Privacy policy

We value your privacy and attach particular importance to the protection of your personal data. Accordingly, by means of this document, we wish to explain how we handle the personal data we process.

Introductory Provisions

We collect and process your data solely for the purpose of providing our services to a high standard, in a lawful, fair, and transparent manner. We process only the data necessary for the provision of a particular service, while ensuring that such data is adequately protected.

Such personal data primarily relates to natural persons with whom the City of Drniš has a business relationship or a legitimate interest in contacting (clients, suppliers, business contacts, employees, etc.).

When the need to process your personal data ceases, we delete all personal data or, by applying appropriate technical solutions, anonymize it for the sole purpose of statistical use.

We collect and process personal data in accordance with our values and principles, this Privacy Policy, and the applicable European and Croatian regulations relating to the protection of personal data.

This Privacy Policy applies equally to personal data in digital or electronic form, as well as to personal data in printed (paper) form, regardless of whether it is a printout of a digital or electronic record.

Terms used in this Privacy Policy that have gender-specific meaning shall apply equally to both male and female genders.

Principles

When processing personal data, we are guided by the principles and rules established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

When processing personal data, we observe the obligation of professional confidentiality in the manner prescribed by the law of the European Union and the Republic of Croatia.

We process personal data:

  • lawfully, fairly, and transparently;
  • for specific, explicit, and lawful purposes;
  • using only accurate, up-to-date, adequate, and relevant data limited to the purpose for which it is processed;
  • only for as long as necessary to achieve the purpose of processing; and
  • while protecting it against any unauthorized or unlawful processing and against accidental loss, destruction, or damage.

We process the personal data of persons under the age of 16 only on the basis of parental or guardian consent and only to the extent and within the scope for which such consent has been given.

Confidentiality and Security

We treat all personal data confidentially, while ensuring an appropriate level of security and protection. Under no circumstances do we unlawfully collect, process, or otherwise unlawfully use personal data.

Employees of the City of Drniš protect personal data as a business secret, even after the termination of their employment.

Employees of the City of Drniš process only the data they are authorized to process, in the manner and within the limits of such authorization, and solely for the purpose for which the data was collected or is being processed.

In our handling of personal data, we apply the “need-to-know” principle in order to ensure that only authorized employees have access to specific personal data for a precisely defined period of time.

Before introducing new technologies that may be used for the processing of personal data, we conduct a thorough analysis and adjust technical and organizational measures in order to ensure the application of the highest standards of personal data protection.

Guidelines for Employee Conduct

In their day-to-day work, employees of the City of Drniš act in accordance with this Privacy Policy and the applicable regulations relating to the protection of personal data.

Access to personal data is granted exclusively to employees of the City of Drniš who require such access for the performance of their work or duties. Personal data shall not be shared informally among employees; each instance of access must be requested from the person responsible for the specific task or from the person who issued the instruction.

At least once a year, the City of Drniš organizes training or otherwise appropriately informs its employees of their obligations and of the regulations relating to the protection of personal data, while also ensuring the application of good data protection practices in accordance with the recommendations of the Personal Data Protection Agency and other bodies competent for data protection in the European Union and Croatia.

Employees take appropriate organizational and technical protection measures in order to minimize risks to personal data to the greatest extent possible, and in particular:

  • use strong passwords, known only to them and not shared with third parties;
  • regularly check the accuracy, currency, and relevance of personal data. If personal data is no longer needed or is outdated and cannot be updated, such data shall be deleted or anonymized;
  • lock the computers on which they work with personal data when leaving them unattended;
  • exercise particular care not to disclose or make available personal data to unauthorized persons, regardless of whether such persons are employees of the City of Drniš or not; and
  • seek advice or assistance from the responsible person whenever they are uncertain about any aspect of personal data protection.

Data Storage

We pay due attention to the manner in which data is stored, regardless of whether it is stored on paper, in digital or electronic form, or in any other form.

Personal data stored on paper, regardless of whether it is a printout of data otherwise kept in digital or electronic form:

  • when not in use, is kept in a locked drawer or filing cabinet accessible only to authorized persons;
  • all employees are responsible for ensuring that such papers are not left in a visible place or in a place where unauthorized persons could gain access to personal data; and
  • when no longer needed, is destroyed in a paper shredder or by another technically appropriate means and properly disposed of.

Personal data in digital or electronic form is protected against unauthorized access, accidental alteration or deletion, and unauthorized system intrusions:

  • by using strong passwords, which are changed regularly, known only to authorized persons, and not shared with third parties;
  • if personal data is stored on portable media (e.g. CD, DVD, USB stick, portable HDD, etc.), such media is kept in a secure place accessible only to authorized persons;
  • only official media and servers, or a selected cloud service that applies appropriate organizational and technical protection measures, are used for storage;
  • servers on which personal data is stored are located in a secure place accessible only to authorized persons;
  • data backups are performed regularly in order to ensure the integrity, authenticity, and accuracy of data, in accordance with this Privacy Policy and the applicable regulations relating to the protection of personal data;
  • personal data shall not be stored directly on mobile devices (e.g. tablet, smartphone, etc.) unless this is necessary for the performance of a contract or the provision of the agreed service, and then only for the duration and to the extent agreed or necessary;
  • employees do not store personal data on their own personal computers or other personal devices or media that they use or may use for work-related purposes;
  • all servers and computers containing personal data are protected by appropriate technical security measures, such as encryption software, firewalls, and similar safeguards.

Data Processing

We process all personal data lawfully, in accordance with the conditions, principles, and standards of the General Data Protection Regulation and national legislation. Processing is based primarily on specific consents, the performance of a contractual relationship, or compliance with legal obligations.

We do not process special categories of personal data, except where this concerns special categories of personal data of employees, for which employees have given explicit consent to processing, or where such processing is necessary in order to protect and exercise the rights and interests of employees in the field of employment law and social security and social protection law.

The City of Drniš does not use automated processing of personal data, including profiling, in order to make decisions that produce or may produce legal effects concerning a data subject or similarly significantly affect the data subject and the exercise of his or her rights.

We ensure that personal data is collected primarily from the data subject to whom such personal data relates. When collecting personal data, the data subject is always informed of the reason and purpose of processing, as well as of the legal basis for such processing.

For every transfer of personal data, we apply appropriate safeguards corresponding to the categories of personal data and the risk arising from such categorization, taking into account the particularities of each individual case of transfer.

Personal data may be transmitted digitally or electronically, with due regard to the application of appropriate protection measures, technical capabilities, categories of personal data, and risk assessment. We take special measures to prevent unauthorized access to personal data.

We will never disclose your data to third parties without your explicit request and your clearly given, unambiguous, and specific consent.

Exceptionally, we may disclose your personal data to competent international, state, and public authorities where necessary to comply with legal obligations or to protect your vital interests or the vital interests of other natural persons. Likewise, at the request of a court and for the purposes of judicial proceedings (regardless of the stage of the proceedings), we may disclose your personal data within the scope and limits of the court order.

When the City of Drniš acts as a processor on behalf of a controller, it guarantees the implementation of appropriate technical and organizational measures in accordance with the General Data Protection Regulation and this Privacy Policy, taking into account the protection of the rights of data subjects.

Such processing of personal data shall be governed by a written contract or other legal act in accordance with European Union law or the law of the Republic of Croatia, by which the controller determines the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, as well as its obligations and rights.

In such case, the City of Drniš processes personal data only in accordance with the explicit and clearly defined instructions or orders of the controller. The City of Drniš, in its capacity as processor, does not process personal data, regardless of whether it is able to access it or not, unless expressly requested by the controller, and even then only in the manner and to the extent requested by the controller.

We apply the same principle when providing services such as the maintenance or updating of websites, applications, or other systems that may contain or do contain personal data.

By using technical protection methods such as encryption, and by observing and implementing this Privacy Policy, we ensure that our employees do not access or otherwise come into contact with personal data that is not necessary for the provision of the contracted service.

International Transfer of Personal Data

We do not transfer personal data to third countries or international organizations (international transfer), except exceptionally, in cases prescribed by law or at your explicit request accompanied by clearly given, unambiguous, and specific consent.

Any transfer of personal data to a third country or international organization shall be based exclusively on:

  • the list of countries and international organizations ensuring an adequate level of protection, pursuant to a publicly available decision of the European Commission;
  • the provision of appropriate safeguards, such as binding corporate rules, instruments of public authorities, or an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country concerning the consistent application of appropriate safeguards; and
  • the existence of appropriate institutional legal protection for data subjects in the third country.

Any judgment of a court or decision of an administrative authority of a third country requiring the transfer or disclosure of personal data shall not be binding on us, nor shall we act upon it, unless it is based on an international agreement binding on the Republic of Croatia, such as a mutual legal assistance treaty.

Accuracy and Updating of Personal Data

The accuracy and currency of personal data are of particular importance, both for achieving the purpose of processing and for the exercise of your rights and the protection of personal data. We take appropriate technical and organizational measures to ensure the accuracy and currency of personal data, in accordance with the categories of personal data and their significance for achieving the purpose of processing.

In their daily work, employees of the City of Drniš take reasonable, proportionate, and justified steps to ensure, to the greatest extent possible, that the personal data they process is accurate and up to date.

In order to ensure the accuracy and currency of personal data, personal data shall be kept or stored in as few places as possible (that is, only where necessary), and employees shall not create or use unnecessary copies, additional databases, sets, or other means of grouping personal data.

The City of Drniš enables the data subject whose personal data is being processed to update such personal data in a simple and accessible manner, using examples of good practice.

If, during the processing or use of personal data, it is determined that certain personal data is inaccurate or outdated, and it cannot be updated or such updating would result in disproportionate effort or cost, such data shall be deleted.

Retention and Deletion of Personal Data

In accordance with the principles on which our Privacy Policy is based, we process your personal data only for as long as necessary to achieve the purpose of processing, or for as long as required by law or secondary legislation, after which, once the personal data is no longer needed, we delete or anonymize it.

If we are unable to determine the retention period precisely, personal data shall be retained permanently, that is, until deletion, and access to it shall be granted exclusively to an authorized person.

Twice a year, we carry out control and review of the personal data we process in order to ensure that all personal data whose purpose has been fulfilled, or which is no longer needed, has been deleted or anonymized. This applies in particular to data retained permanently, that is, until deletion.

Such control is carried out by an authorized employee, who is required to prepare a report and any recommendations if personal data is found for which there is no longer any reason to retain it.

Exceptionally, we may retain your personal data longer than stated above where this is necessary for compliance with a court order or an order of an authorized authority, for the purpose of fulfilling legal obligations, or to protect your vital interests or the vital interests of other natural persons.

Exercise of Data Subject Rights

The rights of data subjects whose personal data we process are of exceptional importance to the City of Drniš. Every request for the exercise of rights is therefore treated with the utmost seriousness, guided by the requirements of the General Data Protection Regulation and the principles on which this Privacy Policy is based.

The overview of your rights in this Privacy Policy has been simplified for the sake of clarity and ease of reference. The General Data Protection Regulation and national legislation regulate in detail the complex procedure for exercising rights; accordingly, we recommend that you familiarize yourself more closely with the regulations that provide a comprehensive description of your rights and the manner of their exercise.

The data subject has the right to obtain confirmation as to whether or not his or her personal data is being processed. If his or her personal data is being processed, the data subject may request access to his or her personal data, together with an indication of the purposes of the processing, the categories of personal data concerned, and any recipients to whom the personal data has been disclosed (or will be disclosed on the basis of a valid legal basis).

The data subject has the right to request the rectification or erasure of his or her personal data, or the restriction of the processing of personal data.

Where an application or other product that we have developed uses third-party software or an application:

  • if registration or login is required in order to use such third-party software or application, you should contact the manufacturer of such software or application in order to exercise your rights;
  • if the use of such third-party software or application does not require registration or login, you may contact us so that we may assist you in exercising your rights.

Exercising data subject rights with the City of Drniš does not affect the data subject’s right to contact the Personal Data Protection Agency or another supervisory authority.

A request for the exercise of rights shall be submitted via the following e-mail address: pisarnica@drnis.hr. The City of Drniš may also create a special electronic form on its website as a standardized means of submitting requests for the exercise of data subject rights, but this shall not affect the possibility for a data subject to send such a request to the above e-mail address.

A request for the exercise of rights submitted in this manner shall be received by an authorized employee of the City of Drniš or another authorized person (e.g. a contracted data protection officer). The authorized person shall take appropriate steps to unequivocally establish the identity of the applicant before providing any information relating to personal data.

Information relating to the exercise of rights shall be provided electronically, free of charge.

In the event of a request for a copy of such information, or repeated requests relating to the exercise of the same right in substance, or where requests are manifestly unfounded or excessive, the City of Drniš shall charge a fee in the amount of the actual costs of fulfilling such request, which may not be less than EUR 20 and shall be based on the actual administrative costs of fulfilling such request.

At any time, you may withdraw your consent in a simple and transparent manner and request that we cease processing your personal data for marketing and promotional purposes.

In addition, you may request the deletion of your personal data without undue delay if the personal data is no longer necessary in relation to the purposes for which it was collected or if it must be deleted in order to comply with European Union or Republic of Croatia regulations.

If you believe that we are not handling your personal data appropriately, or you consider that the processing of your data is contrary to the General Data Protection Regulation and national legislation, you have the right to contact the Personal Data Protection Agency.

This Privacy Policy is updated as necessary, and at least once a year, taking into account examples of good practice and developments in the field of data protection.

In Drniš, 1 January 2026.