Effective from: May 2023
At TasteMakers, we know how important privacy is to our employees, suppliers, customers and everyone else we work with. We aim to be clear about how we collect, use, disclose, transmit and store personal information.
Scope and purpose
Liability for compliance
Principles of the General Data Protection Regulation
Special categories of personal data
Sharing of personal data (including non-EEA data transfer)
Profile development and automated decision making
Data subjects rights
Violation of personal data
Permission to access data
Useful contact information
1. Scope and purpose
This document sets out the data protection rules and legal requirements to be met, which relate to the collection, handling, processing, storage, transfer and destruction of personal data.
The types of data we may process include details of current, past, and potential future staff members, suppliers, customers, and anyone we interact with. Data stored on paper, computer or other media are subject to legal safeguards set out in the General Data Protection Regulation (“GDPR”) and applicable data protection law, which impose restrictions on the manner in which we may use such data.
Maintaining the highest standards in our handling of personal data is a collective and individual responsibility and these Policies apply to the ways of obtaining, using, storing, deleting and other forms of personal data processing that we encounter in our business. They include an extensive summary of the major data protection obligations that apply to us as an organization.
Staff members will also be required to attend training on this and related rules at TasteMakers’s request.
2. Liability for compliance
The Data Protection Officer is responsible for supervising the implementation of data protection and compliance with these Rules.
People in management positions are responsible for ensuring that members of their teams follow data protection rules.
3. Our liability
The General Data Protection Regulation provides for high fines for organizations that violate its provisions. Depending on the type of violation, organizations could pay a fine of up to €20 million, or 4% of the total annual worldwide turnover for the last financial year.
Criminal records data refers to criminal offences committed by a person and the convictions imposed on them.
Controllers are persons or organizations that determine the purposes and means of processing personal data. It is their duty to establish practices and rules that comply with the General Data Protection Regulation. We are the controller of all personal data used in our business. Our suppliers, consultants and contractors can also be controllers.
Data subjects for the purposes of these Policies include all living individuals whose personal information we hold, including current, past and potential clients, suppliers, agents, investors and members of our staff. All data subjects have legal rights regarding their personal data.
Personal data are data relating to a living individual whose identity can be established on the basis of such data (or on the basis of these and other data in our possession). Personal data can be facts (e.g., name, address, or date of birth) or opinions (e.g., performance appraisal). The definition of personal data in the General Data Protection Regulation and the applicable data protection law is very broad, so it is possible to classify a lot of identifiers under personal data accordingly. This includes name, identification number and location information.
Processing is any process that involves the use of personal data. It involves obtaining, using, reviewing, accessing, recording, or possessing data or performing a single action or set of actions related to data, including organizing, correcting, retrieving, using, detecting, deleting, or destroying data. Processing also involves the transfer of personal data to third parties.
Special categories of personal data (formerly known as sensitive personal data) include information on a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition and sexual life, and genetic and biometric data processed for the purpose of uniquely identifying an individual.
5. Principles of the General Data Protection Regulation
Anyone who processes data must comply with the applicable principles of good practice set out in the General Data Protection Regulation, which TasteMakers will adhere to in the following ways:
We will process personal data legally, fairly and transparently (see under “lawfulness, fairness and transparency”).
We will collect personal data for specific, explicit and legitimate purposes and will not process it in a way that is not in accordance with these purposes (see under “purpose limitation and data minimisation”).
We will process personal data that is appropriate, relevant and limited to what is necessary in relation to the purposes for which it is processed (see under “purpose limitation and data minimisation”).
We will ensure that personal information is accurate and up to date as required; if the data is inaccurate, we will take all reasonable steps to have it erased or corrected without delay, taking into account the purposes for which the data is processed (see “accuracy”).
We will keep personal data in a form that allows the identification of the individual to whom it relates only for as long as is necessary for the purposes for which the personal data are processed (see under “storage limitation”).
We will apply appropriate technical or organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (see under “integrity and confidentiality”).
The following is additional information on each of these principles.
5.1. Lawfulness, fairness and transparency
The aim of the applicable law on personal data protection is not to prevent the processing of personal data, but to ensure that this is done fairly and without adversely affecting the rights of data subjects.
The processing of personal data is lawful if one of the legal conditions for processing is met. These legal conditions include the following: the data subject has expressly and freely given consent to the processing; processing is prescribed by law; processing is necessary for the performance of a contract we have entered into with the data subject; processing is necessary for the legitimate interests of TasteMakers or the party to whom the data is disclosed (except where those interests are overridden by the interests or fundamental rights and freedoms of the individual). Before processing personal data (for example, before collecting personal data from an individual), we consider the reasons for collecting the data and why we need it. We also establish a legal basis that allows us to lawfully obtain and process the data.
The data subject must by law be provided with certain information, including (but not limited to) the following: who the controller is (in this case, we, TasteMakers, Zagreb, Trg kralja Tomislava 21, Croatia); the purposes for which we will process the data; the legal basis for the processing; the identity of the persons to whom the data may be disclosed or transmitted; and the rights of the data subjects in relation to their personal data. This information must be included in an appropriate data privacy notice or fair processing statement.
5.2. Purpose limitation and data minimisation
Personal data may be processed only for certain purposes of which the data subject was informed during the first data collection or for other purposes expressly permitted by the applicable data protection law. This means that personal data may not be collected for one purpose and used for other purposes. If it is necessary to change the purpose for which personal data are processed, the data subject must be informed of the new purpose before beginning any processing.
5.3. Accuracy
Personal information must be accurate and up to date. Incorrect or misleading data is inaccurate, so steps need to be taken to verify the accuracy of all personal data at the time of collection and thereafter at regular intervals. Inaccurate or out-of-date data needs to be corrected or destroyed.
5.4. Storage limitation
Personal data should be kept in a form that allows the identification of the individual to whom they relate only for as long as is necessary for the purposes for which the personal data are collected. This means that data needs to be destroyed or deleted from our systems when it is no longer needed, and personal data that must be retained needs to be pseudonymised or otherwise hidden where possible.
After the retention period, records containing personal data will be safely removed and destroyed, unless there is a valid business reason to keep them after this period (for example, the data subject has initiated a dispute against us and the retained personal data is relevant to that dispute).
5.5. Integrity and confidentiality
We are obliged to take appropriate protection measures against unlawful or unauthorized processing of personal data and against their accidental loss or damage. A data subject can initiate proceedings in court to obtain compensation for damage caused by the loss of personal data.
Preservation of data security means ensuring the confidentiality, integrity and availability of personal data, which are defined as follows:
Confidentiality means that only those persons authorized to use personal data have access to them.
Integrity means that personal data must be accurate and appropriate for the purposes for which they are processed and reliable for their lifetime (i.e., unauthorized persons may not alter that data).
Availability means that authorized users have access to data when they need it for approved purposes. Therefore, personal data must be stored on our central computer system rather than on individual personal computers.
Security procedures include:
Access controls. Report any stranger in rooms with controlled access.
Secure lockable desks and cabinets. Lock desks and cabinets if they hold confidential information of any kind. (Personal information is always considered confidential.)
Methods of destruction. Paper documents need to be shredded. Floppy disks and read-only CDs (CD-ROMs) need to be physically destroyed when they are no longer needed.
TasteMakers staff members are required to ensure that confidential information is not visible to passers-by on screens and to log out of a personal computer when it is left unattended.
TasteMakers adheres to all procedures and uses all available technologies to maintain the security of all personal data from the time it is collected until it is destroyed. In practice, this means the following:
Only personal data for which there is permission can be accessed and only for approved purposes.
No other person (including other TasteMakers staff members) should be given access to personal information unless they have the appropriate permission to do so.
Personal data is protected, for example, by complying with the rules on access to premises, access to a computer, password protection and encryption, enabling secure storage and destruction of data, and other security measures set out in TasteMakers’s data security policy.
Personal data (including personal data in files) or devices containing personal data (or devices that can be used to access personal data) are not removed from TasteMakers’s premises unless appropriate security measures are taken (e.g. pseudonymization, encryption or password protection) to protect data and devices.
Personal information is not stored on a local disk or personal device used for business purposes.
6. Special categories of personal data
From time to time, we may need to process specific categories of personal information.
We will only process special categories of personal data when we have a legal basis to do so (see Section 5 of these Policies) and when one of the special conditions for processing special category data applies. Special conditions include, but are not limited to, the following:
The data subject has given their explicit consent to the processing.
Processing is necessary for the purposes of exercising the rights and fulfilling the obligations of TasteMakers or data subject in the field of labor law.
Processing is necessary to protect the vital interests of the data subject, and the data subject is physically incapable of giving consent.
Processing relates to data that have manifestly been made public by the data subject.
Processing is necessary to establish, enforce or defend legal claims.
Processing is necessary for reasons of substantial public interest.
Special categories of personal data will not be processed:
until an impact assessment of the collection has been conducted, and
until the data subject has been duly informed (by a privacy statement or otherwise) of the nature of the processing, the purpose for which it is carried out and the legal basis on which it rests.
7. Sharing of personal data (including non-EEA data transfer)
Personal data may only be transferred to a third-party service provider that agrees to comply with the necessary rules and procedures, to comply with all relevant contractual provisions we require of it, and to implement appropriate measures upon request.
Personal data may be shared with another member of our group’s staff (which includes our subsidiaries and our parent company together with its subsidiaries) only if the recipient needs such data for business purposes and the transfer complies with applicable cross-border transfer restrictions (see below).
Data protection legislation restricts the transfer of data to countries outside the European Economic Area (“EEA”) in order not to jeopardize the required level of data protection. Personal data originating from one country are transferred across the border if they are transmitted, sent, inspected or accessed in another country. Prior to the cross-border transfer of personal data, it will be checked that all the necessary conditions have been met.
8. Profile development and automated decision making
There are significant limitations regarding the circumstances in which it is possible to make an automated decision about individuals (that is, a decision made solely by automated means, without any human involvement). This also applies to profiling (the automated processing of personal data to assess certain aspects of an individual, for example whether the individual would be interested in certain products).
This type of decision-making is possible only for the purpose of performing a contract, when it is permitted by law, or if the individual has given their explicit consent. Individuals have the right to information about such decision-making and have certain related rights, including the right to request human intervention and the right to challenge a decision; there are also strict restrictions on this type of decision-making where special categories of personal data are used.
Any profiling activity will be carried out in full compliance with the relevant legislation.
9. Direct marketing
There are strict data protection requirements regarding direct marketing aimed at our customers, and we follow all guidelines that apply to us.
10. Record keeping
It is important that we can demonstrate that we adhere to the principles of data processing. Therefore, when necessary, we keep appropriate records of our handling of personal information. These may include records of the legal basis on which we process personal data, records of information sent to data subjects, and records of our processing of personal data.
11. Data subjects rights
Personal data is processed in accordance with the rights of data subjects. Data subjects have the following rights:
If they have given their consent to the processing, they can withdraw that consent at any time (this must be as simple as giving it).
They have the right to clear, transparent and easily understandable information about the ways in which their personal data is used (which is why we provide a privacy statement).
They have the right to request access to all data in the possession of the controller relating to them.
They have the right to request that incorrect information be amended and corrected.
They have the right to request the deletion of data relating to them which are in the possession of the controller if certain conditions laid down by applicable law are met.
They have the right to request a restriction on processing in cases where certain conditions set out in applicable law are met.
They have the right to request the transfer of data to another controller if certain conditions set out in applicable law are met.
They have the right to object to the processing of personal data if certain conditions set out in the applicable data protection law are met.
They have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects relating to them or similarly significantly affects them, unless they have given their express consent or it is necessary for concluding or executing contracts with them.
They have the right to complain to the Personal Data Protection Agency regarding our data processing (contact details are below), although we would like to encourage data subjects to contact us first in case of any doubts so that we can try to solve the problem.
If a data subject wants to exercise any of their rights, they should contact the Data Protection Officer. Appropriate steps may need to be taken to establish the identity of the applicant.
The official request of the data subject (applicant) for access to personal data relating to them and held by TasteMakers may be submitted in writing. However, the data subject’s request for access to personal data does not necessarily have to be official, nor must it be submitted in writing (access to personal data can be requested on social networks or by telephone). Any staff member who receives a request for access to personal data shall without delay forward the request to the Data Protection Officer and/or the Legal and Compliance Service.
The Data Protection Officer shall, except in exceptional cases, respond to the request within 30 days of its receipt. If TasteMakers is unable to provide the requested personal information, the reasons for this will be fully documented and the data subject will be notified in writing. The data subject will also be provided with information on the competent supervisory authority to which the complaint can be lodged, in accordance with the requirements of the applicable data protection law.
12. Violation of personal data
A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. A breach does not necessarily involve the disclosure of personal data to an external source without the necessary permission; it may also mean that someone from the inside accessed that data without the necessary permission.
We are obliged to report some forms of breach to the competent regulatory body, and in a limited number of cases to the data subjects themselves.
We will promptly notify TasteMakers’s Data Protection Officer and/or the Legal and Compliance Department of any personal data breach or suspected breach so that they can take the necessary measures or, if necessary, escalate the matter further.
13. Permission to access data
Access to data collected and/or used by TasteMakers is granted only to the following persons:
Personal customer data collected through websites designed for specific marketing purposes:
Legal representatives of TasteMakers
Marketing staff whose job responsibilities include handling personal data collected for specific marketing purposes
14. Policy Update
The Human Resources Department, the Legal and Compliance Department and the Monitoring Service are responsible for maintaining, regularly reviewing and updating these Rules. You will be notified of updates and changes to these Policies via the bulletin board and/or e-mail.
15. Useful contact information
Regarding data protection, you can contact the following address:
Trg Kralja Tomislava 21, Zagreb, Croatia
Email address: email@example.com