Personal Data Protection Policy
This Personal Data Protection Policy (hereinafter: ‘Policy’) is a statement on the privacy of personal data collected, used and processed by PHRIXUS d.o.o. in the course of the organisation’s business operations. It sets out the specific and legitimate purposes and legal bases for processing and the categories of personal data concerned, and includes information on your rights as a data subject, including the right to be informed. This Policy does not apply to the processing of personal data of our employees, as they are otherwise informed of how their personal data are used and processed according to their rights and obligations under their existing employment.
This Policy provides answers to the following questions:
- What are personal data?
- Who are we?
- What personal data do we collect and how do we use them?
- With whom do we share your personal data?
- Are personal data transferred outside EEA?
- What rights do you have as a data subject?
- How long can data be kept for?
- Are we processing your data for a purpose other than that for which they have been collected?
- How do we protect your personal data?
- Amendments, modifications and availability of this Personal Data Protection Policy
- How to contact us concerning the protection of your personal data?
Detailed explanation of personal data processing carried out by PHRIXUS d.o.o. is provided below.
1. What are personal data?
‘Personal data’ is any information that enables persons (‘data subjects’) to be directly or indirectly identified. Personal data therefore includes any information that makes a person directly or indirectly identifiable, such as name, personal identification number, mail or email address. A person can be identified using one or more pieces of information in our possession or likely to come into our possession.
2. Who are we?
Phrixus d.o.o. (hereinafter: ‘Company’) is a data controller. That means that the Company specifies the purposes, manner and methods used to collect and process your personal data.
3. What personal data do we collect and how do we use them?
From data subjects we can collect personal data such as their first and last name, personal identification numbers, mail and email addresses and other contact data, including those necessary for recruitment purposes, such as education, work experience and photographs.
Your personal data can be collected in the process of negotiation and performance of contracts with our business partners, if you are their representative or agent, or if you are personally a buyer of our products or services or you are selling or offering services, when you contact us by submitting an enquiry or report at our business units (e.g. when you report an incident at the reception of an establishment under our management) or when you apply for a job opening posted by our Company.
We process your personal data to the extent necessary for any of the abovementioned purposes and within the time limit required for the purposes of their collection. Our data processing is lawful under Article 6 of the General Data Protection Regulation (GDPR), as the processing of data of our partners’ representatives or partners/buyers of our products or services is necessary for the performance of a contract to which they are a party, i.e. when you are submitting the data in order to report an incident or any similar situation occurring at any establishment under our management it is necessary for the purposes constituting our legitimate interest.
Your personal data will not be retained longer than 5 years from the performance of a contract (when the purpose of collecting was the execution and performance of a contract), unless the protection of rights and interests is required, i.e. your personal data will not be kept longer than required to complete the recruitment and hiring process, in which case the data will be erased unless the data subject expressly consents in writing to his/her personal data being retained for a longer time.
In addition, we are entitled to use some of the collected data for achieving compliance with a legal obligation to which we are subject (under the Accounting Act, General Tax Act, etc.) and personal data collected for that purpose will be used exclusively for achieving compliance with legal obligations and data will be retained for as long as legally required.
4. With whom do we share your personal data?
Your personal data may in specific cases be shared with our parent company ENGIE Austria GmbH and reliable third parties providing us with administrative and technical support, i.e. data processors who have implemented technical and security measures and mechanisms to ensure an appropriate level of security of personal data. We can also share your personal data with authorities and public entities that will process them within the scope of their legal authority, when we are legally required to do so under applicable laws and in accordance with their public authority, as well as with external consultants who are bound by a non-disclosure agreement.
Only a limited number of our employees will have access to your personal data. Our employees are obligated to keep your personal data confidential and to implement appropriate technical or organisational security measures.
5. Are personal data transferred outside EEA?
If personal data will be transferred outside the European Economic Area, data subjects will be notified and, as prescribed by applicable laws and regulations, we will ensure that the data and rights of data subjects are appropriately protected by the existence of appropriate safeguards.
6. What rights do you have as a data subject?
What rights do you have according to data protection laws and regulations?
Unless exceptions apply under existing data protection laws and regulations, data subjects have the following rights regarding their personal data processed by the Company:
- Right to be informed whether or not the data subject’s personal data are being processed and right of access to such personal data (‘Right of access’);
- Right to request and obtain rectification or amendment of incorrect or incomplete personal data (‘Right to rectification’);
- Right to have their personal data erased if they are no longer required for the purposes for which they were collected (‘Right to erasure’);
- Right to withdraw consent at any time if processing is based on consent;
- Right to request personal data to be transferred to the data subject or from one data controller to another, if applicable (‘Data portability’);
- Right to restrict further processing, if applicable (‘Right to restrict processing’);
- Right to object to the processing of their personal data, when applicable (‘Right to object’);
- Right to file a complaint with the supervisory authority.
If a request is received for the exercise of rights of data subjects, the Company will, without unnecessary postponement, act according to the request. Data subjects will also be provided with information on actions taken without unnecessary postponement and in any case within a month from the date the request was received.
This deadline can be extended by an additional two months, taking into account the complexity and number of requests. The data subject will be notified of each extension within a month from the date the request was received, and the reasons for the postponement will be provided as well.
The information is provided free of charge. Where requests are manifestly unfounded or excessive, or repetitive in character, we reserve the right to:
- charge a reasonable fee based on administrative costs; or
- refuse to act on the request.
7. How long can data be kept for?
We will keep your personal data only for as long as necessary for the purposes for which the personal data are processed, i.e. until the performance of a contract or as required by law. If your personal data are being processed based on your consent, personal data will be processed only as long as there is a valid consent, which can be withdrawn or restricted at any time, but the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you do so, we will end the processing of your personal data for the purposes you consented to.
The data will be immediately erased or anonymized, except if they need to be stored for a certain period of time, in accordance with corporate, tax or other laws (e.g. accounting documents have to be retained for 11 years), in which case such data will no longer be processed for other purposes.
8. Are we processing your data for a purpose other than that for which they have been collected?
If we plan to process your personal data for a purpose other than that for which they have been collected and that purpose is not included in this Policy, prior to processing and determining relevant purposes and terms and conditions of processing, we will issue a new Policy explaining the new way data will be used. If and whenever necessary, we will request a prior consent for the new processing.
9. How do we protect your personal data?
We implement technical and organisational measures to protect your personal data from unauthorized access within and outside the Company and to protect them from modification, loss, theft and any other breach or misuse.
Measures we implement include, without limitation:
- assessment of risks connected with data processing activities;
- encryption of personal data;
- implementing information security measures for the purpose of ensuring resilience of processing systems used for storing personal data;
- implementing regular controls of security and personal data protection measures;
- continuous education for employees;
- appointment of a data protection officer/person responsible for data protection within the Company;
- prescribing disciplinary measures and liability in case of breach of data privacy;
- restricted use of mobile electronic devices that are carried outside the workplace;
- password policy;
- implementing measures to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- assignment of special authorisations for access to specific data categories, including those granted to temporary employees.
10. Amendments, modifications and availability of this Personal Data Protection Policy
Due to continuous changes to our data protection practices, legal changes and technological development, this Policy will be occasionally revised. We continuously monitor and improve our data protection practices so as to ensure appropriate personal data protection at all times. Therefore, we recommend you visit this website regularly to check for updates. This Policy will be available on http://www.phrixusgroup.com/hr/ and at our business premises located at Roberta Frangeša Mihanovića 9, 10 000 Zagreb.
11. How to contact us concerning the protection of your personal data?
For any enquiry relating to the processing of your personal data and your rights as a data subject under the General Data Protection Regulation, you can contact us at:
|Mail address:||Phrixus d.o.o., Roberta Frangeša Mihanovića 9, 10 000 Zagreb|
|Phone:||+385 1 3866 501|
|Fax:||+385 1 3866 500|
The national supervisory authority in Croatia is the Croatian Data Protection Agency which can be contacted by phone at 00385 (0)1 4609-000, by email at firstname.lastname@example.org or at Martićeva ulica 14, HR - 10 000 Zagreb, Croatia.
This Personal Data Protection Policy was last updated in May 2018.