Personal Information Protection Policy at INA d.d.
INA-INDUSTRIJA NAFTE, d. d. (hereinafter: INA d.d. or INA) is very serious about protecting the privacy of your personal information and implements all technical and organisational measures required by best practices, Croatian laws and the General Data Protection Regulation (EC 2016/679), abbreviated as “GDPR”.
The company INA, d.d. processes personal information in compliance with the proscribed privacy by design-default
INA’s information system is protected in line with the best practices and standards by physical solutions and applications developed by industry leaders. The logical and physical access to system components is managed in compliance with the applicable standards and the users are regularly trained and informed about the importance of information security and protection of information.
The specific purpose and method of processing of your personal information largely depend on the type of business relationship based on which we collect your information. We are guided by the basic personal information protection principles in our business, which means that we process information legally, transparently and fairly, that the processing is limited to the purpose for which the information was collected, and that only the information essential for this purpose is processed. We only store your personal information for as long as we have to in order to fulfil the purpose of information processing, except in cases when legal regulations require us to store personal information for a longer period and in cases when the storing of information is required by our legitimate interests (e.g. establishment, realisation or protection of legal requirements). When processing your personal information, we are guided by the principles of accuracy, reliability, confidentiality and integrity. Access to your personal information is restricted to authorised persons at INA and our business service provider partners (data processors).
Several different units in our Company are working on complying with the above regulatory requirements, ensuring a multidisciplinary approach to safeguarding and protecting the privacy of our customers, business partners, job candidates and other persons whose information we collect in our business. We hold regular trainings for our employees and contractually stipulate adequate protection measures with our business service provider partners.
Data Controller and Personal Information Protection Officer
INA-INDUSTRIJA NAFTE, d. d., Zagreb, Av. V. Holjevca 10, 10000 Zagreb, personal identification number: 27759560625 is the Data Controller.
Nives Troha is the Personal Information Protection Officer at INA, d.d.
Please send all your inquiries to:
Address: Av. V. Holjevca 10, Zagreb, attn. Personal Information Protection Officer
E-mail address: firstname.lastname@example.org
Processing purposes and legal grounds for personal information processing
INA, d.d., as the Data Controller, protects your privacy and only processes the personal information that is essential to INA and that has been collected as a part of INA’s business activities, whether the information was provided by you or a third party or obtained from publicly available sources, for the following purposes:
- Fulfilment of contractual obligations – when processing is necessary to fulfil the contract that you are a party to or to take action at your request prior to concluding the contract
- Satisfaction of legitimate interests – when necessary, we process personal information outside of a specific contractual relationship in order to satisfy our legitimate interests. Such legitimate interests may include the following:
- Conducting legal proceedings and maintaining records of legal proceedings
- Discovering perpetrators of criminal offences and fraud prevention
- Protection of persons and property
- Fulfilment of your requests so you could help us develop, deliver and improve our products and services or fulfilment of our internal needs, such as audit, data analysis and research for purposes of improving our products, services and communication with our users
- Answering your inquiries and comments
- Essential compliance with regulatory requirements – considering its diverse business activities, INA, d.d. is under obligation to comply with a multitude of regulatory requirements. For instance, we have to comply with the Money Laundering and Terrorism Financing Prevention Act, Monetary Institutions Protection Act, tax regulations and so on.
- Processing of personal information for special purposes or several special purposes described by consent, solely after receiving your consent to have your personal information processed for a particular purpose. Your consent is compliant with the relevant provisions of the Regulation and given unconditionally and freely. You reserve the right to revoke your consent at any time.
Should we process your personal information for purposes not described here or outside of the purpose to which you have consented, prior to such processing, we will provide you with information about the other purpose and all other relevant information about the processing.
Which personal information do we process and how do we get it?
We primarily process personal information collected within the scope of a contractual relationship, such as name, surname, personal identification number, address, vehicle registration number and so on. However, we also collect information from public sources (Court Registry, Financial Agency-FINA) and information legitimately shared with us by other companies in the INA Group, other contractual partners or third parties when necessary for the performance of our business activities even when their collection is not associated with a specific contractual or business relationship.
Are you under obligation to share your personal information with us?
You are not under obligation to do so. However, keep in mind that in some cases, should you refuse to provide the requested information, INA will not be able to enter into a contractual relationship with you or fulfil its legal or contractual obligations. For instance, if you do not provide your identification, we will not be able to fulfil your order or sell you diesel for fishing or agricultural purposes, for which the applicable law requires clear buyer identification.
Data storage period
INA, d.d. will only store your personal information for as long as necessary to fulfil its legal or contractual obligation or legitimate interest, except in case your personal information is processed based on consent, when processing ceases at the moment that you withdraw your consent. You can withdraw your consent at any time by sending your request to:
- the email address email@example.com
- the address INA-INDUSTRIJA NAFTE, d. d., Av. V. Holjevca 10, Zagreb, attn. Personal Information Protection Officer
We would like to underline that withdrawing your consent has no effect on the legality of information processing based on the consent prior to its withdrawal.
When your personal information is no longer needed for the fulfilment of above purposes, it will be destroyed, except in cases when continued storage is required by law.
For instance, information on INA card users is stored for the duration of the INA card contract, and after the termination of the contract, it is stored for as long as necessary to resolve any open claims by the contractual parties and so on.
Who is the recipient of your personal information?
INA, d.d. is under obligation to protect your personal information and will not disclose or make it available to third parties without your express consent, except:
What are your rights with respect to the processing of personal information?
- to service providers we hire as data processors for tasks related to the execution of contracts to which you are a party (such as accounting services, company TRS d.o.o.)
- to the authorities for purposes of activities from their scope (Tax Administration, Ministry of the Interior)
- when the information is requested by a court of law, relevant state attorney’s office, or other authorities in equivalent legal proceedings
- when INA, d.d. is obligated under the law to disclose the information.
Depending on the legal basis for processing, you may have the following rights:
Requesting access to personal information pertaining to you or requesting the rectification of your personal information
- Right to request access to personal information relating to you, which means that you have the right to be informed about the scope of collected information, purpose of processing, category of personal information that is processed, recipients that the information is delivered to, and the period of storage
- Right to have incorrect personal information rectified and incomplete personal information amended, in which case we are under obligation to fulfil your request without unnecessary delay
- Right to object to the processing of personal information in case it is processed based on INA’s legitimate interest or for direct marketing purposes
- Right to request deletion of information in cases when the purpose of processing has been fulfilled, when you have withdrawn your consent as the only basis for processing, when your privacy protection interest outweighs INA’s legitimate interest in processing, when you have lodged an objection against the processing of information for direct marketing purposes, when it is required for purposes of compliance with legal requirements that INA is subject to, and in cases of any illegal processing. The right to have the information deleted is not an absolute right and does not apply, for instance, in cases when processing is necessary to exercise the right to the freedom of information and expression, compliance with legal requirements that INA, d.d. is subject to, establishment, realisation or defence of legal requests, and so on.
- Right to restrict the processing of information, for instance, in cases when you have disputed the accuracy of the information, for as long as it takes to verify its accuracy
- Right to transfer the information to another Data Controller if the processing is based on consent or execution of a contract to which you are a party, or if the processing is performed automatically and it would be technically feasible
- Right to submit an objection to a national supervisory authority, i.e. the Croatian Personal Data Protection Agency
If you want access to your personal information or if you believe that irregularities occurred in the processing of personal information, please contact our Personal Information Protection Officer.
Objecting to the processing of personal information
If you believe that INA, d.d. has no legal grounds to process your personal information, you can submit an objection to the Personal Information Protection Officer at any time.
In this case, we will no longer process your personal information and we will not be able to provide our services to you or be in a business relationship with you.