Version 1.0 (24 May 2018)
- Principles relating to processing of personal data
- Manner of personal data collection by SRCE
- Basis of personal data processing by SRCE (legal basis)
- Personal data coupling
- Data subject's consent
- Manner of personal data protection by SRCE
- Location of personal data processing
- Conditions for transfer of personal data by SRCE to third parties
- Rights of the data subject
- Policy amendments and entry into force
The University Computing Centre (SRCE) attaches immense importance to protecting personal data and privacy (hereinafter: protection of privacy) of all its data subjects in accordance with applicable regulations and European best practices. The protection of privacy of SRCE data subjects is an important element in shaping each of our services.
The Policy neither diminishes data subjects' rights nor establishes their obligations with regard to the processing of personal data that data subjects were granted based on applicable regulations and possible contractual provisions on personal data protection. The Policy is a legally binding unilateral act adopted by SRCE.
This Policy applies to data subjects of SRCE services, that is, to any person whose personal data is collected, used or otherwise processed by SRCE.
Personal data are any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Policy applies to all SRCE services involving activities of personal data processing in which SRCE is the controller in the sense of the General Data Protection Regulation (the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en).
It is necessary to differentiate situations in which SRCE is the controller from situations in which SRCE is the processor of personal data with regard to actions taken by both SRCE and its data subjects.
SRCE aims to be a trusted partner in the protection of data subjects' privacy and to justify their trust. SRCE will, therefore, enable its data subjects to exercise all their rights granted by the General Data Protection Regulation.
- Lawfulness and best practices
SRCE will, during the processing of personal data, not only act in accordance with positive regulations governing the protection of personal data, but also always strive to apply European best practices.
- Restriction of processing
SRCE collects and processes personal data only for a particular purpose and does not further process them in a way that is not in accordance with the purpose for which they were collected, unless provided otherwise by law or on the basis of data subject's consent.
- Data minimisation
SRCE uses only that personal data that is appropriate and necessary to achieve a particular purpose.
- Processing of anonymous information
SRCE will endeavour, whenever possible and justified, to use anonymous information which does not relate to an identifiable data subject. It will also, whenever possible and justified, apply techniques of pseudonymisation, that is, process personal data in such a way that personal data are changed so that they can no longer be attributed to a specific data subject without the use of additional information which is kept securely and separately.
- Integrity and confidentiality
SRCE processes personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (for example,the access to data subjects' personal information is granted only to authorised persons who require such information to perform their tasks, but not to other SRCE employees).
- Personal data quality
SRCE attaches great importance to the quality of data it processes. Personal data processed by SRCE must be accurate and complete in order to ensure their maximum protection and prevent their abuse. It is, therefore, important that a data subject, without delay, notifies SRCE about any changes to his or her data.
- Storage period limitation
SRCE stores and processes data subjects' data only as long as necessary to complete a particular processing, unless applicable regulations provide for a longer or shorter period for which such data will be stored or in other cases explicitly prescribed by law. After such period, data are permanently deleted, made anonymous or subject to pseudonymisation.
SRCE collects data subjects' personal data (hereinafter: data) in four basic ways:
- Directly from the data subject, where the data subject personally provides us with his or her information. The most common example of such data collection is submitting an application for a particular service, whereby the data subject, should he or she wish to use that particular service, provides data and documents necessary for the service (for example, name, surname, address, document copy, personal identification number (OIB), etc.). Data are also collected from legal persons – SRCE services data subjects who, according to our terms of service, provide us with data on natural persons.
- Indirectly, by linking information systems, but only with the prior appropriate notice to the data subject.
- By automatic use of SRCE services by the data subject. For example, through the use of its services, SRCE collects data on internet connection, IP address, time and duration of communication, and the like.
- From publicly available sources, such as public phone directory information, official websites of legal persons, publicly available services, etc.
The prerequisite for any data subject's personal data collection is the existence of an appropriate legal basis.
SRCE, as the controller, bases the processing of personal data on one of the following basis:
- Processing is necessary for the use of service provided by SRCE which the data subject can access by request or by filling in the application form in accordance with terms of service that are publicly available on the SRCE website, where such fulfilment of application or request is characterised as concluding the contract for using the service with SRCE;
- Processing is necessary in order to comply with legal provisions and other regulations that SRCE is subject to, as well as to exercise the public authority that SRCE may be granted in accordance with law by the competent national authority;
- Processing is necessary for legitimate interests pursued by SRCE, as an infrastructural institution of the academic community and the central hub of e-infrastructure system for science and higher education in the Republic of Croatia, which develops and maintains services and utilities for the needs of the community, as well as promotes and facilitates the use of new technologies in the process of education and research;
- Processing is necessary for a purpose not covered by the above points and is based on the informed consent of the person whose personal data is collected.
Data subject's personal data related to a particular SRCE service may, when necessary, be coupled with that same data subject's personal data related to other SRCE services while respecting the legal basis stated in point 4, all in order to enable SRCE to receive more accurate information on the needs of the data subject and ultimately be able to provide the data subject with optimal support and service.
Data subject's consent is any freely given, specific, informed and unambiguous indication of data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data for a particular purpose (so-called opt-in). The consent may be given electronically or in writing.
A data subject may manage his or her consent in accordance with his or her needs and interests. For this purpose, SRCE allows the data subject to easily give or withdraw his or her consent at any time.
SRCE uses a number of technical and organisational measures to protect data subjects' data from unauthorised access within and outside of SRCE, as well as alteration, loss, theft and any other breach or abuse of data in accordance with regulations applicable in the Republic of Croatia and European best practices.
SRCE generally processes personal data in the Republic of Croatia. Exceptionally, it may also process data in other countries (for example, when engaging a contractor from another country to provide a particular service or a part of service that includes personal data processing), primarily other European Union Member States. When it processes data in other countries, it will always ensure the adequate level of personal data protection and inform its data subjects thereof.
SRCE neither transfers nor exchanges data subjects' data with any other legal or natural persons (hereinafter: persons) other than in the following events:
a) Where the provision of personal data is a statutory requirement or subject to an express authorisation granted in accordance with law (for example, on the basis of judicial request);
b) Where other person is engaged to perform certain tasks as the processor, whereby SRCE will ensure that adequate data protection measures are taken;
c) Where data need to be transferred to third parties for the purpose of executing the contract with the data subject or providing the requested service (see point 4);
d) Based on the data subject's consent.
SRCE will in all referred cases where personal data is transferred to third parties ensure that data subjects are informed about such transfers through the appropriate Privacy Notice.
Under the terms of the General Data Protection Regulation, the data subject has the right of access to his or her personal data collected by SRCE, the right to erasure (right to be forgotten), the right to restriction of processing, the right to object, the right to data portability and the right to rectification, where data are incorrect.
Data subject can contact SRCE for all questions about the processing of data at the contact address for the SRCE service which he or she is using or at the contact address of the SRCE helpdesk (helpdesk [at] srce.hr, http://www.srce.unizg.hr/kontakt).
For questions related to the protection of personal data in SRCE, please contact the SRCE Data Protection Officer at e-mail: zop [at] srce.hr or by post addressed to the SRCE main office.
The data subject has the right to lodge a complaint about the collection and processing of personal data with the supervisory authority for the protection of personal data in the Republic of Croatia.
This Policy is adopted as a public part of the Rules on Personal Data Protection in SRCE, and enters into force and begins to apply as of 25 May 2018.
Data subjects will be timely notified of possible amendments to the Policy, including via the announcement on the SRCE website.