Privacy Policy
General provisions
The Croatian Biophysical Society (hereinafter referred to as the Society) is a society that operates in the fields of education, science and research. The Society's target groups are: citizens - the general population, scientific and educational institutions, scientific and educational workers, students and others.
The goals of the Society are the promotion and development of biophysical sciences, the teaching of biophysics, the application of biophysics in other scientific fields and professions, and the enhancement of the reputation and social significance of biophysics and biophysicists.
The Society operates in accordance with the Associations Act. Membership in the Society is acquired by being accepted as a member of the Society based on the provisions of the Society's Statute. By entering into a contractual relationship with the Society, becoming a member of the Society or directly or indirectly participating in the work of the Society, a natural person/member entrusts his or her personal data to be processed. The Society is obliged to implement technical and organizational measures to ensure the protection of personal data in the manner defined by the Regulation.
Therefore, for the purpose of implementing protection measures, defining what data the Society collects, the methods of collecting and processing data, the rights of data subjects and other matters important for the application of the right to personal data protection, this Ordinance is being adopted.
Article 1.
The Society is the controller of the personal data collections it holds and determines the purpose and method of data processing.
The Society must process personal data fairly and lawfully. Personal data must be accurate, complete and up to date, and must not be collected to a greater extent than is necessary to achieve the stated purpose. Personal data must be kept in a form that allows the identification of the data subject for no longer than is necessary for the purpose for which the data is collected or further processed.
Article 2.
The definitions of terms used in this Ordinance are as follows:
"personal data" is any information relating to an identified or identifiable natural person (hereinafter referred to as: data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, psychological, mental, economic, cultural or social identity.
"processing of personal data" is any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and performing logical, mathematical or other operations on such data.
"collection of personal data" is any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis, regardless of whether it is contained in computerized personal data databases or is managed using other technical aids or manually.
"third party" is a natural or legal person, state or other body, other than the data subject, the controller of the personal data file or the processor of personal data and persons directly authorized by the controller or processor to process personal data.
"recipient" is the natural or legal person, public authority, state or other body to which personal data are disclosed, whether or not it is also a third party. However, public authorities that may receive data in the context of conducting investigations are not considered recipients.
"processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"data subject's consent" is any voluntary, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Personal Data Protection Officer" is a person appointed by the controller of the personal data collection who is responsible for the legality of personal data processing and the exercise of the right to personal data protection.
"personal data breach" means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
"pseudonymization" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable individual.
Article 3.
The Society uses the following data:
a) Basic identification data: name and surname, e-mail address
b) Identification data: first and last name, personal identification number (OIB), address of residence or headquarters, date of birth, contact information
c) Other personal data made available by the data subject or a third party
Personal data is collected directly from data subjects, orally and in writing.
Article 4.
For each processing purpose, the Society establishes and maintains a record of processing activities that contains information on the processing procedures, in particular the following data:
a) Purpose of processing
b) Description of categories of data subjects and categories of personal data
c) Name and contact details of the data controller and data protection officer
d) Categories of recipients to whom personal data have been disclosed or will be disclosed
e) Scheduled deadlines for deletion of different categories of data
f) General description of technical and organizational security measures
Article 5.
When introducing a new purpose for processing personal data or changing an existing purpose for processing, the Society will be required to assess the need to conduct a data protection impact assessment and to review the implications for the processing system and its security. The new or changed purpose must be included in the Records of Processing Activities.
Article 6.
The Data Protection Officer is appointed from among the regular members, preferably and as a rule from among the members of the Society's Management Board.
The Society publishes the contact details of the Data Protection Officer on its website and informs the supervisory authority about the person appointed as the officer.
The Data Protection Officer shall inform and advise members who directly or indirectly participate in the bodies of the Society, and other members who directly process personal data, on their obligations under the Regulation; monitor the implementation of the Regulation and other Union or Member State provisions on data protection; enable data subjects to exercise the rights defined by the Regulation; act as a contact point for the supervisory authority on issues regarding processing, including prior consultation in accordance with the provisions of the Regulation; and cooperate with the supervisory authority on all other issues regarding the processing and protection of personal data.
The Data Protection Officer is obliged to maintain the confidentiality of all information he learns in the performance of his duties.
The Data Protection Officer may also perform other tasks and duties. The Society must ensure that such tasks and duties do not lead to a conflict of interest.
The Data Protection Officer shall report directly to the President of the Society. The Society shall ensure that the Data Protection Officer does not receive any instructions regarding the performance of his/her duties. The Society may not dismiss the Data Protection Officer or penalize him/her for the performance of his/her duties.
The Society is obliged to support the Data Protection Officer in the performance of his/her tasks by providing the necessary resources, access to personal data and processing procedures, and the means to maintain his/her professional knowledge.
Article 7.
The data subject has the right to access personal data contained in the Society's storage system that relates to him/her.
The Society shall, without undue delay and no later than one month from the date of submission of the request by the data subject or his/her legal representative or attorney-in-fact:
- provide the data subject with a printout of the personal data contained in the storage system that relates to him/her
- correct incorrect data relating to him/her or, based on the request of the data subject, supplement it
- erase personal data relating to him/her, provided that the personal data are no longer necessary in relation to the purposes for which they were collected or the data subject withdraws the consent on which the processing is based
- inform the data subject about the purpose of the processing of his/her personal data, the categories of personal data that are processed, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored and, in the case where personal data are not collected from the data subject, about their source
The deadline referred to in paragraph 2 of this Article may be extended by an additional two months, if necessary, taking into account the complexity and number of requests. The Society shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
The request is submitted electronically and, unless the data subject requests otherwise, the information is provided in electronic form.
The Society shall provide the information referred to in this Article of the Ordinance free of charge. Exceptionally, if the requests of the data subject are manifestly unfounded or excessive, the Society shall charge a reasonable fee taking into account the administrative costs of providing the information or notification.
In the event that the Society determines that personal data is incomplete, inaccurate or out of date, it is obliged to supplement or amend it regardless of whether the data subject has made a request.
A data subject who believes that a right guaranteed by the Regulation has been violated has the right to submit a request for determination of the violation of rights to the competent authority.
For the purpose of protecting personal data, the Society, in all cases where possible, and especially when publicly disclosing information in accordance with the Right to Access Information Act, implements pseudonymization of data.
Article 8.
The consent given by the data subject to communicate with the Society and for other purposes requested by the Society may be revoked by the data subject at any time without consequences.
Article 9.
Personal data processed by the Society are not intended to be disclosed to other recipients. The Society is authorized to provide personal data for use by other recipients only on the basis of the recipient's express written request, where this is necessary for the performance of tasks within the scope of the recipient's legally established activity.
Article 10.
The Society implements organizational and technical measures to enable the effective application of data protection principles, such as data minimization, and integrates protective measures into the processing in order to meet the requirements of the Regulation.
Regular members of the Society process personal data within the scope of their authority and are obliged to take appropriate personal data protection measures necessary to protect personal data from accidental loss or destruction, from unauthorized access or unauthorized use, unauthorized publication and any other misuse, and to determine the obligations of the persons responsible for data processing. Technical measures to protect personal data processing procedures include, at a minimum, physical access control, operating system and e-mail account security, use of antivirus software, access via secure protocols and via VPN channels.
Article 11.
The Society is obliged to use processors who sufficiently guarantee the implementation of appropriate technical and organizational measures in such a way that the processing complies with the requirements of the Regulation and of this Ordinance and ensures the protection of the rights of data subjects.
Entrusting processing to a processor is necessarily regulated by a contract that binds the processor to the Society and specifies the subject matter and duration of processing, the consent and purpose of processing, the type of personal data and categories of data subjects, the obligations and rights of the controller and processor, instructions from the controller on the method of processing, secure processing requirements, organizational and technical measures, and the necessary records.
The processor may not engage another processor without the prior approval of the Society.
Article 12.
The Society monitors processing operations and, in the event of a personal data breach, is obliged to notify the supervisory authority no later than 72 hours after becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of the data subject, the Society shall notify the data subject of the personal data breach without undue delay in accordance with the provisions of the Regulation.
The Society is obliged to record all personal data breaches, including the facts related to the personal data breach, its consequences and the measures taken to remedy it.
Article 13.
All amendments to this Ordinance shall be adopted in the same manner as this Ordinance.
This Ordinance has entered into force.
President of the Society
Dr. Mario Cindrić