject.

 

3. RIGHT TO ERASURE („RIGHT TO BE FORGOTTEN“) - the data subject shall have the right to request the erasure of the personal data that relate to him or her. A reasonable request for erasure shall be complied with without undue delay. If the data subject is entitled to erasure of data, but the erasure is not possible or is connected with disproportionate costs, the data shall be protected against unauthorized processing in an adequate manner so as to protect the rights of the data subject. Prescribed data storage periods must be obeyed. HBOR shall communicate every erasure of personal data to every recipient to whom personal data have been disclosed, unless it proves to be impossible or requires disproportionate effort. HBOR shall inform the data subject about such recipients if requested so by the data subject.

 

4. RIGHT TO RESTRICTION OF PROCESSING - the data subject shall have the right to request from HBOR to restrict the processing in the case of contesting the accuracy, in the case of unlawful processing or if the processing is no longer necessary. The processing must be limited in the case of an objection to the processing where it is necessary to establish whether HBOR’s legitimate grounds override those of the data subject. HBOR may process personal data if the processing is limited with the consent of data subject or if the processing is necessary for the establishment, exercise or defence of legal claims, for the protection of rights of another natural person or legal entity, or due to important public interest of the Union or a member state.

 

5. RIGHT TO DATA PORTABILITY - the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to HBOR, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from HBOR where the processing is based on consent or on a contract and where the processing is carried out by automated means.

 

6. RIGHT TO OBJECT - the data subject shall have the right to object at any time to processing of personal data concerning him or her to the Data Protection Officer who shall take account of the received objection and shall take the appropriate measures.

 

7. RIGHT TO WITHDRAW CONSENT - the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Consent is withdrawn in the same way in which it is given. The data protection officer shall take account of the received consent withdrawal request and take the appropriate measures.

 
MANNER OF EXERCISING RIGHTS

On request, HBOR shall provide information to the data subject about the measures taken with regard to the rights of the data subject without undue delay, but in any case, within the period of one month after receiving the request. If needed, this deadline can be extended by additional two months considering the complexity and number of requests.
HBOR shall inform the data subject about any such extension and about the reasons for the extension within the period of one month after receiving the request.
If HBOR does not act on the request of the data subject, HBOR shall inform the data subject, without delay and at the latest within one month of receipt of the request, about the reasons for not taking action and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
All information given in accordance with Articles 13 and 14 of the General Data Protection Regulation and contained in this Information for Data Subjects are free of charge. Where requests of data subjects are manifestly unfounded or excessive, in particular because of their repetitive character, HBOR may charge a reasonable fee considering the administrative costs of providing information or refuse to act on the request.
If the data subject considers that irregularities have arisen during the processing of his or her personal data, the data subject is entitled to contact HBOR, i.e. HBOR’s Data Protection Officer. In addition, the data subject is entitled to submit an objection to the Personal Data Protection Agency.