Privacy policy

1 INTRODUCTION

 

The Croatian Bureau of Statistics (hereinafter referred to as: the Bureau) is a central administration body (state administration organisation) and the main producer, disseminator and coordinator of the official statistical system of the Republic of Croatia, as well as the main representative of the national statistical system before the European and international bodies competent for statistics.

Official statistics provide impartial statistical data to the government, economy and the public on economic, demographic, social, health and environmental status of a country, the activities or events that can be measured by statistical methods, and ensure that the international obligations of the Republic of Croatia relating to the production and dissemination of official statistics are met.

Official statistics are based on the principles of professional independence, impartiality, objectivity, reliability, statistical confidentiality and cost-effectiveness.

The area of official statistics in the Republic of Croatia is regulated by the Official Statistics Act (NN, Nos 25/20) and by implementing regulations adopted on the basis of this Act.

The European Statistical System is governed by Regulation (EC) No 223/2009 of the European Parliament and of the Council on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities, as well as by other acts of the European Union that constitute the legal framework for the development, production and dissemination of European statistics, and by Regulation (EU) No 2015/759 of the European Parliament and of the Council of 29 April 2015 amending Regulation (EC) No 223/2009 on European statistics.

2 THE PURPOSE OF PERSONAL DATA PROCESSING

The Bureau shall collect and process personal data for the purpose of performing its official duties, namely the following data:

-     of legal entities and natural persons or public authorities (reporting units/administrative sources of data) for the purpose of performing the tasks of official statistics, that is, producing official statistical data

-     of employees and their family members, as well as of persons engaged in professional training for the purpose of fulfilling the obligations of the employer towards employees/persons in professional training

-     of candidates for public tenders, job announcements and public calls for professional training for the purpose of conducting the aforementioned

-     of all persons with whom the Bureau realises business cooperation for the purpose of fulfilling the obligations arising from business cooperation

-     of users of statistical data for the purpose of meeting the legal and contractual obligations, as well as for other purposes (more details in item 7)

- of video surveillance for the purpose of protecting persons and property.

The Bureau shall respect the privacy and protect the personal data of reporting units, users, employees, candidates for public tenders/job announcements/public calls, and all persons with whom it realises business cooperation and whose personal data it collects and processes for the performance of its official duties.

3 PROCESSING OF PERSONAL DATA FOR THE PRODUCTION OF OFFICIAL STATISTICS

For the production of official statistical data, the Bureau shall conduct the processing of personal data for the purpose of exercising the official authority stipulated by the act establishing the organisation and scope of work of central state administration bodies, the act establishing the scope of work of official statistics in the Republic of Croatia, the Programme of Statistical Activities and the Annual Implementation Plan of Statistical Activities in the Republic Croatia.

3a) Confidentiality of personal data collected for statistical purposes

Personal data processed by the Bureau, if such data can be directly or indirectly linked to a natural or legal person, are statistically confidential and represent an official secret.

Personal data collected for the purpose of official statistics shall be used only for statistical purposes and expressed in aggregate form, and they may not be the basis for determining any rights and obligations of the reporting units, such as administrative, legal or tax purposes, or for checking the persons they refer to.

3b) Access to personal data collected for the production of official statistics

In order to reduce the burden on the reporting units and to ensure the harmonisation necessary to produce official statistics or to evaluate the quality of the results, the Bureau may make the personal data collected by statistical surveys available to other producers of official statistics and to Eurostat, provided that it is necessary for effective development, production, dissemination or increase of the quality of official statistics within their scope and that the delivery of such data is justified.

The aforementioned producers of official statistics are also subject to statistical confidentiality rules and may use the received statistical data solely for statistical purposes.

The Bureau may, on the basis of a written request, provide scientists and scientific organisations carrying out statistical analyses for scientific purposes with access to personal data that enable only indirect identification of persons they refer to.

3c) Protection of personal data collected for the production of official statistics

Personal data processed for statistical purposes do not enable the identification of the person they refer to.

Personal data collected for the production of official statistics shall be kept in such a manner as to prevent their destruction, abuse, forgery, theft and unauthorised disclosure.

The Bureau and other producers of official statistics, as well as scientists and scientific organisations, as the receivers of data, shall take all the necessary regulatory, administrative, technical and organisational measures to ensure the physical and logical protection of confidential data.

Persons who have access to personal data shall comply with the provisions of the regulations relating to the confidentiality and protection of statistical data even after the termination of employment or the performance of official statistics tasks, based on which they could have access to confidential data. Anyone having access to the aforementioned data shall sign a Statement of Statistical Confidentiality.

The Bureau shall separate identifiers from content variables after finishing the entry, editing and coding of the collected data or data taken over from administrative sources and after using them for updating of statistical registers.

The Bureau shall destroy statistical forms in paper that contain personal data collected for the production of official statistics once the entry, editing, coding and processing of data is completed.

3d) Obligations of the Bureau prior to collecting data for statistical purposes

When collecting data directly from data subjects, prior to collecting data, the Bureau shall notify data subjects of the following:

  • the legal basis for data processing
  • the purpose of data processing
  • the controller (identity and contact information)
  • data protection
  • the consequences of refusing to provide data
  • the recipients
  • the rights of data subjects
  • the right to lodge a complaint with the Croatian Personal Data Protection Agency
  • the period for data storage or criteria for determining such period
  • the contact information of the data protection officer

 

When data are not collected directly from data subjects (data collected from administrative sources, etc.), the Bureau shall publish information related to such a method of collecting and processing data on its website www.dzs.hr.

 

3e) Ensuring the rights of data subjects with regard to the processing of data for statistical purposes

 

In order to ensure the conditions necessary for the achievement of the purpose of official statistics in so far as the rights of data subjects are likely to render impossible or seriously impair the achievement of the purpose of producing official statistics, and such derogations are necessary for the fulfilment of this purpose, the Bureau is not obliged to provide data subjects with the right to access personal data, the right to the rectification of personal data, the right to the restriction of processing of personal data, or the right to object to processing of personal data.

 

When transferring personal data for statistical purposes, the controller is not obliged to inform data subjects about the transfer of personal data.

 

4 PROCESSING OF PERSONAL DATA OF EMPLOYEES, THEIR FAMILY MEMBERS AND PERSONS IN PROFESSIONAL TRAINING

 

The Bureau shall process personal data of employees and persons in professional training for the purpose of fulfilling Bureau’s obligations as an employer towards these persons.

 

The processing of personal data of family members of Bureau’s employees shall be conducted by the Bureau to the extent necessary for the performance of Bureau's obligations as an employer towards employees in accordance with the regulations and the rights established by the Collective Agreement for Civil Servants and Auxiliary Workers.

 

5 PROCESSING OF PERSONAL DATA OF CANDIDATES FOR PUBLIC TENDERS/JOB ANNOUNCEMENTS/PUBLIC CALLS

 

The Bureau shall process personal data of candidates for public tenders, job announcements and public calls solely for the purpose of conducting the aforementioned.

 

Access to personal data of the aforementioned candidates shall be granted solely to the persons involved in the conducting of a particular public tender, job announcement or public call (commission members, civil servants from the organisational unit competent for human resources involved in their implementation). The Director General of the Bureau shall haves the right to access personal data on candidates from the candidate ranking list.

 

All candidates for public tenders, job announcements or public calls shall have the right to access personal data on the selected candidate relating to the conditions from the public tender, job announcement or public call.

 

Notifications to candidates (testing, interview, etc.) shall not contain candidates’ personal data.

 

6 PROCESSING OF PERSONAL DATA OF PERSONS WITH WHOM THE BUREAU REALISES BUSINESS COOPERATION

 

Personal data of persons with whom the Bureau realises business cooperation (external associates hired under contractual agreement, students, service providers, etc.) shall be processed solely for the purpose of fulfilling the obligations arising from business cooperation (contract, agreement, etc.).

 

7 PROCESSING OF PERSONAL DATA OF STATISTICAL DATA USERS

 

The Bureau shall process personal data of statistical data users for the following purposes:

  1. meeting the legal and contractual obligations
  2. participation in the User Satisfaction Survey of the Bureau
  3. sending reminders for the renewal of subscription to Bureau’s data/publications
  4. sending invitations to conferences organised by the Bureau for the media representatives
  5. promotional activities (sending notifications about new products/services, sending information about events, sending releases (infographics/articles), etc.).

 

The Bureau shall process personal data of statistical data users for the purposes under items 2 to 5 on the basis of users’ consent.

 

The consent by which the user gives to the Bureau his/her consent to the processing of personal data relating to him/her shall be voluntary, written (including electronic form) in an easily understandable, clear and simple language, with a clearly indicated purpose for which it is given and it should not contain unfair terms.

 

In the case of processing personal data of a child below the age of 16, the consent shall be given by the holder of parental responsibility over the child (parent or legal guardian of the child).

 

The user may withdraw the consent at any time by submitting a request for the withdrawal of consent.

 

It shall be as easy to withdraw as to give consent.

 

The withdrawal of consent shall not affect the lawfulness of processing based on the consent before its withdrawal.

 

Prior to giving consent, the Bureau shall inform the user about the possibility of its withdrawal.

 

8 VIDEO SURVEILLANCE

 

The Bureau shall conduct the processing of personal data using video surveillance only for the purpose that is necessary and justified for the protection of persons and property, unless the interests of data subjects that are contrary to the processing of data using video surveillance are prevalent.

 

The video surveillance covers the internal part of the entrance to Bureau’s facilities and external areas of these facilities.

 

The Bureau has marked the areas under video surveillance, and the mark is visible when entering the recording perimeter at the latest.

 

The mark contains all the relevant information, in particular a simple and easy-to-understand picture with a text that provides the following information to data subjects:

 

  • that the area is under video surveillance
  • data on the controller
  • data on the processor
  • contact information by means of which the data subject may exercise his/her rights.

Access to personal data collected through video surveillance shall be granted to the head of the organisational unit competent for Bureau's assets, who may use the video surveillance recordings for the protection of persons and property.

 

The video surveillance system is protected against access by unauthorised persons.

 

Access to the video surveillance recordings may be granted to competent state bodies as part of the performance of tasks within their scope of work stipulated by the law.

 

The Bureau and the processor have established an automated record system for registering access to the video surveillance recordings, which contains the time and place of access as well as the identifiers of the persons who have accessed data collected through video surveillance.

 

The video surveillance recordings may be kept for up to six months (unless a special law provides for a longer period of keeping or if these recordings serve as evidence in court, administrative, arbitration or other equivalent proceedings).

 

9 PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

 

The Bureau shall process personal data in accordance with the following principles of processing:

 

  • The Bureau shall process personal data in accordance with applicable laws and respecting the rights of data subjects. The Bureau shall ensure a transparent processing of personal data and provide all the necessary information to data subjects.
  • The Bureau shall provide data subjects with information on how personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The data subject shall be informed in a timely manner, i.e. prior to the data collection, about all the relevant information.
  • The Bureau shall collect and process personal data only for specified, explicit and legitimate purposes and shall not further process them in a manner that is incompatible with those purposes.
  • The Bureau shall use only those data of data subjects that are adequate and necessary for particular lawful purposes.
  • The Bureau shall be responsible for keeping the personal data of data subjects in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • The Bureau shall take care that the personal data it processes are accurate, complete and up-to-date.
  • The Bureau shall collect and process personal data in a safe manner, including the protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Personal data may be accessed only by authorised persons depending on their authority and position for the purpose of performing their obligations, all in accordance with the specific purpose of the collection and processing of personal data.

 

10 STORAGE OF PERSONAL DATA

 

The Bureau shall store personal data only for as long as they are needed for the purpose for which they are collected, or until the withdrawal of the consent in the case of data processing based on consent.

 

Personal data shall be deleted after the cessation of the purpose for which they are collected and no later than the expiry of all legal obligations relating to storage, except in the event of a court or any other procedure that requires data storage.

 

After the expiry of storage periods, personal data shall be removed from the system and archives or converted into anonymous data, preventing the identification of individuals.

 

11 ACCESS TO PERSONAL DATA PROCESSED BY THE BUREAU

 

Access to personal data processed by the Bureau may be granted to third parties only in the following cases:

 

  • if there is a legal requirement
  • if the Bureau hires another person, that is, a processor, to provide certain services, who acts exclusively by the order of the Bureau, whereby the Bureau undertakes all the measures of data protection as if it provides these services itself
  • if data are to be transferred to third parties for the performance of contractual obligations.

When third parties access the personal data processed by the Bureau, the Bureau shall strictly respect the principle of the restriction of processing and enable access to the minimum amount of data necessary, respecting all other relevant data protection principles.

 

12 RECORDS OF PROCESSING ACTIVITIES

 

The Bureau shall keep the Records of Processing Activities for personal data in electronic form.

 

The Records of Processing Activities shall contain the following:

 

  • the name/indication of the processing activity
  • the name of the Bureau’s organisational unit in charge of conducting the processing activity (and contact information of the Bureau)
  • the name and contact information of the data protection officer
  • the name of the processor (if applicable)
  • the purpose of processing
  • the description of the categories of data subjects/data sources
  • the category of personal data
  • the basis for the processing of personal data (regulation, contract, consent)
  • the categories of recipients to whom the personal data are disclosed, including recipients in third countries or international organisations
  • the transfer of personal data to third countries or international organisations, including the identification of that third country or international organisation
  • the envisaged time limits for erasure of different categories of data
  • the general description of the technical and organisational security measures.

 

13 ACTIONS TAKEN BY THE BUREAU IN THE CASE OF A PERSONAL DATA BREACH

In the event of a personal data breach, the Bureau shall notify the Croatian Personal Data Protection Agency thereof without undue delay and, if possible, not later than 72 hours after becoming aware of it, unless it is unlikely that the personal data breach will result in a risk to the rights and freedoms of natural persons.

 

Where such notification cannot be achieved within 72 hours, the Bureau shall indicate the reasons for the delay in the aforementioned notification.

 

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of data subjects, the Bureau shall notify data subjects of the personal data breach without undue delay.

 

The Bureau is not required to notify data subjects on the personal data breach if any of the following conditions are met:

 

  • the Bureau has applied appropriate technical and organisational protection measures to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption
  • the Bureau has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
  • it would involve disproportionate effort. In such a case, there shall be instead public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

14 RIGHTS OF DATA SUBJECTS

 

In the processing of personal data, the Bureau shall provide the data subject with appropriate information (in writing or directly verbally) regarding the processing of his/her personal data, in particular regarding the purpose of data processing, the legal basis for data processing, the intention of transferring personal data to third parties, the period for which personal data will be stored, the right of the data subject to access personal data, and the right to rectification or erasure of personal data and the restriction of processing, the right to lodge a complaint, etc.

 

Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

 

The Bureau shall, without delay and not later than one month of the submission of the request, provide information on the actions taken on the request.

 

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

 

The Bureau shall inform the data subject of any such extension within one month of the receipt of the request, together with the reasons for the delay.

 

In justified cases, the Bureau may reject the request of the data subject; in such a case, the Bureau shall inform the data subject of the reasons for rejecting the request, without delay and at the latest within one month of the receipt of the request.

 

A data subject who considers that the Bureau has violated any of his/her rights stipulated by the General Data Protection Regulation shall have the right to lodge a complaint with the Croatian Personal Data Protection Agency.

 

15 PERSONAL DATA PROTECTION MEASURES

 

The Bureau shall implement appropriate technical and organisational measures to enable effective application of data protection principles, such as data minimisation, and to integrate the necessary protection measures into the processing in order to meet the requirements of the General Data Protection Regulation.

 

The Bureau shall undertake the necessary technical, personnel and organisational measures to protect personal data against accidental loss or destruction, unauthorised access or unauthorised change, unauthorised disclosure and any other misuse.

 

Personal data relating to underage persons are collected and processed by the Bureau in accordance with the General Data Protection Regulation and with special protection measures prescribed by special laws.

 

In order to prevent unauthorised access to personal data, the Bureau shall keep the data in writing in registers, in locked cabinets, and the data in computers shall be protected by a username and a password known only to the employees responsible for data processing and stored on portable storage devices for further security and confidentiality.

 

16 DATA PROTECTION OFFICER (DPO)

The Croatian Bureau of Statistics has appointed two personal data protection officers whom you can contact if you have any questions or concerns about how your personal data are dealt with and how they are used, or if you want to exercise your rights, at the following address:

Croatian Bureau of Statistics

Data Protection Officer

Ilica 3

10000 ZAGREB

e-mail: zastitapodataka@dzs.hr

The Croatian Bureau of Statistics has the right to charge a reasonable fee taking into account the administrative costs or refuse to act on the request if the requests of data subjects are obviously unfounded or excessive, in particular because of their repetitive character.

 

Accesibility settings