This Privacy Policy regulates processing of personal data by our attorney at law office and it is intended for all persons we cooperate with in any way. Please inform yourself of your rights.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data controller means any person that determines the purposes and means of the processing of personal data.
Data processor means any person that processes personal data on behalf of the data controller.
Data protection regulations mean all regulations applicable to protection and processing of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Data subject means any natural person whose identity is determined or can be determined through the processing of personal data.
Personal data means all information relating to an identified or identifiable person, directly or indirectly, in particular by reference to an identifier such as name and surname, identification number or other factors specific for that natural person.
Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Our office carries out legal practice and within the scope of our practice we process the following categories of data:
- data on employees, which are collected and processed in accordance with the law (data collected for purposes of the employment agreement, employees records, pension and health insurance application of the employees, and benefit payments), as well as additional contact details: e-mail address, telephone number and/or other contact detail;
- data on clients, which refer to data needed for the purpose of service provision and within the limits of such need, in accordance with the regulations on prevention of money laundering and terrorist financing, and for the purposes of invoicing and maintaining contact, that is data which are apparent during payment transactions (the latter refers to: name and surname, residence address, PIN/other tax number, e-mail address, telephone number and/or other contact detail and/or bank account data, through which bank account the bank transaction is made). When performing our services we collect other personal data, particularly data regarding the counterparties, that is regarding other participants of the legal relationship, which are part of the attorney at law case file. The latter data we also keep and process in accordance with this Policy;
- data on suppliers of goods and providers of services, which refer to data collected for the purpose of invoicing and maintaining contact (the latter refers to: name and surname, residence address, PIN/other tax number, e-mail address, telephone number and/or other contact detail and/or bank account data, through which bank account the bank transaction is made).
Personal data regarding employees are collected for the purpose of establishment of the employment relationship and/or for the execution of the employment, and as a condition for establishment of the employment relationship and/or for the execution of the employment. Regarding the mentioned purpose, data are processed during the employment relationship and after termination of the employment, that is in accordance with the time periods defined by law during which such data have to be processed and kept. Data which have to be kept for the purpose of proving that the procedures prescribed by the law were followed we keep until the absolute limitations periods of the misdemeanour prosecution expire, unless it is prescribed that such data have to be kept even after expiration of such periods.
Personal data regarding clients are collected for the purpose of establishing a contractual relationship and as a condition for establishing such relationship and/or for fulfilling obligations and execution of the rights deriving from such relationship. We are entitled to terminate the further cooperation and contact in case we are not provided with requested data. In accordance with the mentioned purpose, data are processed until the purpose for which the contact was established is fulfilled or until all obligations related to the contractual relationship are fulfilled, with the exception of data we are obliged to keep as a part of the attorney at law case file, which are kept and processed in accordance with the time periods prescribed by the Act on Advocacy Profession. Data which have to be kept for the purpose of proving that the procedures prescribed by the law were followed we keep until the absolute limitations periods of the misdemeanour prosecution expire. Data regarding the counterparties and other person which are part of the attorney at law case file are processed and kept in accordance with the regulations which regulate legal practice.
Personal data regarding suppliers of goods and providers of services are collected for the purpose of establishing a contractual or pre-contractual relationship and/or as a condition for establishing such relationship and/or for fulfilling obligations and execution of the rights deriving from such relationship. We are entitled to terminate the further cooperation and contact in case we are not provided with requested data. In relation to the mentioned purpose, data are processed until the purpose of the contact is achieved or until all obligations related to such pre-contractual and/or contractual relationship are fulfilled.
Data may be processed for the purpose of fulfilling our other obligations deriving from the law, including situations in which we are obliged to act in accordance with the individual acts adopted by the public authorities upon whose order we are, in accordance with law or other regulations, obliged to act. In such case data can be available to public authorities and can be stored in accordance with the prescribed time periods. We transfer data within the limits of the obligations and authorisations we have as attorneys at law (for example, data are delivered to courts, to administrative authorities in the procedures which are conducted before such authorities).
After expiry of the personal data retention period, the personal data are permanently erased, except when otherwise imposed under the statutory regulations or where it is necessary for the establishment, exercise or defence of legal claims. We shall erase all media storing or otherwise processing the personal data when no longer required. We oblige data processors to proceed in the same manner. We shall provide upon request of the Data Subject a certificate of destruction.
In addition to the above mentioned, we collect certain data through our web page. Our web page uses only the essential “cookies” for functioning. Cookies cannot be used for disclosure of the personal identity of a data subject. When accessing the web pages, this information identifies characteristics of the search engine of the data subject for the providers, but not the characteristics of the data subject.
Data Subject is entitled to execute the following rights:
Right of access personal data: obtain confirmation as to whether or not personal data are being processed in relation to the data subject, and, where that is the case, access to the personal data and all collected information.
Right to rectification: obtain without undue delay the rectification of inaccurate personal data related to the data subject. Data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’): obtain erasure of personal data related to the data subject without undue delay. We will erase personal data e.g. where one of the following grounds applies:
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- data subject objects to the processing;
- personal data have been unlawfully processed;
- personal data have to be erased for compliance with a legal obligation to which we are subject.
We are not obliged to proceed as indicated e.g. where processing is necessary to comply with a legal obligation which requires processing or where it is necessary for the establishment, exercise or defence of legal claims.
Right to restriction of processing: obtain restriction of processing where one of the following applies:
- accuracy of the personal data is contested by the data subject, for a period enabling us to verify the accuracy of the personal data;
- processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- data subject has objected to processing pending the verification whether our legitimate grounds override those of the data subject.
Where processing has been restricted as described, personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
Right to a notification regarding rectification or erasure of personal data or restriction of processing: we shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with previous clauses to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform the data subject about those recipients if the data subject requests it.
Right to data portability: receive personal data concerning him or her, which he or she has provided to us in a structured, commonly used and machine-readable format, and transmit those data to another controller without hindrance of attorney at law, where the processing is based on the consent or agreement and is carried out by automated means. Where technically feasible, the personal data shall be transmitted directly to another controller.
Right to object:
- object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her when processing that is necessary for: (a) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (b) the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. In case of objection we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or where processing is necessary for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that is related to such direct marketing;
- not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the Data Subject and us; (b) is authorised by law to which we are subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent.
Right to lodge a complaint with a supervisory authority: lodge a complaint before a supervisory authority if he or she considers that the processing of personal data relating to him or her infringes the data protection regulations.
Right to an effective judicial remedy against a supervisory authority: an effective judicial remedy against the legally binding decision of the supervisory authority concerning the data subject, what also considers an effective judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the lodged complaint.
Right to an effective judicial remedy against a controller or processor: where data subject considers that his or her rights under the data protection regulations have been infringed as a result of the processing of his or her personal data in non-compliance with the data protection regulations. Data subject has the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest and is active in the field of the protection of data subject’s rights and freedoms in relation to protection of personal data, to represent the data subject for the purpose of protection of his or her rights.
Right to compensation: seek compensation for the damage caused by processing which infringes the data protection regulations. We will be exempt from liability if we are not in any way responsible for the event giving rise to the damage.
Right to be informed with respect to a personal data breach: in event of breach of personal data, when the breach is likely to result in a high risk to the rights and freedoms of individuals, we are obliged to communicate the personal data breach to the data subject without undue delay.
Data subject willing to excise his or her rights can submit a written request to us by e-mail: tp@tina-poropat.com. Where we are not data controller with respect to the submitted request, we will notify the data subject on the person of the data controller. This does not apply to requests that are in authority of the supervisory agency, courts or other institutions.
Where we have reasonable doubts concerning the identity of the natural person making the request, we may request the provision of additional information necessary to confirm the identity of the data subject.
On the request of the data subject, we will provide him or her with information on action taken without undue delay and in any event within one month of receipt of the request. Information shall be provided by electronic means, unless otherwise requested by the data subject. If we do not take action on the request of the data subject, without delay and at the latest within one month of receipt of the request, we will inform the data subject of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Based on data protection regulations, we are not obliged to designate a data protection officer and carry out a data protection impact assessment.
When we use data processor, processing shall be based on a written data processing agreement. We will ensure that we have received sufficient guarantees from our data processor that the data processor can implement measures to meet the requirements of the data protection regulation, otherwise the cooperation with such data processor shall be terminated.
By general data security rules, we define appropriate technical and organizational measures for protection of personal data and we regulate security incident management procedure.
