Introduction
GDPR is the General Data Protection Regulation, which has applied since May 25, 2018 and represents the most significant change to personal data protection in the last two decades. It was designed to fully meet the needs of the digital age. The twenty-first century brings wider use of technology in everyday life, and with it new definitions of personal data. The goal of the GDPR is to standardize data protection laws across the European Union and to give individuals greater and more consistent rights to access and control their personal information.
Our commitment to data protection
Fine’sa Group is fully committed to providing security and protection for the personal data of its users. We have always strived to maintain an effective data protection program that complies with current laws and basic data protection principles. Nevertheless, we recognize the need to improve it in order to fully comply with the GDPR guidelines and the laws of the Republic of Croatia.
How do we manage GDPR
Fine’sa Group maintains a consistent level of data protection policies and processes at all organizational levels; however, in order to fully comply with the GDPR guidelines by May 25, 2018, we have implemented the following steps:
- Information review – an audit of the personal information we collect was carried out at all organizational levels
- Policies and Procedures – an audit was carried out, and new data protection policies and procedures that comply with the GDPR requirements were introduced. These include the following:
- Data Protection – our main policy document and data protection process have been revised to meet GDPR standards and requirements. Responsibilities and management measures are in place to ensure that we understand and can demonstrate our obligations and responsibilities, with a particular focus on privacy by design and the rights of individuals.
- Data retention and deletion policy – we have updated our policies to ensure that we comply with the principles of “data minimization” and “storage limitation” and that personal data are stored, archived and destroyed ethically. We have specific deletion procedures in place to fulfill the new “right to erasure” obligation, and we are aware of when the other rights of the data subject apply, together with all exceptions, response timeframes and notification responsibilities.
- Breach management – our breach management procedures set out the measures and steps to identify, evaluate, investigate and report personal data breaches as soon as possible. These procedures are accessible to all employees and describe the concrete steps that must be taken.
- Data Transfer to Third Parties – where Fine’s Conceptus d.d. stores or transmits personal data outside the EU, procedures and measures are in place to ensure that the data are secured and encrypted and that their integrity is maintained. Our procedures include a continuous review of countries covered by adequacy decisions. They also cover binding corporate rules as well as standard data protection clauses.
- Subject Access Request (SAR) – we have modified our SAR procedures to match the 30-day timeframe for providing the requested information.
- Legal basis for processing – we review all processing activities to determine the legal basis for each and to ensure that each basis is appropriate for the activity to which it relates.
- Notice and Privacy Policy – we have modified our privacy notices to comply with the GDPR, ensuring that all individuals whose personal data are processed are informed why we need the data, how it is used and what their rights are.
- Obtaining consent – we have developed rigorous procedures for recording consent, along with the time and date of the record.
- Direct Marketing – We have revised the text and procedures for direct marketing. We have included clear mechanisms for subscribing to the newsletter, as well as a clear way to unsubscribe from all marketing materials.
- Data Protection Impact Assessments (DPIA) – where we process personally identifiable information that is considered high risk, we have developed procedures that comply with the requirements of Article 35 of the GDPR.
- External Data Processing Contracts – we have put in place appropriate contracts and due diligence procedures to ensure that everything is in line with both our own and our processors’ GDPR obligations. These measures include initial and ongoing audits of the services provided and of their GDPR compliance.
- Special Category Information – in situations where we collect special category data, all procedures are in accordance with the requirements of Article 9 of the GDPR. Special category data are only processed where necessary.
Rights of the person whose information was collected
Persons whose information has been collected have the right to request information on:
- All personal information we hold about them
- The purpose of the data processing
- The categories of personal data being processed
- All parties who will have access to their personal information
- How long their personal information will be stored
- The source of the data
They also have:
- The right to have incorrect information about them corrected
- The right to request deletion of their personal information
- The right to file a complaint
Information security
Fine’sa Group takes the security of personal information seriously.
Our security policies include the following security measures:
- SSL
- Access control
- Password rules
- Coding
- Pseudonymisation
- Practice
- Limitations
- IT
- Authentication
GDPR roles and employees
At Fine’sa Group, Kresimir Misak is in charge of data security. A working group has been formed to implement GDPR-compliant policies and procedures.