GDPR Compliance
Your data protection rights under European law
Introduction
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies throughout the European Union, including Croatia. As a Croatian company serving international clients, Toward Shift fully complies with GDPR requirements.
This page explains your specific rights under GDPR and how we fulfill our obligations as a data controller.
Data Controller Information
For the purposes of GDPR, the data controller is:
Toward Shift d.o.o.
Ulica Svetog Polikarpa 24
52100 Pula, Croatia
Email: [email protected]
Lawful Basis for Processing
We process your personal data only when we have a lawful basis to do so. Under GDPR Article 6, our processing activities rely on:
Consent (Article 6(1)(a))
When you provide explicit consent for specific processing activities, such as receiving marketing communications about properties or market updates. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Contractual Necessity (Article 6(1)(b))
Processing necessary to perform our contractual obligations when you engage our services. This includes searching for properties, coordinating viewings, conducting due diligence, and facilitating transactions.
Legal Obligation (Article 6(1)(c))
Processing required to comply with Croatian and EU legal requirements, including anti-money laundering regulations, tax obligations, and real estate transaction documentation requirements.
Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate business interests, provided these interests do not override your fundamental rights and freedoms. This includes improving our services, preventing fraud, and maintaining business records.
Your GDPR Rights
GDPR grants you comprehensive rights regarding your personal data. We respect these rights and provide mechanisms for you to exercise them.
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data. You may request a copy of your personal information in our possession, along with details about how we use it.
We provide the first copy free of charge. For additional copies or manifestly unfounded requests, we may charge a reasonable administrative fee.
Right to Rectification (Article 16)
If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected or completed. We will make corrections promptly and notify third parties to whom we've disclosed the data where appropriate.
Right to Erasure (Article 17)
Under this right, also known as the "right to be forgotten," you may request deletion of your personal data when:
- The data is no longer necessary for the purposes for which we collected it
- You withdraw consent and there is no other legal ground for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
This right is not absolute. We may retain information when required by law or when other legitimate grounds exist, such as ongoing legal obligations related to completed transactions.
Right to Restriction of Processing (Article 18)
You may request that we limit how we process your data in certain circumstances:
- When you contest the accuracy of data, pending verification
- When processing is unlawful but you prefer restriction over erasure
- When we no longer need the data but you require it for legal claims
- When you've objected to processing, pending verification of legitimate grounds
When processing is restricted, we may store the data but not use it except with your consent or for legal purposes.
Right to Data Portability (Article 20)
For data you've provided to us based on consent or contract, and which we process by automated means, you have the right to receive that data in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will cease such processing immediately. For objections based on legitimate interests, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Article 22)
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. Our services involve personal consultation and human judgment throughout.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected] with your request. Please include:
- Your full name and contact information
- A clear description of the right you wish to exercise
- Specific information about what data or processing you're referring to
- Any supporting information that helps us verify your identity
We will respond to your request without undue delay and within one month of receipt. In complex cases, we may extend this period by two additional months, in which case we will inform you of the extension and the reasons for delay.
Data Protection Principles
Our data processing practices adhere to the core GDPR principles outlined in Article 5:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. This GDPR page and our Privacy Policy explain our practices clearly.
Purpose Limitation
We collect data for specified, explicit, and legitimate purposes. We do not process data in ways incompatible with those purposes.
Data Minimization
We collect only data that is adequate, relevant, and limited to what is necessary for our stated purposes.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate data is erased or corrected without delay.
Storage Limitation
We retain personal data only as long as necessary for the purposes for which it was collected or as required by law.
Integrity and Confidentiality
We implement appropriate security measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability
We are responsible for demonstrating compliance with these principles and maintain documentation of our processing activities.
Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay. We will also report the breach to the Croatian supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33.
Our breach notification will include:
- Nature of the breach and categories of data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for obtaining more details
Third-Party Processing
When we engage third parties to process personal data on our behalf, we ensure they provide sufficient guarantees of GDPR compliance. We enter into written contracts (Data Processing Agreements) that specify:
- The subject matter and duration of processing
- The nature and purpose of processing
- Categories of personal data and data subjects
- Rights and obligations of both parties
- Technical and organizational security measures
International Data Transfers
When transferring personal data outside the European Economic Area, we ensure adequate protection through:
- Transfers to countries with adequacy decisions from the European Commission
- Standard Contractual Clauses approved by the European Commission
- Other legally recognized transfer mechanisms under GDPR Chapter V
Children's Data
Our services are not directed to children under 16 years of age. We do not knowingly process personal data of children without parental consent where required by law.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. The relevant authority for Croatia is:
Croatian Personal Data Protection Agency
(Agencija za zaštitu osobnih podataka)
Martićeva 14
10000 Zagreb, Croatia
Website: azop.hr
However, we encourage you to contact us first so we can address your concerns directly.
Updates to This Information
We may update this GDPR compliance information to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website or direct notification to active clients.
Questions About GDPR Compliance
If you have questions about how we comply with GDPR or wish to exercise your data protection rights, please contact us at [email protected]. We are committed to transparency and will respond to all inquiries promptly.