Privacy Policy
We, Katapult promocija d.o.o. (hereinafter referred to as “we” or “Katapult”), understand the importance of protecting personal data and maintaining a transparent and trustworthy environment. This Privacy Policy (hereinafter referred to as the “Privacy Policy”) provides information about our commitment to protecting the privacy of all individuals whose personal data we process within our organization. The Privacy Policy contains details about the types of personal data we collect, how we use and store that data, and the measures we adopt to ensure its confidentiality.
This Privacy Policy is intended for our partners, suppliers, website visitors, and guests attending events we organize (hereinafter referred to as “you” or “the data subject”). We process your personal data exclusively in accordance with data protection regulations, in particular the General Data Protection Regulation 2016/679 (hereinafter referred to as the “GDPR”). Through this Privacy Policy, we aim to inform you about the processing of your personal data and your rights as a data subject.
1. Data Controller
The company responsible for the processing of personal data in accordance with data protection regulations is:
Katapult promocija d.o.o.
Slavonska avenija 26/1
10000 Zagreb
E-mail: katapult@katapult.hr
If you have any questions or suggestions regarding personal data protection, please feel free to contact us using the contact details provided above.
2. Definitions
The essence of personal data protection lies in ensuring the lawful processing of personal data. For better understanding, below you can find definitions of the relevant terms used in this Privacy Policy:
“Personal data” means any information relating to an individual whose identity is identified or can be identified (the so-called data subject). An identifiable individual is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, etc. Your personal data includes all information relating to you. This includes data such as your name, residential address, email address, or telephone number, as well as other information we process during your employment.
“Data subject” means a living individual whose identity is identified or can be identified, or to whom personal data relates (e.g., a website visitor). In the context of this Privacy Policy, you are the data subject.
“Special categories of personal data” are data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used for the purpose of uniquely identifying an individual, data concerning health, or data concerning an individual’s sex life or sexual orientation.
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Data controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In your case, the data controller is KATAPULT.
“Data processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
“Affiliated companies” means companies that are connected to Katapult through ownership or management relationships.
3. Principles of Personal Data Processing
We process your personal data in accordance with the following principles of personal data protection:
- Lawfulness, fairness, and transparency: personal data is processed in a lawful, fair, and transparent manner.
- Purpose limitation: personal data is collected and processed solely for specific, explicit, and legitimate purposes and is not processed for purposes incompatible with the original purpose.
- Data minimization: the amount of personal data collected must be adequate and limited to what is necessary for the purpose for which the personal data is processed.
- Accuracy: personal data must be accurate and, where necessary, kept up to date.
- Storage limitation: personal data must not be kept longer than necessary for the purpose for which it is processed.
- Integrity and confidentiality: personal data must be processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the implementation of appropriate technical or organizational measures.
Compliance with these key principles is a fundamental part of good data protection practice and enables us to respect your rights as a data subject and ensure that you can exercise them effectively.
If it is likely that a type of processing, particularly through the use of new technologies and taking into account the nature, scope, context, and purposes of the processing, will result in a high risk to the rights and freedoms of individuals, KATAPULT will conduct a data protection impact assessment of the proposed processing activities before processing begins.
4. Personal Data We Process
We process your personal data to the extent necessary for the performance of your employment contract, particularly for the purpose of salary and benefits payment, incentive plans, the provision of employee benefits, and staff training.
The categories of employee personal data we process are as follows:
- Identification and contact data, including first and last name, mobile and/or home phone number, business phone number, and email address.
- Personal photographs, including photos, videos, and audio recordings.
- Data collected through the information system, including name, contact details, and employee ID, electronic identifiers such as IP addresses, log-in information for websites you have visited, as well as information about when you accessed the IT system.
5. Purposes and Legal Basis for the Processing of Personal Data
In accordance with applicable data protection regulations, there are various legal bases on which we may rely when processing your personal data. We process your personal data if one of the following applies:
- The processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (in accordance with Article 6(1)(b) of the GDPR);
- The processing is necessary for compliance with a legal obligation to which KATAPULT is subject (in accordance with Article 6(1)(c) of the GDPR);
- The processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (in accordance with Article 6(1)(f) of the GDPR);
- You have given consent to the processing of your personal data for one or more specific purposes (in accordance with Article 6(1)(a) of the GDPR).
Providing your personal data may be a condition for entering into and/or performing a contractual relationship; therefore, you are required to provide certain personal data. If you do not provide certain personal data, we may be unable to establish a business relationship with you, or your refusal to provide personal data may significantly affect, or even prevent, the fulfillment of the relevant purposes outlined in this Privacy Policy.
We will specifically inform you when you are required to provide personal data and the possible consequences of not doing so.
Below, you can find an overview of the purposes and legal bases for the processing of personal data.
5.1 Performance of the Contract
We process your personal data when necessary for the performance of a contract to which you are a party or for the performance of pre-contractual actions taken at your request, primarily in connection with the execution of your employment contract. The purposes of data processing include establishing and maintaining the employment relationship.
5.2 Compliance with Legal Obligations
We process your personal data in accordance with the legal obligations to which we are subject. These obligations may arise, for example, from labor, tax, financial, or criminal law. The purposes of processing arise from the applicable legal requirements.
5.3 Legitimate Interests
We also process your personal data for the purposes of our legitimate interests or the legitimate interests of third parties, unless such interests are overridden by your interests or fundamental rights and freedoms, taking into account your reasonable expectations arising from your relationship with us. Processing based on legitimate interests is carried out for the following purposes or to protect the following interests:
- Efficient operation and development of KATAPULT;
- Improvement of our processes and practices;
- Ensuring compliance with internal rules and policies, as well as applicable laws and business standards;
- Avoiding or mitigating potential harm to you, us, and/or third parties;
- Managing work performance;
- Further development of products, services, and support offerings, as well as other measures to control business transactions and processes;
- Risk management;
- Ensuring legally compliant actions, preventing and protecting against legal violations (particularly criminal offenses), submitting and defending legal claims, and implementing internal and external compliance measures;
- Protection of people and property, e.g., through video surveillance and other security measures within legally permitted frameworks;
- Ensuring the availability, operation, and security of technical systems, as well as managing technical data;
- Responding to and assessing contact requests and feedback.
5.4 Consent
We may process your personal data based on your given consent. If you provide your consent, it is always for a specific purpose, and the purposes of processing are determined by the content of your consent statement. You may withdraw your consent at any time in the same manner in which you gave it, without affecting the lawfulness of processing based on consent before it was withdrawn.
5.5 Processing of Special Categories of Personal Data
Sometimes we may process your data that constitute special categories of personal data, or information from which special categories of personal data can be derived. In the event of processing such personal data, we will ensure that the processing is based on a valid legal basis. This specifically includes:
- Processing of personal data based on your explicit consent and for a specific purpose (in accordance with Article 9(2)(a) of the GDPR);
- Processing of personal data for the establishment, exercise, or defense of legal claims, or whenever courts act in their judicial capacity (in accordance with Article 9(2)(f) of the GDPR); or
- Processing of personal data in exceptional cases when it is necessary to protect your vital interests or the interests of another individual if you are physically or legally unable to give consent (in accordance with Article 9(2)(c) of the GDPR).
5.6 Change of Purpose
When we process your personal data for a purpose different from the one for which the data was originally collected, and without your appropriate consent or a legal basis, we will consider whether the processing for the new purpose is compatible with the original purpose. In doing so, we will take into account any link between the purposes, the context in which the personal data were collected, the nature of the personal data, the possible consequences of the intended further processing, and the existence of appropriate safeguards, in accordance with Article 6(4) of the GDPR.
5.7 Automated Individual Decision-Making and Profiling
Automated decision-making within the meaning of Article 22 of the GDPR means that certain decisions are based solely on automated processing, including profiling, without human intervention. If such decisions produce legal effects concerning you or similarly significantly affect you, you have the right to request that such decisions not apply to you.
We do not use such automated decision-making in the processing of your personal data.
6. Sources and Categories of Personal Data We Collect from Third Parties
We primarily obtain your personal data directly from you during business communications or when you visit our website.
KATAPULT may occasionally receive personal data about you from external sources, such as information published on websites or in the media, or if your data is provided to us by our affiliated company. When we receive your personal data from a third party, we will inform you within a reasonable period, and no later than one month.
7. Recipients of Personal Data
Within the organization, only those individuals who require access to your personal data for the purposes specified in each case are granted access. Your personal data will be disclosed to external recipients only if permitted by law or if we have your consent. Below, you can find an overview of the relevant recipients of personal data:
- Affiliated companies: Certain personal data may be transferred to affiliated companies, particularly for the following purposes:
  - Internal communication (maintaining an internal register of addresses and phone numbers);
  - Performance evaluation and participation in bonus programs; corporate standardization of evaluations; participation in reward programs and corporate surveys;
  - Other purposes when necessary for the performance of the employment relationship, compliance with legal obligations, legitimate interests, or when you have given consent for such disclosure and transfer of personal data, provided such disclosure and transfer is lawful.
- Data processors: Our external service providers, for example in the areas of accounting, technical infrastructure, and maintenance, who are carefully selected and vetted. Data processors handle personal data exclusively in accordance with our instructions.
- Public authorities: Such as tax authorities, social security bodies, public prosecutors, or courts, to whom we must transfer personal data, for example, to fulfill legal obligations or protect legitimate interests.
- Potential investors, sellers, or buyers of KATAPULT PROMOCIJA d.o.o. and their advisors, to whom we may provide your personal data for the purpose of conducting due diligence in connection with mergers, acquisitions, or other business transactions.
- Other persons: If necessary, to any other person with your consent.
A list of all affiliated companies or other external recipients to whom we disclose your personal data or who currently process such data on our behalf is available upon request.
All affiliated companies and other external recipients of personal data are required to handle your personal data confidentially and process it solely within the scope of providing their services.
8. International Data Transfers
We do not transfer your personal data to organizations whose headquarters or data processing location is outside a European Union member state, another country that is a signatory to the European Economic Area Agreement, or a country for which the European Commission has issued an adequacy decision.
If such a transfer to third countries becomes necessary, we will put appropriate safeguards in place to ensure an adequate level of protection for your data. In particular, we may rely on the standard data protection clauses adopted by the European Commission for transfers of data to third countries.
If the data transfer is based on Articles 46, 47, or 49(1) second subparagraph of the GDPR, you can obtain from us a copy of the safeguards we have implemented to ensure an adequate level of data protection in connection with the data transfer or the location where they are made available.
9. Retention Period and Deletion
Collected personal data will be retained until you withdraw your consent, provided there is a legal basis for such retention. If you object to the processing, we will delete your personal data unless further processing is permitted or required under applicable law. Additionally, we will delete your personal data if we are required to do so for other legal reasons. Applying these general principles, we usually delete your personal data immediately:
- After the legal basis ceases to apply, provided no other legal basis applies (e.g., retention periods in accordance with labor and tax laws). If the latter applies, data will be deleted once the other legal basis no longer applies; or
- If your personal data is no longer necessary for the purposes for which it was collected and no other legal basis exists. If the latter applies, data will be deleted after the other legal basis ceases to apply.
Some general retention periods for personal data processed within the employment context are:
- Documents used for bookkeeping – 11 years from the last day of the financial year to which the books relate.
Personal data collected through video surveillance is retained for a maximum of six months.
10. Accuracy and Completeness of Personal Data
We strive to ensure that the personal data we process is accurate, complete, and up to date. This is necessary to comply with obligations arising from data protection regulations, as well as to properly and effectively fulfill obligations arising from the employment relationship.
If you notice any inaccuracy or incompleteness in your personal data, please inform us as soon as possible so that the data can be corrected and/or completed.
11. Your Rights Regarding Personal Data Protection
As a data subject, you have a range of rights. You are entitled to:
Right of access to personal data: You have the right to obtain information about the personal data we process about you. You may request access to your personal data, and we will make every effort to respond to your request within one month. However, certain exceptions may apply, meaning access to some personal data may be denied, including cases where applicable law prohibits the disclosure of such data.
Right to rectification: You may request the correction (or update) of any of your personal data that is inaccurate, outdated, or incomplete.
Right to erasure: You may request the deletion of your personal data that we process (e.g., if the processing is no longer necessary for the employment relationship or if you withdraw your consent).
Right to restriction of processing: You may request that we limit the processing of your data, provided certain conditions are met.
Right to data portability: If you have provided data to us based on a contract or consent, you may, if legal conditions are met, request that the data you provided be transferred in a structured, commonly used, and machine-readable format or transmitted to another data controller.
Right to object: You have the right at any time to object to the processing of your data that we perform for the purposes of our legitimate interests, if you have reasons for doing so. If you exercise your right to object, we will cease processing your data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if it is necessary for the establishment, exercise, or defense of legal claims.
Objection to direct marketing: If we process your personal data for direct marketing purposes, you have the right to object at any time to our processing of your data for such purposes. If you exercise this right, we will stop processing your data for direct marketing.
Withdrawal of consent: If you have given us consent to process your personal data, you may withdraw it at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing based on consent before it was withdrawn.
Contacting us and exercising your rights: You may contact us free of charge if you have questions regarding the processing of your personal data and your rights as a data subject. Please ensure that we can reliably verify your identity. If you wish to withdraw your consent, you may do so in the same manner in which you originally provided it.
To exercise your rights, please contact us using the contact details provided above.
12. Data Protection Measures
We are committed to ensuring the security of the personal data we process and take reasonable physical, electronic, and organizational measures to protect data from unauthorized or improper access or use.
We have implemented technical and organizational measures to ensure an appropriate level of protection for your personal data, all in accordance with applicable data protection regulations. All employees involved in the processing of personal data are required to sign a confidentiality agreement regarding data processing, at the latest upon assuming their duties.
All employees engaged in the processing of personal data must undergo training and be aware of their obligation to protect the personal data they handle in their daily work.
13. Right to Lodge a Complaint with a Supervisory Authority
If you wish to exercise any of your rights guaranteed under data protection regulations, particularly the GDPR and the Act on the Implementation of the GDPR, please first contact us as the data controller processing your personal data.
If we are unable to resolve your concern and you believe that your rights have not been properly upheld and that your data protection rights have been violated, you may contact the Data Protection Agency with a request to investigate the alleged infringement.
14. Publication and Changes to This Privacy Policy
KATAPULT will make this Privacy Policy available by publishing it on the website.
The terms of this Privacy Policy may change over time.
The most recent version of this Privacy Policy applies.