Privacy policy

Purpose and Scope of the Personal Data Protection Policy

With this policy, the Management Board of Prvo plinarsko društvo d.o.o. (hereinafter: PPD) establishes its stance on the protection of personal data and privacy, assigns responsibilities, defines rules for handling personal data, and provides full support to the personal data management system in accordance with the General Data Protection Regulation EU 2016/679 (GDPR) and other applicable national data protection and information security regulations, for all companies within the PPD Group (as defined below).

In its operations and in its relationships with employees, clients, and business partners, the PPD Group promotes privacy and respects personal data protection and ensures the highest level of information security by implementing this Privacy Policy as a common code of conduct within the Group.

This Privacy Policy applies to the entire operations of the following PPD Group companies:

Prvo plinarsko društvo d.o.o., Gospodarska zona Vukovar 13, 32000 Vukovar, Croatia

Novo Sutra Foundation, Gospodarska zona 13, 32000 Vukovar, Croatia

The policy is available to all employees and other data subjects, as well as interested third parties, on the websites of each of the listed companies. Future changes or additions to this Privacy Policy will be announced and published in a timely manner.

All employees and third parties who, within the scope of business cooperation, process personal data are required to act in accordance with this Privacy Policy.

Principles of Personal Data Processing

The PPD Group has adopted the following principles in the collection, processing, and storage of personal data:

Lawfulness, Fairness, and Transparency

Personal data is processed only when there is a valid legal basis (e.g., contractual relationship, legal obligation, or legitimate interest of the PPD Group). During data collection and throughout the processing, data subjects are provided with all relevant information about the processing and their rights, in clear and simple language.

Purpose Limitation

Personal data is collected for clearly defined legitimate processing purposes and is not processed for purposes incompatible with the original one. The PPD Group clearly states the purpose for which the data is collected and limits processing to what is necessary to achieve that purpose.

Data Minimization

When collecting personal data, the PPD Group limits itself to what is necessary, appropriate, and relevant to fulfill the purpose of the data processing.

Storage Limitation

Personal data is retained in an identifiable form only for as long as necessary to fulfill the intended processing purpose, considering applicable statutory limitation periods. Once the purpose has been fulfilled and legal requirements met, the PPD Group will either delete the data or render it anonymous. Anonymized data is not considered personal data, as it can no longer be associated with any identifiable individual.

Accuracy
The PPD Group ensures the accuracy and currency of personal data throughout the processing. Inaccurate or incomplete data will be updated or deleted in a timely manner if accuracy cannot be ensured.

Integrity and Confidentiality

The PPD Group implements appropriate technical and organizational measures to protect personal data, including protection from unauthorized or unlawful processing and accidental loss, destruction, or damage.

The level of protection and types of measures applied are based on a risk assessment of the impact of each processing activity on the rights and freedoms of data subjects.

Technical and Integrated Data Protection

When designing new, modifying or expanding existing systems and processes for processing personal data, the PPD Group applies this Policy while considering the latest advancements, implementation costs, and the nature, scope, context, and purposes of the processing, as well as the risks to individuals' rights and freedoms.

Reliability
In personal data processing activities, the PPD Group ensures appropriate records and other documentation through which the reliability and compliance of the processing with the above principles can be established at any time.

Purposes of Personal Data Processing

PPD Group companies conduct business with legal entities and do not process personal data of individual service users. However, during the contracting process and for communication related to the fulfillment of rights and obligations under contractual agreements, they collect, and process personal data of individuals authorized to act on behalf of those legal entities.

The data controller processes personal data for the following categories:

1. Job applicants
2. Business partners
3. Website visitors

Job Applicants

When you apply for a job at a PPD Group company, we collect: your name and surname, email address, information from your CV (education, qualifications, previous employment, skills, and specific knowledge, etc.), phone and/or mobile number, and address.

We collect this data directly from you and process it based on our legitimate interest in finding, selecting, and hiring qualified personnel for business needs, i.e., to identify the most suitable candidate for the advertised job, to maintain a pool of potential candidates for future openings, and attracting competent individuals to employment opportunities with the data controller.

For the selected candidate who accepts an employment offer, the data processing is based on the necessity to take steps prior to entering an employment contract, with the aim of establishing an employment relationship.

Providing personal data is voluntary. However, if you wish to apply for an advertised job opening, we require the personal data requested in the application form or collected during the further selection process for the purposes mentioned above. Failure to provide the required data will result in your inability to apply or participate in the selection process.

Business Partners

Regarding the privacy protection of our customers, suppliers, and business partners, mainly legal entities, we process personal data of individuals employed by such partners.

We collect and process personal data prescribed by applicable legal regulations in areas such as commercial law, accounting, tax law, and in accordance with relevant contracts concluded with business partners.

The processing of most of this data is mandated by law, and you are required to provide it, while we are obligated to collect and process it accordingly. Failure to provide mandatory data will prevent us from establishing or continuing a business relationship. In rare cases, the provision of specific data for certain purposes may be voluntary, in which case the only consequence of not providing such data would be the inability to benefit from additional services offered based on voluntary and informed consent, which can be withdrawn at any time.

Website Visitors

When you visit our websites, your personal data may be collected indirectly, namely:

1. Through cookies – a unique identifier is assigned to the user (see more under “Cookies”)
2. Through aggregate data related to user activity on the website via Google Analytics.

If you disagree with any part of this Privacy Policy, please do not use the website or provide us with any personal data.

Legal Basis for Personal Data Processing

Personal data is collected for the purpose of executing rights and obligations arising from contractual relationships.

Data is also processed based on legitimate interests in the context of negotiations, contracting, and other business processes, with the goal of ensuring operational efficiency and compliance.

Recipients of Personal Data

PPD Group will share personal data with other recipients only when required by legal obligations or upon a legitimate request from an authorized public body.

When necessary to achieve the purposes of processing, personal data will be forwarded to our trusted partner data processors who perform services related to our operations on behalf of PPD Group companies (e.g., accounting services, IT support, etc.).

PPD Group companies have concluded data processing agreements with all processors, which define mandatory high levels of personal data protection and confidentiality, as well as detailed instructions for data processing.

In the case of personal data transfers outside the European Economic Area, PPD will implement appropriate safeguards, such as standard contractual clauses and other applicable protection mechanisms.

Data Subject Rights

Depending on the legal basis and the method of processing personal data, data subjects may exercise the following rights in relation to the processing performed by the PPD Group:

• Right to access data and information about the processing, including a copy of the personal data;
• Right to rectification of data;
• Right to erasure of data;
• Right to restriction of processing;
• Right to data portability;
• Right to object (when processing is based on the legitimate interest of PPD Group companies);
• Rights related to automated decision-making and profiling.

Data subjects can exercise their rights by sending a request to the email address: dpo@ppd.hr or to the headquarters address of the relevant PPD Group company.

Regardless of the purpose and legal basis for processing, all data subjects may also file a complaint with the relevant supervisory authority:

CROATIA:
Croatian Personal Data Protection Agency
Selska cesta 136, 10000 Zagreb
Email: azop@azop.hr

Last Modified on: 05.05.2025