...

Data Privacy

Datasecurity5.jpg

Following the application of the Global Data Protection Regulation (EU 2016/679) and in the continuous effort to make our services the best possible, GS1 Croatia takes extreme care of all the personal data in its possession. Therefore, we have created a new Private Data Protection Policy, a central place with all the most important information about how GS1 Croatia collects, manages and stores personal data.



Personal Data Protection Policy of GS1 Croatia


GS1® Croatia - Croatian Association for Automatic Identification, Electronic Data Interchange and Management of Business Processes, Preradovićeva 35, 10000 Zagreb,
OIB: 03365973101 (hereinafter: GS1 Croatia), takes particular care of protection of personal data and privacy (hereinafter: protection of privacy) pf its member companies, former member companies, potential member companies, participants in seminars, expert workshops and other events organized by GS1 Croatia, suppliers, members of administrative bodies of Association and its employees (hereinafter: Users) in accordance with General regulation on data protection (EU 2016/679) (hereinafter: Regulation), valid and applicable legislation, best practices and internationally accepted standards, in accordance with commercial and safety requirements of international GS1 organization (whose member is GS1 Croatia). Protection of privacy of Users of GS1 Croatia is a constituent part of commercial activities of Association and an important element in users’ experience.


Disclaimer: This English version is a translation of the original in Croatian and should be used for information purposes only. In case of any discrepancy, the Croatian original will prevail.

What is the personal Data Protection Policy of GS1 Croatia and why is it adopted?

By adopting this Personal Data Protection Policy, GS1 Croatia wishes to, in one place and transparently, provide clear information to Users in respect to processing and protection of their personal data in GS1 Croatia, as well as to enable easy supervision and administration of their personal data and consents.

This Policy does not diminish rights and does not impose obligations upon Users in respect to processing of personal data, which Users already have pursuant to valid and applicable legislation and possible contractual provisions on data protection.

This Policy is one-sided binding enactment of GS1 Croatia which stipulates purpose and goals of collection, processing and management of personal data by GS1 Croatia, based on best global practices from domain of personal data protection. This Policy ensures adequate level of protection of data in accordance with Regulation and other valid and applicable laws governing personal data protection.

This Policy shall be applied to all web pages and domains of GS1 Croatia and on all services and products of GS1 Croatia that include processing of personal data (for instance allocation of GS1 identifier, PKPG, GlobeCat®, seminars, expert workshops and other). It primarily applies to physical persons who are submitting requests for GS1 Croatia services or who use services of GS1 Croatia. However, taking into consideration legitimate interests of Users who are legal entities, this Policy shall be accordingly and pursuant to valid and applicable legislation applied to such legal entities.

The goal of this Policy is to facilitate appropriate processes of protection and management of personal data of examinees, i.e. members, members of administrative bodies of the Association, employees, business partners and other persons whose personal data are being processed.

At the moment of submission of your personal data you are consenting to contact with us and thus give us the right to process your personal data in accordance with the indicated purpose. Protection of privacy of your personal data shall be permanent.

This Policy was published in the form of official document and shall be applied from May 21, 2018.

We are kindly requesting you to occasionally verify this personal data protection policy, taking into consideration possible changes and amendments that shall be published on web pages of GS1 Croatia.

This Policy shall be applied to all personal data of Users or Potential users of GS1 Croatia that are being collected, used or processed in any mother manner by GS1 Croatia or its partners. Personal data is every information relating to a physical person whose identity has been determined or may be determined, directly or indirectly (hereinafter: information or personal data). Processing of data is every action performed in respect to personal data, for instance collecting, recording, storing, use, transfer of personal data and access to personal data.

This Policy shall not be applied to anonymous data. Anonymous data is information that is altered in the manner that it may not be associated with a particular physical person or it may not be associated without disproportionate effort and is therefore pursuant to valid and applicable legislation not considered to constitute personal data. GS1 Croatia applies best European practices of anonymization of data.

This Policy shall be applied to all services and products of GS1 Croatia that include processing of personal data. Last statement of intent of Users in respect to processing of personal data shall be applied to all other GS1 Croatia services used by such User.

As a rule, GS1 Croatia shall be the controller in respect to personal data of its Users, within the meaning of valid and applicable legislation on personal data protection.

This Policy primarily relates to physical persons who are submitting requests or use services of GS1 Croatia (hereinafter: Users) and/or are interested to use services of GS1 Croatia (hereinafter: Potential users). However, taking into consideration legitimate interests of Users who are legal entities, this Policy shall be accordingly and pursuant to valid and applicable legislation applied to such legal entities. In order to avoid any ambiguities, this Policy shall be in any case entirely applied to employees of legal entities who are Users of GS1 Croatia.

 3.1. Trust

We wish to be a reliable partner in protection of privacy of our Users and to justify their trust. Also, we wish to be completely transparent and clear in respect to processing of personal data of our Users. This is, among other, the purpose of this Policy, especially through active role of our Users in administration of data. Users may contact us at any time with request to change personal data relating to them or with declaration on purpose to which they wish, i.e. do not wish, to process their personal data.

3.2. Legality and Best Practice

While processing personal data we are acting in accordance with the law but are also trying to implement higher standards and best European practices.

3.3. Limited Purpose of Processing

We are collecting and processing personal data only in specific and legal purposes and do not process them further in the manner which is not compliant with the purpose to which they are collected, unless stipulated otherwise by the law or o the basis of User’s consent. 

3.4. Reduced Quantities of Data

We are always using only those data of our Users that are appropriate and necessary for achievement of a specific legitimate purpose and not any additional data.

3.5. Processing in Anonymous Form

Whenever possible and practicable, we are using data in anonymous form. Data in anonymous form are primarily anonymous data. However, whenever possible and practicable, particularly due to protection of personal data of our Users, we are pseudonymizing personal data, i.e. we utilize special procedures of pseudonymization (for instance, substitution, hashing etc.) to "mask" them in the manner to make them unsuitable to connect with individual Users without use of additional information that are kept securely and separately (for instance, use of keys). 

3.6. Comprehensiveness and Confidentiality

We are processing personal data in a safe manner, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage (for instance, only authorized persons who require such access for performance of their work and no other employees have access to personal data of our Users).

3.7. Quality of Personal Data

We are paying particular attention to quality of data we are processing. Personal data that we are processing have to be accurate, complete and updated in order to ensure maximum protection of data of our Users and to prevent possible misuse. Therefore it is important to us to be immediately or as soon as possible notified by Users on each change of personal data.

3.8. Limited Time of Storing

We re storing and processing personal data of our Users only for the period necessary for achievement of particular legitimate purpose, unless valid and applicable legislation for certain purposes do not stipulate longer or shorter period of storing or in other cases explicitly stipulated by the law. After that, data are being permanently deleted or anonymized.

Generally, we are storing data in accordance with regulatory requests and best practices for purpose of enabling of traceability in the supply chain, safety of consumers, protection and safeguarding of integrity of global GS1 system of standards and similar. Duration of storing of data depends on nature of data and is subject to changes.

In accordance with the above described principles, data of our Users shall be accessed by employees of GS1 Croatia depending on their authorizations and work positions in order to successfully perform tasks defined for their positions. Also, a part of services for GS1 Croatia is performed by other legal entities with whom data of our Users shall be shared only in case it is necessary for purpose of performing of obligations from mutual contracts.

GS1 Croatia shall forward personal data of our Users to other commercial entities or state institutions in case there are legal grounds for such forwarding.

GS1 Croatia collects personal data (hereinafter: data) of its Users in several manners:

  1. We are collecting data primarily from Users or Potential users, in the manner that they submit such data to us. Most common example of such method of collection of data is submission of requests for particular service or product, while the User, in case he/she wishes to use certain service or product, provides data and documents necessary for identification (for instance, name, surname, address, copy of documents, PIN, etc.). During the course of communication between GS1 Croatia and Users, we are also collecting data via telephone, e-mail, Customer service, Users’ web pages and contact forms on web pages, internet portals and social networks, while resolving complaints, etc. Data collected in this manner is being used for fulfillment of User’s request.
  2. We are collecting data that occur automatically during the course of use of GS1 Croatia products and/or services by Users.
  3. We are collecting data from publicly available sources such as, for example, public registries, public telephone directory, publicly available services, commercial services or publicly available numeration.
  4. GS1 Croatia collects data pursuant to agreements on cooperation with public authorities, i.e. Ministry of Defense of the Republic of Croatia, Croatian Bureau of Statistics, Environmental Protection and Energy Efficiency Fund, Financial Agency and pursuant to queries to competent inspection authorities at the Ministry of Economy of the Republic of Croatia, Ministry of Finance of the Republic of Croatia, Ministry of Agriculture of the Republic of Croatia, Customs Administration of the Ministry of Finance of the Republic of Croatia and other public authorities, in accordance with their official competences.
  5. GS1 Croatia collects data received from the international GS1 organization for purpose of protection and supervision of integrity of global GS1 system of standards[MV1] , as well as in other situations stipulated in the License Agreement and Rules of Business Conduct entered into with the international GS1 organization.

Prerequisite for each collection of personal data of Users is existence of appropriate legal basis pursuant to the law.

Depending on the agree upon service or product, User’s consent and purpose for which particular data is being used for, GS1 Croatia is authorized to collect categories of Users’ data listed below. In performance of this activity, we are always collecting only data which is necessary for achievement of a particular legitimate purpose.

GS1 Croatia does not process data that reveal racial or ethnic origin, political affiliation, religious or philosophical convictions, union membership or sexual orientation of individuals. Also, GS1 Croatia does not process special categories of data or personal data in respect to criminal convictions and criminal acts.

5.1. Contractual Data

Contractual data in the broader sense include so-called master data, i.e. data provided by User for purpose of entering into and performance of contract (for instance, name and surname, date of birth, postal address, mailing address, contact information). Contractual data also include information on services and products in use by such User or used previously in GS1 Croatia, as well as information on methods and history of payment of services of GS1 Croatia (for instance, outstanding amounts).

5.2. Communication between Users and GS1 Croatia

This includes, for instance, recordings of telephone conversations between Users and GS1 Croatia, written or electronic communication between Users and GS1 Croatia, communication with GS1 Croatia on social networks, preferred channels of communication between Users and GS1 Croatia etc.

5.3. Information on Potential Users

These information include master data, particularly contact information (for instance, name and surname, e-address), but also interests of Potential users for services of GS1 Croatia. As a rule, GS1 Croatia shall record data of Potential users who contact GS1 Croatia with request to be informed by GS1 Croatia and/or to be offered certain products and/or services. Information on Potential users are being deleted or anonymized after expiry of 5 years or earlier, upon request of such Potential user, with exception of data that is being stored for longer period of time due to legal obligations (for instance, in case of dispute).

In order to enable GS1 Croatia to provide services to its Users, in accordance with rules listed below, it is necessary to process a minimal set of data necessary for good performance of particular service. In the contrary, in case a User refuses to provide the requested set of data, GS1 Croatia shall not be able to provide service to such User.

In accordance with the above mentioned, personal data of our Users are being processed after fulfillment of one of the below listed terms and conditions:

6.1. Performance of Contracts

GS1 Croatia collects and processes Users’ data (hereinafter: uses) primarily for purpose of entering into and performance of contracts between Users and GS1 Croatia. This particularly includes use of data for purpose of verification of identity of Users, good standing of Users, providing of the agreed upon services, calculation and charging of expenses, contacting Users in case it is necessary in relation with performance of services, resolving of complaints, resolving of interruptions, monitoring and assuring of quality and safety of services and products, customer support, counselling and assistance in use of products and services and other actions related with entering into and performance of contracts in accordance with the law.

Legal basis for processing of date for such purpose if the necessity for performance of contracts towards Users or implementation of measures upon requests of Users prior to entering into contracts. In case a User does not wish to provide data necessary for entering into and performance of contract, GS1 Croatia shall not be able to enter into contract and/or perform particular actions in respect to performance of contract.

6.2. Legitimate Interest

Furthermore, GS1 Croatia uses certain Users’ data exclusively for purpose of own records and for purpose of protection of legitimate interests of Users and/or global GS1 system of standards, except in cases when such interests are superseded by interests or basic rights and liberties of Users that require protection of personal data. For instance, this includes use of Users’ data for purpose of prevention, disclosure and persecution of misuses against Users or global GS1 system of standards, ensuring of safety of employees, Users, products and services of GS1 Croatia, creation of services and offers that meet requirements and desires of Users, ensuring of top level user experience, personalized customer support, optimization of electronic communication network etc.

Legal basis for processing of data for these purposes is legitimate interest of GS1 Croatia, except in cases when such interests are superseded by interests or basic rights and liberties of Users that require protection of Users’ personal data and/or legal basis for protection of key interests of Users or other physical persons. Exceptions are cases listed in Section 7 of this Policy when consent constitutes legal basis.

6.3. Direct Promotion of Services and Products

GS1 Croatia, as a part of the international GS1 organization, is under obligation to offer certain services and information to its active members in order to assist them in proper implementation of global GS1 system of standards (expert educations, verifications of bar codes and logistic labels, expert publications and similar).

GS1 Croatia, therefore, may use Users’ contact information for notices on services and products of GS1 Croatia via all promotional channels, unless Users determine otherwise. Each User may at any time declare that he/she no longer wishes to receive promotional notices. In such case data of such user shall no longer be processed for promotional purposes. Promotional notices on services and products of third parties (partners) shall be sent by GS1 Croatia to Users only subject to their consent.

Legal basis for processing of data for these purposes is legitimate interest of GS1 Croatia, except in cases when such interests are superseded by interests or basic rights and liberties of Users that require protection of Users’ personal data. Exceptions are cases listed in Section 7 of this Policy when consent constitutes legal basis.

For sending of promotional notices on all services and products GS1 Croatia uses service MailChimp with whom it enter into Contract on processing of personal data. MailChimp possesses Shield certificate. European-American system for protection of privacy (Privacy Shield) is system of self-certification that is binding upon USA-based organizations and which is recognized by the European Commission as the system that ensures appropriate level of protection of personal data that are being transferred from EU to self-certified USA-based organizations, which represents one of legal guarantees for such transfer of data. You may read more about Privacy Shield and MailChimp at https://kb.mailchimp.com/accounts/management/about-mailchimp-the-eu-swiss-privacy-shield-and-the-gdpr

6.4. For Purpose of Fulfillment of legal Obligations and Performance of Tasks of Public Interest

Pursuant to written request based on valid and applicable legislation, GS1 Croatia is under obligation to provide competent state authorities (for instance, courts, police, Croatian Personal Data Protection Agency, Environmental Protection and Energy Efficiency Fund, Croatian Bureau of Statistics etc.) or enable access to certain Users’ personal data.

Legal basis for processing of data for this purpose is fulfillment of legal obligations of GS1 Croatia, as well as performance of tasks of public interest.

Global GS1 system of standards for whose proper implementation in the Republic of Croatia, as well as for assistance to commercial entities in its application, GS1 Croatia is entrusted, is applied in numerous commercial sectors. Among other things, it enables traceability of products in all phases, including production, packaging, distribution and placement on local and global market, identification of packaging intended for recycling, verification of authenticity of products (combat against forgeries), unique identification of products, services and commercial entities on global level and other. The above listed are some of the reasons due to which competent state authorities may, within the scope of their competences, request GS1 Croatia to enable access to certain personal data of our Users.

7.1. What are consents?

Consent is voluntary, separate, informed and unambiguous declaration of intent of User in form of statement or clear affirmative action granting consent for processing of personal data relating to him/her (so-called opt-in). Consent may be given in writing or in some other appropriate manner (examples of consents may be found at https://www.gs1hr.org/hr/gs1-croatia/zastita-privatnosti). Consent may be given or withdrawn free of charge at any time. Consent is not necessary for all processing of personal data.

Without User’s consent:

  • We shall never use the following User’s data to any purposes other than very performance of contract, i.e. providing of service, prevention of misuse, normal use of global GS1 system of standards or fulfillment of legal obligations of GS1 Croatia;
  •  We shall never send promotional notices of third parties to User;
  • We shall never process User’s data in other cases in which pursuant to valid and applicable legislation consent is necessary.

7.2. Method of Administration of Consents

Users may change their consents and/or withhold the right to process personal data by means of a written notice (e-mail or mail in case identity of sender may be conclusively confirmed) or by personal attendance of GS1 Croatia office. Depending on the communication channel, such change and/or withholding shall be registered no later than 48 hours from the moment of receipt thereof, under condition that User was conclusively identified.

Consents granted prior to application of new concept of consents and Policy of protection of privacy are registered I accordance with provisions of the new Regulation.

Publishing of personal data in GEPIR and other publicly available GS1 services

In Section 12 you may read more about consents for publishing of data in GEPIR and other publicly available GS1 services.

Terms and conditions of use of material from Internet pages

The said terms and conditions of use of written materials, list of products and services and material from Internet pages of GS1 Croatia are rules that have to be complied with by all Users. Each use of www.gs1hr.org is subject to the said terms and conditions.

All content published at www.gs1hr.org is ownership of GS1 Croatia and may be used only in private and non-commercial purposes and may not be copied, reproduced or distributed in any manner whatsoever without explicit written consent of  GS1 Croatia. Each unauthorized possession and search without consent of the author shall be subject to legal sanctions.

GS1 Croatia shall undertake its best endeavors to maintain pages www.gs1hr.org fully functional and that all published information are accurate and complete but it is not liable for occasional non-functioning of pages, possible inaccuracy of information or any damage caused by use of inaccurate or incomplete information or impossibility to access information.

Pages www.gs1hr.org are accessed via Internet. Internet is global computer network which is not under direct control of GS1 Croatia and to which GS1 Croatia is merely connected and therefore may not guarantee availability of services and information.

GS1 Croatia withholds the right to, at any time and without prior announcement, change any content published at www.gs1hr.org.

The said terms and conditions relate to several segments:

Safety of data

Due to safety of information on this address and in order to ensure availability of service to all Users, computer system uses software programs that monitor visits to network and recognize unauthorized attempts to dispatch or alter data, as well as those that may be harmful in some other manner. Unauthorized attempts to dispatch or alter data are strictly prohibited at this location.

Confidentiality of data

Your personal data remain secret while visiting pages, unless you want to disclose them voluntarily. We undertake not to disclose received data to third parties, unless there is a legal basis for such disclosure.

GS1 Croatia shall collect Users’ personal data (name, surname, company name, telephone number, e-mail address ...) at specific places and at certain times on www.gs1hr.org pages. Such data shall be used to contact and register web page Users and for statistical processing of visits of www.gs1hr.org pages. GS1 Croatia guarantees not to sell or in any manner whatsoever transfer to third parties data collected in this manner.

Server statistics

Our global network server uses statistical software programs for network administration, which are being used for administration of these pages as well. These programs are a standard feature of all web-server and are not specific only to our pages. These statistical programs enable us to determine data that are the most or the least interesting for our Users, which browser to introduce, which is the efficiency of structure our location and what is the rate of visit to our pages.

User pages of GS1 Croatia

Users who are at the same orderly members of GS1 Croatia gain the tight to access certain protected content of web pages (for instance, My data, Interactive search, expert publication and other). Registered members have the right to access protected content by entering their GLN number and password. Users are under obligation to safeguard information on their usernames and passwords and are entirely liable for damages caused by unauthorized use.

Contact form and sending of messages via electronic mail

When User is sending electronic mail (e-mail) to GS1 Croatia containing personal data on the basis of which it is possible to identify such User, by e-mail message with question or comment or by filling Contact form on https://www.gs1hr.org/en/contact, GS1 Croatia shall use such data for fulfillment of requests of such User. In case such User does not wish to provide his/her personal data, GS1 Croatia shall not be able to process requests of such User. GS1 Croatia may possibly forward e-mail of such User to other employees who may be able to provide better answers to User’s questions.

Your information are being stored for duration required for processing of your request and are being deleted or anonymized after expiry of 5 years, with exception of data that is being stored for longer period of time due to legal obligations (for instance, in case of dispute). 

Web pages www.gs1hr.org use so-called "cookies" in order to provide completely functional services and best possible content to Users. Cookies represent a set of data generated by web page server and stored by web browser to User’s disc as a small textual file with certain User’s data (for instance, IP address used for access to web page, time of connection etc.).

Types of cookies

Web page www.gs1hr.org uses the following cookies:

  • Temporary Cookies (Session cookies) – are being stored on computer of User f web pages www.gs1hr.org only during visit to these pages, User is thus enabled to more efficiently use web pages www.gs1hr.org and they are automatically deleted once the browser is closed.
  • Permanent Cookies (Persistent cookies) – these are cookies that remain ''recorded'' in User’s Internet browser until they expire only until manually deleted by such User. Collected information are anonymous and do not include User’s personal data.

Why permit use of cookies?

GS1 Croatia uses cookies:

  • For purpose of providing of better user experience;
  • For purpose of monitoring and analysis of use and visits of our web-places;
  • For proper operation of pages (in cases when it is necessary).

Users shall obtain detailed information cookies used by individual web page immediately upon first visit to such Internet page. On the basis of these information and during the first visit to Internet page, Users grant or withhold their consent to use of cookies. Users of web pages www.gs1hr.org may always independently regulate receipt of cookies through their web browser settings. GS1 Croatia excludes any liability for any loss of functionality and/or quality of content of web pages www.gs1hr.org in all cases of selection of regulation of receipt of cookies by Users.

GS1 Croatia is not liable for cookies on other Internet pages that are not owned by GS1 Croatia. GS1 Croatia shall connect information on Users obtained through cookies with other data of such User for purpose of better familiarization with User’s requirements and providing of better user experience, only on the basis of User’s consent.

What happens if a User does not accept cookies?

In case a User does not accept cookies, it is possible that certain features of this Internet page will not be shown or will not work properly. This shall limit User’s possibilities provided by GS1 Croatia page and may affect design and user experience.

Web page statistics

Besides, web pages www.gs1hr.org monitor statistical visits exclusively for purpose of obtaining of necessary information on attractiveness and market success of its pages, while using third party service under name Google Analytics. Detailed third party information on this service, as well as on possibilities of users of web pages www.gs1hr.org in respect to necessary cookie regulation are available at: http://www.google.com/intl/en/analytics/privacyoverview.html.

Other

Use of web pages www.gs1hr.org deems that User is at all times familiar with these terms of use, including provisions on data processing and possibilities in respect to cookies.

GS1 Croatia withholds the right to change content of these web pages and shall not be liable for any possible consequences arising from such changes.

GS1 Croatia utilizes various technical and organizational measures of protection of Users’ data against unauthorized disclosure within and outside of GS1 Croatia, against alterations, losses, theft and any other violation and misuse of data, in accordance with the best global practices. These measures, among others, include the following:

  • Services and products of GS1 Croatia, before being offered to Users, fulfill safety demands and demands for protection of data (so-called privacy by design and security by design). Also, Users’ personal data are being stored in accordance with internal safety standards of GS1 Croatia and GS1 Croatia continuously implements significant organizational and technical measures in order to protect personal and all other data of our Users. Where practicable, GS1 Croatia utilizes cryptographic methods of data protection and continuously works on improvement of safety measures. Besides the above mentioned, advanced tools for protection and prevention of leakage of data are being used and critical systems within GS1 Croatia are being monitored;
  • Entering into contracts on protection of Users’ personal data with all so-called subcontractors;
  • Implementation of all protective measures on systems on which Users’ data are being located. GS1 Croatia does not allow unauthorized collecting, processing or use of personal data. Rule of limitation of access only to data necessary for performance of particular commercial tasks is being applied. In accordance with the above mentioned, roles and responsibilities are clearly defined. Employees are strictly prohibited from use of Users’ personal data for any purpose that is not in accordance with terms and conditions defined in Section 6;
  • Implementation of regular controls of safety measures and measures of protection of personal data. Personal data are being protected from unauthorized access, use, alteration and loss. Protective mechanisms are applied to personal data regardless of the form in which they are kept – paper or electronic;
  • Permanent education of employees;
  • Existence of special organizational units within GS1 Croatia that are dedicated exclusively to protection and safety of Users’ data, as well as function of Trustee for protection of personal data;
  • GS1 Croatia undertakes its best endeavors to ensure that all rerouting from GS1 Croatia web pages link to Internet pages that do not contain illegal and/or harmful content. However, pages and addresses on the web are being quickly changed and GS1 Croatia may not always guarantee for content of each address to which it routes. In case Users have any questions or doubts in respect to his/her experiences with web pages and services of GS1 Croatia, Users should contact GS1 Croatia office.

As a rule, GS1 Croatia processes personal data of its Users in the Republic of Croatia. Exceptionally, it processes data in other countries (for instance, in case a subcontractor from another country is hired for performance of particular service or a part of such service that includes processing of personal data), as a rule in member states of the European Union. Exceptionally, it processes data in other countries, but always ensuring appropriate protection of personal data, as a minimum the same level as if personal data are being processed in the Republic of Croatia (for instance, by application of the so-called EU Standard Contractual Clauses for Processors in Third Countries). 

GS1 Croatia extremely values personal data of our Users. GS1 Croatia does not ever sell Users’ personal data to anyone. GS1 Croatia does not forward and does not exchange Users’ personal data with any legal entities or physical persons (hereinafter: persons), except in the following cases:

a.    In case there is a legal obligation or explicit authorization based on the law (for instance, on the basis of court’s request);

b.    In case GS1 Croatia hires another person for performance of particular tasks as so-called subcontractor, i.e. processor. It is important to emphasize that the so-called subcontractor acts exclusively upon order of GS1 Croatia and GS1 Croatia ensures all measures of protection of Users’ personal data as if it performs these tasks independently.

c.    In case personal data have to be forwarded to third parties for purpose of performance of contract with User;

d.   Cessions, i.e. transfer of receivables to third persons pursuant to Article 80 of the Law on obligations;

e.    In case it is necessary for performance of tasks in public interest;

f.     Pursuant to User’s consent.

Transfer of data within international GS1 organization

Global GS1 system of standards comprises one body and organizations-members of international GS1 organization cooperate at multiple levels for purpose of providing of best possible services. In order for this cooperation to continue without interruptions, there is a need for exchange of personal data within the international GS1 organization.

GS1 organizations-members mutually exchange personal data in case it is necessary in order to provide the requested service to Users, i.e. only in case there is a need on the basis of terms and conditions listed in Section 6 or for purpose of tasks entrusted by organization-members to the international GS1 organization, which is stipulated in separate contracts.

Principle of limitation of processing is being strictly observed during transfer of Users’ data to foreign partners, with transfer of minimal quantity of data necessary for realization of the requested service. Additionally, GS1 Croatia facilitated control mechanisms that require our partners to have at least the same level of protection of personal data as within GS1 Croatia.

If necessary and exclusively pursuant to terms and conditions listed in Section 6, GS1 Croatia transfers data to partners in third countries or within the international GS1 organization. In such cases additional controls and protective measures for transfer of personal data are being applied in accordance with the Regulation. These measures may include legally binding and enforceable instrument, binding corporate rules, certification and similar.

GEPIR (Global Electronic Party Information Registry)

GS1 GEPIR is a database containing basic data of more than a million companies from more than 100 countries. By accessing GEPIR one may find names of companies, institutions or other commercial entities that use bar codes.

Participants in the GEPIR project are convinced that international interconnecting of national databases is the only guarantee of accuracy of data and is completely in accordance with GS1 principles of decentralized control and system administration. International GS1 organization is a network that facilitates voluntary exchange of information and the GEPIR project is the application of this principle.

GS1 Croatia shall not publish personal data in GEPIR without User’s written consent. In case a User wishes his/her data to be visible in GEPIR, it is necessary to complete and sign consent form that is available at www.gs1hr.org or to contact GS1 Croatia at osobnipodaci@gs1hr.org.

PKPG (List of coded products and GLNs)

PKPG is a free web-application for allocation of new codes to products (GTIN) and entry of locations (GLN) and records of used codes with accompanying product names and/or location, available 24/7 to orderly members of GS1 Croatia.

A User who is at the same time an orderly member of GS1 Croatia gains the right to access PKPG by entering its username and password. Users are under obligation to safeguard information on their usernames and passwords and are entirely liable for damages caused by unauthorized use.

GlobeCat® electronic catalogue

GlobeCat® (former name eCrokat®) is online electronic catalogue that in place provides Users with the possibility to enter, store and update wide array of information on their products.

Users with open access to GlobeCat® electronic catalogue may access it by username and password. Users are under obligation to safeguard information on their usernames and passwords and are entirely liable for damages caused by unauthorized use.

Besides active role of Users in administration of consents, i.e. right of Users to withdraw their consents at any time (Items 7 and 8), User have other active roles, all in accordance with valid and applicable legislation:

a.    Right to raise complaints: Users have the right at any time to request to cease to receive promotional notices on services and products of GS1 Croatia. Users also have the right to raise complaints to any other processing of personal data of such Users that is based on so-called legitimate interest of GS1 Croatia, (so-called opt-out).

b.    Obligation to safeguard data: Users have the right to confidentially and diligently keep all identification marks allocated by GS1 Croatia (for instance reference to account number, username, password, etc.) taking into consideration that all actions that undertaken with identification marks of such Users are considered to be actions undertaken by such Users. Also, Users are under obligation to change password or other access data immediately upon suspecting unauthorized use of such data and to inform
GS1 Croatia in case of suspected misuse of identification marks.

c.    Right to access: Users have the right to obtain confirmation whether their personal data are being processed and, in case such personal data are being processed, access to such data and information on purpose of processing, categories of personal data, recipients or categories of recipients, on foreseen duration of storing of data or on criteria used for determination of such period, existence of Users’ rights, as well as on protective measures in case of transfer of such data to so-called third countries.

d.   Right on deletion: Users have the right to obtain deletion of their personal data without undue delay and under terms and conditions stipulated in valid and applicable legislation on personal data.

e.    Right on correction: Users have the right to obtain correction of incorrect their personal data. Additionally, Users have the obligation to regularly update personal data in their commercial relations with GS1 Croatia.

Users have the right to request realization of any of the above listed rights at any time. GS1 Croatia shall, upon request, provide Users with information on actions undertaken in respect to the said rights no later than 3 months from receipt of such request (depending on quantity and complexity of request) – all requests shall be processed within 1 month and time limit shall be extended for additional 2 months, at the most, in case it is necessary. In case GS1 Croatia fails to act upon User’s request without delay and no later than one month upon receipt of request, GS1 Croatia shall notify such User on reasons for failure to act. Reasons for failure to act imply existence of legitimacy of processing that prevents GS1 Croatia from acting upon request.

GS1 Croatia implements significant procedural and technological measures in order to protect personal data of our Users. Additionally, all employees of GS1 Croatia are under obligation to notify responsible persons in case of incidents relating to protection of personal data. In case of violation of personal data, GS1 Croatia is under obligation to report such incident to Personal Data Protection Agency within 72 hours upon information on such violation, in case it is practicable.

Also, in case of violation of personal data that is likely to case high risk for rights and liberties of individuals, GS1 Croatia shall without delay inform such User on violation of his/her personal data.

Exceptionally, GS1 Croatia shall not notify Users in case of violation of their personal data in case of fulfillment of at least one of the following terms and conditions:

  • GS1 Croatia implemented appropriate technical and organizational protection measures and such measures were applied to personal data affected by violation of personal data. This especially relates to protection measures that make personal data unintelligible to any person without authorized access, such as encryption;
  • GS1 Croatia implemented subsequent measures that ensure that it is no longer likely that high risk for rights and liberties of such Users may occur;
  • Such notification would require disproportionate effort. In such case there must be public notification or a similar measures that effectuates public notification of Users in equally effective manner.

User shall have the right to file a complaint to the regulatory body (Personal Data Protection Agency) in case of incident concerning personal data of such User or in case such User considers that GS1 Croatia is violating his/her rights stipulated by Regulation.

Users may exercise their rights by contacting, i.e. submitting of appropriate request to e-address osobnipodaci@gs1hr.org or mail address GS1 Croatia, Preradovićeva 35, 10000 Zagreb, or in some other manner enabled by GS1 Croatia to Users, depending of the type of request.

In case a User suspects violation of his/her personal data or has any questions in respect to this Policy and/or protection of personal data by GS1 Croatia, such User may contact us through e-address osobnipodaci@gs1hr.org or mail address GS1 Croatia, Preradovićeva 35, 10000 Zagreb.

Also, Users are entitled to submit complaints to Personal Data Protection Agency.

This Policy shall enter into effect and shall be applied to new Users from the date of publication and shall be available at web pages and at GS1 Croatia offices. Users shall be notified in a timely manner and by publication on web pages of GS1 Croatia in respect to all possible changes and amendments of this Policy.

This Policy shall be applied from the date of publication to Users that were, at the moment of first publication of this Policy, existing Users of GS1 Croatia.

This Policy shall enter into effect on the date of its passing and shall be applied from May 21, 2018.

 

Zagreb, May 10, 2018

Private Data Protection Policy

Contact