Bruketa& d.o.o. /Ltd./ Privacy Policy
We take your privacy very seriously. This Privacy Policy explains why and how we collect your personal data, how we use and protect them, with whom we share them, and how to contact us regarding your privacy protection and compliance with Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR, Regulation).
We can collect information about you in multiple ways. Be careful when disclosing your personal data, and check the accuracy and sensitivity of the data and the information provided or inserted.
Provided there is a legitimate ground for the collection of your personal data, we are not required to seek your prior consent. Nevertheless, we shall lawfully notify you of the collection and processing of your personal data beforehand. However, whenever we have no legitimate interest, or our legitimate interest is suspected, we will always seek your consent to the use of your personal data, and use such data solely for the purpose for which the consent was given.
I. Controller
Bruketa& d.o.o. /Ltd./, Zagreb, Nova Ves 17, email: info@bruketa.com
Personal Data Protection Officer
With regard to any issues concerning the processing of your personal data and exercising the rights provided for under the Regulation, you may contact the Personal Data Protection Officer by post or email as indicated below:
Martina Arapinac Radičević, Savski gaj IX. 2a, 10 020 Zagreb
Phone: +385 95 8000 216
email: martina@odvjetnica-arapinac-radicevic.com
II. Legal grounds for personal data processing
We collect and process personal data solely based on a legal ground for so doing. An overview of the purposes and legal grounds based on which we process your data is provided below, and includes the following:
| Purpose of personal data processing | Legal grounds |
| Performance of a contract (e.g. service provision) | Necessity for the performance of a contract |
| Recruitment (CV processing) | Consent of the applicant (or legal obligation) |
| Compliance with legal obligations (e.g. taxes, legal records) | Legal obligation of the Controller |
| Marketing activities (e.g. newsletter, promotions) | Explicit consent of the data subject |
| Protection of people and property (e.g. video surveillance) | Legitimate interest of the Controller |
| Business communication (e.g. partners, journalists) | Legitimate interest (professional cooperation) |
Provided processing is not required for the performance of a contract or compliance with a legal obligation, we will ask for your explicit consent. You may withdraw your consent at any time.
In the course of our business relationships, we sometimes organize business events and parties with the aim of improving our professional cooperation. On such occasions, we process the data (first name, last name, contact information) on the grounds of our legitimate interest in cultivating business relationships, while respecting all your privacy rights.
III. How we collect your data and what data we collect and process
We can collect your personal data in the following ways:
- Directly from you, e.g. information provided for the conclusion or performance of a contract,
- When you enter into the Company’s premises (video surveillance),
- From your CV and job application submitted to us,
- During attendance at any of our or our Clients’ events,
- During job-related phone calls with an individual,
- During participation in a prize draw or prize contest, etc.
Children’s privacy
In accordance with the applicable legislation in the Republic of Croatia, we consider any persons under the age of 16 as children. We refrain from collecting personal information from children without their parents’ or guardian’s consent.
If a parent or a guardian has questions regarding our processing of their children’s personal information, the same policy applies as for adults.
Disclosing your information
In the course of our interaction, you may be asked to disclose some information in the following ways:
- By submitting your CV;
- By submitting your CV and portfolio for the Talent Pool;
- By agreeing to receive our newsletter;
- Our business contact and cooperation may reveal some data about business partners or their employees for the purpose of performing professional activities, but also for the purpose of establishing close business contacts and relationships;
- When you attend our public event or celebration, or take part in our surveys, competitions or prize draws, we may solicit information from you such as your business card, first and last name, contact information, interests and preferences;
- When you attend a public event or a celebration, you may be photographed or video recorded;
- When using our online services, we may receive the content you decided to share, such as comments, photographs and posts from the online discussion forum or the particulars about your interests and preferences you shared with us;
- When we represent our Clients while performing their marketing activities arising from the contractual relationship with the Clients;
- When becoming our employee in compliance with the applicable legislation;
- By video surveillance when entering into our business premises.
Information we collect while working with our business partners and their employees
While working with our business partners that are legal/natural persons, we often establish a friendly and collegial relationship, and sometimes we may invite you to our business parties and other events and celebrations, and in general, to socialize with you either professionally or privately.
Information we collect from media relations
Our core business also includes the provision of PR services, which is why we often need to contact journalists with the aim of performing our professional activity. In our communication with journalists to date, we have collected their contact information (first and last name, email address and phone number) provided by the journalists themselves.
We will continue to contact journalists by using the contact information received from them. Any journalist, or a person who regards himself/herself as a journalist, can always withdraw their consent to contacting them, and using their personal contact information without detriment, as set out herein.
The abovementioned journalists’ contact information database will be retained and used for professional purposes until journalists withdraw their consent given to us to contact them in such a way and obtain mutual professional benefit.
Information we collect from employees during employment
We greatly appreciate the privacy of all our employees, and we refrain from collecting their personal data without a legitimate interest in so doing. Whenever we need any information about our employees (and close persons of employees) for the purposes of exercising certain rights, we always seek prior consent of the employees, provided such consent is necessary, and we have no overriding legitimate interest.
Our employees are obligated to provide such data for time sheet record keeping requirements as laid down in applicable labor legislation and other regulations governing the abovementioned area. The employees shall always update and timely disclose accurate data in case of any modifications to the data provided initially. The employees shall be held liable for the inaccuracy of such data.
Personal information about our employees may be collected, processed, used and shared with third parties where required to exercise their rights and obligations arising from their employment or related to their employment. For such purpose, the data will be collected, processed, used and shared with third parties as laid down by legislation related to accounting, pension and health insurance, health and safety at work, and legislation and regulations adopted for the purpose of the enforcement of the Labor Act.
We refrain from sharing the information about our employees with other parties without the explicit consent given by our employees, except in cases of legal obligations and contractual commitments arising from their employment contracts.
The employee information will be maintained for as long as it is legally binding for us to maintain such information, and we will delete/destroy such data as soon as the applicable legal pre-requirements come into force.
We notify all employees transparently about what data we collect, for what purpose, and based on what legal grounds, and how long we retain the data.
Personal data collected through the video surveillance system
We monitor any entrance into and exit from our business premises with the aim of protecting people and property on the grounds of our legitimate interest.
We use video recordings solely for the purpose of protecting people and property, and can deliver them at the request of the competent authorities (law enforcement, court of law), if required to carry out the procedures under specific legislation.
We retain video recordings obtained through the video surveillance system for a maximum of six months (or longer, provided they are excluded as evidence in judicial, administrative, arbitral or any other proceedings).
Personal data that you share
Our website or social media includes some arrangements that facilitate the transfer and sharing of messages, photographs, videos and other content that cease to be private or confidential after you post them, e.g. online discussion fora allow you to post comments, photographs and videos (under your account name) visible to other users of such service.
Marketing communication
When you willingly disclose your contact data to us to use them for the purpose of performing our marketing activities, such communication with you may include receiving the particulars about your latest products and services, awards, etc.
Cookies
Our official website uses the so-called cookies – text files installed into your computer by an online server, allowing the internet service provider (ISP) to display a website.
Cookies are installed when the browser on the user’s device uploads the visited website, which in turn sends the data to the browser, and creates a text file (cookie). The browser retrieves and sends the cookie to the website server when the user revisits the same website.
Our website uses technical (mandatory) cookies that cannot be disabled and that are essential for a website’s operation.
Information we collect while representing our Clients as a Processor
Bruketa& d.o.o. /Ltd./ is a marketing agency that represents Clients as a Processor in performing their marketing activities in accordance with a contractual relationship established with the Client. In such a case, the Database Controller is the Client represented by the agency, while we act as a Personal Data Processor.
While performing the abovementioned activities, we will always present ourselves as a representative of the Client who will be accurately named. In such communication, if you want to exercise your rights in compliance with the GDPR, you will have to contact our Client directly, but we will readily assist you and provide you with any information in this regard.
When we represent our Client, we may collect your personal data in several ways as follows:
- At events where you are invited as a guest and warned by an adequate disclaimer in advance that you will be photographed and video recorded, indicating the purpose and where exactly such material will be published. When you participate in such an event, you give your consent to photographs and filming, and to the use of such material for the Client/Event Organizer/Controller as indicated. If you do not want to be filmed and photographed, we will respect your rights and arrange the situation adequately to protect you;
- When you take part in prize draws/competitions or other sorts of contests of our Clients in accordance with positive legislation, you give your consent to the use of your personal information for a prize draw/competition and marketing activities related to such prize draw/competition;
- When you participate in surveys conducted for our Clients, you give us your consent to use your personal information/preferences/opinions (e.g. first and last name, age, etc.) for market analyses and other purposes specifically and clearly indicated and explained during surveys;
- For other purposes as requested explicitly by our Client, i.e. Controller.
We will delete the personal information collected as requested by our Client while performing our professional activity according to the contractual relationship established with the Client as soon as the assignment given by the Client has been completed. At the request of the Client, the database will be returned to the Client, but deleted from our records.
IV. How we use your personal data
We may use your data for multiple purposes:
- When providing services in accordance with contractual obligations;
- When organizing prize draws, competitions and other promotional offers;
- When considering your job application in case you contact us over our website, or otherwise, and submit your CV;
- When your CV and portfolio are included in our Talent Pool, in case you contact us over our website, and provide such data to us (and give your explicit consent to be included in the Talent Pool);
- When sending newsletters and other communication via email or other contact information, provided we obtained your prior consent for such purposes;
- When carrying out marketing activities, we may contact you to notify you about new content or similar activities, provided we obtained your prior consent for such purposes;
- When producing anonymous, overall statistics about the use of our website, which may be shared with third parties and/or made publicly available;
- Every time you post or respond to a post on our website or social media sites (e.g. on online discussion fora), the name of the respective forum may be recorded as well, as well as the time and date of your post or message, together with the particulars of your account, to align our marketing communication with your activity. The content of your posts or online discussion fora messages will not be used for any other purposes;
- We may use the information collected during monitoring of our website, network services and email for your protection and the protection of our employees and partners. Such information may be forwarded to law enforcement or other competent authority as required by positive legislation. When you use our website and other network services, you give your explicit consent to the abovementioned;
- Photographs and video recordings made during public events and celebrations organized for ourselves and our Clients may be used and posted on our own or our Clients’ website, in public media releases and for our own or our Clients’ marketing purposes, unless you explicitly refuse to give your consent for the abovementioned, which you will certainly be able to do. You will be notified of such intentions in advance by appropriate disclaimers when you arrive at the public event/celebration;
- When sending a newsletter as the Processor on behalf of our Client as the Controller, and with your consent given to our Client;
- To protect the Company’s employees, we may reveal individual personal information only if we deem it to be necessary or appropriate to protect the health and safety of our employees, property and/or customers, and
- For legally required reporting and data processing purposes.
Sharing your information
As a rule, we will never share your information with third parties without your permission, but there are some exceptions to this rule:
- We may transfer your personal data for use by providers of information-communication solutions and services acting as Processors. We have concluded contracts with such Processors prescribing handling of personal data in detail, so they cannot process your personal data without our request, nor forward them to third parties. Our service providers act solely in accordance with our guidelines, in compliance with our policies, and are subject to appropriate obligations regarding confidentiality and security;
- We are obligated and may share your information with third parties for legal and/or commercial purposes, such as e.g. with the government and competent authorities to comply with positive legislation, and to fulfil reasonable requirements of such authorities, as well as of legal advisers who enforce or protect our legal rights, etc.;
- We may share anonymous, overall or general data, without identifying you, with any other third party (e.g. partners, advertisers, media, public, etc.);
- We may forward the information about our employees to competent authorities to exercise rights and benefits related to employment (pension and health insurance funds, etc.).
International transfer of your data
We process your data within the European Economic Area. In case of a need to transfer your personal information beyond the abovementioned area, such transfer will take place provided that the European Commission has verified the third country’s compliance with the specific data protection level or its application of adequate safeguards in line with the positive legislation.
Automated decision-making and profiling
We hereby inform you that we perform no automated decision-making, including profiling, which would produce legal effects for you or substantially similarly affect you. In case of introducing such processing in the future, we will timely notify you, and enable you to exercise any legally prescribed rights.
V. Personal data retention period
We will retain your personal data only for as long as required to fulfil the purpose for which they were collected or to fulfil legal obligations (e.g. tax regulations).
Consent: Provided data processing is based on your consent, the data are retained until you withdraw your consent.
Contractual relationship: We retain the data related to the performance of a contract for the duration of the contract, and for any further period as prescribed by legal obligations concerning maintenance of archival and accounting documentation.
Security (video surveillance): We delete video surveillance recordings within 6 months at the latest, unless required as evidence in judicial or other proceedings.
After the expiry of the abovementioned deadlines, personal data are permanently deleted or anonymized in such a way that they no longer refer to the individual.
VI. How we protect your personal data
We collect and process personal data in such a way to ensure their proper security and confidentiality in their processing and to enable effective application of the principles of data protection, data minimization, data processing scope, retention period and data availability.
We take any appropriate technical and organizational safeguards to prevent accidental or unlawful destruction, loss, alteration, unauthorized use, disclosure, insight into or access to data.
All our employees are obliged to protect personal data by signing a non-disclosure agreement, which remains in force even after the termination of employment.
We take multiple actions to protect your data from authorized access and use, e.g.:
- Your information may only be accessed by our employees who need such information to perform their job-related activities;
- The information is stored in special and separate folders (special folders in personal computers, special locking storage cabinets), with clearly determined access rules;
- We have taken adequate technical and organizational actions to prevent the loss, exchange and theft of your data or access to your data by unauthorized third parties;
- We have provided adequate physical, electronic and management systems to protect and store the data collected online.
- We have provided adequate physical, technical, organizational and management systems to protect and store the data collected through video surveillance.
VII. Your rights concerning personal data processing
To exercise your rights, you may contact our Personal Data Protection Officer in writing or by email as set out above herein.
At any given moment, without detriment, you may:
- Withdraw your consent for any sort of marketing communication and other processing;
- Request a processing confirmation (about the purpose of data processing, source, category of personal information, receivers or category of receivers to whom the personal information was or could have been transferred, as well as the location of such transfer, the period foreseen for personal information retention);
- Have insight into your personal data;
- Request personal data correction or modification;
- Lodge a complaint against further or excessive personal data processing;
- Block unlawful personal data processing;
- Request deletion of your personal data;
- Request personal information transfer to another Controller.
You can make your requests by simply unsubscribing from our list or by contacting our Personal Data Protection Officer directly.
We will take every request into consideration in compliance with applicable positive legislation governing personal data protection. We reserve the right to charge costs for request processing in cases where such requests are deemed unreasonable. We will respond to every request within a maximum 30 days of receiving such a request.
Right to lodge a complaint with the supervisory authority
At any given moment if you think that our processing of your personal data has violated the Croatian or European personal data protection regulations, you can lodge a complaint against processing of your personal data with a competent supervisory authority, the Croatian Personal Data Protection Agency, or in case of amendment to the applicable regulations, with another authority that will take over its jurisdiction, and as of May 25, 2018 with a supervisory authority within the EU.
VIII. Requirements from judicial authorities
In specific cases, we are allowed to share your personal information without your knowledge or consent, such as the following:
- To prevent or reveal crime;
- To apprehend or prosecute a perpetrator;
- To assess or charge taxes or fees;
- As ordered by the court of law or any other legislation.
IX. Data security and liability
We are aware of our liability concerning your personal data protection. While no online data transfer is fully secure, we take all reasonable technical and organizational actions to ensure a high level of data protection against loss, misuse, unauthorized access or disclosure.
Our safeguards include, but are not limited to:
- Regular security protocol and software updates;
- Control of physical access to our premises and digital systems;
- Confidentiality of all employees and associates involved in personal data processing;
- Application of the “data minimization” principle (by collecting only what is required).
In the event of a personal data breach that could pose a high risk to your rights and freedoms, we undertake to notify the competent supervisory authority and you personally without delay, in accordance with the GDPR provisions.
We disclaim any liability for the third-party content and actions (e.g. links to external websites or sponsored third-party activities) over which we have no direct control, and we encourage you to familiarize yourself with the privacy policies of such third parties.
We regularly review our data processing information to ensure it reflects how we process personal data. The updated version is always available on our website, and we will notify you directly in case of any significant changes affecting your rights and freedoms. You will be timely informed of any amendments or updates to this Privacy Policy via our website, in accordance with the principle of transparency.