GDPR Compliance Information

Last updated: January 15, 2024

The General Data Protection Regulation (GDPR) is the European Union's framework for protecting personal data. As a Croatian company operating within the EU, Stormy Wheel d.o.o. is fully committed to GDPR compliance. This page explains what GDPR means for you and how we ensure your rights are protected.

Our Commitment

Data protection isn't just a legal obligation for us—it's part of how we build trust with clients. Real estate transactions involve sensitive personal and financial information. We take that responsibility seriously.

Our approach to GDPR compliance includes:

  • Processing only the data genuinely needed for our services
  • Being transparent about what we collect and why
  • Implementing security measures appropriate to the sensitivity of data
  • Training all staff on data protection principles
  • Responding promptly to data subject requests
  • Working only with processors who meet equivalent standards

Your Rights Under GDPR

GDPR grants you specific rights regarding your personal data. Here's what each means in practice:

Right to Be Informed

You have the right to know what data we collect, why we collect it, how long we keep it, and who we share it with. Our Privacy Policy provides this information comprehensively.

Right of Access

You can request a copy of all personal data we hold about you. This includes emails, notes from consultations, and any documents you've provided. We provide this information free of charge within 30 days of your request.

Right to Rectification

If any information we hold is inaccurate or incomplete, you can ask us to correct it. This commonly applies to contact details or property preferences that have changed.

Right to Erasure

Also called the "right to be forgotten," you can request deletion of your personal data in certain circumstances. However, this right has limits—we may need to retain some data for legal compliance, such as transaction records required by Croatian law.

Right to Restrict Processing

You can ask us to limit how we use your data while disputes are resolved or if you want us to keep data but not actively process it.

Right to Data Portability

You can request your data in a structured, commonly used format that can be transferred to another service provider. This applies to data you've provided to us based on consent or contract.

Right to Object

You can object to processing based on our legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not use automated decision-making for significant choices about clients.

How to Exercise Your Rights

To make a data subject request:

  1. Email us at [email protected] with your request
  2. Include sufficient information for us to verify your identity
  3. Specify which right you wish to exercise
  4. Provide any additional details that will help us respond appropriately

We respond to all requests within 30 days. Complex requests may require an extension of up to two additional months—we'll inform you if this is necessary and explain why.

There is no fee for most requests. However, we may charge a reasonable administrative fee for manifestly unfounded or excessive requests, or refuse to act on them.

Lawful Bases for Processing

Under GDPR, we must have a valid legal basis for processing your data. The bases we rely on include:

Contractual Necessity

When you engage our services, we need to process certain data to fulfill our agreement. This includes your contact details, property preferences, and information needed for transactions.

Legitimate Interests

Sometimes we process data because we have a valid business reason that doesn't override your rights. Examples include analyzing website usage to improve user experience and maintaining records for quality assurance.

Legal Obligation

Croatian real estate regulations and tax laws require us to collect and retain certain information. We cannot delete data when legal requirements mandate its retention.

Consent

For certain processing, such as sending marketing communications, we rely on your explicit consent. You can withdraw consent at any time without affecting the lawfulness of prior processing.

Data Protection Officer

Given our company size, we are not required to appoint a formal Data Protection Officer under GDPR. However, data protection responsibilities are assigned to our legal coordinator who can be reached at:

Privacy Contact: Tomislav Horvat
Email: [email protected]
Address: Ulica Varoška 18, 21000 Split, Croatia

Data Processing Activities

We maintain records of our processing activities as required by Article 30 of GDPR. Key categories include:

Client Relationship Management

  • Data: Contact information, communication history, preferences
  • Purpose: Providing requested services and maintaining client relationships
  • Legal basis: Contract performance and legitimate interests
  • Retention: Duration of relationship plus 10 years

Property Transactions

  • Data: Identification documents, financial information, transaction records
  • Purpose: Facilitating property purchases and legal compliance
  • Legal basis: Contract performance and legal obligation
  • Retention: 10 years from transaction completion

Website Analytics

  • Data: Technical data, usage patterns, device information
  • Purpose: Website improvement and performance monitoring
  • Legal basis: Consent (via cookies) and legitimate interests
  • Retention: 26 months in aggregated form

International Data Transfers

Most data processing occurs within the European Economic Area. When we transfer data outside the EEA, we ensure adequate protection through:

  • Using providers in countries with EU adequacy decisions
  • Implementing Standard Contractual Clauses approved by the European Commission
  • Verifying appropriate supplementary measures where necessary

Data Breach Procedures

In the event of a personal data breach, we follow established procedures:

  1. Immediate assessment of the breach scope and severity
  2. Notification to the Croatian supervisory authority (AZOP) within 72 hours if required
  3. Direct notification to affected individuals when the breach poses high risk to their rights
  4. Documentation of the breach and remedial actions taken

Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:

Croatian Personal Data Protection Agency (AZOP)
Agencija za zaštitu osobnih podataka
Selska cesta 136, 10000 Zagreb, Croatia
Website: azop.hr
Email: [email protected]

We encourage you to contact us first so we can address your concerns directly. However, this does not affect your right to approach the supervisory authority at any time.

Updates to This Information

We review our GDPR compliance measures regularly and update this page when changes occur. Material changes will be communicated to active clients via email.

Further Questions

For any questions about GDPR, our compliance measures, or your rights as a data subject, please contact our privacy team at [email protected].