This Privacy Policy is intended to inform Users and other visitors of the websites of the company INSPO Consulting d.o.o., located at Ulica Metela Ožegovića 17, 10000 Zagreb, OIB: 98209356341 (hereinafter: INSPO Consulting or Data Processor).

INSPO Consulting operates the website www.inspo-consulting.hr (hereinafter: website). INSPO Consulting collects, processes, and uses personal data in accordance with all data protection laws: the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal L 119/1) and the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18) (hereinafter: Regulation).

You, the Client, are responsible for data processing and are considered the Data Controller (hereinafter: Data Controller). At the same time, INSPO Consulting is solely the Data Processor acting on your behalf (hereinafter: Data Processor). We will use your data only in accordance with applicable data protection laws.

Through this Privacy Policy, we inform you which of your personal data is collected, processed, and stored when you visit our website or use the services we offer, as well as when you provide information to INSPO Consulting through other means (phone, mail, email, SMS, etc.). Additionally, you will receive information about how we use your data and what rights you have regarding the use of your data.

INSPO Consulting stores data exclusively within the European Union and manages it confidentially. A limited number of INSPO Consulting’s technical staff have access to the data.

1. GENERAL INFORMATION

Principles of Personal Data Protection

In processing personal data, INSPO Consulting pays particular attention to the principles of personal data processing: lawfulness, fairness, and transparency of processing. This means that processing must comply with a specific legal basis, and the principles of fair and transparent processing require that individuals are informed about the processing procedure and its purposes and that the Data Controller is obliged to provide the data subject with all additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context of the processing of personal data.

Purpose Limitation: This means that data should be collected for specific, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes, but further processing for archiving in the public interest, scientific or historical research, or statistical purposes is possible.

Data Minimization: This means that data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: This means that data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage Limitation: This means that data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Longer retention periods are possible only if personal data will be processed solely for archiving in the public interest, scientific or historical research, or statistical purposes with the implementation of appropriate safeguards prescribed by the Regulation.

Integrity and Confidentiality: This means that data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Accountability: This means that the Data Controller is responsible for compliance with these principles and must be able to demonstrate compliance.

1. WHICH PERSONAL DATA OF USERS DO WE PROCESS?

INSPO Consulting collects and processes the following personal data:

1. Personal Data of Users collected when accessing and using our website; and
2. Personal Data of Users collected when filling out the contact form.
3. a) Personal Data of Users collected when accessing and using our website

Essential information on the processing of personal data when accessing and using is described in our Cookie Policy.

1. b) Personal Data of Users collected when filling out the contact form

When registering to use our services, we collect the following personal data of Users:

1. Name;
2. Surname; and
3. Email address.

We use the mentioned data to perform the identification of an individual Client and to contact them in connection with the potential provision of our services in accordance with the General Terms, as well as in accordance with the positive regulations in the Republic of Croatia applicable to the provision of consulting services.

III.      LEGAL BASIS FOR PERSONAL DATA PROCESSING

INSPO Consulting collects and processes personal data on the following legal bases:

1. Consent of the data subject (Article 6(1)(a) GDPR);
2. Legitimate interests (Article 6(1)(f) GDPR); and

Data collected on this basis are used to meet legal obligations imposed by positive regulations governing the issuance of invoices for provided services, as well as regulations governing the provision of consulting services and to comply with regulations governing anti-money laundering and counter-terrorism financing.

1. DURATION OF PERSONAL DATA PROCESSING

Considering the sensitive nature of the services provided by INSPO Consulting, all data processed based on legal grounds from point III. and all in accordance with the minimum statutory retention periods prescribed by regulations, will be retained as long as necessary to get in contact with the potential Client. It should be noted that INSPO Consulting, in this specific case, is solely a data processor that processes and stores personal data on behalf of the Data controller, who is exclusively responsible for the reasons and manner in which the data is processed. Upon contacting the potential Client, INSPO Consulting shall either enter into contractual relationship with the Client and further regulate the data processing, or delete the data in accordance with applicable Regulations.

1. WITH WHOM DO WE SHARE USERS’ PERSONAL DATA?

We may share Clients’ personal data with the following types of recipients:

1. a) Data processors during the provision of our services in accordance with this Privacy Policy, with whom we have a legal agreement guaranteeing the protection of Clients’ personal data in accordance with this Privacy Policy and positive legal regulations ensuring the protection of personal data of natural persons;
2. b) Any competent authority, regulatory body, government agency, judicial body, court, arbitration court, or third party where we believe disclosure is necessary and justified:

(i) to satisfy an obligation prescribed by positive legal regulations;

(ii) to establish, exercise, or defend the rights of the Data Controller;

(iii) to protect the vital interests of the Data Controller and/or the interests of any other person where legally justified

1. c) Any other person, such as clients and third parties, with your consent for such disclosure.

NOTE: Unless expressly stated otherwise in this Privacy Policy or if the Client has not given their explicit, unequivocal, and informed consent, INSPO Consulting under no circumstances sells, trades, rents, or otherwise shares collected Clients’ personal data for a fee.

VII.    HOW DO WE PROTECT USERS’ PERSONAL DATA?

INSPO Consulting actively implements technical, physical, and administrative security measures to protect Clients’ personal data from loss, misuse, unauthorized access, disclosure, and alteration. Security measures include firewalls, data encryption, physical access controls to our data centres, and restricting authorization for access to personal data.

To provide its Services, INSPO Consulting may conclude Data Processing Agreement (“DPA”), which further regulates and ensures lawful protection and use of personal data – which is attached to this Privacy Policy.

VIII.   USERS’ RIGHTS AS DATA SUBJECTS

Users’ rights as data subjects under the Regulation concerning the processing of personal data are as follows:

• Right of Access: The User has the right to obtain confirmation from INSPO Consulting whether or not personal data concerning them are being processed and, if so, access to the personal data and the following information: the purpose of processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, the period for which the personal data will be stored, information on rights and data sources if not collected from the Client. If Clients’ personal data are transferred and processed outside the EU, the Client has the right to information on appropriate safeguards. Where possible, the Client can obtain a copy of the personal data being processed.
• Right to Rectification: The Client has the right to obtain the rectification of inaccurate personal data concerning them without undue delay and to have incomplete personal data completed.
• Right to Erasure (“Right to be Forgotten”): The Client has the right to obtain the erasure of personal data concerning them without undue delay where one of the following grounds applies:

1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
2. The Client withdraws consent, and there is no other legal ground for processing,
3. The Client objects to the processing, and there are no overriding legitimate grounds for the processing,
4. The personal data have been unlawfully processed,
5. The personal data have to be erased for compliance with a legal obligation,
6. The personal data have been collected in relation to the offer of information society services to children.

• Right to Restriction of Processing: The Client has the right to obtain the restriction of processing where one of the following applies:

1. The accuracy of the personal data is contested by the User for a period, enabling INSPO Consulting to verify the accuracy of the personal data,
2. The processing is unlawful, and the Client opposes the erasure of personal data and requests the restriction of their use instead,
3. INSPO Consulting no longer needs the personal data for processing, but the Client requires the data for the establishment, exercise, or defence of legal claims,
4. The Client has objected to processing pending verification of whether INSPO Consulting’s legitimate grounds override those of the Client.

• Right to Data Portability: The Client has the right to receive personal data concerning them, which they have provided to INSPO Consulting, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance.
• Right to Object: The Client has the right to object at any time to processing personal data concerning them, including profiling.
• Right to Lodge a Complaint: The Client has the right to lodge a complaint with the supervisory authority.

In the Republic of Croatia, this is the Croatian Personal Data Protection Agency (AZOP). To exercise their rights, the User can contact the data protection officer at INSPO Consulting via email at jelena@inspo-consulting-hr  or by post at INSPO Consulting d.o.o., Ulica Metela Ožegovića 17, 10000 Zagreb, with the note “Data Protection Officer.”

INSPO Consulting will provide the Client with information on actions taken upon their request under Articles 15 to 22 of the Regulation within one month of receiving the request.

1. CHANGES TO THE PRIVACY POLICY

INSPO Consulting may periodically update this Privacy Policy to reflect changes in its practices or applicable legal regulations. Clients’ will be notified of significant changes to this Privacy Policy through our website.

The Privacy Policy was last updated on August 1, 2024.