Data protection notice for legal entities

Thank you for visiting our website. We take the protection of your personal data very seriously. We try to inform you comprehensively about the processing of your personal data.

The following personal data protection notice applies to you when you contact us, when you enter into negotiations with us and/or when you conclude a contract with us, as well as when the data of natural persons is being processed in this context.

The legal basis for this is, in particular, the European General Data Protection Regulation (GDPR) and the Act on the Implementation of the General Data Protection Regulation.

Which data will be processed in more detail will depend to a considerable extent on the contracted services. Therefore, not all parts of this notice will be relevant for you.

We basically collect your personal data directly from you.

However, it may also be necessary to process personal data that we receive from other companies, government bodies or third parties such as credit rating agencies, the tax administration and others. This may also include personal data that we receive through our established reporting systems in connection with a possible violation of the law or as part of the verification of received reports of irregularities.

Relevant personal data may include: specific personal data (for example, name and surname, address and other contact data, date and place of birth as well as citizenship), identification data and data for credibility checks (for example, extracts from the business register, data from identity documents, signature card), data within the scope of our business relationship (for example, payment data, order data), data about creditworthiness, data on the company structure and ownership relationships, photos and videos that are taken (for example, when delivering goods) as well as other data similar to those from the above-mentioned categories.

You always have the option to choose whether you want to communicate with us by e-mail or regular mail. In certain circumstances, e-mail communication takes place in an unencrypted form due to technical reasons.

For the purpose of fulfilling contractual obligations (Article 6, paragraph 1, point b. of GDPR)

The purpose of data processing arises from performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

For the purpose of fulfilling legal obligations (Article 6, paragraph 1, point c. of GDPR)

The purpose of data processing derives in individual cases from legal regulations. These legal obligations include, for example, the fulfillment of data storage and identification obligations, such as in the context of regulations on the prevention of money laundering, obligations of tax supervision and tax reporting, as well as data processing in the context of requests from state authorities.

For the purposes of the legitimate interests (Article 6, paragraph 1, point f. of GDPR)

It may be necessary for the personal data you provided to be processed outside the context of the execution of the contract. In this case, legitimate interests particularly refer to the selection of suitable business partners, the implementation of surveys and company checks, the storage and use of contact data of business partners and their employees, and if necessary, their transfer to third parties for the purpose of digitization files, avoiding economic losses, allocation of work results to individual business partners, recording business transactions, negotiating with contacts who are not or will not be direct business partners, and invitations to events. They also refer to the fulfillment of claim requests, identity checks (in the case of companies involved in the transportation of money), defense against claims based on liability, detection and processing of potentially malicious e-mails, protection of our IT infrastructure, management of access authorizations to our systems, access control, facilitating communication and obtaining contact through the directory of all users at the level of the entire business group, clarifying possible compliance violations, preventing criminal acts, resolving damages arising from business relationships and other administrative purposes (optimization of processes and workflows).

When concluding a contract, we sometimes collect information about your creditworthiness through a credit rating agency in order to achieve the above-mentioned legitimate interests. We use the credit information obtained from the credit rating agency to check your creditworthiness. Credit rating agencies store data they receive, for example, from banks or companies. These data include, in particular, first and last names, dates of birth, addresses and information on the regularity of payment. You will receive information about the data stored about you directly from the credit rating agency.

If you sign the contract with an electronic signature (e.g. Adobe Sign), we collect data about the e-mail address, IP address and the time the document was edited (date of approval, display and signature). Every editing of the document is recorded with the exact time and date. Our legitimate interest in the mentioned data processing is the efficient and quick digital processing of contract signatures and appropriate documentation of the signing process for verification purposes.

Furthermore, individual contracts can be signed with a qualified electronic signature. In this case, in addition to the above-mentioned data, we also process data on signature certificates. Our legitimate interest for the processing of this data is to verify the validity of the signature and compliance with the legal requirements of a signature. A prerequisite for using a qualified electronic signature is to register with a qualified trust service provider, which you must carry out yourself. However, a qualified trust service provider recognized in the Republic of Croatia, member states of the European Union or third countries in accordance with Regulation (EU) no. 910/2014 on electronic identification and trust services for electronic transactions in the internal market (hereinafter referred to as the eIDAS Regulation), processes your data that you provided during the registration process on your own initiative and responsibility, and not at our request. 

In our company, access to the data you have provided is given to those departments that need it to fulfill contractual or legal obligations or pursue legitimate interests. In the context of contractual relations, we also engage processors or service providers who can gain access to your personal data. Compliance with legal regulations on the protection of personal data is guaranteed by the contract.

In addition, personal data may be forwarded to member companies of the Schwarz Group in order to fulfill contractual obligations.

In the case of electronic signing of the contract, your data is also available to all persons participating in the conclusion and signing of the contract. This is because after signing the contract, they receive a record in which all processing steps are visible, including the e-mail address, IP address and the date and time of the signature. In addition, your data may become available to the respective trust service providers we use for the electronic signature process. In the case of the Adobe Sign service, the trust service provider is the company Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West, Business Campus, Saggart D24, Dublin, Ireland.

If a qualified electronic signature is used for the electronic conclusion of the contract, your data also becomes available to the qualified trust service provider you use, which must be recognized in the Republic of Croatia, member states of the European Union or third countries in accordance with the eIDAS Regulation, because the trust service provider must check the validity of the signature.

Personal data is retained only for the duration necessary to fulfill the above-stated purposes. Relevant legal obligations for data retention, as outlined in the Accounting Act and General Tax Act, particularly prescribe retention for up to eleven years.

As part of our business relationship, you must provide the personal data necessary for the establishment, implementation, and termination of the business relationship, and for the fulfillment of related obligations, the collection of which is our legal obligation or right based on legitimate interests. In principle, we would not be able to establish a business relationship with you without this data.

If we need to forward personal data to a recipient outside the European Economic Area (EEA), the data is only transferred if the European Commission has confirmed an adequate level of data protection in that country, if an appropriate level of data protection has been agreed with the data recipient (e.g., through European standard contractual clauses), or if we have obtained your consent for this purpose.

You have the right, upon request, to obtain information free of charge about data stored concerning your person. Furthermore, based on legal regulations, you have the right to have your personal data corrected and deleted, the right to data portability, and the right to restrict processing. If you have consented to the processing of your personal data, you have the right to revoke this consent at any time with effect for the future. In such a case, please contact our Data Protection Officer in writing or by e-mail. Furthermore, if you do not agree with the processing of your personal data, you can file a complaint with the competent supervisory authority that is responsible for the protection of personal data.

The data controller is the company with which you are establishing or building a business relationship.

Contact details of the data protection officer:

E-mail: gdpr@kaufland.hr

Postal address:

Kaufland Hrvatska k.d.

Data Protection Officer

Donje Svetice 14, 10 000 Zagreb