Rulebook on personal data protection

Pursuant to Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter: the Regulation), Article 3 i. 7. of the Personal Data Protection Act (OG 103/03, 118 / 06,41 / 08,130 / 11, 106/12), and Article 19. of the Statute, the Assembly at its session held on adopted the following:

Rulebook on personal data protection

General provisions

The Croatian Biophysical Association (hereinafter: the Association) is an Association that operates in the field of education, science and research. The target groups of the Association are: citizens-general population, scientific-educational institutions, scientific-educational workers, students and others.

The goals of the Association are the promotion and development of biophysical sciences, the teaching of biophysics, the application of biophysics in other scientific fields and professions, and the promotion of the reputation and social significance of biophysics and biophysicists.

The Association operates in accordance with the Law on Associations. Membership in the Association is acquired by admission to the membership of the Association based on the provisions of the Articles of Association. By establishing a contractual relationship with the Association, membership in the Association or direct or indirect participation in the work of the Association, a natural person / member entrusts his personal data for processing. The Association is obliged to implement technical and organizational measures to ensure the protection of personal data in the manner defined by the Regulation.

Therefore, for the purpose of implementing protection measures, defining which data the Association collects, methods of data collection and processing, the rights of respondents and other data important for the application of personal data protection rights, this Ordinance is adopted.

Article 1.

The Association is the manager of personal data collections that determine the purpose and manner of data processing. The Association must process personal data fairly and lawfully. Personal data must be accurate, complete and up-to-date, and may not be collected to a greater extent than is necessary to achieve the established purpose. Personal data must be kept in a form that allows the identification of respondents no longer than is necessary for the purpose for which the data are collected or further processed.

Article 2

The definitions of terms used in this Ordinance are as follows:

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter: the respondent); an identifiable person is a person whose identity can be established either indirectly, in particular on the basis of an identification number or one or more characteristics specific to his or her physical, psychological, mental, economic, cultural or social identity.

“Processing of personal data” means any operation or set of operations carried out on personal data, whether by automatic means or not, such as collecting, recording, recording, organizing, structuring, storing, adapting or modifying, withdrawing, inspecting, transferring, by disseminating, publishing or otherwise making available, classifying or combining, blocking, deleting or destroying, and performing logical, mathematical and other operations with that data.

“Personal data collection” means any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis, whether contained in computerized personal databases or managed using other technical aids; or by hand.

“Third party” is a natural or legal person, state or other body, except the respondent, the controller of personal data or the processor of personal data and the persons directly authorized by the controller or processor to process personal data.

“Recipient” means a natural or legal person, public authority, public or other body to whom personal data are disclosed, whether or not he is a third party. However, public authorities that may receive information as part of investigations are not considered recipients.

“Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

“Consent of the respondent” is any voluntary, special, informed and unambiguous expression of the respondent’s wishes by which the respondent, by a statement or clear affirmative action, consents to the processing of personal data relating to him.

“Personal data protection officer” is a person appointed by the head of the personal data collection who takes care of the legality of personal data processing and the exercise of the right to personal data protection.

“Personal data breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

“Pseudonymisation” means the processing of personal data in such a way that personal data can no longer be attributed to a particular respondent without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that personal data cannot be attributed to an individual whose identity has been established or can be established.

Article 3

The Association uses the following information:

a) Basic identification data: name and surname, e-mail addresses

b) Identification data: name and surname, personal identification number (OIB), address of residence or registered office, date of birth, contact details

c) Other personal data made available by the respondent or a third party Personal data are collected directly from the respondent orally and in writing.

Article 4

For each purpose of processing, the Association establishes and keeps records of processing activities which contain, on the basis of information on processing procedures, and in particular the following data:

a) Purpose of processing

b) Description of categories of respondents and categories of personal data

c) Name and contact details of the controller and the data protection officer

d) Categories of recipients to whom personal data have been or will be disclosed

e) Scheduled deadlines for deleting various categories of data

f) General description of technical and organizational security measures

Article 5

When introducing a new purpose of personal data processing or when changing the existing purpose of processing, the Association will be obliged to assess the need to conduct impact assessments on data protection and consider the implications for the processing system and its security. A new or changed purpose needs to be included in the Processing Activity Record.

Article 6

The Data Protection Officer is appointed from among the regular members, preferably and as a rule from among the members of the Management Board of the Association.

The Association publishes the contact details of the Data Protection Officer on its website and informs the supervisory body about the person appointed as the Officer.

The Data Protection Officer provides information and advice to members who directly or indirectly participate in the Association’s bodies, and other members who directly process personal data on their obligations under the Regulation, monitors the implementation of the Regulation and other Union or Member State provisions on protection. its rights defined by the Regulation, acts as a contact point for the supervisory authority on processing issues, including prior consultation in accordance with the provisions of the Regulation, and cooperates with the supervisory authority in all other matters regarding the processing and protection of personal data.

The Data Protection Officer is obliged to keep confidential all information he / she learns in the performance of his / her duties.

The Data Protection Officer may also perform other tasks and duties. The Association must ensure that such tasks and duties do not lead to conflicts of interest.

The Data Protection Officer reports directly to the President of the Association. The Association is obliged to ensure that the data protection officer does not receive any instructions regarding execution their tasks. The Association may not dismiss the Data Protection Officer or penalize him for performing his duties.

The Association is obliged to support the data protection officer in the execution of his tasks by providing him with the necessary resources to perform these tasks and gain access to personal data and processing procedures and to maintain his professional knowledge.

Article 7

The respondent has the right to access personal data contained in the Association’s storage system relating to him.

The Association shall without delay, immediately, and no later than one month from the date of submission of the request of the respondent or his legal representative or proxy:

1. provide the respondent with a printout of personal data contained in the storage system relating to him

2. to correct inaccurate data relating to him or to supplement them on the basis of the respondent’s request

3. carry out the deletion of personal data relating to him, provided that the personal data are no longer necessary in relation to the purposes for which they were collected or if the respondent withdraws the consent on which the processing is based

4. inform the respondent about the purpose of processing his personal data, the categories of personal data being processed, the recipients or categories of recipients to whom personal data have been or will be disclosed, the envisaged period in which personal data will be stored and in case personal data they do not collect from respondents about their source

The time limit referred to in paragraph 2 of this Article may, if necessary, be extended by an additional two months, taking into account the complexity and number of applications. The Association shall notify the respondent of any such extension within one month of receipt of the request, together with the reasons for the delay.

The request is submitted electronically, and unless the respondent requests otherwise, the information is provided in electronic form.

The information provided in accordance with this Article of the Ordinance is provided by the Association free of charge. Exceptionally, if the claims of the respondents are manifestly unfounded or excessive, the Association will charge a reasonable fee taking into account the administrative costs of providing the information or notice.

In the event that the Association determines that personal data are incomplete, inaccurate or out of date, it is only obliged to supplement or amend them regardless of the request of the respondent.

A respondent who considers that a right guaranteed by the Regulation has been violated has the right to submit a request for a violation of the right to the competent authority.

For the purpose of personal data protection, the Association, in all cases when it is possible, and especially during the public disclosure of information in accordance with the Law on the Right to Access Information, performs pseudonymization of data.

Article 8

Consent given by the respondent to communicate with the Association and for other purposes requested by the Association may be revoked by the respondent at any time without consequences.

Article 9

Personal data processed by the Association are not intended to be disclosed to other recipients. The Association is authorized to provide personal data for use to other recipients explicitly on the basis of a written request of the recipient, if this is necessary for the performance of activities within the statutory activities of the recipient.

Article 10

The Association implements organizational and technical measures to enable the effective application of data protection principles, such as reducing the amount of data processing, including protection measures in processing in order to meet the requirements of the Regulation.

Regular members of the Association within their powers process personal data and are obliged to take appropriate measures to protect personal data necessary to protect personal data from accidental loss or destruction, from unauthorized access or unauthorized use, unauthorized disclosure and any other misuse, and determine the obligation of the persons responsible for data processing. Technical measures to protect personal data processing procedures include minimal physical access control, security of the operating system and e-mail accounts, use of antivirus software, access via secure protocols and via VPN channels.

Article 11

The Association must use processors who sufficiently guarantee the implementation of appropriate technical and organizational measures in such a way that the processing is in accordance with the requirements of this Regulation, this Ordinance and that it ensures the protection of the rights of respondents. Entrusting the processing to the processor must be regulated by a contract that binds the processor to the Association and states the subject and duration of processing, consent and purpose of processing, type of personal data and category of respondents, obligations and rights of processors and processors, instructions on how to perform processing, requirements secure processing, organizational and technical measures and necessary records.

The processor may not hire another processor without the prior approval of the Association.

Article 12

The Association supervises the processing procedures and in case of detection of personal data breach, it is obligatory to report to the supervisory authority no later than 72 hours after learning about the breach.

body, unless it is unlikely that a personal data breach will pose a risk to the rights and freedoms of the individual.

In the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of the respondent, the Association shall without undue delay notify the respondent of the personal data breach in accordance with the provisions of the Regulation.

The Association is obliged to record all personal data breaches, including the facts related to the personal data breach, its consequences and measures taken to repair the damage.

Article 13

All amendments to this Ordinance shall be adopted in the same manner as this Ordinance. This Ordinance has entered into force.

President of the Association

Dr. sc. Mario Cindrić