Information for Data Subjects

(1) Controller: Croatian Bank for Reconstruction and Development, Strossmayerov trg 9, 10000 Zagreb, OIB (PIN) 26702280390 (hereinafter: HBOR)

(2) Data Protection Officer: email address: dpo@hbor.hr

(3) Data subject - a natural person (individual) whose identity can be established directly or indirectly, particularly on the basis of name, identification number, location data, network identifier or by using one or more features specific to the person’s physical, physiological, mental, economic, cultural or social identity
HBOR is processing personal data of the following data subjects: a) clients, b) associated persons of clients, c) real owners, d) business partners, e) employees, f) external associates, g) students and h) members of HBOR’s decision-making bodies

(4) HBOR is processing personal data of data subjects mentioned in the previous point for the purpose of:
a) processing of applications for approval of HBOR’s products and services, or
b) concluding a contractual relationship or performing a contract related to HBOR's products and services, or
c) concluding an employment contract, or
d) concluding contracts with associates or students, or
e) implementation of mandate programs, or
f) offering similar products to clients, or
g) HBOR's promotional activities, or
h) collection of receivables, or
i) procurement of goods, works and services, or
j) improvements to HBOR’s services, or
k) protection of property and people, or
l) protection of HBOR’s IT resources.


(5) HBOR is processing personal data of data subjects referred to in point (3) for the purposes referred to in point (4) based on the following legal grounds:
a) if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take actions at the request of the data subject prior to the conclusion of the contract (e.g. processing of a credit application, performance of a loan agreement, performance of an employment contract etc.), or
b) if the processing is necessary for compliance with HBOR's legal obligations (e.g. accounting laws, prevention of money laundering and terrorist financing and restrictive measures laws, labour laws, pension and health insurance laws, banking laws, etc.), or
c) if the processing is necessary for the purposes of HBOR's legitimate interests (e.g. video surveillance, customer call centre, offering of similar products to clients, etc.);
d) on the basis of clients consent for the purpose of HBOR's promotional activities.

(6) HBOR, depending on the purpose of processing, is transferring personal data processed within the framework of the  activities mentioned in point (4) to recipients or categories of recipients of personal data as follows:
a) State institutions and other bodies (ministries, agencies and other bodies such as HAMAG-BICRO, local (regional) government units, the Export Credit Insurance Committee etc.),
b) special financial institutions with which HBOR has contractual relationship (European Investment Bank, European Investment Fund, World Bank, Central European Bank, European Bank for Reconstruction and Development, International Bank for Reconstruction and Development, etc.), in which case personal data may be transmitted to recipients in countries outside the EU,
c) institutions providing the services of publishing embargo lists (e.g. EU, OFAC and UN lists),
d) financial institutions with which HBOR cooperates (commercial banks, leasing companies),
e) State audit, supervisory and regulatory bodies, audit firms and rating agencies,
f) providers of cloud services and other communication and information services etc., in which case it is possible for personal data to be transferred to recipients outside the EU.

(7) For the purpose of processing an application for approval of banks products and which would be financed from European Investment Bank (EIB) funds, entering into a contractual relationship with a client or executing a contract with a client, HBOR is transferring to EIB the following personal data of clients (natural persons, sole entrepreneurships, OPG’s, etc.): forename and surname, i.e. client’s name, client's ID, client's location, client category, employee number, data about the project that may be financed from the EIB funds and loan information. Information about the processing of personal data by the EIB and the accompanying rights of data subjects are contained in the EIB’s Privacy policy published on the web page https://www.eib.org/en/privacy/lending. 

(8) Transfers to third countries and international organizations may only be carried out in full compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EZ (General Data Protection Regulation - GDPR). HBOR shall take care that a minimum set of data be transmitted that is allowed to be processed for specified, explicit and legitimate purposes. A transfer can take place only if, subject to the other provisions of the Regulation, the conditions laid down in the provisions of the Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
 
For the purpose of processing applications for approval of banks products which would be financed from Council of Europe Development Bank (CEB) funds, entering into a contractual relationship with a client or executing a contract with a client, HBOR is transferring the following personal data of clients (natural persons, sole entrepreneurships, OPG’s, etc.) to CEB: first and last name or name of the client, client ID, client location, client category, number of employees, data on the project that can be financed from EIB funds, and loan data. Information on the processing of personal data by CEB and the associated rights of data subjects are contained in the CEB Data Protection Regulations published on the website: https://coebank.org/en/about/policies-and-guidelines/regulations-system-protection-personal-data-ceb/

(9) HBOR is ensuring that personal data of data subjects is stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Upon the expiry of the retention periods, HBOR deletes or anonymizes personal data.
HBOR is storing personal data of data subjects for a longer period if necessary:
​​(a) for compliance with a legal obligation to which processing is subject under European Union or Croatian law or
(b) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes or
(c) for the establishment, exercise or defence of legal claims.
 
HBOR is required to act in accordance with Zakon o arhivskom gradivu i arhivima and is therefore obliged to keep certain documentation and data permanently (for example, minutes and decisions from meetings of HBOR’s bodies, financing agreements with state agencies, export insurance contracts, agreements and contracts on cooperation with international associations, photographs from domestic and international meetings and visits, etc.). In accordance with Zakon o arhivskom gradivu i arhivima (Article 14), archival material is submitted to the competent state archive within a period that is generally no longer than 30 years from its creation, and that which is in digital form is submitted to the state archive within a period that is generally no longer than ten years from its creation (unless the archival material is necessary for the performance of HBOR's activities, in which case the decision is made by the competent state archive).
HBOR is storing data collected based on consent until the consent is revoked.

(10) HBOR is ensuring that data subjects have all rights that are provided for in the personal data protection laws.

(11) Access to personal data may be provided to third parties based on the provisions of the Zakon o pravu na pristup informacijama.
 
(12) RIGHTS OF DATA SUBJECTS
For the purpose of ensuring confidentiality and protection of personal data, HBOR ensures that, when processing such data, data subjects have the following rights:

1. RIGHT TO INFORMATION ABOUT PROCESSING AND RIGHT TO ACCESS OWN PERSONAL DATA - the data subject shall have the right to contact HBOR’s Data Protection Officer and verify whether the personal data of the data subject are undergoing processing and, if yes, request access to personal data and information to which the data subject is entitled in terms of personal data protection. HBOR shall, at the request of the data subject, provide a copy of the personal data undergoing processing.

2. RIGHT TO RECTIFICATION - the data subject shall have the right and obligation to request from HBOR without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including, among others, by means of providing a supplementary statement. HBOR shall communicate every rectification of personal data to every recipient to whom personal data have been disclosed unless it proves to be impossible or requires disproportionate effort. HBOR shall inform the data subject about such recipients if requested so by the data subject.

3. RIGHT TO ERASURE („RIGHT TO BE FORGOTTEN“) - the data subject shall have the right to request the erasure of the personal data that relate to him or her. A reasonable request for erasure shall be complied with without undue delay. If the data subject is entitled to erasure of data, but the erasure is not possible or is connected with disproportionate costs, the data shall be protected against unauthorized processing in an adequate manner so as to protect the rights of the data subject. Prescribed data storage periods must be obeyed. HBOR shall communicate every erasure of personal data to every recipient to whom personal data have been disclosed, unless it proves to be impossible or requires disproportionate effort. HBOR shall inform the data subject about such recipients if requested so by the data subject.

4. RIGHT TO RESTRICTION OF PROCESSING - the data subject shall have the right to request from HBOR to restrict the processing in the case of contesting the accuracy, in the case of unlawful processing or if the processing is no longer necessary. The processing must be limited in the case of an objection to the processing where it is necessary to establish whether HBOR’s legitimate grounds override those of the data subject. HBOR may process personal data if the processing is limited with the consent of data subject or if the processing is necessary for the establishment, exercise or defence of legal claims, for the protection of rights of another natural person or legal entity, or due to important public interest of the Union or a member state.

5. RIGHT TO DATA PORTABILITY - the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to HBOR, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from HBOR where the processing is based on consent or on a contract and where the processing is carried out by automated means.

6. RIGHT TO OBJECT - the data subject shall have the right to object at any time to processing of personal data concerning him or her to the Data Protection Officer who shall take account of the received objection and shall take the appropriate measures.

7. RIGHT TO WITHDRAW CONSENT - the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Consent is withdrawn in the same way in which it is given. The data protection officer shall take account of the received consent withdrawal request and take the appropriate measures.

 
(13) MANNER OF EXERCISING RIGHTS

On request, HBOR shall provide information to the data subject about the measures taken regarding the rights of the data subject without undue delay, but in any case, within the period of one month after receiving the request. If needed, this deadline can be extended by additional two months considering the complexity and number of requests. HBOR shall inform the data subject about any such extension and about the reasons for the extension within the period of one month after receiving the request.


If HBOR does not act on the request of the data subject, HBOR shall inform the data subject, without delay and at the latest within one month of receipt of the request, about the reasons for not acting and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

All information given in accordance with Articles 13 and 14 of the General Data Protection Regulation and contained in this Information for Data Subjects are free of charge. Where requests of data subjects are manifestly unfounded or excessive, in particular because of their repetitive character, HBOR may charge a reasonable fee considering the administrative costs of providing information or refuse to act on the request.

If the data subject considers that irregularities have arisen during the processing of his or her personal data, the data subject is entitled to contact HBOR, i.e. HBOR’s Data Protection Officer. In addition, the data subject is entitled to submit an objection to the Croatian Personal Data Protection Agency.