Privacy policy
Preliminary provisions
We appreciate your privacy and attach particular importance to the protection of your personal data.
Therefore, we want to explain to you in this document how we treat the personal data we are processing.
We collect and process your data exclusively for the purpose of quality provision of our services, in a lawful, fair, and transparent manner. We process only those data which are necessary for the provision of a particular service, taking into account their proper protection.
Such personal data primarily relate to people with whom Smiling Pawn has a business relationship or a legitimate interest in contacting them (clients, suppliers, business contacts, employees, etc.).
When the need to process your personal data ceases, we erase all personal data or use appropriate technical solutions to anonymize them for exclusive use for statistical purposes.
We collect and process personal data in accordance with our values and principles, this privacy policy and the applicable European and Croatian regulations relating to the protection of personal data.
This privacy policy applies equally to personal data in digital or electronic form, as well as to personal data in printed (paper) form, whether it is a printout of a digital or electronic file.
Expressions used in this privacy policy that have a gender meaning refer equally to men and women.
Principles
When processing personal data, we shall follow the principles and rules established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
When processing personal data, we take into account the obligation of professional secrecy in the manner governed by the law of the European Union or the Republic of Croatia.
Personal data are processed:
• legally, fair and transparent;
• for specific, precisely defined and legitimate purposes;
• using only accurate, up-to-date, appropriate and relevant data limited to the purpose for which they are processed;
• only for as long as necessary to achieve the purpose of processing; and
• protecting them against any unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Personal data under 16 years of age are processed only on the basis of parental or custodial consent and only to the extent to which consent is given.
Confidentiality and security
We approach all personal data with confidentiality, taking into account the appropriate level of security and protection. We do not collect, process or otherwise use personal data without authorization.
Smiling Pawn employees protect personal data as a business secret, even after the termination of their employment.
Smiling Pawn employees process only those data for which they are authorized, in the manner and within the limits of authorization, i.e. solely for the purpose for which the data were collected or for which they are processed.
In working with personal data, we conduct the “need-to-know” principle in order to ensure that only authorised employees have access to certain personal data for a specific period of time.
Before introducing new technologies that can be used for processing personal data, we approach a thorough analysis and adaptation of technical and organisational measures, in order to ensure the application of the highest standards for personal data protection.
Guidelines for employee behaviour
The employees of Smiling Pawn, in their everyday work, are governed by this privacy policy and the regulations in force concerning the protection of personal data.
Only Smiling Pawn employees have access to personal data, and they need such access for the performance of their work, i.e. for the performance of their tasks. Personal data will not be distributed informally among employees, but any access must be requested from the person in charge of the specific work, i.e. the person who issued the order.
Smiling Pawn organizes education at least once a year or otherwise meets its employees with their obligations and regulations related to the protection of personal data and takes into account the application of good data protection practices in accordance with the recommendations of the personal Data Protection Agency and other data protection authorities in the European Union and Croatia.
Employees shall take appropriate organisational and technical protection measures to minimise the risk to personal data, in particular by:
• useing powerful passwords (machine password), which are known only to them and are not shared with third parties;
• regularly checking the updating and purpose of personal data. Where personal data are no longer necessary or are up to date and without the possibility of updating, the data gets deleted or gets anonymized;
• locking computers on which they work with personal data when they leave them unattended;
• taking into account that personal data they have access to are not leased or disclosed to unauthorized persons, whether or not they are Smiling Pawn employees; and
• seeking advice or assistance from the competent person, when they find themselves in doubt over any aspect of personal data protection.
Storage of data
We take into account the way data is stored, regardless of whether they are on paper, in digital or electronic or any other form.
Personal data contained on paper, regardless of whether it is a printout of data normally stored in digital or electronic form:
• when not used, they are kept in a closed drawer or a briefcase closet accessible exclusively to authorised persons;
• all employees are in charge of keeping such papers invisible, i.e. in a place where unauthorized persons could access personal data; and
• when no longer necessary, they are destroyed in a paper cutter or in another technically acceptable way and properly disposed of.
Personal data that are in digital or electronic form shall be protected against unauthorized access, accidental modification or deletion, or unauthorized intrusions into the system:
• using strong passwords (machine passwords), which are regularly changed and which are known only to authorised persons and are not shared with third parties;
• if personal data are on a portable medium (e.g. CD, DVD, USB stick, HDD portable …), such media shall be stored in a secure place accessible exclusively to authorised persons;
• only official media and servers are used for storage, i.e. in the selected cloud service, which applies appropriate organizational and technical protection methods;
• the servers where personal data are stored are in a secure location accessible exclusively to authorised persons;
• backup of data is carried out regularly, in order to ensure the completeness, truthfulness and accuracy of data, in accordance with this privacy policy and the regulations in force relating to the protection of personal data;
• personal data will not be stored directly on mobile devices (e.g. tablet, smartphone …) unless this is necessary for the performance of the contract, i.e. for the fulfilment of the service agreed and only for the duration and extent to which it is contracted or necessary;
• employees do not store personal data on their own personal computers, that is, other own devices or media, which they use or can use for business purposes;
• All servers and computers containing personal data are protected by appropriate technical protection measures, such as encryption programs, firewall etc.
Data processing
All personal data are processed in a lawful manner, in accordance with the conditions, principles and standards of the General Regulation on Data Protection and national legislation. Processing is primarily based on special consent, execution of contractual relationship or compliance with legal obligations.
We do not process specific categories of personal data, except for specific categories of personal data of employees, for which employees give explicit consent to be processed or processed in order to protect and exercise the rights and interests of employees in the field of labor law and social security and social protection law.
Smiling Pawn does not use automated processing of personal data, including the creation of profiles, to make a decision that produces or may produce legal effects against the respondent or similarly significantly affect the respondent and the exercise of his rights.
We take into account that we collect personal data primarily from the examinee to whom the aforementioned personal data relate. When collecting personal data, the data subject shall always be informed of the reasons and purpose of the processing of personal data and of the legal basis for such processing.
For each transfer of personal data, we use appropriate safeguards, corresponding to the categories of personal data and the risk arising from such categorization, taking into account the specificities of each transfer case.
Personal data may be transmitted digitally or electronically taking into account the application of appropriate safeguards, technical possibilities, categories of personal data and risk assessment. We take special measures to avoid unauthorized access to personal data.
We will never reveal your data to third parties without your explicit request and clearly, unambiguously and precisely specific consent.
Exceptionally, we can reveal your personal data to competent international, state and public bodies if necessary for the fulfilment of legal obligations, in order to protect your life interests or the life interests of other natural persons. Likewise, at the request of the court and for the purposes of the court proceedings (regardless of the stage of the proceedings), we may disclose your personal data to the extent and limits of the court order.
When Smiling Pawn acts as a processor on behalf of the controller, it guarantees the implementation of appropriate technical and organisational measures in accordance with the General Regulation on Data Protection and this privacy policy, taking into account the protection of data subjects’ rights.
Such processing of personal data shall be governed by a written contract or other legal act in accordance with the law of the European Union or the law of the Republic of Croatia, by which the controller determines the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the category of data subjects, and its obligations and rights.
In this case, Smiling Pawn processes personal data only according to explicit and clearly defined instructions, i.e. orders from the controller. As executors, Smiling Pawn does not process personal data, regardless of whether it can access them or not, unless explicitly requested by the controller, and only then in the manner and to the extent requested by the controller.
We apply the same principle in providing services such as maintenance or updating of websites, applications or other systems that may contain or contain personal data.
By using technical methods of protection, such as encryption, and by respecting and implementing this privacy policy, we ensure that our employees do not access or otherwise do not come into contact with personal data, which are not necessary for the provision of the agreed service.
International transfer of personal data
We do not transfer personal data to third countries or international organisations (international transfer), except exceptionally, in statutory cases or on your express request with a clear, unambiguous and accurate consent.
Any transfer of personal data to a third country or an international organisation shall be based solely on:
• a list of countries and international organisations which ensure an adequate level of protection, in accordance with a publicly published decision of the European Commission;
• provided for by appropriate safeguards such as binding corporate rules, public authorities’ instruments, an approved code of conduct together with binding and enforceable obligations of controllers or processors in a third country relating to the consistent application of appropriate safeguards; and
• the existence of an adequate institutional legal protection of data subjects in a third country.
Any judgments of a court or decision of an administrative authority of a third country requiring the transfer or disclosure of personal data shall not bind or treat us unless they are based on an international agreement obliging the Republic of Croatia, such as a mutual legal assistance agreement.
Accuracy and updating of personal data
The accuracy and updating of personal data is of particular importance, both for the purpose of processing and for the purpose of exercising your rights and protecting personal data. We take appropriate technical and organizational measures to ensure the accuracy and updating of personal data, in accordance with the categories of personal data and their importance for the purpose of processing.
Smiling Pawn employees, in their daily work, take reasonable, proportionate and justified steps to ensure that personal data they process are accurate and up-to-date to the greatest possible extent.
In order to ensure the accuracy and updating of personal data, personal data will be located or stored in as few places as possible (i.e. only in those places where necessary), and employees will not create or use unnecessary copies, additional databases, sets or other means of grouping personal data.
Smiling Pawn in a simple and accessible way, using examples of good practice, enables the data subject whose personal data are processed to update his personal data.
If, during the processing or use of personal data, it is established that certain personal data are incorrect or out of date and cannot be updated or such an update would result in disproportionate efforts or costs, such data will be erased.
Retention and deletion of personal data
In accordance with the principles on which our privacy policy is based, we process your personal data only for as long as necessary for the purpose of processing, i.e. as required by law or subordinate legislation, and after we no longer need personal data we delete them or anonymize them.
If we are unable to set a specific deadline, we will keep personal data permanently, that is, until the deletion, and access to it is reserved exclusively by an authorised person.
Twice a year we conduct the control and revision of personal data that we process, in order to ensure that all personal data whose purpose is realized, that is, which we no longer need, are erased or anonymised. This particularly refers to the data that we keep permanently, that is, until the deletion.
Control is carried out by an authorised employee, who is obliged to prepare a report and any recommendations, if he establishes the existence of personal data for which there is no longer any reason for retention.
Exceptionally, we can keep your personal data longer than indicated if it is necessary for the purpose of acting on a court order or an authorized body order, for the purpose of fulfilling legal obligations, in order to protect your life interests or the life interests of other people.
Exercise of data subjects’ rights
The rights of data subjects whose personal data are processed are of great importance for Smiling Pawn The exercise of data subjects’ rights is of particular importance to us, so we approach each application for the exercise of rights with maximum seriousness, taking into account the requirements of the General Data Protection Regulation and the principles underlying this privacy policy.
The review of your rights in this privacy policy has been simplified for reasons of understanding and easier learning. The General Data Protection Regulation and the national legislation regulate in detail the complex procedure for the exercise of rights; therefore, we suggest that you get to know more closely the regulations that provide a comprehensive description of your rights and how they are exercised.
The data subject has the right to obtain confirmation whether his or her personal data are being processed or not. Where his or her personal data are processed, the data subject may request access to his or her personal data, indicating the purpose of the processing, the categories of personal data in question and any recipients to whom the personal data have been disclosed (or will be disclosed to them on the basis of a valid legal basis).
The data subject has the right to request the rectification or erasure of his personal data, or restriction of the processing of personal data.
When an application or other product that we have created uses software or a third party application (third-party) software:
• If registration or application is necessary for such software or third-party application to be used, then you should contact the manufacturer of such software or application for the exercise of your rights;
• If the use of such software or third-party application does not require registration or application, then you can contact us in order to help you exercise your rights.
The exercise of the data subject’s rights by Smiling Pawn does not affect the right of the data subject to contact the Agency for personal Data Protection or other supervisory authority
The application for the exercise of the right shall be submitted by e-mail address of the smilingpawnchess@gmail.com. Smiling Pawn may also create a special electronic form on its web pages, as a standardized way of submitting the application for the exercise of the data subject’s rights, but this will not affect the possibility of sending the data subject’s request to the said e-mail address.
Such a request for the exercise of rights is received by an authorised employee of Smiling Pawn or other authorised person (e.g. contractual data protection officer). The authorised person shall take appropriate steps to unequivocally establish the identity of the applicant before providing any information relating to personal data.
Information relating to the exercise of rights shall be provided in electronic form, free of charge.
In the event of a request for a copy of such information or repeated requests relating to the substantially equal exercise of rights, that is, in the case of unfounded or excessive claims, Smiling Pawn will charge a fee in the amount of the actual costs of fulfilling such a request, which cannot be less than EUR 20, based on the actual administrative costs of fulfilling such a request.
At any time you can withdraw your consent in a simple and transparent manner and ask that we stop processing your personal data for marketing and promotion purposes.
In addition, you may request the deletion of your personal data without undue delay if: personal data are no longer necessary in relation to the purposes for which they were collected or have to be deleted in order to comply with the regulations of the European Union or the Republic of Croatia.
If you think that according to your personal data we are not treating you properly or you think that the processing of your data is contrary to the General Regulation on Data Protection and national legislation, you have the right to contact the Agency for personal Data Protection.
This privacy policy shall be updated as necessary and at least once a year, taking into account examples of good practice and developments in the field of data protection.