Privacy policy

INTRODUCTION

Bagadur Metoda, LB BODYART ESTETIC, business for services, OIB: 21124171989, Kralja Tomislava 146, Crikvenica (hereinafter: Bagadur), pays special attention to the protection of personal data and privacy (hereinafter: privacy protection) of website visitors, business partners , job candidates, their employees, former employees as well as other persons (hereinafter: Users) in accordance with the General Data Protection Regulation (EU 2016/679) (hereinafter: Regulation and/or GDPR), applicable regulations, best practices and internationally accepted standards, in accordance with business and security requirements.

Confidential and responsible processing of personal data is a central element of the corporate culture of LB BODYART ESTETIC, hereinafter referred to as "Bagadur". This particularly applies to personal data of employees, business partners, candidates, visitors, etc. ("Data").
The Privacy Policy describes the rules we follow when processing personal data, as well as information related to data linking, consents, data protection, where data is processed, in which cases we forward it to third parties, and what your rights are and who you can contact regarding the protection of your privacy.

1. ABOUT THE PERSONAL DATA PROTECTION POLICY

With the personal data protection policy, we want to transparently provide users with clear information about the processing and protection of their personal data in one place, as well as enable simple monitoring and management of their personal data and consents. The policy does not reduce the rights and does not establish obligations for the Users in relation to the processing of personal data, which the Users have on the basis of valid regulations and possible contractual provisions on the protection of personal data.

The policy is a unilateral legally binding act and describes the purpose and goals of collecting, processing and managing personal data, which is based on the world's leading practices in the field of personal data protection. The policy ensures an adequate level of data protection in accordance with the Regulation and other applicable laws related to the protection of personal data.
The policy applies to all Bagadur websites and domains and to all services, products and services that include the processing of personal data. It primarily refers to natural persons who submit a request for services or use services, or come into contact with Bagadur in any way. Respecting the legitimate interests of Users who are legal entities, the Policy is also applied to legal entities in an appropriate manner, in accordance with applicable regulations.

The goal of the Policy is to establish appropriate processes for the protection and management of the personal data of respondents, i.e. website visitors, business partners, job candidates and their employees and other persons whose personal data is processed. At the moment of submitting your data, you agree to contact us and thereby give us the right to process your personal data in accordance with the indicated purpose. Privacy protection of your data is permanent. The policy was published in the form of an official document and will be applied from April 1, 2019
Please check the Personal Data Protection Policy periodically for possible changes that will be displayed on the Bagadur website.

2. DEFINITIONS OF CERTAIN TERMS CONTAINED IN THIS POLICY

Personal data - is all data related to an individual whose identity has been determined or can be determined. An identifiable individual is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, online identifier or with the help of one or more factors inherent to physical, physiological, genetic, mental , economic, cultural or social identity of that individual. Personal data is name, address, e-mail address, IP and MAC address, GPS location, RFID tags and cookies on websites, phone number, photo, video recordings of individuals, OIB, biometric data (fingerprint, iris scan), genetic data, data on education and professional training, data on salary, data on credit debt, data on bank accounts, data on health, sexual orientation, voice and any other data related to a real person, i.e. the owner of the personal data can be used to directly or indirectly identify that person.

Processing – means any procedure or set of procedures performed on personal data or sets of personal data, whether by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction.

Controller – means a natural or legal person, public authority, agency or other body that alone or together with others determines the purposes and means of personal data processing;
Processor – means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
Recipient – means a natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party;
Third party - means a natural or legal person, public authority, agency or other body that is not the subject, the data controller, the data controller or the persons authorized to process personal data under the direct authority of the data controller or data controller;

Privola - see point 8. Policies
Storage system – means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis

Breach of personal data – means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed
An identifiable person is a person whose identity can be determined (directly or indirectly) especially on the basis of an identification number or one or more characteristics specific to his physical, psychological, mental, economic, cultural or social identity.
Special category of personal data – refers to racial or ethnic origin, political views, religious or other beliefs, trade union membership, health or sex life and personal data on criminal and misdemeanor proceedings.

3. AREA OF APPLICATION

The policy applies to all personal data of Users or Potential Users
Personal data is any data relating to a natural person whose identity has been determined or can be determined, directly or indirectly (hereinafter: data or personal data). Data processing is any action performed on personal data, such as collection, recording, storage, use, transfer of personal data and access to personal data.
The policy does not apply to anonymous data. Anonymous data is data that has been changed in such a way that it cannot be linked to a specific natural person or cannot be linked without a disproportionate effort, and therefore, in accordance with current regulations, it is not considered personal data. The policy applies to all Bagadur services and products that involve the processing of personal data. The last manifestation of the User's will regarding the processing of personal data applies to all other services that the User uses. As a rule, Bagadur is the data controller in relation to the personal data of its Users in terms of the current regulations on the protection of personal data.

4. PRINCIPLES OF PERSONAL DATA PROCESSING

4.1. Confidence
We want to be a reliable partner for Users in protecting their privacy and justify the trust they have placed in us. Also, we want to be completely transparent and clear regarding the processing of the User's personal data. Users can always contact us with a request to change their personal data or with an expression of will about the purposes for which they want or do not want their data to be processed.

4.2. Legality and best practice
When processing personal data, we act in accordance with the law, but at the same time we always strive to apply higher standards and the best European practice, and in accordance with the recommendations of the most eminent external consultants. All Bagadur employees who come into contact with personal data sign a Confidentiality Statement and undergo continuous training on the protection of personal data. Bagadur periodically conducts an internal audit of the implementation of all personal data protection policies, with the aim of complying with legal regulations and improving the level of protection within the Company.

4.3. Limited purpose of processing
We collect and process personal data only for a specific and lawful purpose and we do not further process them in a way that is inconsistent with the purpose for which they were collected, unless otherwise prescribed by law or on the basis of the User's consent.

4.4. Reducing the amount of data
We always use only those User data that are appropriate and necessary to achieve a certain legal purpose, and not more data than that.

4.5. Processing in anonymous form
Whenever possible and justified, we use data in anonymous form. Data in an unnamed form are primarily anonymous data. However, whenever it is possible and justified, especially for the protection of the User's personal data, we pseudonymize personal data, i.e. we "mask" them with special pseudonymization procedures (e.g. substitution, hashing, etc.) in such a way that they cannot be connected to an individual User without the use of additional information that is kept securely and separately (eg use of a key).

4.6. Integrity and Confidentiality
We process personal data in a secure manner, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage (e.g. access to the User's personal data is only available to authorized persons who need it for the performance of their work, and not to other employees).

4.7. Quality of personal data
We attach great importance to the quality of the data we process. The personal data we process must be accurate, complete and up-to-date in order to ensure maximum protection of the User's data and prevent possible abuse. That is why it is important for us that the User informs us immediately or as soon as possible about any change in data.

4.8. Limited storage time
We store and process the User's data only as long as it is necessary for the execution of a certain legitimate purpose, unless a longer or shorter storage time is provided for a particular purpose by the applicable regulations or in other cases expressly prescribed by law. After that, the data is permanently deleted or made anonymous. In general, we store data in accordance with regulatory requirements and best practices to enable traceability in the supply chain, consumer safety, protection and preservation of integrity, standards, and the like. The duration of data storage depends on the nature of the data and is subject to change. In accordance with the stated principles, the User's data will be accessed by Bagadur employees depending on their authorizations and positions, in order to successfully fulfill the tasks defined for their position. Also, part of the services for Bagadur are performed by other legal entities with whom the User's data will be shared only if they are necessary for the fulfillment of obligations from joint contracts or sharing is based on the User's express request or consent. Bagadur will forward the User's data to other economic entities or state institutions in the event that there is a legal basis for this.

5. HOW WE COLLECT PERSONAL DATA

Bagadur collects the User's personal data (hereinafter: data) in several ways:

1. We collect data primarily directly from the User or Potential User, in such a way that they provide it to us. The most common example of this type of data collection is submitting a request for a particular service or product, where the User, if he wants to use a particular service or product, provides data and documents that are necessary for identification (e.g. name, surname, address, copy of documents, OIB etc.). We also collect data during communication with the User via telephone, e-mail, Human Resources Service, websites and contact forms on websites, internet portals and social networks, when resolving complaints, processing requests, requests, etc. The data collected in this way are used for the purpose of fulfilling the User's request. In cases where it is possible and legally permissible, Bagadur will not collect copies of documents, but will only request them for inspection and make a special note about the above. This especially applies to documentation that contains biometric or particularly sensitive personal data.

2. We collect data that occurs automatically when the User uses services and/or products or provides a service and/or product.
3. We collect data from publicly available sources such as, for example, data from publicly published registers, public telephone directory, publicly available services, commercial services or publicly available numbering.
4. We collect data based on concluded contracts with business partners.
5. We collect data based on concluded work contracts and/or work contracts, i.e. when performing work or a specific service.
6. We collect data based on video surveillance installed in the Company's business premises, i.e. records of entry and exit to the Company's business premises, as well as data obtained from GPS devices installed in official vehicles and/or work machines. The use of video surveillance is described in more detail in the publicly available Rulebook on the use of video surveillance systems. The system for monitoring and controlling vehicles and work machines was installed by the employer with the purpose of controlling the use of vehicles in accordance with the rules for the use of official vehicles as well as the efficient performance of work operations with the work machine. Personal data that can be collected through the GPS system for monitoring and control are: Current location, speed and status of the vehicle, movement of the vehicle in the past (drawing the route of the vehicle), detailed reports and statistics on the use of the vehicle (daily, weekly, monthly), total trip and driving time, location and time of vehicle stopping, speeding, visits to objects of interest or designated movement zones (POI and Geofencing (entry/exit from the movement zone)), statistics and analytics of vehicle use inside and outside working hours, vehicle operation, consumption fuel, use and proper use of the vehicle. The above data is kept for 5 years. The prerequisite for any collection of the User's personal data is the existence of an appropriate legal basis based on the law, legitimate interest or consent of the User.

6. WHAT TYPES OF PERSONAL DATA WE COLLECT

Depending on the contracted service or product, the User's consent and the purpose for which the individual data is used, Bagadur is authorized to collect the types of User data listed below. In doing so, we always collect only those data that are necessary to achieve a certain legal purpose, legitimate business interest and public interest. Also, Bagadur does not process special categories of data or personal data related to criminal convictions and punishable acts, except for the certificate of non-punishment, which is provided for inspection when concluding the employment contract and returned to the employee. Bagadur collects data on violations committed at work and during work, for the purpose of fulfilling its legal obligations, i.e. for the possibility of proving the fulfillment of the obligation.
6.1. Contract data

Contractual data in a broader sense include the so-called master data, i.e. data provided by the User for the purposes of concluding and executing the contract (e.g. name and surname, date and place of birth, postal address, delivery address, contact information (telephone, email, etc.), OIB, JMBG, data about ownership, possession, lease, lease, bank account number, marital status, citizenship, nationality, information about health, disability, information about children, professional training, etc.).

6.2. User communication with Bagadur
It includes, for example, the User's written or electronic communication with Bagadur, communication on social networks, the User's preferred communication channels, sending requests, applying for a job, etc. We may also automatically collect certain data from your device when you visit our website and other linked websites (“ our website"). This data may display personal information such as: IP address, name of the file you accessed, date and time of access, amount of data transferred, notifications of successful access, web browser, device type, and unique device identification numbers. We may also collect information about how your device has interacted with our website, such as information about the pages you have accessed and which links have been opened.

By collecting this information, we can better understand who comes to our website, where visitors come from and what content on our website they are interested in. We use this information for our internal analysis, to improve the quality of our website and to adapt it to the interests of our visitors. Some of this information may be collected using cookies or similar technologies on our website. For details, please see about cookies on our website or the terms of use of our website.

6.2.1. Sending applications, resumes or applications for models
Through its website, Bagadur allows you to send applications, CVs, job applications and other supporting documents.
In addition to the data you send yourself, Bagadur may access certain personal data when conducting a selection interview or testing.
Personal data obtained in this way are used and processed during the selection process depending on the changing needs for employment at Bagadur.
If the User sends an application and other documentation for a specific tender, Bagadur will use the said data exclusively for the selection process for that tender. Upon completion of the procedure, Bagadur will delete/destroy the obtained personal data, except in the case of employment of the person providing the personal data or his express written request, i.e. consent for the data to be stored in the candidate database for the purposes of future employment.
If the user sends an open application, he is also obliged to sign a consent in which he will give his consent to the sent data being kept in the candidate database and to be used for the needs of future selection procedures or job offers. Data collected in this way will be kept by Bagadur for 5 years from the date of obtaining the last consent. If applications, resumes, applications, etc. sent by mail and no consent is attached to them, Bagadur will, unless it requires excessive effort, ask the candidate to deliver the signed consent within 8 days. If the candidate does not submit the consent within a certain period, the submitted personal data will be destroyed. (For more about Privole, see point 7.). Personal data provided when applying for a job or performing professional practice, as well as during selection testing or interviews, will be available only to employees of the Human Resources Service, and in certain cases will be provided to employees in the internal organizational units of Bagadur who participate in the selection of candidates and the implementation of the tender procedure, and who have previously signed the Statement on confidentiality of personal data.

6.3. Data by Potential Users
This data includes master data, especially contact data (e.g. first and last name, e-mail address), but also interests of the Potential User for Bagadur services or products. As a rule, Bagadur will record the data of those Potential Users who contact them with the wish for Bagadur to inform them and/or offer them certain products and/or services. Data on Potential Users are deleted or anonymized after 5 years or, at the request of the Potential User, earlier, with the exception of when we keep the data longer due to legal or legal obligations (e.g. in the event of a dispute).

6.4. Collection of data from external sources
From time to time we may receive personal data about you from external sources, eg data from publicly available registers, published information on websites and from the media.

6.5 Special categories of personal data (sensitive data)
Sensitive personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, including the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data on health or data relating to a person's sex life or sexual orientation.
Special categories of personal data are usually processed on the basis of one of the following legal bases:
(a) on the basis of your express consent (Article 9 paragraph 2 subparagraph a GDPR);
(b) to determine, execute or process legal requirements (Article 9, paragraph 2, subparagraph f GDPR),
(c) if, in exceptional circumstances, it is necessary to protect your vital interests, and you are unable to give your consent (Article 9, paragraph 2, subparagraph c GDPR).
As a rule, Bagadur will not collect sensitive data except for religion and union membership, and exclusively for the purpose of fulfilling legal obligations, i.e. fulfilling the obligations/realizing the rights of workers prescribed by internal acts (Collective Agreement, Labor Regulations).

7. FOR WHAT PURPOSES DO WE USE COLLECTED PERSONAL DATA

In order for Bagadur to be able to provide the service to the User, and in accordance with the legalities mentioned below, it is necessary to process a minimum set of data necessary for the quality provision of an individual service. Otherwise, if the User refuses to provide the requested set of data, Bagadur may consequently not be able to provide the User with the service or process the request.
Accordingly, the User's personal data is processed when one of the following conditions is met:

7.1. Contract execution
Bagadur collects and processes the User's data (hereinafter: uses) primarily for the purposes of concluding and executing a contract (a contract is considered any clear expression of will) between the User and Bagadur, employment and termination of employment. This particularly includes the use of data for the purpose of verifying the User's identity, the User's ability to pay, providing the contracted service, calculating and charging costs, contacting the User if necessary in connection with the provision of the service, resolving complaints, eliminating disturbances, monitoring and ensuring the quality and security of services and products, customer support, advice and assistance in the use of products and services and other actions related to the conclusion and execution of contracts in accordance with the law.
The legal basis for data processing for these purposes is the necessity for the execution of the User's contract or taking measures at the User's request before concluding the contract. In the event that the User does not wish to provide the necessary information for the purpose of concluding and executing the contract, Bagadur may not be able to conclude the contract and/or perform certain actions related to the execution of the contract.
Bagadur also collects personal data for the fulfillment of obligations under the employment contract, i.e. the realization of rights from the Collective Agreement and the Labor Regulations.

7.2. Legitimate interest
Furthermore, Bagadur uses certain data of the User exclusively for the needs of its own records, and for the purpose of protecting the legitimate interests of the User, except when those interests are stronger than those interests or fundamental rights and freedoms of the User that require the protection of personal data. This includes, for example, the use of User data for the purpose of preventing, detecting and processing abuses to the detriment of the User or the Company, ensuring the safety of employees, Users, products and services, creating services and offers that meet the needs and wishes of the User, marketing activities and publicity, ensuring superior user experience experiences, personalized customer support, optimization of the electronic communication network, etc.
The legal basis for data processing for these purposes is the legitimate interest of Bagadur, except when that interest is stronger than the interest or fundamental rights and freedoms that require the protection of the User's data and/or the legal basis for the protection of the key interests of the User or another natural person. The exception is the cases listed in Article 7 of the Policy when the legal basis is consent.

7.3. For the purpose of fulfilling legal obligations and performing tasks of public interest
On the basis of a written request based on current regulations, Bagadur is obliged to submit or provide access to certain personal data of the User to the competent state authorities.
The legal basis for data processing for these purposes is the fulfillment of legal obligations as well as the performance of tasks of public interest. We undertake to comply with the laws of the Republic of Croatia and valid European regulations. Furthermore, we must comply with the relevant requirements of certain industry standards (such as ISO, HACCP, GLOBAL GAP, OHSAS standard).

8. PERSONAL DATA PROTECTION MEASURES

The data controller is obliged to ensure that access to personal data is granted only to authorized persons who have signed the Declaration of Confidentiality and have undergone internal training on the protection of personal data. The controller is obliged to ensure the protection of personal data in such a way as to ensure that the IT network and systems are protected from:

9. CONSENT

Consent is a voluntary, special, informed and unambiguous expression of the User's wishes by which he gives consent to the processing of personal data relating to him/her (so-called opt-in) by means of a statement or a clear affirmative action. Consent can be given in writing or in another appropriate way. Consent can be given and withheld free of charge at any time. Consent is not necessary for all data processing.

The user can change their consent and/or deny the right to process personal data in writing (e-mail or post if it is possible to determine the identity of the applicant with certainty) or by coming to the Bagadur office. Depending on the communication channel, such change and/or denial will be recorded within 48 hours of receipt at the latest, provided that the user is unequivocally identified.

10. RIGHTS OF RESPONDENTS / USERS

In accordance with the currently applicable law, you have the following rights:
The right to information - you have the right to know what personal data is collected, from which sources and for what reasons. We have given you the opportunity to contact us at any time and request that this information be delivered to you

Right to rectification – you have the right to request the rectification of any inaccurate personal data. It is our duty to ensure the accuracy of the personal data we process and we try to do so at all times, in contact with you. However, despite our best efforts, it is possible to process incorrect data. In this case, we undertake to comply with your requests for data correction.
The right to be forgotten - you have the right to request that we delete your personal data from our servers. As such, it is our obligation to comply with your request, unless we need to keep your data in accordance with the law. Bagadur undertakes to delete or anonymize your personal data from all databases related to processing based on consent, in accordance with technical possibilities.
The right to restrict processing - according to the General Regulation on the Protection of Personal Data, you have the right to restrict the processing of personal data in certain cases. We have conducted an in-depth review of our purposes and processing methods and have not found a case where such an example could be applicable. Any requests made pursuant to this right will be considered a withdrawal of consent and will result in nothing but the most important notices being sent to you.

The right to data portability - you have the right to request that your personal data be provided in a structured form. Bagadur undertakes to respond to your request within 30 days from the date of submission of your request. We will only send you personal information that you have provided to us, or that we have collected from publicly available sources or from our partners.
Right to object - The General Data Protection Regulation ensures that you can object to any data processing that takes place based on the company's legitimate interest.
Automated decision-making – Bagadur does not conduct automated decision-making, except to provide you with customized advertising services after you visit our website, for which we collect your express consent. You can withdraw your consent at any time.
Requests by the respondent, by which the respondent asks the data controller for one of his rights from the Regulation, must be in writing. It is not possible to act on the request before the identity of the respondent has been established beyond doubt. Forms for the exercise of individual rights can be requested at lorena@bagadur.com

11. INTERNATIONAL TRANSFER OF DATA

Your personal data may be transferred and processed in other countries outside the European Union, for which the appropriate level of data protection has not yet been established by the European Commission and which cannot ensure the same high level of protection. Personal data may be subject to government access rights under applicable local laws and regulations. However, we have taken appropriate security measures to ensure that your personal information is protected in accordance with this notice. We will ask for your consent in cases where the transfer is not determined by special laws or other security measures. Security measures are available upon your request.

On our website, you will be expressly warned about the possible international transfer of data outside the European Union. In certain cases, our business partners who perform certain services for us (maintenance of information systems and equipment, business applications, physical and technical protection, subcontractors under a specific contract, etc.) have access to a certain category of personal data. Bagadur will warn you if one of the business partners has access to your personal data and in certain cases will ask for your consent. Bagadur requires its business partners to implement the highest standards of personal data protection. In certain cases, personal data submitted when applying for a job or carrying out professional practice will be submitted to employees in Bagadur's internal organizational units who participate in the selection of candidates and the implementation of the tender procedure, and who have previously signed the Declaration on the confidentiality of personal data.

12. PERFORMERS OF PROCESSING

Based on the contract, which must be in writing, the data controller may entrust individual tasks related to the processing of personal data within the scope of his work to another natural or legal person (processor). Tasks related to the processing of personal data can only be entrusted to a processor who is registered to perform such activity and who provides sufficient guarantees regarding the implementation of appropriate measures for the protection of personal data, i.e. classified data if it meets the conditions established by special regulations governing the field of information security

13. HOW LONG WE KEEP YOUR DATA

We keep your personal data during the business relationship as long as it is necessary to fulfill the purpose or as long as there are contractual or legal retention obligations or documentation obligations (e.g. according to the relevant tax regulations, the Obligatory Relations Act, the Labor Act, etc.), legal limitation periods , legal obligations established by the respective laws on education, there are legitimate interests. When there are no legitimate purposes for further storage of your personal data, they will be deleted or anonymized. In the event that this will not be possible (for example, because your personal data is stored in security archives), we will store your personal data securely and make it unavailable for further processing, until deletion is possible.
Detailed storage terms for documentation and personal data are prescribed by the Ordinance on the Protection and Processing of Archival and Registry Materials.

14. PERSONAL DATA PROTECTION OFFICER – DPO

The controller will appoint a personal data protection officer. The personal data protection officer reports directly to the responsible person of the data processing manager and may not receive instructions from other employees of the data processing manager and is in charge of direct contact with the competent supervisory authority. The personal data protection officer takes care of the legality of the processing of personal data and the exercise of the right to the protection of personal data in accordance with the applicable legal regulations, and in particular performs the following duties:

15. WHO TO CONTACT

The User can exercise his rights by contacting or submitting a corresponding request to the e-mail address: lorena@bagadur.com

16. FINAL PROVISIONS

This Policy enters into force on August 1, 2020. years. All changes to the Policy will be published on the Company's website with the change number (ver.) as well as the month of the last update.
LB BODYART ESTETIC, trade for services

en_USEnglish
hrCroatian en_USEnglish