General data protection regulation

Hrvoje Požar Energy Institute (in the text: the Institute), as a legal entity with public authorities and as a controller or executor of personal data processing, manages and processes personal data collected by the General Data Protection Regulation (EU Regulation 2016/679) and the Evidence Act of the General Regulation on Data Protection (OG 42/18).

Every respondent (a person whose personal data is kept and processed at the Institute) has the right to access, correct, or delete their data and the right to object.

 

The respondent applies for these rights by submitting a written request:

  • in person or by mail to the address:

Personal Data Protection Officer

Hrvoje Požar Energy Institute

Savska cesta 163

10000 Zagreb

 

Institut's Personal Data Protection Officer

Valent Pessi (e-mail: zastita.podataka@eihp.hr )

Report on the appointment of the data protection officers

 

GENERAL DATA PROTECTION REGULATION

Hrvoje Požar Energy Institute is a scientific institution that performs the following activities:

  • activities in the field of energy, the performance of proven and promotion of the energy policy, the benefit of renewable energy sources and efficient use of energy, writing publications, holding consultations, seminars,
  • professional workshops and other forms of education in the energy field,
  • performing scientific and professional work in the energy sector: for the necessities of the Republic of Croatia, municipalities, and local self-government units; for legal entities activities in the field of energy,
  • preparation of draft acts adopted by the regulatory authority for energy, and performing other professional tasks for energy activities,
  • professional efforts of environmental protection, activities in the field of nature protection, professional activities of physical planning, design and professional supervision of construction and technical consulting, related to the energy field,
  • monitoring the situation in the energy sector and keeping registers and databases on that situation, processing collected data, preparing national energy reports and other documents connected to the condition in the energy sector for the needs of the Croatian authorities, legal entities with public authorities in the energy sector and other legal entities perform energy activities,
  • participation in the arrangement of strategic planning and operational documents in the energy sector and in the preparation of expert bases for spatial planning documents of the Republic of Croatia and lower-level spatial planning documents in the part that meets energy development requirements (needs and methods of energy supply, energy production, energy efficiency, environmental care)
  • energy certification, building energy audit, and regular inspection of the building's heating, cooling, and air conditioning systems

We process personal data following the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of individuals concerning the processing of personal data and the free movement of such data (General Data Protection Regulation), data protection (OG 42/2018) and other relevant regulations applicable in the Republic of Croatia.

 

PURPOSE OF PROCESSING

  • Realization of mutual obligations arising within the contractual relations, related to the performance of services,
  • informing the public about the activities of the Institute through the media,
  • including social networks and web streaming, protection of persons and property by video surveillance measures, including social networks and web streaming,
  • protection of persons and property by video surveillance measures,
  • other purposes that individuals are informed, by the provision of the General Data Protection Regulation.
 

PRINCIPLES OF DATA PROTECTION

We process data:

  • Legal - only if the processing is allowed by law and limits prescribed by law.
  • Fair - respecting the specifics of the business relationship, applying all measures to protect personal data by facilitating the exercise of rights.
  • Transparent - providing information in clear and easily accessible terms within the regulations set by General data protection.
  • Limited purpose - the data collecting and other actions taking into account (a) any link between the aim of collecting the personal data and the purposes of the continued process; (b) the context of collecting data, in particular concerning business relationships; (c) the nature of personal info, in particular, whether special categories are processed data under Article 9 of the Regulation or personal data relating to criminal convictions and criminal offenses acts following Article 10 of the Regulation; (d) the possible consequences of the intended continuation of processing for respondents; and (e) the existence of appropriate precautions.
  • With storage limitation - keeping data in a form that allows individual identification only as necessary processing of personal data, and longer only if permitted by the Decree.
  • In addition to reducing the amount of data - we make sure that the data we process is appropriate, relevant, and limited to what is necessary.
  • Taking care of accuracy - we take care of the accuracy and up-to-dateness of the data and delete incorrect data under the requirements of the Regulation.
  • Special attention to integrity and confidentiality - we take care of technical and organizational measures adequate security of personal data depending on their risk, including protection against unauthorized or unlawful processing and from accidental loss, destruction or damage by applying appropriate technical or organizational measures.
 

Legality, legal bases of data processing can be:

  • fulfillment of legal obligations of the Institute,
  • performing a task of public interest or in the exercise of official authority of the Institute,
  • concluding or executing a contract,
  • legitimate appeal to the extent that it is more important than the interest of the respondents not to process the data,
  • consent, another legal basis under the Regulation.

 

RECIPIENTS

Under special regulations, we may also submit personal data to public organizations to perform their official tasks.

If we hire a natural or legal person for the procedure of the personal data, exclusively in our name and according to our instructions (executors), we consider hiring only processors based on a written contract, who sufficiently guarantee the implementation of appropriate technical and organizational criteria. Standards that meet the requirements of the General Data Protection Regulation and personal data protection regulations, so we can ensure the protection of your rights.

In certain business relations, the Institute also appears as the executor of data processing for those users who have entrusted us with given business cooperation by contract.

 

THE RIGHTS OF RESPONDENTS

Regardless of the legal basis of data processing, respondents are entitled to:

- access, modification or supplementation of data, - deletion ("right to forget") of the personal data,

- restrict data processing or object to data processing,

- if the data are given based on consent, can be removed, - the right to file a complaint to the competent supervisory authority - in Croatia, it is the Agency for Personal Data Protection (more on this at www.atop.hr).

All rights are subject to proportionally restrictions by the Regulation.

 

DATA STORAGE

Energy Institute Hrvoje Poža keeps certain data permanently, prescribed by special laws. However, the vast majority of information is kept to a minimum and to the extent necessary to fulfill mutual obligations to our partners, additionally the deadline for data retention depends on the fulfillment of contractual obligations.

If we process data founded on consent, we retain the data until the consent is withdrawn, except in the case of legal data retention obligations based on which proof of competence for obtaining work. We keep such data for the duration, following special regulations.

Data from the video surveillance system are regularly deleted and saved for a maximum of 6 months, except in cases when they are necessary for conducting proceedings before the competent authorities.

 

ADDITIONAL INFORMATION

  • TECHNICAL AND INTEGRATED DATA PROTECTION

Energy Institute Hrvoje Požar protects personal data taking into account the latest achievements, cost of the implementation and the scope, context, and purposes of the processing, as well as the risks of different levels of probability and severity for the rights and freedoms of individuals arising from the processing of data, at the time of determining the means of processing and at the time of processing, and implements appropriate technical and organizational measures to enable the efficient application of data protection principles.

Appropriate technical and organizational measures have to be applied to ensure that only personal data is necessary for each specific processing purpose in an integrated manner. This measure refers to the amount of personal data collected, the scope of their process, the period of storage, and availability.

  • RECORDS OF PROCESSING ACTIVITIES

Hrvoje Požar Energy Institute, as the processing manager, keeps records of processing activities, which contain: - name and contact details of the processing manager; joint processing manager, if applicable; - processing purposes; - description of categories of respondents and personal data; - categories of recipients to whom personal data have been or will be available, including recipients in third countries or international organizations; - if possible, deadlines for deleting different categories of data; - if possible, a general description of the technical and organizational security measures.

  • TREATMENT OF PERSONAL DATA BREACHES

The Institute ensures that in the event of personal data breaches without unnecessary delay and, if practicable, no later than 72 hours after learning of the violation, shall report to the protection of personal data on the personal data breach. Unless it is unlikely that personal details are data pose a risk to the rights and freedoms of individuals.

When prescribed by the Decree, the Institute informs the respondents about the violation of personal data without undue delay.

  • DATA PROTECTION IMPACT ASSESSMENT

The Hrvoje Požar Energy Institute does not process data that is likely to pose a high risk to the rights and freedoms of respondents. However, if a particular treatment is exceptionally high-risk, the Institute will impact by envisaged processing operations on the protection of personal data following the requirements of the Regulation.