By accessing the system for electronic data collection (E-INFO) of the company Bid Control d.o.o., Avenija Večeslava Holjevca 40, Zagreb, OIB: 75195113588, we as the User, i.e. the Data Controller, expressly and freely give the company Bid Control d.o.o. as the Executor, i.e. the Executor of its processing
CONSENT
which we give to the company Bid Control d.o.o. the right to process our general data and the personal data of our employees, all for the purpose of carrying out work in the field of occupational safety, fire protection and other technical examination work, and for the preparation of all necessary documentation based on positive legal regulations in the aforementioned areas.
The processor has appropriate technical and organizational measures for the processing of personal data, and which measures ensure that personal data are processed in accordance with the requirements of the General Regulation and Other Regulations, including, if necessary, the measures from Article 32, Paragraph 1 of the General Regulation, and that processing ensures the protection of the rights of persons whose personal data are processed (hereinafter referred to as: Respondents).
We confirm that the following is correct:
- the subject of processing is personal data necessary for the realization of the ordered work
- the duration of the processing of personal data will be carried out for the duration of the performance of the ordered work on any basis
- the purpose of personal data processing is the execution of ordered tasks, i.e. services of training workers, employers and authorized persons to work in a safe manner, training workers' commissioners for occupational safety, training workers for preventive fire extinguishing (implementation of preventive fire protection measures, fire extinguishing and rescue people and property threatened by fire), training of workers for evacuation and rescue, preparation of training programs, preparation of risk assessment, implementation of technical tests with the preparation of reports and execution of all other tasks that we ordered from the company Bid Control d.o.o.
- the type of personal data that is processed are name, surname, OIB, international identifier, date, year, place and country of birth, data on acquired education and all additional education and training, as well as work experience and data from the identity card and driver's license and other information that will be requested
- The 5th category of Respondents are employees of the Controller
The processor undertakes to process personal data in full in accordance with this consent and according to written instructions on handling that will be continuously and as necessary provided by the controller, unless the General Regulation or other regulations stipulate that he may act without such instructions.
In the event that the Processor deviates from the instructions of the Controller, he must notify the Controller in writing without delay.
The processor will ensure that access to personal data that is the subject of processing is strictly limited only to those workers who work on personal data processing tasks. The processor has a list of its employees who have access to the personal data of the Data Controller, and the same list can be submitted to the Data Controller at the written request of the Data Controller.
The processor has informed its workers, who perform personal data processing tasks, of the obligation to preserve the confidentiality of personal data for the duration of the execution of the ordered tasks and for an unlimited period of time.
The processor is obliged at all times to provide the Controller with proof that the workers referred to in paragraph 1 of this article are familiar with the instructions for handling personal data.
If the Processor wishes to include another processor in the provision of personal data processing services, in full or for part of the personal data processing process on behalf of the Controller, as well as to replace the existing other processor, he can do so only with the prior express written consent of the Controller.
The processor is obliged to enter into a written contract with another processor that regulates mutual rights and obligations, which includes conditions that enable at least the same level of protection of personal data of the Controller as specified in this contract and that meet the requirements of Article 28, paragraph 3 of the General Regulation .
The processor is fully responsible to the Controller for the performance of the obligations of another processor in accordance with the General Regulation and Other Regulations.
The processor guarantees that the processing of personal data will take place exclusively in a member state of the European Union, in a member state of the European Economic Area or in a third country for which the European Commission has determined the existence of an adequate level of data protection.
Any transfer of data to countries other than the mentioned member states and countries ('third countries') requires the prior written or electronic approval of the Controller (e.g. by email) and compliance with the provisions on the transfer of personal data to third countries or to international organizations (Articles 44-50 of the General Decree).
At the time of granting this consent, the Processor does not use the services of subcontractors in third countries. If the Processor wants to engage subcontractors in third countries, it must first obtain the approval of the Controller and ensure that:
- the subcontractor (as 'data importer') enters into an agreement with the Controller (as 'data exporter') that contains standard contractual clauses for the transfer of personal data to processors in third countries published by the European Commission in decision 2010/593/EC or, if have been published, new standard contract clauses in the sense of Article 46, paragraph 2, point (c) of the General Regulation adopted by the European Commission. The processor will agree to the standard contractual clauses of the contract concluded between the subprocessor and the processor. The processor is obliged to prepare standard contractual clauses and obtain the signatures of the subcontractor and the controller. In the event of a discrepancy or contradiction between the provisions of this consent and the standard contractual clauses, the latter shall prevail.
or
- if the European Commission has published appropriate standard contractual clauses in the sense of Article 46 paragraph 2 point (c) of the General Regulation for processing between an executor located within the European Economic Area and an executor outside the European Economic Area, such clauses are entered into the contract between the Executor processing and subcontractors
or
- if the Processor and the subcontractor(s) are part of the same group of companies and if that group has implemented binding rules for processors that serve as appropriate safeguards aligned with the applicable requirements of Articles 46 and 47 of the General Regulation, the engagement of such a subcontractor is covered mentioned protection measures.
The processor undertakes to undertake and implement appropriate technical and organizational measures for the entire period of data processing in order to ensure an adequate level of security with regard to the risk and protection against unauthorized or illegal processing of personal data and/or accidental loss, destruction or damage of personal data, including as appropriate:
- pseudonymization and encryption of personal data;
- ability to ensure permanent confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to timely reestablish the availability of personal data and access to it in the event of a physical or technical incident.
The processor guarantees that he has implemented a procedure for regular examination, assessment and evaluation of the effectiveness of technical and organizational measures for processing security according to Article 32, paragraph 1, point (d) of the General Regulation.
The processor will provide the controller with access to all necessary data, and for the purpose of exercising the rights of the data subject whose personal data is the subject of processing in accordance with the General Regulation and other regulations.
The processor will provide continuous assistance to the controller in fulfilling the obligations imposed by the General Regulation and other regulations, especially in relation to the security of the processing and responding to requests for the exercise of the data subject's rights in accordance with the General Regulation.
The processor undertakes, in the event that there is a violation of personal data during the provision of the processing service, to notify the Data Controller in writing of the resulting violation without delay, and no later than within 24 (twenty-four) hours of becoming aware of the violation, providing the Data Controller in writing , enough information to be able, in accordance with the General Regulation and Other Regulations, to fulfill all obligations of reporting/informing about the resulting violation.
In the event of a personal data violation from the previous paragraph of this article, the Processor shall provide the Controller in writing with all relevant information related to the violation, and in particular:
- a brief description of the resulting violation, indicating the exact time when the personal data violation occurred and how long it lasted;
- a list with the names of the employees of the Processor involved in the processing process during which the violation occurred;
- list of personal data in respect of which the violation occurred.
If necessary and upon request, the processor will carry out an assessment of the effect of the planned processing procedures on data protection (Data Protection Impact Assessment - DPIA) in cases prescribed by the General Regulation, which includes participation in previous consultations with the supervisory authority and/or other authorities body for the protection of personal data.
The Processor shall assist the Controller in ensuring compliance with the obligations regarding the security of processing, reporting to the supervisory authority of a breach of personal data, notifying the data subject of a breach of personal data, assessing the impact on the protection of personal data and prior consultation, all taking into account the nature of the processing and the information that are available to the Processor.
The processor undertakes to make available all the necessary information that is crucial for proving compliance with the General Regulation and Other Regulations and that enables an audit, including inspections that can be conducted by the Controller or another authorized auditor appointed by the Controller.
In the event of the termination of the need to process a certain category of personal data in relation to a specific respondent, the Processor shall delete the same data from the of its databases and inform the Data Controller without delay, i.e. return the same data to the Data Controller without delay and delete the same data from its databases, and in the case of processing subcontractors ensure that the same data is deleted from its databases within the specified period, i.e. that the same data is deleted without delay delays are returned to the Controller and deleted from the subprocessor's databases.
The processor undertakes to issue a written confirmation to the Controller that he, and in the case of the processing subcontractor, the subprocessor has fully complied with all the requests of the Controller, in accordance with the previous paragraph of this article.
The processor undertakes to keep records of all categories of processing activities performed for the controller in accordance with the General Regulation and other regulations.
We give this consent (consent) for the purpose of carrying out work and for the preparation of all the necessary documentation that the Employer must possess based on the positive legal regulations of the Republic of Croatia, primarily based on the Act on Occupational Safety, the Act on Fire Protection, the Act on Noise Protection and all related law and all by-laws adopted on the basis of those laws.
We confirm that we are informed about the purpose of processing personal data, about the existence of the right to access data and the right to correct the data that is the subject of processing, and that it is a voluntary provision of data and that there are no consequences for withholding the provision of data.
Personal data will not be used for any other purpose, except for the one for which this consent (consent) was given.
You can withdraw your consent at any time and request Bid Control d.o.o. to stop further processing of my personal data.
Terms used in this Policy, which have a gender meaning, are used neutrally and refer equally to men and women.
This Consent is given in accordance with Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data.