Security policy and GDPR

These Privacy Policy and Personal Data Protection Rules (hereinafter referred to as the Rules), based on the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation), explain what personal data is collected in connection with the provision of our services and products, how we process, use, and protect this data, for what purposes we use it, as well as what your rights are.

To understand how and for what purposes Octopus obrt, as the data controller, processes your data, please read these rules. Your privacy and the protection of personal data are of utmost importance to us. If you want to contact us regarding these rules or your personal data, please use the following contact details:

Octopus obrt, Prilaz Gjure Deželića 23/1, 10000 Zagreb, Croatia
Phone: +385 (0) 1 4854420
Business hours: Monday – Friday 12:00 – 20:00h

Email: octopus.obrt@gmail.com

 

WHO PROCESSES YOUR PERSONAL DATA?

Octopus obrt collects personal data for the purpose of your user experience, business improvement, and for marketing purposes.

Octopus obrt also has a website, www.octopuspiercing.hr, and complies with all relevant regulations to protect the privacy of its customers and users.

This document describes how the data controller, Octopus obrt, processes the personal data of customers and/or potential customers and other users. Octopus obrt takes all necessary measures to ensure the security of your personal data.

For all questions regarding personal data, you can contact our Data Protection Officer via email at octopus.obrt@gmail.com.

Octopus obrt’s customers (hereinafter referred to as Customers) or users of our products and services, users who receive our product and service notifications, and users who access our websites are encouraged to read all the information in these Rules to better understand the data Octopus obrt collects and processes, the purpose, the legal basis, with whom and why it is shared, the protective measures in place, and the rights of Customers and users as data subjects.

 

WHAT CATEGORIES OF PERSONAL DATA DO WE PROCESS?

When performing activities for which we are registered as a trade, we will process various categories of personal data.

1. CUSTOMER SUPPORT

If you contact our store or reach out to us in any other way that is available to you, we need your contact information to address the issue you are contacting us about. In addition, we will need to identify you in a manner detailed in our other internal regulations. The data you provide will be used solely for the stated purpose. In certain cases, we may use the services of other legal entities to whom we entrust your data only to the extent necessary to resolve your case (e.g., authorized companies that maintain our website system or delivery service providers for webshop orders).

2. WEBSHOP (ONLINE STORE)

When registering on the www.octopuspiercing.hr website, we collect certain personal data such as your name, address, telephone number, email address, and date of birth to provide various benefits. We recommend that our users create a password for their user account that combines upper and lower case letters as well as numbers to make the password more sophisticated and harder to crack. After registration, the customer can access their data through their account on the www.octopuspiercing.hr webshop, where they have several advantages as a registered user (loyalty program, order history, etc.).

When making a purchase on the www.octopuspiercing.hr website without registration, we collect only the data necessary for the delivery of the purchased goods, and these data are stored for the purpose of fulfilling the contract.

A user of our website can choose whether they want to receive promotional messages or not by giving consent to receive newsletters, regardless of whether they have registered on the website or not.

To deactivate your account on www.octopuspiercing.hr, you can contact us at octopuspiercing@gmail.com. In this case, the data will be stored in the webshop system for as long as there is a legitimate purpose, and at least for the duration of the contract between the user and Octopus obrt.

Providing personal data is the decision of the user who may or may not use the benefits of our company. If a user decides not to provide the data required for a specific activity, that activity cannot be performed.

Octopus obrt does not store credit card information or any similar data, nor do we process it on our websites. This information is processed on secure pages of online card payment processors (payment gateways) where everything is done through encryption, and as a company, we do not see this data in its original form. As a user, you can choose to leave your data permanently on the payment pages, but this data is not on our servers or within our software. We advise you to read how these pages process and record this type of data.

Octopus obrt automatically collects personal data from your computer, and there are situations in which we collect other types of data, such as the date and time of access to our website, information about the hardware, software, or web browser you are using, as well as the operating system of your computer, application version, and your language settings. We may collect information about clicks and your access to the pages shown to you.

3. EMPLOYEES AND COLLABORATORS

Octopus obrt collects and processes personal data from its employees and other collaborators for the purpose of executing employment contracts signed with employees and consulting contracts and/or work contracts signed with collaborators, which relate to personnel, administrative, or other business/contractual purposes. In the latter case, we collect and process data such as: name, surname, gender, nationality, place of residence, date and place of birth, personal identification number, title, occupation, data on professional training, information related to health insurance, work experience, bank account number (IBAN), signature, and others.

4. SUPPLIERS AND BUSINESS PARTNERS

From suppliers and other clients or collaborators and business partners, we collect and process data such as the name and surname of the responsible person in a legal entity, contact details of the person responsible for communication and the execution of contracted obligations.

5. RECRUITMENT PROCESS

From job candidates, in order to assess their potential employment, Octopus obrt may collect and process data including name, surname, address, contact information, education level, nationality, qualifications, occupation, information about previous work experience, data related to professional development and training, and test results that may reflect the candidate’s ability to perform all job duties required by the specific position they are applying for. Data processing is based on consent and the clear purpose of data collection, and we will inform you about this when opening the recruitment process.

6. RECEIVING NOTIFICATIONS ABOUT OUR SERVICES AND PRODUCTS (NEWSLETTER)

From subscribers to our newsletter, for the purpose of informing about our new products and the benefits you can obtain, we collect data such as email addresses. Processing of this data is based on consent or our legitimate interests, primarily to monitor and ensure a high standard of quality for our services and products, thereby increasing your satisfaction, especially for sending information about our products and services that can lead to additional savings and increased satisfaction with our services.

7. EXERCISING DATA SUBJECT RIGHTS AND RESPONDING TO CUSTOMER AND USER REQUESTS

When processing your requests for the protection of rights, we will process your personal data such as name, surname, OIB (personal identification number), or address. We must process this data to fulfill our obligations arising from applicable regulations.

8. VIDEO SURVEILLANCE

Video recordings obtained through the video surveillance system contain specific characteristics and features of individuals that can identify each individual, and are considered personal data.

We process personal data through video surveillance cameras for the purpose of protecting individuals and property. Octopus obrt collects and continues to process the personal data of customers and/or users and all other visitors who enter our business premises based on our legitimate interest.

Upon request from competent authorities (police, courts), video recordings can be provided for the purpose of proceedings based on specific regulations.

 

WHAT ARE YOUR RIGHTS REGARDING PERSONAL DATA PROTECTION?

Octopus obrt respects that every user should have the ability to ensure the accuracy, completeness, and timeliness of their personal data. If a user believes that their personal data is incomplete, inaccurate, or not up to date, they can contact Octopus obrt by sending an email to octopuspiercing@gmail.com.

Please note that at any time, you have the right to request the following from Octopus obrt:

  1. To provide you with access to your personal data. You can ask the data controller which of your personal data is being used and request access to those personal data. You have the right to know the purpose of processing, the categories of your personal data that we keep, the recipients or categories of recipients with whom your personal data is shared, the data retention period, as well as the data source in cases where data is indirectly collected. You can contact us if you want a copy of some or all of the personal data we hold about you.
  2. Request the correction of incorrect data. We want your personal information to be accurate and up to date. You can ask us to correct or remove information that you believe is inaccurate or outdated.
  3. Request the deletion of personal data. You can request the data controller to stop processing or even delete your personal data. If we need your personal data to fulfill a contractual obligation to you, the data controller may no longer be able to perform such contractual obligations. Additionally, if your personal data is required to meet certain legal obligations (e.g., tax obligations), your request may not be able to be fulfilled.
  4. Restrict access to your data (by us and/or third parties) in certain processes or entirely. If you want to dispute the accuracy of data or we no longer need personal data for the processing purpose, but you need them for the establishment, execution, or processing of legal claims, or you have objected to the processing based on what we consider to be legitimate interests, you have the right to request the restriction of the processing of personal data.
  5. File a complaint about how we use your data. If you want to dispute the accuracy of data or we no longer need personal data for the processing purpose, but you need them for the establishment, execution, or processing of legal claims, or you have objected to the processing based on what we consider to be legitimate interests, you have the right to request the restriction of the processing of personal data.
  6. Request the transfer of data to another data controller (portability of rights). If the processing is based on your consent or is carried out by automated means, you have the right to request Octopus obrt to transfer data to another data processor.

To exercise any of the above rights, please use the contact information provided at the beginning of these Rules. If you are not satisfied with how we have collected or used your personal data, you can file a formal complaint with the Croatian Personal Data Protection Agency.

 

WHERE ARE YOUR PERSONAL DATA STORED, AND WHO HAS ACCESS TO YOUR DATA?

We store the personal data we collect about you in a secure environment. Your personal data is protected against unauthorized access, disclosure, use, alteration, or destruction by any organization or individual.

Processed data is stored in our premises and IT systems, but sometimes we store data on servers of our trusted service providers.

Octopus obrt will ensure that personal data are kept in a safe place (which includes reasonable administrative, technical, and physical protection to prevent unauthorized use, access, disclosure, copying, or alteration of personal data), accessible only to authorized personnel.

The collected data for the purposes outlined in these Rules will be stored only for as long as necessary to fulfill those purposes. Your personal data will not be stored in a form that allows you to be identified for longer than Octopus obrt reasonably believes is necessary to achieve the purpose for which they were collected or processed. If you are interested in specific data retention periods, you can contact our Data Protection Officer.

Octopus obrt will keep certain personal data for a period prescribed by law or regulation that obliges us to keep the data.

In case you have given us your consent, we will process your personal data until your consent is withdrawn. If you raise a legitimate objection to the processing of personal data based on a legitimate interest, we will not process your personal data in the future.

In addition, it is important to note that if legal, administrative, or extrajudicial proceedings are initiated, personal data may be retained until the end of such proceedings, including the possible period for filing legal remedies. Therefore, Octopus obrt will keep certain personal data for the time prescribed by law or regulation that obliges the data controller to keep the data.

Data protection is important to us, so we will never share your personal data with third parties except for the purposes described in these Rules.

 

DOES OCTOPUS OBRT SHARE DATA WITH THIRD PARTIES?

Octopus obrt collaborates with other companies. This means that we sometimes share your personal data using secure IT systems. When we do so, the data is transferred to servers located in the EU or in a country that provides an adequate level of protection in accordance with EU legislation.

As the data controller of personal data, Octopus obrt may transfer personal data outside the EU when it is necessary to fulfill a contract between Octopus obrt and a data processor and/or another data controller or to comply with legal obligations. In the latter case, Octopus obrt transfers personal data to countries that provide an adequate level of protection only through contract models that contain binding clauses or through binding corporate rules or in accordance with an approved certification mechanism and/or privacy shield framework for the transfer of personal data from the European Union and Switzerland.

Octopus obrt uses tools and services from social media companies that do not operate within the European Union, and we are required to inform you that these third parties managing social media may transfer your data to the USA, where they are shared with intelligence services in accordance with the regulations in force in the USA.

We care about the protection of your personal data, which is why we have initiated mechanisms to provide even greater protection. Temporary data transfers regarding Google and Facebook service providers are based on the consent of the data subjects to the proposed transfer, and we always emphasize that there are risks associated with such transfers due to the lack of an adequacy decision and appropriate safeguards by Google Ireland Ltd. and Facebook Ireland Ltd. as independent data controllers.

Octopus obrt will send a specific notice to Users or Customers in cases where:

  • data transfer is necessary for the execution of a contract or the performance of pre-contractual measures at the request of the data subject
  • data transfer is necessary for the conclusion or performance of a contract concluded in the interest of you as a Customer or User, between us as the data controller and another natural or legal person
  • data transfer is necessary for establishing, exercising, or defending certain legal claims.

We will inform you of all measures taken and will update our internal documents after the ongoing procedures are completed.

We may disclose your personal information to our trusted partners who maintain our IT system or provide services on behalf of Octopus obrt, for example, for marketing, delivery, finance, advertising, debt collection services, legal services, and other services in Octopus obrt, without which we would not be able to ensure the adequate performance of our obligations and contracted services. However, service providers are obligated, under relevant agreements, to use the data entrusted to them only in accordance with our guidelines and strictly for the purpose we have specified. We also obligate them to adequately protect your data and consider them as a business secret. Moreover, you do not need to worry because the compliance of our partners with the applicable regulations of the Republic of Croatia is checked through regular audits.

 

PERIOD AND PLACE OF DATA STORAGE

The period of personal data storage that we collect depends on the processing purpose for which they were collected.

We retain your personal data during the contract formation process and while using our services or products, and we delete them upon the termination of the contractual relationship, expiration of all legal obligations, or cessation of the legal bases under the General Data Protection Regulation related to the processing of your personal data. Therefore, we must inform you that in certain situations, we may not be able to delete your data because other valid regulations of the Republic of Croatia obligate us to retain them.

We retain your personal data in case a process of forced collection of unpaid claims is initiated until the legally valid conclusion of the procedure or, if an objection to the product or service is filed within the set deadline, until the final completion of the objection procedures in accordance with applicable regulations.

 

OTHER WEBSITES

These Privacy Rules apply only to the use and data collected by Octopus obrt from users (data subjects). Other websites that can be accessed through the website www.octopuspiercing.hr have their own statements on confidentiality and data collection, as well as the ways they use and disclose data.

Octopus obrt is not responsible for the methods and conditions of operation of third parties. You can find out more about the privacy rules of third parties on their websites.

FACEBOOK ONLINE https://www.facebook.com/policy.php
YOUTUBE ONLINE https://policies.google.com/privacy?hl=hr
INSTAGRAM ONLINE https://help.instagram.com/519522125107875
TWITTER ONLINE https://twitter.com/en/privacy
LINKEDIN ONLINE https://www.linkedin.com/legal/privacy-policy
FOR FACEBOOK:
FACEBOOK IRELAND Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Contact the Data Protection Officer:

https://hr-hr.facebook.com/policy.php

https://www.facebook.com/help/

If you are not satisfied with the way your personal data are collected and processed, you can contact the lead supervisory authority of Facebook, the Irish Data Protection Commissioner, or the Croatian Personal Data Protection Agency.
FOR YOUTUBE:
Google Ireland, Ltd., Gordon House Barrow St, Dublin 4, Ireland

Contact the Data Protection Officer:

https://support.google.com/policies/contact/general_privacy_form

If you are not satisfied with the way your personal data are collected and processed, you can contact the lead supervisory authority for YouTube, the Irish Data Protection Commissioner, or the Croatian Personal Data Protection Agency.
FOR INSTAGRAM:
FACEBOOK IRELAND Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Contact the Data Protection Officer:

https://hr-hr.facebook.com/policy.php

https://www.facebook.com/help/contact/540977946302970

If you are not satisfied with the way your personal data are collected and processed, you can contact the lead supervisory authority for Instagram, the Irish Data Protection Commissioner, or the Croatian Personal Data Protection Agency.

 

USE OF INTERNET COOKIES

To maintain the website and ensure its functionality, Octopus obrt uses a technology commonly known as “cookies.”

A cookie is a small text file that is stored on your computer or mobile device when you visit a specific website. With cookies, the website can remember your actions and settings (such as login, language, font size, and other display-related settings) for a predefined period, so you don’t have to re-enter them every time you return to the same page or browse different pages on the same website. Cookies can be temporary or permanent, such as JavaScript or Flash technology. Thanks to cookies on our site, you can browse content effortlessly, and results relevant to you will be displayed.

 

USE OF GOOGLE ANALYTICS TOOL

For statistical analysis and measuring the effectiveness of the website www.octopuspiercing.hr, we use Google Analytics – a service for measuring web traffic and related Google services.

You can learn more about Google’s privacy policies at this link.

These rules do not apply to third-party services that have separate privacy policies. However, in accordance with data protection regulations, Octopus obrt is obligated to inform its users about the data collected by Google when providing its services to other individuals and legal entities.

Octopus obrt cannot fully influence Google’s data processing during your use of their services. Please carefully read the sections of these rules to learn how Google processes your personal data.

The data that Google collects includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including the operator’s name and phone number, and app version number.

Additionally, Google collects data on the interaction of apps, browsers, and devices with Google services, including IP address, crash reports, system activity, and the date, time, and URL of requests made by users.

Google collects data when Google’s service on your device contacts Google’s servers – for example, when you install an app from the Play Store or when the service checks for automatic updates. If you use an Android device with Google apps, your device occasionally contacts Google servers to provide device information and connect to their services. This includes information such as the device type, mobile operator name, crash reports, and installed apps.

For details on the use of Google and other cookies, please refer to the Terms of Use of the website.

 

ENTRY INTO FORCE AND RULES CHANGES

These Rules come into force upon publication on the website.

Octopus obrt reserves the right to amend and supplement these Rules, which will be published on the website. In the event that changes significantly affect your rights or pose a risk to the exercise of your rights, we will inform you about the changes through the most adequate means depending on the specific situation.