Privacy Policy

1. Data Controller

Kostelar Ltd.

Address: Josip Štruk Street 3, 49218 Pregrada, Croatia

Phone Number: +385 49 301 333

E-mail: info@kostelar.hr

Data Protection Officer: gdpr@kostelar.hr

2. Processing of Personal Data

We process the following types of personal data:

  • Name and surname,
  • Email address,
  • Address,
  • Network identifiers (IP address, records/logs, metadata) or domain name of the computer,
  • Cookie ID, language preference data,
  • Phone/mobile number,
  • Content of messages and communication with us,
  • Photograph,
  • Video recording,
  • Data from open job applications (work experience), CV, recommendations,
  • Data from job application submissions, CV, interview notes, test results, recommendations,
  • Data on given and withdrawn consents,
  • Data on inquiries, comments, requests, and complaints, records, reports, legal and similar proceedings.

Open job applications

The data controller receives open job applications from candidates for employment at the data controller via the website and electronic communication. For this purpose, the personal data of the candidate for employment that the candidate voluntarily provided in the application and CV are processed (name, surname, date of birth, contact information, previous work experience, professional qualifications, education, photograph, recommendations).

Open job applications are received by an authorized employee of the data controller and stored in the dedicated work folders in the information system. Only authorized persons have access to open job applications, as well as processors authorized by the data controller.

Data you send us through open job applications are processed based on a legitimate interest solely for the recruitment of new employees and are stored for 12 months. If you do not want to be in our database of potential job seekers, you can object to the legitimate interest and request deletion from the database.

Job applications

The data controller receives job applications from candidates for employment at the data controller via the website and electronic communication. For this purpose, the personal data of the candidate for employment that the candidate voluntarily provided in the application and CV are processed (name, surname, date of birth, contact information, previous work experience, professional qualifications, education, photograph, recommendations).

Depending on the job position, the data controller conducts professional and psychological tests and interviews to select candidates for employment.
The data is stored until the completion of the recruitment procedure, but no longer than one year from its completion. Candidates whose data is to be stored for another recruitment procedure are required to provide consent. Participation in the recruitment procedure is voluntary, and the data of the candidates is processed as pre-contractual actions that precede the conclusion of an employment contract.

If a particular candidate has given consent for the data to be stored after the end of the application, the data is stored for a maximum of 2 years. Candidates who have voluntarily provided their data for future job applications can withdraw their consent at any time without negative consequences. Withdrawal of consent does not affect the legality of the processing up to the time of withdrawal.

Only authorized persons have access to the data of candidates for employment. Psychological testing is conducted by a person who holds the necessary approvals for conducting psychological testing, and the conversation with the psychologist and the psychological testing are conducted in accordance with the applicable law.

Electronic communication

If you communicate with us via the contact form on our website or through social media, we process your personal data that you have provided, such as your name, email address, phone number/mobile phone number, message content, comment, reaction to our message, etc., based on our legitimate interests.

Business cooperation

The data controller processes the personal data of business partners and the personal data that the data controller receives from business partners that are necessary for the smooth operation of daily business, issuing invoices and fulfilling legal and contractual obligations (e.g., name and surname of authorized persons, contact details of representatives of partners, IBAN, OIB).

The data controller processes the data to conduct its commercial activities, such as selecting contractual partners and concluding and executing contracts. The data will also be processed to fulfill legal obligations (including tax and accounting obligations, obligations arising from public procurement regulations or occupational safety regulations, for qualifying suppliers), for administrative processing of contracts, for receiving goods and/or services, for proceeding in court proceedings, for the purposes of internal audit (security, productivity, product quality, preservation of financial integrity), for the purpose of management control and for the purpose of certification.

Processing of data for these purposes does not require the consent of the data subject because the legal basis for processing personal data is a contractual obligation/pre-contractual action. The collection of data is mandatory because otherwise the data controller will not be able to conclude a contract or properly fulfill relevant obligations. The data is stored for 11 years from the end of the business year in which the business cooperation ended.

Event filming and photography

Based on our legitimate interests, we film and photograph public events that we organize or participate in as a sponsor. We also publish photos and videos of people who attended the events on our website and social media. We hire processors to perform the filming and photography, who act in accordance with our instructions.
Consent is not required for this purpose because the filming and photography are carried out in a way that does not override the rights and freedoms of the data subject: for example, where the person is not a publicly exposed person, they are photographed in a way that does not single them out from the crowd, and individual photos may be blurred or cropped in order to achieve a balance between our legitimate interest in promoting the event and the rights of the data subject.

Security and compliance

The data controller takes technical and organizational measures based on its legitimate interest in protecting property and people. For this reason, it implements security measures in its offices using electronic systems. The physical access control system records the entry and exit of people, and the video surveillance system using cameras placed at the entrance/exit of the offices stores the recordings on the servers of the data controller and stores them for a maximum of 6 months. Only authorized persons have access to the data. The data may be provided to competent state bodies and courts in accordance with applicable law. The information systems of the data controller, for the sake of security and ensuring digital evidence, record logs/records of access to the property of the company.

To effectively manage risks, audit operations, monitor the compliance of its operations, and monitor compliance with the General Data Protection Regulation, the data controller is obliged to carry out certain investigations, investigate reports, receive and resolve reports of irregularities in accordance with the Law on the Protection of Whistleblowers, carry out inspections, and collect data that may be used as evidence in a particular court or similar proceeding in order to protect its interests and the interests of its users. The identity of reporting persons and the data related to reports of irregularities are kept in accordance with the Law on the Protection of Whistleblowers.

The data controller processes as a legal obligation the necessary data about members of the management board, supervisory board and audit committee (name, surname, OIB, citizenship, contact details, conflict of interest data, suitability for the position, qualifications, education, work experience, related persons, convictions and financial situation). The data controller makes minutes of business meetings, board meetings and supervisory board meetings, and individual meetings are recorded to prepare minutes, about which the meeting participants are informed in advance.

3. Cookies

On our website, we use necessary cookies (small files that are stored on the user’s terminal equipment) for which consent is not required in accordance with the Law on Electronic Communications. These are session cookies and cookies that are necessary for the provision of information society services. We also use cookies to remember the user’s language selection, which is stored on the user’s terminal equipment for up to one year.

4. Technical and organizational measures for the processing of personal data

We have implemented security measures to reduce the risk of a breach or misuse of your personal data, such as unauthorized disclosure and unauthorized access to your data. The equipment/premises where we store personal data are located in a secure environment with restricted physical access (i.e., a locked room). We use a firewall, strong passwords, antivirus programs, and other data protection measures (such as encryption and pseudonymization). Only authorized persons have access to personal data, and the subject of processing is regulated by our internal documents. We organize data protection training for our employees to inform them of their obligations arising from the legal framework for data protection and to raise awareness of data protection in our organization.

5. The rights of data subjects

Right to Access Personal Data

You have the right to access the personal data that we process about you and to request detailed information, in particular about the purpose of the processing, the categories of personal data being processed, the recipients or categories of recipients, and the intended period for which the personal data will be stored. Access to personal data may be limited only in cases prescribed by the law of the European Union or our national legislation, or when such a limitation respects the essence of the fundamental rights and freedoms of others.

Right to Rectification of Personal Data

You have the right to request correction or completion of personal data if your data is not accurate, complete, and up-to-date. To do this, please send us a request. It is important to specify in the request what exactly is not accurate, complete, or up-to-date, and in what sense it should be corrected.

Right to Erasure

You have the right to request the deletion of personal data related to you if one of the following conditions is met: your personal data is no longer necessary in relation to the purposes for which we collected or processed them; you have withdrawn consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) of the General Data Protection Regulation, and there is no other legal ground for processing; you have objected to the processing of your personal data according to Article 21(1) of the General Data Protection Regulation, and there are no overriding legitimate grounds for processing; the personal data has been unlawfully processed; the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject; the personal data has been collected in relation to the offer of information society services.

Right to Restriction of Processing

You have the right to obtain a restriction of processing if: you contest the accuracy of your personal data; the processing is unlawful and you oppose the erasure of the data; the Data Controller no longer needs the personal data but you require them for the establishment, exercise, or defense of legal claims; or you have objected to the processing of your personal data.

Right to Object

If personal data is processed based on legitimate interest or for direct marketing purposes, you can object to such processing.

Right to Data Portability

You have the right to receive your personal data that you have provided to the Data Controller in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another Data Controller without hindrance from the Data Controller to whom the personal data has been provided, if the processing is carried out by automated means and is based on consent or a contract.

The aforementioned rights are not applicable to the extent that processing is necessary: for the exercise of the right to freedom of expression and information; for compliance with a legal obligation requiring processing under Union or Member State law to which the Data Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, to the extent that the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise, or defense of legal claims.

If the processing of personal data is based on consent, you can withdraw it at any time. For withdrawing consent and for other requests and questions, you can contact us at: gdpr@kostelar.hr, +385 49 301 333, info@kostelar.com.

You can exercise your rights free of charge. In the case of repeated and unjustified requests, the applicable fee schedule for the administrative costs of the Data Controller will be applied. We will respond to your request within the legal deadline.

6. Transfer of Personal Data

Your data is transferred to the following recipients to provide you with our services. We share personal data with third-party providers and other service providers who perform functions or services on our behalf and according to our instructions to make our services available to you. This includes:

  • IT services
  • Delivery companies

We may disclose your personal data to third parties such as fraud prevention bodies and law enforcement agencies to comply with our legal obligations.

We have established legal grounds for the transfer of personal data to the aforementioned third parties and have entered into contracts with our suppliers (data processors) that regulate the processing of your personal data (in accordance with Article 28 of the General Data Protection Regulation).

When we transfer your personal data outside the EEA, we take all necessary steps and additional protective measures to ensure that the level of protection of your data and rights is the same as in the EEA.

7. The right to file a complaint with the Agency for Personal Data Protection

If you have any doubts or questions about the way we use your personal data, you can contact us at gdpr@kostelar.hr.

You can also file a complaint with the supervisory authority: Croatian Personal Data Protection Agency, Selska cesta 136, Zagreb, email: azop@azop.hr.

8. Final Provisions

For all questions related to these Privacy Rules, the law of the Republic of Croatia is applicable. During our operations, we may sell or buy certain assets. If another company acquires the Data Controller or a part of our assets, the personal data we have collected may be transferred to that company.

If any provision of these Privacy Rules is deemed or declared invalid, unlawful, or unenforceable, such provision shall not apply to the extent that it is invalid or unenforceable, and the other provisions shall continue to apply with full legal effect.
The Data Controller reserves the right to modify or update these Privacy Rules at any time and without prior notice. Please check periodically for any changes or updates to our Privacy Rules on the page where the updated effective date of the Privacy Rules will be indicated.

Latest version of the document: December 6, 2023.