The General Data Protection Regulation has been in force since 25 May 2018, in all EU Member States. The City of Rijeka collects and processes certain personal data and keeps records of personal data processing.

WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?

The General Data Protection Regulation (GDPR) is a document adopted at EU level with the aim of protecting the citizens’ personal data. It has been in force since 25 May 2018 in all EU Member States, and it also applies to those business entities outside the EU when they offer goods and services or monitor the behaviour of EU residents.

TO WHICH PERSONAL DATA PROCESSING DOES THE GENERAL DATA PROTECTION REGULATION (GDPR) RELATE?

It relates to the processing of personal data for business purposes.

WHO IS THE DATA PROTECTION OFFICER?

In 2013, the City of Rijeka adopted the Decision on the appointment of a data protection officer, thereby appointing Doris Šajn as data protection officer.

For all questions regarding the protection of your personal data by the City of Rijeka, you can contact the data protection officer:

email: gdpr@rijeka.hr
at the address: Korzo 16, 51000 Rijeka
phone number: +385 51 209 521

The data protection officer takes care of the protection of personal data, the lawfulness of the processing of personal data in terms of compliance with the provisions of the General Data Protection Regulation (GDPR) and other regulations governing personal data processing issues. This officer is obliged to maintain the confidentiality of all information and data that she learns while carrying out her duties, and this obligation continues even after the performance of the duty of the data protection officer.

You can contact the data protection officer for all questions regarding the processing of your personal data and you have the right to:

  • receive information about the processing of your personal data;
  • obtain access to personal data about yourself;
  • request rectification of incorrect, imprecise or incomplete personal data;
  • request that personal data be deleted when they are no longer necessary or if the processing is illegal;
  • object to the processing of your personal data;
  • request the restriction of the processing of your personal data in special cases.

WHEN DOES THE GENERAL DATA PROTECTION REGULATION (GDPR) NOT APPLY?

The Regulation does not apply in cases of criminal law activities, such as the prevention of criminal offenses or prosecution of perpetrators of criminal offenses and in areas outside the jurisdiction of EU law, nor to the processing of personal data carried out by natural persons as part of exclusively personal or household activities.

WHO IS THE DATA SUBJECT WITHIN THE MEANING OF THE GDPR?

Any natural person whose data are collected and processed.

WHO IS THE CONTROLLER OF PERSONAL DATA PROCESSING?

Any business entity (natural person or legal entity, association, public authority, agency or other body) that collects and determines the purpose of the processing of personal data.

The controller of personal data collected by the City of Rijeka is the City of Rijeka, legal entity. The registered office of the City of Rijeka is in Rijeka, at the address Korzo 16.

Example: companies or crafts, financial institutions, associations, clubs, schools or faculties, hospitals, state bodies or bodies of local/regional self-government units, individuals who perform a specific professional activity, and even natural persons when they process personal data beyond the scope of household needs.

WHO IS THE PROCESSOR OF PERSONAL DATA?

Any business entity that processes personal data on behalf of the controller.

The processor of data collected and processed by the City of Rijeka is the business entity that processes personal data on behalf of the City of Rijeka on the basis of a previously concluded contract or another act that complies with the General Data Protection Regulation (GDPR).

For example, the processor is a company hired to implement video surveillance over facilities owned by the City of Rijeka for the protection of people and property.

WHAT ARE PERSONAL DATA?

Any information relating to a natural person who is identified or identifiable by using that information.

That is, any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to additional identifiers or by using one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Example: name and surname, residential address, e-mail address, identification number (OIB), location data, network identifier, data on professional qualification, workplace, bank accounts, borrowings, pictures, voice, phone number, IP address, medical history, list of favourite literature or songs and more.

WHEN MAY YOUR PERSONAL DATA BE COLLECTED AND PROCESSED?

Personal data can be collected and processed when you are aware of it and when there is a valid legal basis.

A valid basis exists in the following cases:

  • you have given consent to data processing for one or more special purposes (e.g. for inclusion in a loyalty programme, consumer cards);
  • processing is necessary for the performance of a contract to which you are party or in order to take steps at the request of the data subject prior to entering into a contract (e.g. processing your data when applying for a job, a scholarship, submitting a request to exercise various rights, support, assistance, etc.);
  • processing is necessary for compliance with a legal obligation (e.g. sending information about workers to the Croatian Health Insurance Fund or the Croatian Pension Insurance Institute);
  • processing is necessary in order to protect your vital interests or those of another natural person (e.g. disclosure by competent authorities of the data of one parent to another for the purpose of child support);
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (e.g. due to the official authority of the Croatian Bureau of Statistics, we are obliged to submit certain personal data to the Bureau);
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child (e.g. the legitimate interest of the property owner to install a video surveillance system to prevent a real risk to his property).

WHAT ARE “SENSITIVE DATA” AND WHEN DO WE PROCESS THEM?

Special categories of personal data (so-called “sensitive data”) are data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of unique identification of an individual, data related to health, or information about the sex life or the sexual orientation of a data subject.

These data can be collected and processed under the following conditions:

  • you have given explicit consent to the processing of those personal data for one or more specified purposes,
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or your rights in the field of employment and social security and social protection,
  • processing is necessary to protect your vital interests or those of another natural person where you are physically or legally incapable of giving consent,
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without your consent,
  • processing relates to personal data which are manifestly made public by you,
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity,
  • processing is necessary for reasons of substantial public interest,
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services,
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

WHAT DOES THE PROCESSING OF PERSONAL DATA MEAN?

Processing means any procedure or set of procedures performed on personal data.

Example: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

DOES THE CITY OF RIJEKA KEEP THE RECORDS OF PERSONAL DATA PROCESSING?

The City of Rijeka is the obligor and it keeps records of the processing of personal data. The records of processing activities help to monitor compliance with the General Data Protection Regulation and are in written and electronic form.

WHAT INFORMATION SHOULD YOU GET WHEN YOU GIVE YOUR PERSONAL DATA?

When you give your personal data, you must, among others, receive information about:

  • the name of the company or organisation that processes your data, including the contact details of the data protection officer;
  • the purposes of the processing for which the personal data are intended;
  • the categories of personal data concerned;
  • the legal basis for the processing of your personal data;
  • the period for which the personal data will be stored;
  • other companies/organisations that will receive your data;
  • whether the data will be transferred outside the EU;
  • your basic rights in the field of data protection (example: the right to access and the right to data portability or to their removal);
  • the right to lodge a complaint with a supervisory authority;
  • the right to withdraw consent at any time if the processing is based on consent;
  • the existence of automated decision-making and meaningful information about the logic involved and the envisaged consequences of such processing.

Information is provided in a concise, visible and comprehensible manner and is written in clear and simple language.

HOW CAN YOU ACCESS YOUR DATA?

You have the right to ask the City of Rijeka and receive confirmation as to whether the City of Rijeka has personal data relating to you. If the City of Rijeka has your personal data, then you have the right to access those data, you have the right to receive a copy and all important additional information (such as the reason for processing your personal data, the category of personal data used, etc.).

You can send a request for accessing data to the data protection officer. When the request is submitted electronically (e.g. by email) and unless you request otherwise, the City of Rijeka will provide you with the information in the usual electronic format.

This right is not an absolute right and the use of the right to access your personal data should not affect the rights and freedoms of others.

THE RIGHTS THAT WE GUARANTEE TO YOU IN ACCORDANCE WITH THE GENERAL DATA PROTECTION REGULATION (GDPR)

  • transparency: it represents the provision of information when collecting personal data. The City of Rijeka informs you of its identity and contact details, processing purposes and the legal basis for data processing, recipients, the storage period and other necessary information;
  • access to data: you have the right to receive confirmation as to whether your personal data are being processed and if they are being processed, which data and access to the concerned data and information on processing, among other things, about the purpose of processing, the storage period, forwarding of certain data to third parties, etc.;
  • right to rectification: you have the right to request the rectification of incorrect personal data and the right to complete incomplete personal data, among others, by providing an additional statement;
  • erasure (“right to be forgotten”): you have the right to obtain the erasure of personal data relating to you without undue delay if, among other things, the personal data are no longer necessary in relation to the processing purpose, if there is a legal obligation, if the processing was based on consent and you have withdrawn it, if personal data have been illegally processed, etc. This right has limitations; for example, a politician cannot request the erasure of information about himself given as part of his political activities;
  • the right to restrict processing: in certain situations (for example, when the accuracy of the data is disputed), you have the right to request that the processing be restricted with the exception of storage and some other types of processing;
  • the right to transferability: you have the right to receive your personal data, in a structured form and in a commonly used and machine-readable format, and to transfer these data to another controller without interference from the controller to whom the personal data were provided, if the processing is carried out by automated means and based on consent or a contract;
  • the right to object: you have the right to object to the processing of personal data if it is based on the performance of a task carried out in the public interest, or in the exercise of official authority or legitimate interests. The City of Rijeka shall no longer process your personal data unless it demonstrates legitimate grounds for the processing which override your interests and for the defence of legal claims;
  • the right to object to a decision based solely on automated processing (profiling): you have the right not to be subject to a decision based solely on automated processing, including profiling, which relates to you or significantly affects you, unless such a decision is required in the cases envisaged by the Regulation.

WHAT HAPPENS IF YOUR DATA GET LEAKED?

A personal data breach occurs when there is a security breach that leads to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data that have been processed. In this case, we will notify the supervisory authority without undue delay. If the breach of personal data may lead to a high degree of risk to your rights and freedoms and if the risk is not mitigated, then you will be notified.

THE RIGHT TO SUBMIT AN OBJECTION TO THE SUPERVISORY AUTHORITY

At any time, you can submit an objection to the processing of your personal data if you think that the City of Rijeka has violated Croatian or European regulations on data protection when processing your data. You can send a complaint to the supervisory authority – Agency for the Protection of Personal Data, Martićeva 14, Zagreb, azop@azop.hr

The City of Rijeka makes considerable efforts to adequately ensure the security of all personal data that are processed. Your data are constantly protected against loss, falsification, manipulation, unauthorised access or unauthorised disclosure. They are available only to persons who need them to perform their work, and the necessary measures are implemented in accordance with the possibilities so that all employees and partners act in accordance with the General Data Protection Regulation, respect confidentiality and privacy and protect your data in the best possible manner.

The City of Rijeka will regularly update information on transparency, including potential impacts of changes on you, will inform you about regular improvements in protective measures, supplement instructions on the processing and protection of personal data, provide additional information that could be of use, answer questions and inquiries and, in accordance with the principle of responsibility, provide reminders referring to privacy.
