Privacy Policy

LEGAL FRAMEWORK

The data controller respects the privacy of each individual (hereinafter: Data Subject) whose personal data it collects and processes and undertakes to protect such personal data. In this Privacy Policy, we would like to inform you about the personal data we collect and for what purposes, how we protect them, and what your rights as a Data Subject are.

Data processing is carried out in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: General Data Protection Regulation, GDPR), the Implementation Act of the General Data Protection Regulation (NN 42/2018) and other regulations governing the relevant area, applicable in the Republic of Croatia.

SCOPE OF APPLICATION

This Privacy Policy applies to all processing of personal data carried out by the data controller. The data controller processes the personal data of the following categories of Data Subjects:

customers/potential customers,

employees and family members,

business partners and employees of business partners of the data controller.

In principle, the data controller processes the personal data that Data Subjects themselves provide to the extent necessary for the fulfillment of legal and contractual obligations. Based on the legitimate interest, the data controller processes the personal data of Data Subjects provided that the interests or fundamental rights and freedoms of the Data Subjects do not prevail, taking into account the reasonable expectations of the Data Subjects based on their relationship with the data controller.

CUSTOMERS AND POTENTIAL CUSTOMERS

Pursuant to Article 6(1)(f) of the General Data Protection Regulation, according to which processing is necessary for the purposes of the legitimate interests pursued by the data controller, the data controller processes the personal data provided by Data Subjects via the contact form on the website www.nordia.hr or if they contact the data controller through other communication channels (telephone, SMS, social networks, email). Personal data of Data Subjects are processed for the purpose of processing orders or other inquiries. The following personal data of Data Subjects are collected and processed:

first and last name,

address,

email,

phone number.

Personal data of customers are stored in the customer database for the legally prescribed period (11 years), while data of potential customers are stored in the potential customer database for one year.

BUSINESS PARTNERS

In its business operations, the data controller also processes personal data of employees of business partners or potential business partners, and individuals with whom the data controller has or may have a business contractual relationship.

The categories of personal data of Data Subjects that are collected are:

first and last name,

personal identification number (OIB),

email address,

phone number,

data on the position within the legal entity represented,

other data depending on the nature of the business relationship.

In addition to the mentioned types of data and places of collection, the processing of personal data for other specific purposes is possible, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations from the business relationship.

Data of Data Subjects who are individuals in a business relationship with the data controller are stored in accordance with applicable legal regulations.

In situations where the data controller is authorized to determine data retention periods, they are determined taking into account the purpose of processing and the interests of the Data Subjects.

MARKETING MESSAGES (NEWSLETTERS)

The data controller has a legitimate interest in processing personal data conducted for the purposes of direct marketing, primarily for sending marketing messages about its products and services (newsletters) via email, SMS, social networks (Facebook, Instagram, etc.), messaging applications (Viber, WhatsApp, etc.) or by mail.

Data Subjects can request limitation of processing at any time, and the data controller will immediately cease further newsletter delivery.

DISCLOSURE OF DATA TO THIRD PARTIES

The data controller discloses the personal data of Data Subjects to legal entities and bodies in accordance with legal regulations.

In the event of an order being placed with a Data Subject, their personal data are disclosed to companies with which the data controller has concluded agency agreements, for the purpose of processing and delivery of orders on their behalf.

Personal data of Data Subjects are provided to the accounting service for the purpose of performing accounting services. An agreement on the processing of personal data has been concluded with the accounting service, as the data processor.

The data controller does not transfer the personal data of Data Subjects to third countries.

DATA RETENTION PERIOD

Data of Data Subjects are processed and stored in accordance with applicable legal regulations when the obligation to retain is prescribed (e.g. personal data of employees and data on payroll are stored permanently, and accounting documents based on which data are entered into the journal, general ledger, and auxiliary ledgers are stored for eleven years), and in situations where the data controller is authorized to determine data retention periods, data are kept for as long as necessary for the purposes for which personal data are processed.

RIGHTS OF DATA SUBJECTS

In accordance with the General Data Protection Regulation, the rights of Data Subjects include:

Right of access - Data Subjects have the right to obtain confirmation from the data controller as to whether personal data concerning them are being processed, and they must be provided access to their personal data.

Right to rectification - Data Subjects have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of processing, Data Subjects have the right to complete incomplete personal data, including by providing an additional statement.

Right to erasure ("right to be forgotten") - Data Subjects have the right to obtain from the data controller the erasure of personal data concerning them, and the data controller is obliged to erase personal data without undue delay, unless there is a legitimate reason (e.g. legal obligation of the data controller).

Right to restriction of processing - Data Subjects have the right to obtain from the data controller restriction of processing where one of the conditions of Article 18 of the Regulation is met.

Right to data portability - Data Subjects have the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided.

Right to object - Data Subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them under Article 6(1)(e) or (f), including profiling based on those provisions (see Lawfulness of processing).

Automated individual decision-making, including profiling - Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Data Subjects have the right to lodge a complaint with the supervisory authority, i.e., the Croatian Personal Data Protection Agency (AZOP), at www.azop.hr, if they consider that the processing of personal data is not lawful.

DATA PROTECTION MEASURES

Taking into account the latest achievements, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risks arising from processing, the data controller implements appropriate technical and organizational measures to protect data.

HANDLING OF PERSONAL DATA BREACH

The data controller ensures that in case of a personal data breach, they will inform the competent supervisory authority (AZOP) and the data subjects about the breach without undue delay and, if feasible, no later than 72 hours after becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals.

USE OF COOKIES

Cookies are small files that a website stores on a user's computer for various purposes. These purposes can vary, including storing language preferences, shopping cart items in an online store, user login credentials, email addresses, user geolocation, etc.

Cookies are categorized based on duration, source, and function.

Based on duration, cookies can be:

Persistent Cookies: These cookies remain on the computer even after closing the web browser. Websites use them to store data such as login credentials, language preferences, or cookie settings, so users don't have to re-enter them on subsequent visits. Persistent cookies can remain on the computer for days, months, or even years.

Session Cookies: These cookies are removed from the computer after closing the web browser. Websites use them to store temporary data, such as the last few pages visited or items in a shopping cart.

Based on source, cookies can be:

First-party cookies: These are cookies set by the website the user primarily visits.

Third-party cookies: These are cookies set by other websites or web services that are part of the primary website the user visits. They are often used for tracking user behavior on the primary website or for providing services.

Based on function, there are several types of cookies:

Technical/Necessary Cookies: These cookies are essential for the functionality of the website and its core features, such as session identifiers or the content of a shopping cart in an online store.

Functional Cookies: These cookies enable the website to provide enhanced functionality and personalization, such as remembering language preferences.

Statistical Cookies: These cookies collect information about how users interact with the website. Generally, data is collected in aggregated form without identifying individual users.

Marketing Cookies: These cookies collect information about users' habits and behavior on the website to display personalized ads.

Only technical/necessary cookies will be used without the consent of the data subjects. Consent will be sought for all other cookies used by the website www.nordia.hr. Non-essential cookies can be disabled on the website or in browser settings.

CONTACT INFORMATION

If you have any questions regarding the processing of your personal data, you can contact us by phone at +385993755005 or by email at info@nordia.hr.

FINAL PROVISIONS

We regularly update our privacy policy to ensure its accuracy and relevance, reserving the right to change its content if deemed necessary. You will be promptly informed of any changes and amendments through our website in accordance with the principle of transparency.

In Kotoriba, September 7, 2023.