This Policy applies in addition to the rules of Croatian and EU data protection legislation, including the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and Croatian GDPR Implementing Act (Official gazette no. 42/18).
Personal Data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Sensitive data or special category data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Recipient means a natural or legal person to which the Personal Data are disclosed.
Applicable data protection laws means the GDPR, Croatian GDPR Implementing Act and other data protection laws that apply to us.
You means a data subject whose Personal Data is processed by us.
Unless otherwise provided in this Policy, any other term contained herein will have the same meaning as defined under Applicable data protection laws.
Data controller contact details
Babic & Partners Law Firm LLC Nova cesta 60 / 1st floor
We (Babic & Partners Law Firm LLC) are the data controller with regard to the Personal Data we process. We ensure that our employees who handle and/or process Personal Data comply with this Policy and Applicable data protection laws.
Personal Data we process about you
We collect the following categories of Personal Data about data subjects who are either our clients and/or prospective clients and their contact persons, suppliers and their contact persons, employee candidates, users of our website, and/or other data subjects:
➢ General data: Name, title, gender, organization/employer, role within organization, place of work, phone number, address, email address and other details.
➢ Special categories of data: data revealing racial or ethnic origin, trade union membership, data concerning health etc.
➢ Client data: Personal Data provided by clients and/or prospective clients regarding their business operations, management, employees, business partners, suppliers, customers or other data subjects, billing details, content of communication received from clients and/or prospective clients, details about the matter related to our engagement.
➢ Supplier data: Personal Data about the contact persons and/or employees of the suppliers providing goods and/or services to us, including their name, address, telephone number, role within the organization, email address and other general information.
➢ Professional data: data regarding professional qualifications, areas of practice, participation in professional conferences, seminars and associations.
➢ Regulatory data: Personal identification number, passports or other identification documents and their numbers, date of birth, country of residence, information on ultimate beneficial owners, data obtained within client due diligence checks and other information that we are required to collect and obtain under applicable laws, such as for example, anti-money laundering laws, laws governing legal profession, tax laws etc.
➢ Employee candidates’ data: data delivered by employee candidates via email or other means in relation to prospective employment at Babic & Partners.
➢ Device data: Computer Internet Protocol (IP) address, user agent (i.e. information on your internet browser), and data about visited websites and files. We also use essential cookies that are strictly necessary in order to provide access to our website.
We collect your Personal Data by direct interaction, for example when this data is provided by the client’s or prospective client’s contact person or when we engage third party suppliers that provide us with services. We also collect Personal Data from publicly available sources, such as commercial registers and registers of beneficial owners.
Purposes and Legal Bases for Personal Data processing
We will only use Personal Data when the law allows us to. Most commonly, we will use Personal Data based on the following legal grounds:
➢ Where we need to perform the contract we are about to enter into or have entered into with the client or prospective client;
➢ Where it is necessary for our legitimate interests (or those of a third party) and the data subject’s interests and fundamental rights do not override those interests;
➢ Where we need to comply with a legal obligation;
➢ Where the processing is necessary for the establishment, exercise or defense of legal claims; and
➢ In exceptional circumstances, where the data subjects provide their consent to our processing of Personal Data.
We have set out below a description of all the ways we process Personal Data, and which of the legal bases we rely on to do so. The purposes for which we use Personal Data are the following:
➢ Providing legal services to our clients
For these purposes we use general data, client data, special categories of data and, where required under the law, regulatory data. This processing is necessary for performance of contracts with our clients, to protect our and our client’s legitimate interests, to establish, exercise or defend the client’s legal claims, and to comply with our legal obligations. We require the client’s or prospective client’s contact persons to provide only the information which is necessary for provision of legal services.
➢ Client administration and engagement
For this purpose we use general data and client data. This is necessary for performance of contracts with our clients (for example, to issue invoices and collect our fees) and for the purposes of our legitimate interests (for example, to provide clients with information that we consider relevant for them).
➢ Business and supplier administration
For this purpose, we use supplier data, general data, client data and regulatory data. This processing is necessary to internally manage our business operations, to agree on payment arrangements with our suppliers, to manage our relationships with suppliers (for example, when suppliers are assisting in providing services to our clients) and to manage our time tracking and billing system. The legal bases for these processing operations are protection of our legitimate interests and those of a third party, performance of contracts with our suppliers, and compliance with our legal obligations.
➢ Provision of access to our website
For this purpose, we use device data that is strictly necessary to access and safely communicate with our website.
➢ Compliance with regulatory requirements
For these purposes, we use regulatory data, general data, client data and special categories of data. The legal basis for this processing is compliance with our legal obligations under applicable laws, for example anti-money laundering laws, laws governing legal profession, tax laws etc.
➢ Recruitment
For this purpose, we use employee candidates’ data and professional data provided to us by the employee candidate concerned. Such processing is necessary for the purposes of recruitment as our legitimate interest. Only authorized persons within Babic & Partners have access to employee candidates’ data. Employee candidates’ data are processed only during the recruitment process or, based on the data subject’s consent, for a maximum of one year following the provision of such consent, in order to inform the employee candidate on any potential job opportunities. Please see the Data Subject Rights for more information on consent withdrawal.
Recipients of Personal Data
We only share Personal Data where this is allowed under applicable data protection laws. We sometimes need to share Personal Data with the following recipients:
➢ Business partners: In exceptional circumstances, when another law firm or attorney is assisting in providing legal services to the client, we may share Personal Data with other law firms, attorneys and other consultants if this is requested by the client to protect the client’s interests or to perform our contract with the client.
➢ Suppliers and contractors: We share your Personal Data with our suppliers that provide us with services and/or goods, including IT service providers, accounting service providers and auditors, translation service providers, courier and post service providers, and other third-party consultants that provide us with support in relation to our business operations. We make sure that suppliers are subject to obligations of confidentiality and that they provide sufficient guarantees to implement technical and organizational measures in such manner that the processing meets requirements applicable under applicable data protection laws. Suppliers receiving Personal Data are typically located in Croatia or in another country within the European Economic Area (“EEA”).
➢ Financial institutions: We share Personal Data with financial institutions for the purpose of billing and payments, in accordance with applicable laws. Financial institutions that receive Personal Data from us are usually located in Croatia.
➢ Competent authorities: We share Personal Data if this is required to comply with an order of a competent authority, or if the disclosure is necessary to comply with a legal obligation; or if the Personal Data should be shared with the competent authority in order to perform our contract with the client or to protect the legitimate interests of our client; or if it is necessary for establishment, exercise or defense of client’s and/or our legal claims.
Rights of Data Subjects
You have the following rights:
➢ Right of Access
You have the right to request a confirmation as to whether or not Personal Data concerning you are being processed by us. This also enables you to receive a copy of the Personal Data we hold and to check that we are lawfully processing it.
➢ Right to Rectification
You have the right to obtain from us without undue delay the rectification of your inaccurate Personal Data. Taking into account the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
➢ Right to be forgotten
You have the right to request that we delete Personal Data that we process about you, unless we are required to retain such data to comply with a legal obligation or to establish, exercise or defend legal claims.
➢ Right to Restriction of Processing
You have the right to request that we restrict our processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
- If you want us to establish the data’s accuracy;
- Where our use of the data is unlawful but you do not want us to erase it;
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims;
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
➢ Right to Data Portability
You have the right to receive your Personal Data which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where we are processing that data on the basis of your consent or in order to perform our obligations under contract to you (such as to provide legal advice, representation or other services). The right to data portability does not apply to paper files.
➢ Right to Object
If the legal basis for processing of Personal Data is our legitimate interest or legitimate interest of a third party, you have the right to object to such processing on grounds relating to your particular situation. In such case, we will no longer process your Personal Data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
➢ Withdrawal of consent
If you have consented to our processing of your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. You may withdraw your consent by the same means used for giving such consent, e.g. via email.
We may require you to prove your identity before providing the requested information. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to expedite our response. You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests.
You also have the right to lodge a complaint with the local data protection authority. In Croatia this is the Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka, www.azop.hr).
Security of Personal Data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
Transfers of Personal Data to third countries
In certain limited circumstances, we may transfer your Personal Data to third countries outside the EEA subject to the conditions laid down in Chapter V of the GDPR for transfers of Personal Data to third countries or international organizations.
Whenever we transfer your Personal Data out of the EEA, we ensure that at least one of the following applies:
➢ We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (the list of countries is available here);
➢ Where Personal Data is transferred to a processor outside the EEA, we may also use specific contracts (Standard contractual clauses) approved by the European Commission which give personal data the appropriate protection (available here);
➢ The transfer otherwise complies with Articles 46 – 49 of the GDPR.
Data Retention
We will only retain Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship involving the data subject.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Under the laws governing provision of legal services in Croatia, we are required to retain all information about the client’s matter for the duration of 10 years following the end of proceedings related to that particular matter. Furthermore, under Croatian anti-money laundering legislation, we are required to retain regulatory data and documents for the period of 10 years.
Consequences of not providing Personal Data
You are not required to provide all Personal Data identified in this Policy. However, if you do not provide certain Personal Data, we may not be able to respond to your request, provide legal services to you, or provide you with information that we believe you would find valuable. For example, if you do not provide the regulatory data that we need to collect to comply with our legal obligation, we may not be allowed to establish a business relationship, or if you do not provide the client data we may not be able to adequately provide our services.
We do not use automated decision-making, including profiling.
If you have any questions concerning this Policy, our privacy practices or your rights, please do not hesitate to contact us at:
Babic & Partners Law Firm LLC
Nova cesta 60 / 1st floor,
Tel: +38513821124, Email: email@example.com