A legal person accessing the PLATFORM shall have the obligation to participate in the creation of necessary conditions pertaining to the personal data protection, to the highest possible extent, so that NEOSTAR, NEOSTAR’s affiliated companies and third persons appointed by NEOSTAR could appropriately use the data as authorized persons. If there is no permission for data processing based on law or any other legal rule, the Legal person accessing the PLATFORM is obliged to submit a declaration of consent for personal data processing to the respective persons and try to get their consent within the legally allowed framework. The Legal person accessing the PLATFORM is obliged to ensure possible forwarding of data within and outside of the EU in the declaration. The Legal person accessing the PLATFORM shall, upon NEOSTAR’s invitation submit the necessary personal data processing consents at any time, should NEOSTAR ask so. NEOSTAR shall have the right to store and keep personal and business data they have received from the Legal person accessing the PLATFORM even after the cessation of the business relationships which are subject of these General Terms and Conditions.
Personal data shall be processed pursuant to the guidelines contained in the applicable regulations/provisions of the Regulation, Act on the General Data Protection Regulation Implementation (OG 42/18) and other legal regulations in force that regulate data protection.
If the Data subject does not provide mandatory information for a certain activity for which the PLATFORM requires information, they shall not be granted access to such activity because without these data, the activity on the PLATFORM shall not be executable. Withdrawal of consent shall disable the use of PLATFORM.
NEOSTAR d.o.o., Zagrebačka 117, HR-10410 Velika Gorica, OIB: 24813383735,
Controller contact data:
+385 (0) 98 9802 081; e-mail: [email protected]
Data protection officer contact data: N/A (Data protection officer has not been appointed because there is no legal obligation to do so);
Processing purpose: NEOSTAR collects and processes personal data of the Data subject for the purpose of the contractual relationship i.e. the use of the PLATFORM, or to be more precise, for the purpose of conducting a secure check of the authenticity of the Data subjects who access the PLATFORM, realization of motor vehicle purchase contract and other accompanying activities, delivery of the motor vehicle to the Data subject, communication with the Data subject, possible legal procedures regarding the realization of the contract, and we partly apply automated processing procedures in order to constantly advance our processes in the best interest of our Data subjects, to make the offers more custom-made for Data Subjects and to adapt our scope of services as much as possible to the habits and needs of Data Subjects.
For the purposes of processing, NEOSTAR and/or the PLATFORM use certain tools which, among other things, enable marketing communication with the USERS.
Every marketing e-mail that NEOSTAR and/or the PLATFORM send to the USER shall contain a note explaining how to, easily and free of charge, refuse the use of data for marketing purposes collected by NEOSTAR and/or the PLATFORM/how to withdraw the consent for further use data for marketing purposes by NEOSTAR and/or the PLATFORM.
Through a link that shall be contained in every marketing email that NEOSTAR and/or the PLATFORM send to the USER, the USER will be able to access the [link] website and by selecting “Unsubscribe me from the mailing list” the USER may refuse the use of data for marketing purposes collected by NEOSTAR and/or PLATFORM/withdraw the consent to further use data for marketing purposes by NEOSTAR and/or the PLATFORM at any time.
Selecting the option “Unsubscribe me from the mailing list” shall disable all marketing communication, but shall not affect other activities that NEOSTAR and/or the PLATFORM undertake in connection with the USER (including but not limited to, USER data processing via marketing tools, but without sending marketing e-mails to the USER). All communication exchanged with the USER shall only be disabled if the USER as data subject generally withdraws their consent to process data. However, this may result in the inability to continue using the PLATFORM, if collected data are necessary for the implementation of a certain activity of NEOSTAR and/or the PLATFORM.
In addition to having the option “Unsubscribe me from the mailing list”, by accessing the website [link] the USER shall be able to opt for personalized marketing communication sent by NEOSTAR and/or the PLATFORM by choosing to receive the messages of a specific type/content only. However, by choosing the option “Unsubscribe me from the mailing list” found on the website” [link] and/or by opting for personalized marketing communication sent by NEOSTAR and/or the PLATFORM, and/or the option to choose to receive messages of a specific type/content, the USER shall be able to access only via the link contained in the e-mail sent by NEOSTAR/the PLATFORM to the USER, and not via the USER profile. This does not affect the right of the USER to generally withdraw their consent as a data subject as well as their right to unsubscribe and/or delete the profile from the PLATFORM.
I. Specific regulation;
II. Contractual relationship;
III. Explicit and unambiguous Data subject’s consent;
In each of these three cases, for each specific database that the Controller sets up and/or activity that the Controller undertakes, legitimate interest of the Controller (e.g. legitimate interest can be reflected in the fact that some documents and personal data contained in them represent the proof of business activity and justification of the incurred business expense) shall be stated.
Collected data: name and surname, name of the legal person who owns the vehicle, OIB (PIN), IBAN, address, e-mail address, phone number, vehicle location, vehicle registration, VIN number, motor vehicle photographs. Special categories of personal data shall not be processed. We shall not collect data about children. If we come to understand that such data have been transferred to us without the consent of parents or guardians of underaged children (less than 18 years old), we shall immediately remove them. Minors (less than 18 years old) are not allowed to use the PLATFORM.
Apart from these data, NEOSTAR automatically collects data from the Data subjects device, which can include IP address and geo-location, and there are situations in which NEOSTAR automatically collects other types of data such as date and time of access to the PLATFORM, information about hardware, software or internet browser that Data subject uses as well as operating system and version of application and language properties.
NEOSTAR recommends to the user to take care of their password for the PLATFORM user account. We recommend you select a combination of characters that contain upper case and lower case letters and numbers and to use a password of at least six characters. We recommend that you change the password periodically (at least once a year).
Personal data recipients: The Controller does not normally forward nor give personal data to any unaffiliated third parties, and stores them safely on Controller’s server or an external server, subject to their own discretion, which can provide enough guarantee in terms of the implementation of technical and organisational measures so that personal data processing meets all the requirements set out in the Regulation and that it adequately ensures the protections of Data subjects’ rights.
In order to fulfill all their obligations, the Controller may forward Data subjects’ personal data to affiliated companies of the Controller so that they could appropriately use the data as authorized persons. The Controller can forward Data subjects’ data to third parties such as business partners, e.g. to on-line and/or offline authorization service providers. Furthermore, to the extent we need it, personal data may be forwarded to the legal persons who provide services to the Controller. These services might be: marketing help, credit card payment processing, providing services to the Data subjects (including legal, tax and financial advice) and sending messages on behalf of the Controller. The Controller shall limit personal data they deliver to the respective legal persons and they shall have access only to those data necessary for a particular purpose. Some personal data may be forwarded to the executive power of the Republic of Croatia at their request so that the Controller would meet legal or statutory obligations.
Storage period: Personal data shall be stored within a period which is needed to fulfill legitimate and lawful purpose, unless laws and regulations in force/provisions of the Regulation set out a different period.
In case consent is given, personal data shall be processed until consent is withdrawn. In case there is a request to erase the data, they shall be immediately erased unless set out differently in the regulations in force/provisions of the Regulation.
For example, on the grounds of accounting regulations, some data need to be stored at least 11 (eleven) years.
Data subjects’ rights: In accordance with the Regulation, among other things, Data subject has the right to transparency (Articles 12-14), right to access data (Article 15), right to have their data rectified (Article 16), right to have their data erased (“right to be forgotten”, Article 17), right to restriction of processing (Article 18), right to ask for a notification regarding rectification or erasure of personal data or restriction of processing (Article 19), right to data portability (Article 20), right to object (Article 21), right to object automated individual decision-making (including profiling, Article 22) and generally right to withdraw consent (Article 7) to the extent processing is based solely on Data subject’s consent.
Data subject’s withdrawal of their consent means they shall not be able to continue using the PLATFORM, if collected data are necessary for certain activities on the PLATFORM to be conducted.
Data subject’s withdrawal, if there are legal prerequisites for it, leads to anonymization of the registered PLATFORM USERS. Anonymization is the procedure of processing personal data which irreversibly prevents identification of a USER from processed data. As per definition, after correct anonymization it must not be possible to connect anonymized data with a particular person. Pursuant to the aforementioned, after data anonymization there is no way of retrieving the data in the same form as prior to anonymization.
Anonymization is possible:
- Through USER profile (valid for ORDINARY USERS, CONTRACTUAL USER and employees of CONTRACTUAL USERS). After anonymization, the application shall deregister USER.
The act of anonymization includes following activities:
- Selection of the particular USER
- Marking the USER as deleted
- Anonymization of the USER’s personal data using SHA256 hash method
o The following data are anonymized:
• E-mail address
• Name and surname
• OIB (PIN)
• Other personal data of the USER
- Creating a PDF document which records the act of the USER anonymization
o Document is displayed in order to be printed
o Document is permanently stored whereat the name of the file does not contain any personal data of the USER (Record on anonymization <timestamp>.PDF).
If the USER has ongoing activities on the PLATFORM (including transactions that are not finalized, published vehicles and similar), they are obliged to finish all of them independently before anonymization, within 15 (fifteen) working days at the latest, after which the process of anonymization shall be initiated. Whereas the USER is solely and exclusively responsible for any and all consequences that might arise if the ongoing activities are not finished prior to anonymization initiation. Upon anonymization, any and all rights of the USER that can cease to exist in accordance with law shall cease to exist, and the USER shall entirely waive any and all rights resulting from these General Terms and Conditions or related to them.
Data subject has the right to submit an objection to the supervisory authority - Personal Data Protection Agency.
If Data subject wishes to exercise any of their rights, they can address the Controller using the following contact data:
telephone: +385 (0) 98 9802 081; e-mail: [email protected]
Controller is obliged to provide information to Data subject within the deadline set out in the regulations/provisions of the Regulation in force. In case Data subject’s demands are unfounded or exaggerated, Controller has the right to charge a reasonable fee or refuse to take any action pursuant to the regulations/provisions of the Regulation in force.
Personal data protection safeguards: Controller shall undertake technical and organisational safeguards, which may include for example pseudoanonymization and/or anonymization, in order to enable efficient application of data protection principles such as: decreasing the amount of data and including safeguards in the processing to fulfill Regulation requirements and protect Data subjects’ rights.
NEOSTAR takes data protection seriously and undertakes different precautionary measures to keep data protected. Unfortunately, no data transmission via Internet or any other wireless measure is 100 % safe. Therefore, although NEOSTAR has reasonable safeguards to protect the data, it cannot guarantee protection of any information transmitted to and/or from the PLATFORM, and is not liable for any actions of any third parties that receive such information. NEOSTAR can decide to store personal data with service providers in the European Union (EU), and only under extraordinary circumstances outside of the EU. This shall be done only if there is a decision of the European Commission on appropriateness for this particular country and if safeguard and upholding of binding data protection regulations have been contracted.
Collected personal data are electronic and protected by SSL certificate which encrypts data thus ensuring that the communication between Data subject’s computer and the PLATFORM is conducted via secure protocol.
Controller’s expert and administrative staff processing personal data shall have in place all technical, human resource and organisational safeguards necessary to protect personal data from accidental loss or destruction, illicit access or amendment, illicit publication and any other misuse, and they establish obligations of the persons working on personal data processing.