MEETEX respects your privacy and takes special care to protect your personal data. This document therefore clarifies which personal data we process, why we process them and how we handle the personal data we process.
Principles relating to processing of personal data
When processing personal data, we follow the principles and rules stipulated in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). When processing personal data, we also take into account the legal obligation of professional secrecy as regulated by EU and Croatian law. Our employees protect personal data as a trade secret, even after termination of employment. We only process personal data as follows:
- lawfully, fairly and in a transparent manner;
- for specified, explicit and legitimate purposes;
- using only accurate, up-to-date, appropriate and relevant data limited to the purpose for which they are being processed;
- keeping them for no longer than is necessary for the purposes for which the personal data are processed; and
- protecting them against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Personal data of children below the age of 16 years are processed only based on the parental or carer consent in the extent and scope consented to. We handle such data with particular care.
Confidentiality and safety
All personal data are handled confidentially, with an adequate level of safety and technical and organisational protection. We never collect, process or otherwise use personal data without authorisation. Our employees only process the data necessary for them to perform their work and the data they have been authorised to process. When our employees process personal data, they do so as authorised and within the scope of their authorisation, that is, exclusively for the purpose for which the data were collected or for which they are processed. When handling personal data, we follow the “need-to-know” principle to make sure that only authorised employees have access to particular personal data during a specified time period. Before introducing new technologies that can be used for personal data processing, we perform a thorough analysis and adjust our technical and organisational measures to ensure that the highest personal data protection standards are applied.
Guidance for employee actions
Employees protect personal data by:
- Using strong passwords on computers and mobile devices known only to them, changing them regularly and not disclosing them to third persons;
- Regularly checking whether data are up to date and what their purpose is. If personal data are no longer used, or if they are not up to date and cannot be updated, they are either deleted or anonymised;
- Locking the computers they work on that carry personal data whenever those computers are left unattended;
- Making sure that personal data they have access to are not submitted to or disclosed to unauthorised persons and
- Consulting the Data Protection Officer or authorised person when in doubt regarding any aspects of personal data protection.
We take special care regarding how data are stored, whether in printed, electronic or any other form. Personal data in printed form, including printouts of data generally kept in electronic form, are handled as follows:
- When not used, are stored in a closed drawer or file cabinet accessible only by authorised persons;
- All employees are obligated not to leave such documents in visible places, that is, anywhere where unauthorised persons might access personal data and
- When they are no longer used, they are destroyed in a paper shredder or in another technically acceptable way, and are disposed of appropriately and in an environmentally conscious manner.
Personal data in electronic form are protected from unauthorised access, accidental alteration or deletion, and unauthorised system access by applying a series of organisational and technical measures, such as:
- Using strong passwords which are regularly changed, known only to authorised persons and not disclosed to third persons;
- If personal data are on portable media (e.g. CD, DVD, USB stick, portable HDD…), such portable media are safely stored, locked and put away at a location accessible only to authorised persons;
- For storage purposes, we exclusively use official storage media and servers, that is, selected cloud services with appropriate organisational and technical protection measures in place and with guarantee of their application;
- Servers where personal data are stored are at a safe location with access allowed only to authorised persons;
- Personal data shall not be stored directly on mobile devices (e.g. tablet, smartphone, etc.) unless this is necessary for the performance of a contract, that is, for providing an agreed service, and then only for the agreed duration and scope and only where necessary;
- All servers and computers with personal data have been protected with adequate technical protection measures such as encryption programmes, firewalls, etc.
All personal data are processed lawfully, in accordance with the terms, principles and standards of the General Data Protection Regulation and national legislation. Processing is primarily based on the performance of contractual relations or compliance with contractual and legal obligations, and on clear and unambiguous affirmative consent. Particular attention is paid to the processing of special categories of personal data. We mostly deal with special categories of personal data of our employees, who provide explicit consent for their processing, or the data are processed in order to protect and exercise the rights and interests of employees in the area of labour law and social security and social protection law.
We occasionally process special categories of our clients’ personal data, for which the clients provide explicit consent, mostly to ensure that their health is protected during travel (such as data about allergies, etc.). We do not use automated personal data processing, including profiling, to make decisions that produce or may produce legal effects for data subjects or that may otherwise significantly affect data subjects and the exercise of their rights. We make sure that we collect personal data directly from the data subjects to whom the personal data relate. When collecting personal data, the data subjects are always informed about the reason and purpose of processing as well as the legal basis for such processing. If we collect personal data from third parties, we first take steps to make sure that the third party has a valid authorisation, consent or other legal basis for providing such personal data. In this case, we provide all the information required by the General Data Protection Regulation.
Transfer of personal data
Before transferring personal data to third parties, we make sure that recipients comply with the General Data Protection Regulation and national legislation, and we may, if necessary, request guarantees or direct insight into their security and protection measures.
Data protection impact assessment
If, after consulting the Data Protection Officer, we estimate that some processing, especially when using new technologies and taking into account the nature, scope, context and purpose of the processing, is likely to pose a high risk to individuals’ rights and freedoms, we perform an impact assessment of the envisaged processing procedures on the protection of personal data. Such an impact assessment normally consists of a systematic description of the envisaged processing procedures and the purpose of the processing, an assessment of the necessity and proportionality of the processing procedures with respect to that purpose, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks and demonstrate compliance with the General Data Protection Regulation.
International transfer of personal data
We do not transfer personal data to third countries or international organisations (international transfer), except for the performance of contractual arrangements or services, in legally required cases, or at your explicit request with clear, unambiguous and accurate consent. Any transfer of personal data to a third country or an international organisation is based solely on:
- a list of countries and international organizations which ensure an adequate level of protection, in accordance with the published European Commission Decision;
- envisaged appropriate protective measures such as binding corporate rules, instruments of public authorities, or an approved code of conduct together with the binding and enforceable obligations of the controller or processor in the third country relating to the consistent application of those protective measures; and
- the existence of appropriate institutional legal protection of data subjects in the third country.
Any court judgement or decision of a third country’s administrative body requiring the transfer or disclosure of personal data shall not bind us nor shall we act upon it, unless it is based on an international agreement binding for the Republic of Croatia, such as a mutual legal assistance treaty.
Accuracy and updating of personal data
It is important to us that data are accurate and up to date, not only in order to achieve the purpose of data processing, but also to allow you to exercise your rights and protect your personal data. Therefore, we take appropriate technical and organisational measures to ensure that personal data are accurate and up to date, in accordance with the personal data categories and their importance for achieving the purpose of processing. To ensure that personal data are accurate and up to date, personal data are stored in as few locations as possible (that is, only where necessary), and employees do not create or use unnecessary copies, additional databases, sets or other groupings of personal data. This is how we reduce the risk of unwanted handling of personal data.
The Data Protection Officer cooperates with the Personal Data Protection Agency as the supervisory body and acts as the contact point for the supervisory authority regarding personal data processing and, where appropriate, all other matters.
Exercise of the data subjects’ rights
We reserve the right to create a separate electronic form on our website as a standardised way of submitting requests for exercising the data subject’s rights, but this will not affect the data subject’s option to send such a request to the specified email address. The Data Protection Officer will take appropriate steps to unambiguously establish the identity of the applicant before providing any information pertaining to personal data. We take the security of personal data very seriously and therefore carry out appropriate verification measures to reduce any risks. Information regarding the exercise of rights is provided in electronic form, free of charge.
If you request a copy of such data or make repeated requests relating to the substantially equal exercise of rights, or in the case of obviously unfounded or excessive requests, we will charge a monetary fee based on the actual administrative costs of meeting such a request. If the processing of your personal data is based on your consent, you may withdraw that consent at any time in a simple and transparent way, and request that we stop processing your personal data for marketing and promotional purposes.
MEETEX is not an autonomous public entity but an event jointly organised by CMPA – Croatian Meeting Professionals Association as the main organiser and Inovativni eventi d.o.o. as the technical organiser, both from Zagreb, Croatia.
This document and policy was prepared with the assistance of GDPR-MEDIA j.d.o.o., Ivice Sudnika 7, Samobor; OIB: 23309501979; e-mail: firstname.lastname@example.org.
Zagreb, May 2018