BELJE plus, Limited Liability Company, Svetog Ivana Krstitelja 1a, 31 326 Darda, IIN (OIB): 35385249539 (hereinafter: Belje), pays particular attention to the protection of personal data and privacy (hereinafter: privacy protection) of website visitors, business partners, job candidates, its employees, former employees as well as other persons (hereinafter: Users) in compliance with the General Data Protection Regulation (EU 2016/679) (hereinafter: the Regulation and/or GDPR), regulations in force, best practice and internationally accepted standards, in accordance with business and security requirements.
The confidential and responsible processing of personal data is the central element of the corporate culture at Belje plus d.o.o. Darda (hereinafter called “BELJE”). This particularly applies to the personal data of employees, business partners, candidates, visitors and so on (“Data”).
The Personal Data Protection Policy is intended to provide Users, transparently and in one place, with clear information about the processing and protection of their personal data, as well as a simple way to supervise and manage their personal data and consents.
The Policy does not impair the rights that the Users have pursuant to the regulations in force and possible contractual provisions on personal data protection nor impose any obligations on the Users with regards to the personal data processing.
The Policy is a unilateral, legally binding act and describes the purpose and objectives of collecting, processing and managing personal data, based on the world’s leading practices in the area of personal data protection. The Policy provides an adequate data protection level in compliance with the Regulation and other applicable laws in force related to personal data protection.
The Policy applies to all websites and domains of Belje as well as all services and products that include personal data processing. It primarily applies to natural persons requesting or using services or establishing contact with Belje in any other way. With due consideration of the legitimate interests of Users who are legal persons, the Policy also applies to legal persons as appropriate, in accordance with the regulations in force.
The Policy is intended to establish appropriate processes of protecting and managing the personal data of data subjects, ie. website visitors, business partners, job candidates, the company’s employees and other persons whose data are being processed.
At the point of providing your data you agree to the contact with us and hence provide us with the right to process your personal data in accordance with the intended purpose. The privacy protection of your data is permanent.
The Policy has been published in the form of an official document and shall start to apply as of 1st April 2019.
You are kindly requested to occasionally check the Personal Data Protection Policy with regards to possible changes published on Belje’s websites.
Personal data – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data includes name, address, e-mail address, IP and MAC address, GPS location, RFID tags and cookies on websites, phone number, photo, videos of natural persons, PIN, biometric data (fingerprint, iris recognition), genetic data, data about education and professional qualification, salary, borrowings, bank accounts, health, sexual orientation, voice and any other data connected to real persons, i.e. owners of personal data that can be used to directly or indirectly identify that person specifically.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent – see item 8 of the Policy.
Filing system – means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Identifiable natural person – is a person who can be identified (directly or indirectly) in particular by reference to identification number or one or more factors specific to the physical, physiological, mental, economic, cultural or social identity.
Special category of personal data – relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, and personal data concerning criminal and misdemeanour procedure.
The Policy shall apply to all personal data of Users or Potential Users.
Personal data is any data pertaining to a natural person whose identity has been or can be established, directly or indirectly (hereinafter: data or personal data). Data processing is any activity performed on personal data, such as collecting, recording, storing, using, transfer of and insight in personal data.
The Policy does not apply to anonymous data. Anonymous data is data changed in such way that it cannot be connected to an individual natural person or cannot be connected without exerting disproportionate efforts and hence, in accordance with the regulations in force, is not considered to be personal data.
The Policy applies to all services and products of Belje that include personal data processing. The latest declaration of will of the User with regards to personal data processing applies to all other services used by the User.
As a rule, Belje is the data controller with regards to the personal data of its Users in the sense of the personal data protection regulations in force.
We want to be a reliable partner to our Users in the protection of their privacy and justify the trust that they have placed in us. We also want to be completely transparent and clear when it comes to the processing of our Users’ personal data.
Users can always contact us with the request to change the personal data pertaining to them or with a declaration of will as to the purposes for which they want or do not want their data to be processed.
4.2. Lawfulness and best practice
In processing personal data we act in compliance with the law, but we also always strive to apply higher standards and the best European practice, in accordance with the recommendations of the most eminent external consultants. All Belje employees who are in contact with personal data sign a Confidentiality Statement and are continuously being educated about personal data protection.
Belje periodically conducts internal revisions of all personal data protection policies with a view to complying with statutory regulations and improving the level of protection within the Company.
4.3. Limited purpose of processing
Personal data is collected and processed only for a specific and lawful purpose and we do not process it further in a way that would not be in compliance with the purpose for which it was collected, unless otherwise set forth by the law or consented to by the User.
4.4. Reduction of data quantity
We always use only such user data as is appropriate and necessary to achieve a specific lawful purpose, and not more than that.
4.5. Processing in unnamed form
Whenever it is possible and justified, we use data in unnamed form. Data in unnamed form are primarily considered to be anonymous data. However, whenever possible and justified, particularly in order to protect Users’ personal data, personal data are pseudonymised, ie. “disguised” by way of special pseudonymisation procedures (eg. substitution, hashing etc.) in such way that they cannot be linked to the individual User without using additional information that is kept in a safe and separate place (eg. use of keys).
4.6. Integrity and confidentiality
Personal data is processed in a safe way, including protection from unauthorized or unlawful processing as well as from accidental loss, destruction or damage (eg. access to Users’ personal data is only allowed to authorized persons for whom this is necessary to perform their job, but not to other employees).
4.7. Personal data quality
We attach particular importance to the quality of data we process. The personal data that we process has to be accurate, complete and up-to-date in order to secure maximum protection of Users’ data and prevent possible misuse. It is therefore important that each User notifies us of any data changes immediately or within shortest time.
4.8. Limited time of retention
User data are stored and processed for only as long as it is required to meet a specific legitimate purpose, unless the regulations in force set forth a longer or shorter time of retention for a specific purpose or otherwise explicitly stipulated by the law. Thereafter the data are permanently erased or rendered anonymous.
In general, data is stored in accordance with the regulatory requirements and best practice in order to provide for traceability in the supply chain, consumer safety, protection and preservation of integrity, standards and the like. The time of retaining data depends on its nature and is subject to change.
In accordance with the aforesaid principles, User data shall be accessed by Belje employees depending on their authorisations and job positions in order to successfully perform the work defined in connection with their respective job. Also, some services for Belje are performed by other legal persons with whom User data shall only be shared if necessary for them to meet the obligations from common agreements or where such sharing is based on the explicit request or consent of the User.
Belje will forward User data to other economic entities or state institutions in case there is a legal ground to do so.
Belje collects Users’ personal data (hereinafter: data) in several ways:
1.We primarily collect data directly from the User or Potential user, by them providing the data. A typical example of such way of data collection is the submission of a request for a particular service or product, with the User, if they want to use a specific service or product, providing the data and documents required for identification (eg. given name, family name, address, copies of documents, IIN (OIB) etc.). We also collect data when communicating with the User via telephone, email, through the HR Department, websites and website contact forms, internet portals and social networks, when addressing complaints, dealing with requests etc. The data thus collected are used in order to meet the User’s request. In case when this is possible and legally permissible, Belje will not collect document copies but only request them for insight and make a specific note about that. This specifically applies to documents containing biometrical or particularly sensitive personal data.
The prerequisite for any collection of Users’ personal data is the existence of tha appropriate legal grounds based on the law, legitimate interest or User’s consent.
Depending on the service or product agreed, User consents and purpose for which specific data is used, Belje is authorized to collect the types of User data as stated below. In doing so, we always collect only the data that is necessary to achieve a specific lawful purpose, legitimate business interest and public interest.
Moreover, Belje does not process special data categories nor personal data related to criminal records and criminal offences, other than the certificate of good conduct (ie. lack of criminal record) submitted for insight when closing an Employment Contract and returned to the worker.
Belje collects data on infringements commited at work and during work, in order to comply with its legal obligations, ie. in order to be able to prove that the obligation has been met.
6.1. Contractual data
Contractual data in the broader sense include so-called civil registry data, ie. data provided by the User for the purpose of concluding and executing a contract (eg. name, date and place of birth, postal address, delivery address, contact data (telephone, email etc.), PIN (OIB), JMBG, data on ownership, lease, rent, concession, bank account number, marital status, citizenship, nationality, health condition, disability, data about children, professional qualification etc.).
6.2. Communication of Users with Belje
It includes, for example, written or electronic communication of the user with Belje, communication via social networks, Users’ preferred communication channels, sending of requests, job applications etc.
We can also automatically collect certain data from your device when you visit our website and other related websites (“our website”). Such data may contain personal data such as: IP address, name of file accessed, date and time of access, quantity of transmitted data, notifications of successful access, web-browser, type of device and unique identification numbers of the device. We can also collect data about how your device interacted with our website, such as information on the sites that you accessed and what links were opened.
By collecting those data we can better understand who visits our website, where the visitors come from and what content on our website they are interested in. We use these information for internal analysis purposes, in order to improve the quality of our website and to adjust it to the interests of our visitors.
Some of that data can be collected through cookies or similar technologies on our website.
For details please see about cookies on our websites and the terms and conditions of use of our websites.
6.2.1. Sending requests, CV’s or job applications
Through its website Belje provides the possibility to send requests, CV’s, job applications as well as supporting documentation.
Apart from the data provided by yourself, Belje can also collect certain personal data during the selection interview or testing.
Personal data thus obtained is used and processed in the selection procedure, depending on the changing needs for employment / vacancies at Belje or subsidiary companies.
If the User submits an application and other documentation for a specific recruitment competition, Belje shall use the aforesaid data solely for the selection procedure in such competition. Upon completion of the procedure Belje shall erase / destroy the personal data obtained, except in the case of employing the person who provided the personal data or a person’s explicit request, ie. consent for the data to be stored in the candidates database for the purpose of possible future employment.
In case the user submits an open application, they are also obliged to sign a consent for the provided data to be kept in the candidates database and to be used for the purpose of future selection procedures or job vacancies. The data thus collected shall be kept by Belje for 5 years as of obtaining the last consent. If the request, CV, application etc. were sent by mail without enclosing a consent, Belje shall, unless that requires disproportionate efforts, request from the candidate to provide a signed consent within 8 days. If the candidate does not provide the consent within the deadline set, the provided personal data shall be destroyed (for more about Consents refer to Point 7).
Personal data provided in job applications or for practical training purposes, as well as during selection testings or interviews, shall only be available to employees of the Human Resources Department and in certain cases they will be provided to employees at Belje’s internal organisational units who take part in selecting the candidates and conducting the recruitment procedure, who have previously signed a personal data non-disclosure statement.
6.3. Potential Users’ data
Those data include civil registry data, particularly contact data (eg. given and family name, e-address), as well as the Potential User’s interest for Belje’s services or products. As a rule, Belje shall record the data of those Potential Users who address it with the request for Belje to inform them and/or to offer specific products and/or services. Potential Users’ data shall be erased or anonymised after 5 years or, upon request of the Potential User, earlier, except in cases when we keep the data longer due to legal or statutory obligations (eg. in case of dispute).
6.4. Collecting data from external sources
Occasionally we may receive personal data about you from external sources, eg. data from publicly available registers, information published on websites and in the media.
Sensitive personal data is data disclosing race or ethnicity, political opinions, religious of philosophic convictions or trade union membership, including the processing of genetic data, biometrical data intended to identify a natural person and data about a person’s health, sexual life or sexual orientation.
Special personal data categories are usually processed based on one of the following legal grounds:
(a) pursuant to your explicit consent (Article 9, item 2, point a) GDPR);
(b) to establish, execute of process legal requests (Article 9, item 2, point f) GDPR);
(c) if, under exeptional circumstances, it is necessary to protect your vital interests and you are not able to provide your consent (Article 9, item 2, point c) GDPR).
As a rule, Belje shall not collect sensitive data other than religion and trade union membership, solely in order to meet statutory obligations, ie. to meet the obligations / exercise workers’ rights set forth by internal by-laws (Collective Agreement, Labour Regulations).
In order for Belje to be able to provide a service to the User, in compliance with the lawful grounds stated below, it is necessary to process a minimum set of data required to properly provide a specific service. Otherwise, if the User refuses to provide the required set of data, Belje may consequently not be able to provide the service or process the request.
In accordance therewith, Users’ personal data is processed when one of the conditions set out below is met:
7.1. Execution of contract
Belje collects and processes (hereinafter: uses) User data primarily for the purpose of concluding and executing contracts (where contract is considered to be any clear declaration of will) between the User and Belje, employment and cessation of employment. This particularly includes the use of data in order to check the identity of the User or the User’s payment capabilities, provide the agreed service, calculate and collect costs, contact the User if necessary with regards to the provision of the service, address complaints, remove disturbances, monitor and secure quality and safety of services and products, provide customer support services, consultations and help in using products and services and other activities related to the conclusion and execution of contracts in accordance with the law.
The legal ground for the processing of data for those purposes is the necessity of executing the contract by the User or the taking of measures upon request of the User prior to concluding the contract. In case the User does not want to provide the data required to conclude and execute the contract, Belje may not be able to conclude the contract and/or execute individual activities related to the execution of the contract.
Belje collects personal data also in order to meet its obligations under employment contracts, ie. for the realisation of rights under the Collective Agreement and Labour Regulations.
7.2. Legitimate interest
Furthermore, Belje uses certain User data solely for the purpose of keeping its own records, with a view to protecting the legitimate interests of Users, unless those interests are outweighed by the User’s interests or fundamental rights and liberties that require personal data protection. That includes, for example, the use of User data for preventing, revealing and processing misuse to the detriment of the User or the Company, providing security for employees, Users, products and services, creating services and offers that meet the needs and wishes of Users, marketing activities and promotion, providing premium user experience, personalized customer support service, optimising the electronic communication network etc.
The legal ground for the processing of data for the above purposes is the legitimate interest of Belje, unless such interest is outweighed by the User’s interest or fundamental rights and freedoms that require the protection of User’s data or the legal ground of protecting key interests of the User or another natural person. Exceptions thereto are the cases stated under Article 7 of the Policy, when the legal ground is the consent.
7.3. In order to comply with statutory obligations and perform tasks of public interest
Pursuant to a written request based on regulations in force, Belje is obliged to submit or provide access to certain personal data of Users to competent state authorities.
The legal ground for processing data for that purpose is to meet legal obligations and to perform tasks of public interest.
We are obliged to comply with the laws of the Republic of Croatia and the European regulations in force. Furthermore, we have to comply with the relevant requirements of certain industrial standards (such as ISO, HACCP, GLOBAL GAP, OHSAS standard).
The controller is obligated to ensure that personal data can be accessed only by authorised persons who have signed the Declaration of Confidentiality and completed the internal personal data protection training course.
The controller is obligated to ensure that personal data are protected by securing the information network and systems from:
A consent is a voluntary, special, informed and unambiguous expression of the User’s wishes, where they give consent (so-called opt-in) for the processing of personal data pertaining to them by making a statement or by a clear confirmatory act. Consent can be given in writing or in another appropriate way. Consent can be given and withdrawn free of charge at any point in time. Consent is not necessary for all types of data processing.
The User may change their consents and/or withhold the right to process their personal data in writing (via email or regular mail, provided it is possible to establish the identity of the applicant beyond doubt) or by visiting Belje’s offices. Depending on the communication channel, such change and/or withholding shall be recorded not later than within 48 hours upon reception, provided that the User has been identified beyond doubt.
In accordance with the law currently in force, you have the following rights:
Right to be informed – you have the right to know what personal data is collected, from what sources and for what reasons. We have given you the possibility to contact us at any point in time and request for such data to be provided.
Right of rectification – you have the right to request for any inaccurate personal data to be corrected. It is our duty to secure the accuracy of personal data that we process and we are trying to do so at any time, in contact with you. However, in spite of our efforts, the processing of inaccurate data is possible. In such case we undertake to comply with your request to correct the data.
Right to be forgotten – you have the right to request for your personal data to be erased from our servers. It is our obligation to comply with your request, unless we are required to keep your data in accordance with the law. Belje undertakes, in accordance with the technical possibilities, to erase or anonymise your personal data in all databases related to processing based on consent.
Right to restriction of processing – according to the General Data Protection Regulation you have the right to restrict the processing of personal data in certain cases. We have carried out an in-depth review of our processing purposes and ways and found no case where this would apply. All requests submitted according to this right shall be considered as withdrawal of consent and result in sending you nothing but crucial notifications.
Right to data portability – you have the right to request for your personal data to be provided in structured form. Belje undertakes to reply to your request within 30 days as of its submission. We will send you only the personal data provided by you or those collected from publicly available sources or from our partners.
Right to object – the General Data Protection Regulation provides that you can object to any data processing taking place pursuant to the legitimate interest of the company.
Automated decision-making – Belje does not carry out automated decision-making, other than providing adjusted advertising services after you have visited our website, for which we collect your explicit consent. You can withdraw your consent at any point in time.
Any requests submitted by data subjects to the controller for the purpose of exercising any of their rights arising from the Regulation must be made in writing. It is not possible to comply with the request if the data subject has not been previously identified with absolute certainty.
Forms for the exercise of individual rights can be requested at email@example.com.
Your personal data may be transferred to and processed in other countries outside the European Union, for which an appropriate level of data protection has not yet been established by the European Commission and hence the same, high level of protection cannot be secured there. Personal data may be subject to state access rights pursuant to local laws and regulations in force. However, we have taken appropriate security measures to make sure that your personal data are protected in accordance with this notice. We will request your consent in cases when the transfer is not regulated by special laws or other security measures. Security measures are available upon your request.
On our websites you will be explicitly cautioned in case of a possible international data transfer outside the territory of the European Union.
In some cases our business partners who perform specific services for us (maintenance of IT systems and equipment, business applications, physical and technical security, subcontractors under certain contracts etc.) also have access to some personal data categories. Belje shall notify you if some of the business partners has access to your personal data and in some cases request your consent. Belje requires its business partners to apply the highest personal data protection standards.
Personal data provided with job applications or for practical training purposes will in some cases be forwarded to employees in Belje’s internal organisational units who participate in the selection of candidates and in carrying out the recruitment procedure, who have previously signed a personal data non-disclosure statement.
The controller may entrust certain tasks related to personal data processing falling within the scope of its activities to another natural or legal person (data processor) by concluding a written contract to that effect.
Tasks related to personal data processing can only be entrusted to a data processor registered to perform such activities and ensuring sufficient guarantees regarding the implementation of appropriate measures for protecting personal and classified data, provided that it fulfils the requirements defined in special regulations governing information security.
We keep your personal data over the course of the business relation as long as this is necessary for the purpose to be fulfilled or as long as there is a contractual or statutory retention obligation or documentation obligation (eg. pursuant to applicable tax legislation, the Civil Obligations Act, Labour Act etc.), there are statutory limitation deadlines, legal obligations set forth by appropriate education legislation or legitimate interests.
When there is no legitimate purpose to further retain your personal data, it will be erased or anonymised. In case this should not be possible (for example, because your personal data are stored in security archives), we shall keep your personal data safe and make them unavailable for further processing, for as long as it is not possible to erase it.
Detailed retention deadlines for documents and personal data are set forth by the Archive and Registration Materials Protection and Processing Regulations.
The controller shall appoint a data protection officer.
The data protection officer reports directly to the person responsible for the processing appointed by the controller. Therefore, he/she may not receive any orders from other data controller’s employees and he/she must have direct contact with a competent supervisory authority.
The data protection officer ensures that personal data are processed on a lawful basis and that the right to personal data protection is exercised properly, in compliance with the applicable legal regulations. In particular, his/her tasks shall include the following:
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The data protection officer must have the following skills and competence:
The data protection officer shall not be:
Users can exercise their rights by referring and submitting the appropriate request to the email address: firstname.lastname@example.org or the postal address BELJE plus d.o.o., Svetog Ivana Krstitelja 1a, 31 326 Darda.
The request form for treating personal data is available on our website.
This Policy comes into force as at the day of its adoption.
All changes to the Policy shall be published at the Company’s website, stating the number of the change (ver.) and the month of the most recent update.