Privacy policy

Tkalčić d.o.o.
Miroslava Krleže 5B
23000 ZADAR
OIB: 77288753601

Tel. 023 332 688
e-mail: info@tkalcic.com
www.tkalcic.com

The Data Controller respects the privacy of every person whose personal data it collects (hereinafter: the Data Subject) and is committed to protecting your personal data. In this Privacy Policy, we would like to inform you about what personal data we collect and for what purpose, how we protect it and what your rights are as a Data Subject. Data processing is carried out in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: the Regulation, GDPR), the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018) and other regulations governing the relevant area and applicable in the Republic of Croatia.

This Privacy Policy applies to all processing of personal data carried out by the Controller. The Controller processes personal data of the following categories of Data Subjects:

  • employees of the Controller,
  • partners who are natural persons,
  • responsible persons and contact persons of partners,
  • potential employees of the Controller,
  • persons who have sent an inquiry via the contact form on the Controller's website.

The Controller processes personal data exclusively in accordance with the General Data Protection Regulation. Accordingly, personal data processed by the Controller must be (Art. 5 of the Regulation):

  • processed lawfully, fairly and transparently in relation to the Data Subject ("lawfulness, fairness and transparency");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89, paragraph 1, is not considered inconsistent with the original purposes ("purpose limitation");
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
  • accurate and, if necessary, up-to-date; every reasonable measure must be taken to ensure that personal data that is inaccurate, taking into account the purposes for which it is processed, is deleted or corrected without delay ("accuracy");
  • kept in a form that enables the identification of the subject only as long as is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by applying appropriate technical or organisational measures (‘integrity and confidentiality’).

The processing of personal data is lawful only if and to the extent that at least one of the following is met (Article 6 of the Regulation):

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject's request prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary to protect the vital interests of the data subject or of another natural person;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority;
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

The Controller will seek the consent of the Data Subject for the processing of personal data only in cases where there is no other basis for the lawfulness of the data processing. The Data Subject has the right to withdraw consent at any time.

The Data Subject's rights include (chapter III of the Regulation):

  • Right of access - The Data Subject has the right to obtain from the Controller confirmation as to whether personal data relating to him or her are being processed, and must be given access to his or her personal data.
  • Right to rectification - The Data Subject has the right to obtain from the Controller, without undue delay, the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the Data Subject has the right to complete incomplete personal data, including by providing an additional statement.
  • Right to erasure ("right to be forgotten") - The data subject has the right to obtain from the Controller the erasure of personal data concerning him or her, and the Controller has the obligation to erase the personal data without undue delay, unless there is a legitimate reason not to (e.g. a legal obligation of the Controller).
  • Right to restriction of processing - The data subject has the right to obtain from the Controller the restriction of processing if the conditions set out in Article 18 of the Regulation are met.
  • Right to data portability - The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Controller without hindrance from the Controller to whom the personal data have been provided.
  • Right to object - The data subject has the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data concerning him or her that is based on Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions.

The Controller is obliged to enable Data Subjects to exercise all their rights related to the processing of personal data. To exercise these rights, the Data Subject may submit a request in writing or by e-mail to info@tkalcic.com.

The Data Subject has the right to lodge a complaint with the supervisory authority, i.e. the Personal Data Protection Agency (AZOP), via the form at www.azop.hr, if he/she considers that the processing of personal data by the Controller is unlawful.

The Controller generally processes the personal data of the Data Subjects that the Data Subjects provide themselves for the purpose and to the extent necessary to fulfil their legal and contractual obligations. On the basis of legitimate interest, the Controller processes the personal data of the Data Subjects provided that the interests or fundamental rights and freedoms of the Data Subjects are not overridden, taking into account the reasonable expectations of the Data Subjects based on their relationship with the Controller.

The Controller does not process special categories of personal data if this is not necessary for the purposes of the processing and if the conditions set out in Article 9 of the Regulation are not met.

8.1. Employment and other comparable relationships

The data controller as an employer processes all employee data in the employee database maintained in the IT program and in the physical employee files. The data is collected in accordance with the Labor Act, the Ordinance on the content and manner of keeping records of employees employed by the employer, the Ordinance on the content of salary calculations, salary compensation, severance pay and compensation for unused annual leave, and other legal acts regulating employment relationships. The data controller collects and processes the following personal data of the employee:

  • name and surname
  • personal identification number (OIB)
  • gender
  • date of birth
  • place of birth
  • country of birth
  • citizenship
  • address of residence/domicile
  • telephone/mobile number
  • e-mail
  • qualifications
  • occupation
  • data on completed education and professional development
  • data on pensionable service
  • place/municipality of work
  • contracted working hours
  • workplace
  • date of employment
  • insured person number in HZMO and HZZO
  • salary payment account number IBAN
  • protected account number IBAN (if the employee has one)
  • payer of the second pension pillar
  • personal deduction from PK card
  • data on children and dependents
  • birth certificate if the child is under 15 years of age
  • data on salary deductions
  • date of termination of employment
  • reason for termination of employment

In addition to this data, the Data Controller may store in the employee's file other data collected during the employment process, as well as other data collected during the employment relationship (certificates of completed training, decisions and resolutions regarding employment, etc.).

All employee personal data is stored in the employee database from the date of employment and is kept up to date until the termination of employment, and is kept as documentation of permanent value in accordance with relevant regulations.

8.2. Job applicants

The Data Controller processes personal data in connection with the recruitment of new employees. In this sense, the Data Subjects are persons who apply for a job vacancy or submit open job applications for possible future vacancies.

The Data Controller, as a potential employer, collects, processes and stores data of job applicants based on their voluntary application.

The data that is usually collected are:

  • name and surname
  • date of birth
  • personal identification number (OIB)
  • address
  • telephone
  • e-mail
  • application
  • CV
  • copy of diploma or school certificate
  • other documents that the candidate submitted when applying.

The Data Controller stores the personal data of candidates who are not employed until the end of the recruitment procedure, and the personal data of candidates who are employed for the entire duration of the employment relationship.

8.3. Business partners

In its business operations, the Data Controller also processes personal data of employees of business partners or potential business partners, and of natural persons with whom the Data Controller has or may have a business contractual relationship.

The categories of personal data of the Data Subjects that are collected are:

  • name and surname,
  • OIB
  • e-mail address,
  • telephone/fax
  • function

In addition to the above types of data and places of collection, personal data may also be processed for other specific purposes, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations arising from the business relationship.

Data of Data Subjects who are natural persons in a business relationship with the Data Controller are stored in accordance with applicable legal regulations. In situations where the Data Controller is authorized to determine data retention periods, they are determined taking into account the purpose of the processing and the interests of the Data Subject.

8.4. Personal data collected via the contact form on the Controller's website

The Controller, based on legitimate interest, has enabled the sending of inquiries via the contact form on its website. For the purpose of processing inquiries, the following personal data is collected:

  • name and surname
  • telephone number
  • e-mail

This personal data is stored in digital form and is used exclusively for the purpose of responding to the inquiry and further communication with the Data Subject. The retention period for this data is one year from the last communication with the Data Subject.

The Controller most often collects personal data directly from the Data Subject. When providing personal data in any way, the Data Subject is responsible for the accuracy of the data and agrees that the Controller collects and uses the data in accordance with applicable regulations and the terms of this Privacy Policy. In addition, the Controller may obtain the Data Subject's personal data from other natural and legal persons, as well as from public registers.

Within the framework of fulfilling legal obligations, the Controller is obliged to provide the personal data of the Data Subject to certain data recipients. For the purpose of employment and payment of salary or other receipts, employee data is provided to the competent authorities: the Croatian Pension Insurance Institute, the Croatian Health Insurance Institute, the Tax Administration, the Central Register of Insured Persons and pension companies, and banks. In certain cases the Controller is obliged to provide or make available employment-related data to the Croatian Employment Service (e.g. for the purpose of including workers in active employment policy measures, or for issuing work permits), to insurance companies, and in other cases where regulations require it.

Certain personal data is also provided to business partners for the purpose of providing specific services, e.g. services of health examinations of workers (occupational medicine), institutions that organize legally mandatory training (e.g. occupational safety) or auditing companies, notaries when certifications are requested, the Financial Agency for the purpose of obtaining business certificates, public procurement subjects when the Controller applies for public procurement tenders, for the purposes of awarding and using official cards, official mobile devices, etc.

It is possible to deliver data to business entities (processors) that process data on behalf of the Controller. Most often, these are business associates of the Controller who provide IT services, or have the ability to view personal data processed by the Controller. A data processing agreement (DPA) is concluded with such entities regarding their powers and obligations when processing personal data, in accordance with the requirements of the Regulation.

If data processing involves the transfer of data to third countries, the Controller shall ensure the highest possible standard of protection of personal data, in accordance with the strict requirements of the Regulation. In this regard, where international transfers of personal data take place, the Controller shall inform the Data Subject of the intention to transfer personal data to a third country or international organization and of the existence or absence of an adequacy decision by the European Commission. Any transfer of personal data to third countries shall be carried out in accordance with Chapter V of the Regulation.

Data Subject data is processed and stored in accordance with applicable legal regulations where a storage obligation is prescribed (e.g. employee personal data and payroll data are stored permanently, and accounting documents on the basis of which data are entered into the journal, general ledger and subsidiary ledgers are stored for eleven years). In situations where the Data Controller is authorized to determine the data storage periods, the data is stored for as long as necessary for the purposes for which the personal data are processed.

The Data Controller shall take all appropriate technical and organizational security measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized use, unauthorized access to, or disclosure of personal data.

All employees of the Data Controller undertake to keep personal data confidential by signing a Confidentiality Statement, or are otherwise obliged, under professional secrecy or another appropriate form of secrecy in accordance with the law governing the confidentiality of data, to keep confidential all personal and other confidential data that they learn in the performance of their duties. The obligation to keep data confidential remains in effect even after the authority to access the data has ceased.

The Controller shall ensure that in the event of a personal data breach, it shall notify the competent supervisory authority and the Data Subjects of the personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

The Controller has a legitimate interest in the processing of personal data for direct marketing purposes, primarily for the purpose of sending marketing messages (newsletters) by e-mail, SMS and/or via instant messaging (Viber, WhatsApp, etc.). Based on the legitimate interest, the Controller may send different marketing messages depending on the relationship that the Data Subjects have with the Controller. Data Subjects may request restriction of processing at any time.

Given its activity of providing accounting services, Tkalčić d.o.o., as a Processor, also processes personal data on behalf of other Controllers.

As the Processor, Tkalčić d.o.o. undertakes to:

  • process the personal data of the Data Subject only in accordance with the basic Service Agreement, the Personal Data Processing Agreement and the written instructions of the Controller,
  • ensure that the processing of the personal data of the Data Subject is carried out only by persons authorized by it,
  • ensure that all persons authorized by it to process personal data undertake to respect confidentiality by signing a Confidentiality Statement,
  • ensure that persons acting under its direction do not process the personal data of the Data Subject unless instructed to do so by the Controller, unless otherwise required by regulations,
  • keep a Record of the Processor's processing activities,
  • take organizational and technical security measures to protect personal data in accordance with its own Personal Data Protection Regulations,
  • not engage another Processor without the prior written consent of the Controller,
  • provide the necessary information and assistance to the Controller to ensure the fulfillment of its obligations under the General Data Protection Regulation,
  • make all information and documents available to the Controller for the purpose of inspecting the fulfillment of the obligations under the General Data Protection Regulation,
  • inform the Controller without delay if, in its opinion, a certain instruction of the Controller is contrary to the regulations,
  • cooperate with the supervisory authority (AZOP) in the performance of its tasks.

Data Subjects whose personal data are processed by Tkalčić d.o.o. as a Processor exercise their rights with the Controller.

The Data Controller regularly updates the Privacy Policy in order to comply with legal changes and changes in the method of data processing, and reserves the right to change its content if it deems it necessary. Data Subjects will be informed of all changes and amendments in a timely manner via the Data Controller's website.

In Zadar, February 12, 2025.