PRIVACY POLICY

In accordance with the General Data Protection Regulation, the Privacy Policy of the University of Zagreb was created for the purposes of transparency and providing data subjects with information regarding the principles, purposes and legal basis of the processing of personal data, the type of personal data collected in relation to our activities and how the data are processed, used and protected, as well as the rights of the data subjects regarding the protection of personal data.

Data controller

University of Zagreb, Trg Republike Hrvatske 14, Zagreb, Personal identification number (OIB): 36612267447, protects your personal data and takes all necessary technical and organisational measures in accordance with the best practices and obligations provided in Croatian legislation and the General Data Protection Regulation.

This document applies to all persons, students, employees, associates, users and website visitors whose personal data the University of Zagreb collects, uses or otherwise processes. This document defines the types of personal data collected and processed by the University of Zagreb, the purpose and manner in which the collected personal data are used, as well as protection measures for personal data and the rights of data subjects.

Principles relating to the processing of personal data

The data are always used for specified, explicit and legitimate purposes for which they were provided and about which you have been informed.

We are obliged to protect your data and keep them safe. Therefore, we only work with reliable partners.

We are obliged to use your data openly and transparently.

We respect your rights and we always try to fulfil your requests to the greatest extent possible and in accordance with our legal and operational obligations.

Processor

The processing of personal data may be entrusted to a processor. In that case, we will conclude a contract with the processor, in which the handling of personal data is prescribed in detail. Therefore, processors will not be able to process your personal data without our order or communicate them to third parties. The University has established contractual relations with the University Computing Centre, which processes data on behalf of the University. In cases in which the University carries out the processing on behalf of another data controller, the University is considered as processor and is obliged to conclude a contract on the processing of personal data in accordance with the regulations.

Types of personal data collected

Personal data are collected in different ways: via forms, web pages, personal contacts, by telephone and others.

The collected personal data may include: name and surname, address and telephone number, JMBAG and OIB numbers, health/pension insurance number, date and place of birth, sex, nationality, bank account number, data on completed education, data on family status, name of father or mother, dependants, trade-union membership, residence/address, data on rights related to employment, e.g. maternity leave, occupational injuries, social rights and support, sick leave, etc., data on the establishment and termination of employment, type of employment relationship, position, data on salaries, working hours, time sheets, marital status, war veteran status, type of study grant, study programme ID, year of enrolment, number of obtained ECTS credits, dormant student statuses and academic years spent on exchange.

Legal basis and purpose of processing personal data

An appropriate legal basis is a prerequisite for any collection of users’ personal data. Personal data are gathered in order to comply with the University's legal obligations (including tax and accounting obligations), respond to requests for information by the state authorities and comply with legal and regulatory obligations, including those related to transparency and disclosure, public interest, and exercise of public power (statistical surveys, use of human resources, monitoring the quality of professional work or the work of professional services, exercise of rights and obligations related to employment and other official purposes).

The collected data are used for the following activities:

- regulating the employment status,

- regulating the relationship with users of the University's services,

- regulating the status of students attending lifelong-learning programmes,

- contracting and carrying out business cooperation with the University of Zagreb,

- implementing legal obligations and requests to which the University of Zagreb is obliged to respond.

As a personal data controller, the University of Zagreb processes the personal data of Erasmus+ candidates solely for the purpose of conducting the call concerned, i.e., the University processes the personal data of the participants in the Erasmus+ Programme solely for the purposes of implementing the Erasmus+ mobility scheme, reporting on the project, drafting and implementing contracts awarding financial support, as well as the disbursement of the financial support. The implementation of the Erasmus+ mobility scheme and reporting on the project imply entering the candidates’ personal data into the database of the University of Zagreb and that of the European Commission (https://webgate.ec.europa.eu/erasmus-esc/index/privacy-statement). The national Agency for Mobility and EU Programmes and the relevant bodies for exercising student rights may be provided with the candidates’ personal data for the purposes of implementing the Erasmus+ mobility scheme and reporting on the project.

Employment candidates and recruitment procedures

The Office for Human Resources of the University of Zagreb collects and processes candidates’ personal data for the purposes of completing the recruitment procedure and establishing an employment relationship. The data can also be processed electronically. If an employment contract is concluded with the candidate, the submitted data will be stored according to the regulations governing employment relationships. If an employment contract is not concluded with the candidate, the candidate’s personal data are deleted after expiration of the appeal period, except where they are retained in the database, with the candidate’s consent, for the purpose of possible future employment.

Cookies

The website of the University of Zagreb and all other network services use cookies. Cookies are small text files which are stored on your computer by your web browser and do not cause any damage. These are technical cookies ‒ obligatory cookies (always active), which are necessary for the proper functioning of the website and cannot be turned off in our systems.

Making personal data available for use

User data are not communicated or exchanged with any other legal or natural persons (hereinafter referred to as „persons”), except in the following cases and to the extent necessary for meeting the specified purpose.

• If there is a legal obligation or explicit authorisation provided by law and the processing of personal data may include their international transfer. The legal obligation may derive from national or EU regulations. Personal data may be accessed by State and public bodies, as well as other legal and natural persons authorised to do so by law or if access is necessary for the purpose of conducting the legally defined recipient’s business activity, on the basis of the recipient’s written request that must contain the purpose, the type of data required and the legal basis for use in accordance with the regulations on personal data protection.
• If a third person is used as processor, in which case appropriate data protection measures shall be applied.
• If that should be necessary to fulfil the stated purpose, your data can be accessed by lawyers and external service providers, who process the data solely according to our explicit instructions.
• If the data needs to be communicated to third parties for the purpose of implementing user contracts or providing a requested service
• based on the user’s consent.
• Personal data can also be transferred for the purpose of complying with legal obligations, including to relevant authorities involved in handling your complaint.

Security of personal data

We collect and process personal data in a manner that ensures appropriate security and confidentiality and enables efficient application of data protection principles, data minimisation, scope of their processing, the period of their storage and their accessibility.

In order to protect the collected personal data, we implement appropriate physical, technical and organisational protection measures to prevent accidental or unlawful destruction, loss, alteration, unauthorised use, disclosure, consultation of or access to the data. All employees of the University are required to protect information about the personal data of the data subjects.

All collected data are stored in protected databases. Those databases can be accessed only by authorised persons. We use tools to protect data and prevent data leakages, continuously monitor critical systems and protect data from unauthorised consultation, alteration, loss, theft and any other breach or misuse. In case of a data breach, we will take all available measures to mitigate the consequences of the breach, inform without delay the relevant institutions and all the data subjects whose data have been affected where there is a risk of a serious threat to their rights and freedoms.

LOCATION OF PERSONAL DATA PROCESSING

As a rule, the subjects’ personal data are processed in Croatia, exceptionally in other countries, and, in that case, as a rule in the Member States of the European Union. Exceptionally, we also process data in other countries, always ensuring that personal data are appropriately protected and that the users are informed.

Retention period of personal data

Your personal data are processed until the purpose of the processing of personal data has been fulfilled. Once that purpose has been fulfilled, we will no longer use the personal data, they will be retained in our filing system and kept in accordance with the applicable regulations.

Automated decision-making

The University of Zagreb does not use automated decision-making (profiling) on this website.

User rights

Under the conditions laid down in the General Data Protection Regulation, the user has the following rights, which can be exercised once the data subject/applicant has been identified:

• right to access stored personal data,
• right to request modification or completion of incomplete personal data,
• right to request erasure of personal data (partial or complete erasure of all personal data can be requested; the University shall exclude and erase the data if they are available),
• right to request restriction of processing,
• right to data portability if the processing is based on consent or a contract,
• right to request rectification of inaccurate personal data,
• right to withdraw consent for the processing of personal data (the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal),
• right to lodge a complaint.

These rights are exercised via a request sent by e-mail to the University of Zagreb's data protection officer or by handing in the request in person in the University's offices.

For all issues related to the protection of personal data at the University of Zagreb, contact the data protection officer by email at gdpr@remove-this.unizg.hr, by post to the University's main seat or by phone at 01 456 4221.

The user has the right to lodge a complaint concerning the collection and processing of personal data with the Croatian Personal Data Protection Agency, Martićeva ulica 14, Zagreb, azop@remove-this.azop.hr, http://azop.hr/.

Amendments to the Privacy Policy

We regularly update the Privacy Policy to ensure that it is accurate and up-to-date, and we reserve the right to alter its content, if deemed necessary. You will be informed about any amendments on our website in accordance with the principle of transparency.