KONČAR - Electrical Industry Inc. for manufacturing and services (KONČAR Inc.) respects your privacy and undertakes to protect your personal data in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). ), the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018) and other relevant regulations applicable in the Republic of Croatia.

KONČAR Inc. is very serious about protecting the privacy of your personal data and implements all technical and organisational measures required by best practices, Croatian laws and the General Data Protection Regulation (EC 2016/679) – GDPR. The specific purpose and method of processing of your personal data depend on the type of business relationship based on which your data is collected.

The information system of KONČAR Inc. is protected in accordance with the best practices and standards, by physical solutions and applications developed by industry leaders. The logical and physical access to system components is managed in compliance with the applicable standards and the users are regularly trained and informed about the importance of information security and data protection.

Data protection principles

KONČAR Inc. processes personal data as follows:

• Lawfully – processing is permitted by law and subject to legally mandated restrictions
• Fairly – respecting the nature of our relationship with you, putting in place the necessary safeguards, and facilitating the exercise of your rights
• Transparently – by making all the information clear and easily accessible within the restrictions set by the General Data Protection Regulation
• With purpose limitation – personal data processing is limited to the purpose for which it was collected
• With limited storage period – storing the data in a form that allows data subjects to be identified for no longer than is necessary for the purposes for which the personal data is processed, and storing them for longer periods only if permitted by the Regulation
• With data minimisation – processing only the data that is directly relevant and limited to what is necessary to accomplish a specific purpose
• Observing data accuracy – ensuring that the data is accurate and up to date, and erasing any inaccurate data in accordance with the requirements of the Regulation
• Protecting data integrity and confidentiality – implementing technical and organisational measures, ensuring appropriate security of the personal data depending on the risk, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Lawfulness

Lawfulness, i.e., legal grounds of data processing may include the following:

• Compliance with a legal obligation to which KONČAR Inc. is subject
• Your consent
• Legitimate interests pursued by us, to the extent such interests override the interests of the data subject which require that the data not be processed, or
• Other legal grounds in accordance with the Regulation

Processing purposes

1. Fulfilment of contractual obligations – when processing is necessary to fulfil the contract that you are a party to or to take action at your request prior to concluding the contract
2. Satisfaction of legitimate interests – when necessary, we process personal data in order to satisfy the legitimate interests important for our operations. Such legitimate interests may include the following:
   • Fulfilment of your requests so you could help us develop, deliver and improve our products and services, or fulfilment of our internal needs, such as audit, data analysis and research for purposes of improving our products, services and communication with our users
   • Answering your inquiries and comments
   • Conducting legal proceedings and maintaining records of legal proceedings
   • Discovering perpetrators of criminal offences and fraud prevention
   • Protection of persons and property
   • Other purposes of which data subjects are informed in accordance with the General Data Protection Regulation

Recipients

KONČAR Inc. undertakes to protect your personal data and will not disclose or make it available to third parties without your express consent, except:

• To service providers we hire as data processors for tasks related to the execution of contracts to which you are a party (such as consultants and alike)
• To market research agencies as our service providers when personal data is used for contacting for the purpose of market research
• To competent authorities for the purpose of completing the tasks within their scope of duties (Tax Administration, Ministry of the Interior)
• Whenever KONČAR Inc. is legally obligated to disclose such data

KONČAR Inc. shall carefully regulate its contractual relationships with third parties and ensure that personal data is protected appropriately and in accordance with the requirements of the Regulation.

Where personal data processing includes international transfer of such data, KONČAR Inc. will inform you of the intent to transfer personal data to a third country or an international organisation, on the existence or non-existence of a decision on appropriateness adopted by the European Commission, as well as on appropriate safeguards and the manner of obtaining the copies thereof where such transfer is subject to appropriate safeguards in accordance with Article 46 of the Regulation, subject to the application of binding corporate rules in accordance with Article 47 of the Regulation, or, if that is the case, in accordance with Article 49, paragraph 1, sub-paragraph 2 of the Regulation. Each international transfer of personal data to third countries will be carried out in accordance with Chapter V. of the Regulation.

Your rights

Regardless of the legal grounds for data processing, you have the following rights:

• Right of access and right to have your data rectified or amended
• Right to personal data erasure (“right to be forgotten”)
• Right to restriction of processing or right to object to your personal data being processed
• Right to have your data transferred to you or to third parties
• Where data is collected based on consent, you can always withdraw your consent without any detrimental consequences
• Right to submit an objection to the national supervisory authority – in Croatia, specifically, to the Croatian Personal Data Protection Agency (more on www.azop.hr)

All the rights are subject to proportionate restrictions, in accordance with the Regulation.

Please e-mail your written request to sluzbenikzazastitu@koncar.hr or send it by mail to KONČAR d.d., Fallerovo šetalište 22, 10000 Zagreb.

Data storage

KONČAR Inc. will only store your personal data for as long as necessary to fulfil its legal or contractual obligation or legitimate interest.

In case your personal data is processed based on your consent, the data is stored until you withdraw the consent. Withdrawing your consent has no effect on the legality of data processing based on such consent prior to its withdrawal.

If you provide your data by registering for a specific event, we will destroy it shortly after the event ends, no later than within 30 days.

Additional information

Data protection by design and by default

KONČAR Inc. protects your data, and therefore, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, KONČAR implements, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures, designed to implement data-protection principles.

KONČAR Inc. also implements appropriate technical and organisational measures for ensuring that, by default, only the personal data necessary for each specific processing purpose is processed.

Records of processing activities

As the Controller, KONČAR Inc. maintains records of processing activities, which contain the following:

• The name and contact details of the Controller
• The purposes of the processing
• A description of the categories of data subjects and categories of personal data
• Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, if necessary, documentation of suitable safeguards
• Where possible, the envisaged time limits for erasure of different categories of data
• Where possible, a general description of the technical and organisational security measures

Personal data breach management

In the case of a personal data breach, KONČAR Inc. shall, without undue delay and, where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the Personal Data Protection Agency, in accordance with the Regulation, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where stipulated by the Regulation, KONČAR Inc. shall communicate the personal data breach to the data subject without undue delay.

Data protection impact assessment

KONČAR Inc. does not conduct the type of processing likely to result in a high risk to the rights and freedoms of data subjects. However, if a certain type of processing meets the criteria for being high-risk, KONČAR Inc. shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, in accordance with the Regulation.