Personal data protection at the Croatian National Bank

Published: 11/5/2018

Introduction

The Croatian National Bank is the data controller for the processing of personal data of data subjects and it processes these data in accordance with applicable regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Act on the Implementation of General Data Protection Regulation (Official Gazette 42/2018).

A data subject is any natural person (individual) whose identity is or can be established.

Why do we process your personal data?

We process your personal data when this is necessary for the performance of our tasks carried out in the public interest, the exercise of our official authority and the compliance with our legal obligations pursuant to laws and other regulations of the Republic of Croatia and the law of the European Union.

We process personal data only to the extent necessary to achieve the legal purpose of the processing.

How long do we keep your personal data?

Being a producer of official statistics and creator of archives and current records, we store personal data for longer periods for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes, subject to the application of appropriate safeguard measures.

Personal data retention periods are prescribed by an internal regulation governing the protection and processing of archives and current records of the Croatian National Bank.

Who has access to your personal data and to whom can they be forwarded?

Access to your personal data at the Croatian National Bank is provided only to our employees and associates who require these data for the performance of their tasks based on the need to know principle.

We forward the collected personal data to third persons outside the Croatian National Bank only when we are obliged to do so pursuant to the law of the Republic of Croatia or the law of the European Union. When this is the case, we will notify you about forwarding your personal data if such an obligation is stipulated by regulations in effect governing personal data protection.

How do we protect your personal data?

We protect your personal data from any infringement, including unauthorised access, accidental loss, destruction, damage and any other breach of safety.

We protect your personal data by technical and organisational measures, such as control of access to all data and documents, ensuring that persons authorised to access your personal data have committed themselves to confidentiality, applying authentication methods (passwords, PINs, smart cards), monitoring the access to and activities in the information technology system and using security software for our information technology equipment and data.

What are your rights concerning your personal data that we process?

First, you have the right of access to personal data, which entitles you to information about whether your personal data are being processed. When this is the case, we will inform you, among other things, about the purpose of processing your personal data, the category of your personal data, the recipients or categories of recipients to whom your personal data are or will be disclosed, the envisaged retention periods for these personal data and your rights as a data subject with regard to the Croatian National Bank as the data controller.

Second, you have the right of rectification, that is, the right to obtain the rectification of inaccurate personal data concerning you, and the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Third, you have the right to restrict the processing of your personal data, where one of the following applies:

  1. when you contest the accuracy of your personal data, we will restrict the processing for a period that will enable us to verify their accuracy;
  2. when the processing of your personal data is unlawful, and you oppose their erasure and request the restriction of their use instead;
  3. when there is no longer a need to process your personal data and you request that they continue to be processed for the establishment, exercise or defence of legal claims; and
  4. when you object to processing pursuant to Article 21(1) of General Data Protection Regulation, pending to verification whether our legitimate grounds for the processing of your personal data override your grounds for the cessation of their processing.

Fourth, you have the right to object, that is, the right to put forward an objection to the processing of your personal data necessary for the performance of our task carried out for reasons of public interest, in the exercise of our official authority or for the purpose of our legitimate interests. Once you have put forward an objection, we are no longer allowed to process your personal data, unless we are able to prove that our legitimate reasons for processing override your interests, that is, if processing is important for the protection of legal claims.

The above-mentioned rights of a data subject are coupled with the right to erasure and the right to data portability, which, given the stipulated conditions for their exercising, you may exercise only under exceptional circumstances.

Specifically, the right to erasure ("right to be forgotten") is the right to obtain the erasure of personal data concerning you, where one of the following applies:

  1. your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. when you withdraw the consent on which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of General Data Protection Regulation, and where there is no other legal ground for processing;
  3. when you object to processing pursuant to Article 21(1) of General Data Protection Regulation and there are no overriding legitimate grounds for processing;
  4. when your personal data have been unlawfully processed; and
  5. when your personal data have to be erased for compliance with our obligations under the law of the Republic of Croatia or the law of the European Union.

In addition, a data subject's right to data portability means your right to receive your personal data, which you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance on our part, and only in the case when processing is carried out by automated means and it is based on consent or a contract.

How can you exercise your rights?

The exercising of your rights is facilitated by request forms, which you can access here:

Request form for access to personal data

Request form for rectification of personal data

Request form for restriction of processing of personal data

Objection form for processing of personal data

Request form for erasure of personal data

Request form for transmission of personal data to another controller.

A request form submitted to the Croatian National Bank has to be properly completed and signed.

A request form that has not been properly completed or signed by the data subject will be returned for correction.

How can you contact us?

You can submit your request form to the Croatian National Bank:

a) by regular post to the address indicated below:

HRVATSKA NARODNA BANKA                    (CROATIAN NATIONAL BANK)

n/p Službenika za zaštitu podataka               (attn: data protection officer)

Trg hrvatskih velikana 3                                (Trg hrvatskih velikana 3)

10000 Zagreb, Republika Hrvatska              (10000 Zagreb, Republic of Croatia)

or

b) by e-mail to the address indicated below:

sluzbenik.osobni@hnb.hr.

 

We will enable you to exercise the previously stated data subject rights in accordance with the provisions of General Data Protection Regulation, within an appropriate period and without undue delay.

Feel free to contact us using the given contact information should you have any questions regarding the processing of your personal data at the Croatian National Bank.

Lodging a complaint with the Personal Data Protection Agency

The supervisory authority for the protection of personal data in the Republic of Croatia is the Personal Data Protection Agency, Zagreb, Martićeva ulica 14.

Please note that you can lodge a complaint about our actions concerning the processing of your personal data with the Personal Data Protection Agency.

Additional information

Any additional information on the realisation of the right to personal data protection may be requested by e-mail from the Croatian National Bank personal data protection officer at: sluzbenik.osobni@hnb.hr.