PERSONAL DATA PRIVACY POLICY

1. Introduction

GENERATOR Ltd. with its headquarters in Zagreb, Jarun 68, OIB: 69921826127 (hereinafter: Generator), is a commercial company registered in the court register of the Commercial Court in Zagreb.

Generator company primarily deals with and is registered for providing consulting services related to business and management. Generator must collect and process certain data about individuals in its business operations and is therefore the data controller. Generator can also be in the position of data processor when processing personal data provided by its clients exclusively when providing contracted services.

The purpose of this policy is to ensure that Generator fully complies with legal, organizational, and technical obligations regarding the protection of personal data.

All Generator employees are fully familiar with the content of this policy and ensure its implementation when processing personal data. Employees whose tasks include handling personal data are adequately trained in relation to their tasks regarding the protection of personal data.

This policy applies to all personal data processed by Generator in relation to any person, regardless of whether they have been, currently are, or will be an employee, client, supplier, or contact. This policy does not apply to anonymous data. An anonymous datum is a datum that has been altered in a way that it cannot be linked to a specific individual, or cannot be linked without disproportionate effort, and therefore, in accordance with applicable regulations, is not considered personal data.

This policy has been developed to improve Generator's services to its clients, to protect individuals in terms of the confidentiality of their personal data when providing Generator's services, and to ensure that the processing of personal data by Generator is fully in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) and other applicable regulations. Personal data that Generator processes in its operations are not shared with unauthorized persons, offered, sold, or transferred outside the Republic of Croatia, to third countries, or humanitarian organizations.

2. Definition and application

Personal data is considered all data relating to an individual whose identity is determined or can be determined, i.e., an individual who can be identified directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, network identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

Processing of personal data refers to any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collecting, recording, organizing, structuring, storing, adapting, or modifying, withdrawing, finding, using, disclosing by transmission, dissemination, publishing, or making available in any other way, alignment or combination, restriction, deletion, or destruction, and performing logical, mathematical, and other operations with these data.

The categories of personal data that Generator processes in its operations depend on individual categories of respondents (employees, clients, suppliers, persons who have contacted Generator with some of the inquiries), but these are usually the name and surname and e-mail address.

Generator collects and processes personal data primarily for the purpose of providing services in its operations or in fulfilling legal or contractual obligations. The legal basis for processing personal data is the contractual relationship between Generator and the data subject, Generator's legal obligation, or the data subject's consent. Generator handles these personal data adequately, regardless of how these data were collected, recorded, stored, and used on paper, computer, or other material.

When a data subject sends an e-mail with personal data by which he/she can be identified, via an e-mail message with a question or comment, Generator uses these data to fulfill the request or inquiry of the data subject in relation to providing Generator's services. In case the data subject does not want to provide his/her personal data necessary for the provision of these services, fulfilling the data subject's request, or responding to the data subject's inquiry, Generator will not be able to process such request or inquiry or provide the service.

At the moment of delivering the data subject's data to Generator, the data subject agrees that Generator processes his/her personal data, in accordance with the indicated purpose. The privacy protection of the data subject's data is permanent, and at any time, the data subject can exercise his/her rights listed and explained below.

Generator keeps the personal data of employees from the employment relationship and in connection with the employment relationship permanently. Personal data from accounting or bookkeeping documents (for example, invoices issued to clients, as well as received invoices from suppliers) Generator keeps for at least 11 years in accordance with accounting regulations. The data that the client provides to Generator are kept in accordance with the contract with each of the clients. Contact data of data subjects received at the first contact, which would not result in a contract, Generator processes until the withdrawal of consent on which they are processed. Personal data for which the retention period has expired (e.g., if the purpose for which they were collected has been achieved or because the statutory period has expired) will be deleted, destroyed or anonymized in a way that restoring personal data is no longer possible.

For the purpose of carrying out its business process, Generator may entrust certain data processing tasks to data processors, but only those that meet the technical, logical, and organizational measures of personal data protection provided by Generator.

The data collected by Generator is stored in an appropriate manner and its confidentiality is ensured. Generator will not forward the collected data to third parties without the consent of the data subject, except in cases where it is necessary to fulfill Generator's legal obligations (for example, to the Tax Administration, Croatian Pension Insurance Institute and other competent bodies), in cases where it is necessary for the performance of tasks carried out in the public interest, and in other cases defined by the competent regulation.

The data subject, regarding personal data processed by Generator on his behalf, has the following rights:

1. Right to be informed – The data subject has the right at any time to request information whether his personal data is being processed and for what purpose, who is the data controller, contact data of the data protection officer, which categories of personal data are being processed, for what period they are being processed or stored, who is the source of his personal data, who are all the recipients of his personal data, as well as the right to be informed about other his rights stated in this policy (right to access, right to rectification, right to erasure, right to restrict processing and others).
   
   
2. Right of access – The data subject has the right to obtain from the Generator confirmation as to whether personal data concerning him or her is being processed, then to access these data and information about:
   - the purpose of processing,
   - categories of personal data being processed;
   - recipients or categories of recipients to whom the data have been or will be disclosed;
   - if possible, about the period for which the data is stored or about the criteria used to determine that period;
   that he or she may request the Generator to correct or delete personal data or restrict the processing of personal data concerning him or her, or object to such processing;
   - right to lodge a complaint with a supervisory authority;
   - if personal data is not collected from the data subject, any available information about their source;
   - the existence of automated decision-making, including profiling, and its consequences.
   
   
   
3. Right to rectification – The data subject has the right to obtain from the Generator without undue delay the rectification of inaccurate personal data concerning him or her. The data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
   
   
4. Right to erasure / right to be forgotten – The data subject has the right to obtain from the Generator the erasure of personal data concerning him or her without undue delay if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing, if the data subject objects to the processing, if the personal data have been unlawfully processed, if the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Generator is subject, if the personal data have been collected in relation to the offer of information society services to a child. This does not apply if processing is necessary (and to the extent necessary) for the exercise of the right to freedom of expression and information, for compliance with a legal obligation that requires processing under Union or Member State law to which the Generator is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Generator, for reasons of public interest in the area of public health, for archiving purposes in the public interest, for scientific or historical research purposes, for the establishment, exercise or defence of legal claims.
   
   
5. Right to lodge a complaint with a supervisory authority – The data subject has the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, including profiling, in cases where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Generator or if the processing is necessary for the purposes of the legitimate interests pursued by the Generator or by a third party. The Generator shall no longer process the personal data unless the Generator demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
   
   
6. Right to data portability – The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a Generator, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the processing is based on consent and if the processing is carried out by automated means. The data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible, and this right shall not adversely affect the rights and freedoms of others.
   
   
7. Rights related to automated decision making and profiling – The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where such decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, is authorised by Union or Member State law to which the controller is subject or is based on the data subject’s explicit consent.
   
   
8. Right to withdraw consent – Consent of the data subject is one of the legal bases for processing data related to the data subject. The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
   
   
9. Right to restrict processing – The data subject has the right to request the restriction of processing of his or her personal data: if he or she disputes the accuracy of his or her personal data - for a period enabling the Generator to verify the accuracy, if the processing of his or her personal data is unlawful and he or she does not request erasure but only restriction of processing, if the Generator no longer needs his or her personal data, but their existence is necessary for the realization of his or her legal claims, if he or she has objected to the processing, he or she has the right to request restriction of processing for the period until it is determined whether legitimate reasons of the Generator for processing outweigh his or her reasons from the objection.

To exercise their rights, the data subject must contact the data protection officer by sending a written notification or request to the data protection officer at GENERATOR Ltd. to the e-mail address of the data protection officer stated below, as well as by submitting a personal statement directly in the business premises of GENERATOR Ltd, after prior announcement to the telephone number +385-1-5530-350, with identification by a valid personal document. Generator reserves the right to set additional requirements regarding the identification of the person who seeks to exercise their rights, all in order to prevent or disable the abuse of the rights of the data subject in relation to the protection of their personal data.

3. Data Protection Officer

Generator has appointed a data protection officer and every data subject has the right to contact him regarding the protection of their personal data via:

Phone: +385-1-5530-350

E-mail address:

All questions related to data protection should be directed to the data protection officer.

4. Principles of Personal Data Protection

Generator believes that lawful and proper handling of personal data is very important and therefore ensures that personal data is treated lawfully and correctly. To this end, Generator fully supports and adheres to the Data Protection Principles.

Data Protection Principles require that personal data:

• must be processed fairly and lawfully and in particular must not be processed unless specific regulations are met;
• are collected only for one or more specified and lawful purposes and must not be further processed in any manner incompatible with these purposes;
• processing must be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed, and the data must be accurate and up-to-date;
• must not be kept longer than necessary for the applicable purpose;
• must be processed in accordance with the rights of data subjects in accordance with applicable regulations;
• appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss, destruction, or damage to personal data;
• must not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Generator's Activities Related to Data Processing

Generator undertakes the following:

• fully respects the conditions of fair collection and processing of personal data;
• fulfills the obligation to specify the purpose for which personal data is processed;
• collects and processes adequate personal data, and only to the extent necessary to meet operational needs or in accordance with any legal requirements;
• provides all necessary data to the Personal Data Protection Agency;
• strictly checks the length of time personal data is kept;
• ensures that the rights of the persons whose data are processed can be fully exercised in accordance with data protection;
• takes appropriate technical and organizational security measures to protect personal data;
• ensures that personal data is not transferred abroad without securing protection;
• treats all people fairly and honestly regardless of their age, religion, disability, sex, sexual orientation, or ethnic affiliation when dealing with their requests for information;
• establishes clear procedures for responding to requests for information.

In case of personal data breach likely to result in a high risk to the rights and freedoms of data subjects, Generator will notify the data subject of the personal data breach without undue delay, unless Generator has taken appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the personal data breach, particularly those that make personal data unintelligible to any person who is not authorized to access them or if Generator has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize or if this would involve disproportionate effort, in which case Generator will apply public notification or similar measure informing data subjects in an equally effective manner.

6. Cookie Policy

In order for the website to work properly and in order to improve your browsing experience, a minimum amount of information (cookies) needs to be stored on your computer. More than 90% of websites use the practice of cookies and according to European Union rules, they are required to ask for user consent. By using this website, you agree to the use of cookies, which you can still block and continue to browse the site, but some of its capabilities will not be functional.

What is a cookie?

A cookie is information saved on your personal computer at the time of browsing the website you visited. Cookies enable easier usage since they save your website settings (language or address) and activate them again upon restart. In this way, the information is tailored to your needs and usual ways of use.

From simple settings information, cookies can save a large amount of personal information (name, e-mail address) which you must fully give access to. If you have not enabled them, then cookies cannot access files on your computer. The activities of saving and sending cookies are not visible to you, however, you can choose the option of approval/rejection of the request for saving cookies, deleting saved cookies, and other activities related to the use of cookies in your chosen Internet browser settings.

How to disable cookies?

By disabling cookies, you do not allow them to be stored on your own computer. Cookie settings can be configured and changed in your web browser. To see the settings and how to adjust them, check out the instructions, help, and support of your chosen web browser. If you disable cookies, then you will not be able to use certain functionalities of web pages.

What are temporary cookies?

Temporary cookies, or session cookies, are removed from your personal computer at the moment of closing the web browser in which you were browsing the website. With the help of these cookies, pages store temporary data.

What are persistent cookies?

Persistent, or saved, cookies remain on your personal computer even after closing the web browser. With the help of these cookies, websites store data to make your usage easier. For example, websites that require a username and password entry will "remember" your input that will appear every new visit to the same. Persistent cookies will remain recorded on the computer for days, months, or years.

What are first-party cookies?

First-party cookies come from the website you are viewing, and can be temporary or permanent. In this way, websites store data that will facilitate your usage upon each new visit to that website.

What are third-party cookies?

Third-party cookies come to your computer from other websites that are on the website you are viewing. These are, for example, pop-up ads, and cookies have the role of tracking websites for advertising purposes.

Does this website use cookies?

Yes, this website uses cookies to provide you with a simpler and better user experience.

What kind of cookies does this website use?

• Temporary cookies (Session cookies) - these are cookies that will automatically delete when closing the internet browser in which you are working

• Persistent cookies (Persistent cookies) - these are cookies that will remain "recorded" in your web browser until they expire or you manually delete them. Collected information is anonymous, and does not include your private data

Are there third-party cookies on the website?

There are several external services that store you limited (limited) cookies, which were not set by this website. Limited cookies are used for uninterrupted use of features that provide users with easy access to content. This page enables:

• Attendance measurement

The site uses Google Analytics - a service for measuring attendance. If you want to disable the saving of cookies by this service, ban them at the following link:

Google Analytics - https://tools.google.com/dlpage/gaoptout

Additional information about disabling cookies

There are several websites for disabling cookies for various services. Read more at the following links:

http://www.allaboutcookies.org/

http://www.youronlinechoices.eu/

7. Review and Check

The company Generator Ltd. reserves the right to update this policy as necessary to reflect best practices and to ensure compliance with any changes or amendments in terms of personal data protection.

In Zagreb, on July 31, 2023

Generator Ltd.