General Data Protection Regulation - Dentech
Personal data protection policy

General data protection regulation (GDPR)

Name: DENTECH d.o.o.
Address: Poljička cesta 26A, Split
OIB: 11294765977
MB: 060313814
IBAN: HR9723600001102727410

Name and address of the bank: Zagrebačka banka d.d., Poljička cesta 14, Split
E-mail address:
Phone: +385 (0)21 488 699

In Split, May 23, 2018.

Based on the General Data Protection Regulation (EU Regulation 2016/679), DENTECH d.o.o. 23/5/2018 year brings a document



Personal data – data relating to an individual whose identity has been determined or can be determined (“the respondent”)
Respondent – is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, network identifier or with the help of one or more factors characteristic of physical, physiological, genetic, mental, economic, cultural or the social identity of that individual
Processing of personal data – any procedure or set of procedures performed on personal data or on sets of personal data, either by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction
Controller – means a natural or legal person, who alone or together with others determines the purposes and means of personal data processing;
Processor – means a natural or legal person, which processes personal data on behalf of the controller;
Information system – comprehensiveness of technological infrastructure, organization, people and procedures for collecting, processing, generating, storing, transmitting, displaying and distributing information as well as disposing of it. An information system can also be defined as the interaction of information technology, data and procedures for data processing, and the people who collect and use said data.
Supervisory body – an independent body of public authority established by the Republic of Croatia for the purpose of controlling and ensuring the implementation of the Regulation
Confidentiality – the property of information (data) that it is not available or disclosed to unauthorized entities.
Integrity – the property of information (data) and processes that they have not been changed without authorization or unforeseen changes.
Consent – any voluntary, special, informed and unambiguous expression of the wishes of the respondent by which he, by a statement or a clear affirmative action, gives his consent to the processing of personal data relating to him;
Pseudonymization – processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an individual whose identity has been established or can be established;
Breach of personal data – means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed
Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects related to an individual, in particular to analyze or predict aspects related to work performance, economic status, health, personal preferences, interests, reliability, behavior , location or movement of that individual
Third parties – natural or legal person, public authority, agency or other body that is not the subject, the data controller, the data processor or the persons authorized to process personal data under the direct authority of the data controller or data processor
Distribution channels – represent means and ways through which access, contracting, and use of products and services of DENTECH d.o.o. are enabled. and sending commercial information and offers related to DENTECH d.o.o. products and services, including contractual partners and executors, DENTECH d.o.o. website:,, https://,,
Information about the available distribution channels of DENTECH d.o.o. is available to the client at any time via e-mail at
Binding corporate rules – personal data protection policies that the data controller or data processor with business establishment in the territory of a member state adheres to for transfers or sets of transfers of personal data to the data controller or data processor in one or more third countries within DENTECH d.o.o.

In terms of this policy, DENTECH d.o.o. , all locations and websites.
Data protection occupies an important place in the business of DENTECH d.o.o. (hereinafter: DENTECH d.o.o.) which in its daily operations collects and processes personal data of clients, employees, business partners or other persons with whom it achieves business cooperation (hereinafter: respondents).
The Personal Data Protection Policy (hereinafter: the Policy) is a fundamental act that describes the purpose and goals of collecting, processing and managing personal data within DENTECH d.o.o. , which is based on the world’s leading practices in the field of personal data protection. The policy ensures an adequate level of data protection in accordance with the General Data Protection Regulation (hereinafter: the Regulation) and other applicable laws related to the protection of personal data.

The purpose of the personal protection policy is to establish a framework for the protection of personal data in accordance with the General Data Protection Regulation. The policy establishes rules related to the protection of individuals with regard to the collection and processing of personal data and rules related to the free movement of personal data.
The goal of the Policy is to establish appropriate processes for the protection and management of the personal data of respondents, that is, clients, employees, business partners of members of DENTECH d.o.o. and other persons whose personal data is processed.

The principles of data processing are the basic rules by which DENTECH d.o.o. adheres to when processing personal data of respondents, and processing carried out in accordance with the principles listed below is considered legal.

DENTECH d.o.o. personal data is processed in accordance with the following processing principles:
1. Legally and fairly – with regard to the respondents and their rights, DENTECH d.o.o. will process personal data of respondents in accordance with applicable laws and covering all rights of respondents.
2. Transparent – DENTECH d.o.o. will ensure the transparency of the processing of personal data and, in accordance with the Regulation, will provide respondents with all the necessary information and, upon request, provide respondents with insight into their data, explanations of processing, grounds and legality of processing, etc. 3. In addition to limiting the purpose – personal data must be collected in special , express and legitimate purposes and may not be further processed in a way that is inconsistent with these purposes.
4. With storage limitation – DENTECH d.o.o. ensures that the personal data of the data subject is kept in a form that enables the identification of the data subject only for as long as is necessary for the purposes for which the personal data is processed.
5. Using only the necessary data (reducing the amount of data) – DENTECH d.o.o. collects and processes personal data in such a way that they are appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
6. Accuracy – DENTECH d.o.o. ensures that data is accurate and up-to-date as necessary; every reasonable measure must be taken to ensure that personal data that is inaccurate, taking into account the purposes for which it is processed, is deleted or corrected without delay.
7. Ensures security, supervision and control over data and data processing (Integrity and confidentiality) – DENTECH d.o.o. collects and processes data in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical or organizational measures.

In accordance with the stated principles, the data of the respondents will be accessed by employees of DENTECH d.o.o. depending on their authorizations and positions, in order to successfully fulfill the tasks defined for their position.

DENTECH d.o.o. considers personal data of respondents as their property and treats them as such. Accordingly, the personal data of the respondent is processed when one of the following conditions is met:
a) processing is necessary to comply with the legal obligations of DENTECH d.o.o. (applicable legal regulations) – at any time when the law authorizes or obligates certain processing, DENTECH d.o.o. will process personal data of respondents based on that law. b) processing is necessary for the legitimate interests of DENTECH d.o.o. or third parties – except when these interests are stronger than the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
c) the subject has given his consent for the processing of his personal data for one or more special purposes – the consent must be demonstrable and voluntary, written in easy-to-understand language and the subject has the right to withdraw his consent at any time (withdrawing consent must be as simple as giving consent ). DENTECH d.o.o. will ask the respondent for consent for data processing and contacting due to the needs of direct marketing through the contact information provided by the respondent.
d) processing is necessary to protect the key interests of the data subject or other natural person;
f) the processing is necessary for the performance of a task of public interest or in the exercise of the official authority of the data controller;

DENTECH d.o.o. considers that the personal data of the respondents is his property and although these data are necessary for us to provide the service, the respondents retain certain rights at all times in relation to the processing of their data and DENTECH d.o.o. collects and processes data only with the existence of the aforementioned legality of processing.
DENTECH d.o.o. will provide the following information at the time of collecting information from the respondent:
the identity and contact information of the data controller,
contact details of the data protection officer,
processing purposes for which personal data are used as well as
legal basis for processing,
legitimate interests, recipients or categories of recipients of personal data,
intention to transfer personal data to third countries (if any),
data storage period or criteria that define that period,
rights related to consents,
the potential existence of automated decision-making, which implies the creation of a profile (meaningful information about the logic of the processing and the potential consequences and importance of the processing itself for the respondent) and the existence of the rights listed below.
In case the data is not collected directly from the respondents, the source of the personal data is indicated along with the stated data.
Right to erasure (“right to be forgotten”) – the respondent has the right from DENTECH d.o.o. obtain the deletion of personal data relating to him, and DENTECH d.o.o. has the obligation to delete personal data without undue delay if one of the following conditions is met:
a. personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
b. the subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing
c. the respondent lodges an objection to the processing, and the legitimate reasons for realizing the right to erasure outweigh the legitimate interest of DENTECH d.o.o. for processing and/or storing personal data
d. personal data were illegally processed
e. personal data must be deleted in order to comply with a legal obligation
The right to access data – the respondent has the right to receive from DENTECH d.o.o. confirmation of whether his personal data is being processed and if such personal data is being processed, access to personal data and purpose of processing, categories of data, potential recipients to whom personal data will be disclosed, etc.
Right to rectification – the respondent has the right to obtain from DENTECH d.o.o. without undue delay. correction of incorrect personal data relating to him. Taking into account the purposes of the processing, the respondent has the right to supplement incomplete personal data, including by providing an additional statement. The right to transfer data – the respondent has the right to receive personal data relating to him, provided by DENTECH d.o.o. in a structured, commonly used and machine-readable format and has the right to transfer this data to another controller. It is necessary to take into account that the right of transfer refers exclusively to the personal data of the respondent.
The right to object – the subject has the right, based on his particular situation, to object to the processing of personal data relating to him at any time.
DENTECH d.o.o. in such a situation, it may no longer process personal data unless it proves that there are compelling legitimate reasons for the processing that go beyond the interests, rights and freedoms of the data subject or to establish, exercise or defend legal claims. Furthermore, if personal data is processed for the purposes of direct marketing, the data subject has the right at any time to object to the processing of personal data relating to him for the purposes of such marketing, which includes the creation of a profile to the extent related to such direct marketing
The right to restriction of processing – the respondent has from DENTECH d.o.o. the right to request the right to limit processing in the event that he disputes the accuracy of personal data, when he considers that the processing is illegal and objects to the deletion of personal data and instead requests the restriction of their use, and in the event that the respondent has filed an objection to the processing and expects confirmation whether it exceeds the legitimate the reasons of the processing manager, the reasons of the respondents
The respondent has the right to demand the realization of any of the above-mentioned rights at any time. DENTECH d.o.o. upon request, provides the respondent with information on the actions taken related to the specified rights, no later than within 3 months of receiving the request (depending on the amount and complexity of the request) – all requests will be attempted to be addressed within 1 month, and the deadline will be extended by a maximum of an additional 2 months when necessary.
If DENTECH d.o.o. does not act on the respondent’s request, without delay and no later than one month after receiving the request, it will inform the respondent of the reasons for not acting.

DENTECH d.o.o. continuously implements appropriate technical and organizational protection measures taking into account the nature, scope, context and purposes of processing, as well as risks of different levels of probability and severity for the rights and freedoms of the data subjects.
The mentioned measures include the implementation of appropriate data protection policies:
– The personal data of the respondents are kept in accordance with internal security standards
– Unauthorized collection, processing or use of personal data is not allowed.
– Employees are strictly prohibited from using personal data of respondents for any purpose that is not in accordance with the conditions defined in chapter IV. Lawfulness of processing.
– Personal data is protected against unauthorized access, use, modification and loss.
– Adherence to this Policy and other policies and procedures related to data protection is also regularly checked and the check is carried out by the Data Protection Officer

DENTECH d.o.o. does not process data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation of an individual.
The processing of the above-mentioned special categories of personal data will be carried out exceptionally under the following conditions:
– the respondent has given express consent to the processing of this personal data for one or more specific purposes
– the processing refers to personal data that is obviously published by the respondent
– processing is necessary for the establishment, exercise or defense of legal claims

DENTECH d.o.o. especially protects the personal data of children, since children may be less aware of the risks, consequences and relevant protective measures and their rights in connection with the processing of personal data. Children are considered to be persons under the age of sixteen.

At the request of the respondent, the transfer of personal data is also possible to partners DENTECH d.o.o. which are entrusted with the performance of certain services. When transferring the data of respondents to external partners, the principle of processing restrictions is strictly observed, with the transfer of the minimum amount of data necessary to realize the requested service.

Business users within DENTECH d.o.o. they can be any legal person, state authority, unit of local or regional self-government and their bodies, associations and societies (sports, cultural, charitable, etc.), as well as any natural person (not a consumer) operating within the area of their registered economic activity or freelance.
DENTECH d.o.o. collects and processes data on business users, transactions, use of products and services and personal data of natural persons (not consumers) operating within the area of their registered economic activity or self-employment and personal data of natural persons (consumers) who are connected to business users.

DENTECH d.o.o. has appointed a Data Protection Officer who is independent and as such acts in the interest of protecting the rights of respondents and their personal data. It is his responsibility to apply the Personal Data Protection Policy and other policies and procedures that define the rules of conduct when collecting and processing personal data of respondents. He is appropriately and timely involved in all matters regarding the protection of personal data.
The data protection officer performs at least the following tasks:
– information and consulting DENTECH d.o.o. and employees who perform processing on their obligations from the Regulation and other provisions of the European Union or the Republic of Croatia on data protection;
– monitoring compliance with the Regulation and other provisions of the European Union or the Republic of Croatia on data protection and the policies of the controller or processor in relation to the protection of personal data, including the distribution of responsibilities, raising awareness and training of personnel participating in processing procedures and related audits;
– providing advice, when requested, regarding data protection impact assessment and monitoring its implementation
– cooperation with the supervisory body;
– acting as a point of contact for the supervisory authority on processing issues, and advising, as necessary, on all other issues.
Respondents can contact the Personal Data Protection Officer via the email address

The personal data protection officer is responsible for ensuring the implementation of the “data protection impact assessment”, i.e. to provide support during the preparation of the assessment. DENTECH d.o.o. must carry out an assessment of the impact on data protection in the case of:
– systematic and extensive assessments of personal aspects related to individuals based on automated processing, including profiling, and on the basis of which decisions are taken that produce legal effects that relate to the individual or similarly significantly affect the individual
– extensive processing of special categories of personal data
– systematic monitoring of the publicly accessible area to a large extent
– in cases of processing prescribed by the supervisory authority (Personal Data Protection Agency)
The impact assessment contains at least:
– a systematic description of the intended processing procedures and processing purposes
– assessment of the necessity and proportionality of processing procedures related to their purposes;
– risk assessment for the rights and freedoms of respondents from the paragraph;
– measures intended to solve the risk problem, which includes protective measures, security measures and mechanisms for ensuring the protection of personal data and proving compliance with the Regulation, taking into account the rights and legitimate interests of the data subjects and other involved persons

DENTECH d.o.o. keeps records of processing activities for which he is responsible, i.e. in cases where he is in the role of processing manager or joint processing manager. This record is in electronic form and contains at least the following information:
 name and contact information of the data controller and Data Protection Officer;
 processing purposes
 description of categories of subjects and categories of personal data
 categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organizations;
 transfers of personal data to a third country or international organization, including the name of the third country or the name of the international organization
 scheduled deadlines for deleting different categories of data, if possible
 general description of technical and organizational security measures
The personal data protection officer is responsible for maintaining the processing register.

DENTECH d.o.o. undertakes significant procedural and technological measures to protect the personal data of respondents. DENTECH d.o.o. is obliged to report the incident to the Personal Data Protection Agency within 72 hours after becoming aware of the violation, if this is feasible.

This Policy shall enter into force on the day of its adoption, and shall be applied from May 25, 2018.