Privacy policy

of General Logistics Systems Croatia d.o.o.

Download

1. INTRODUCTION

1.1. These are the General Privacy Rules (hereinafter: "Privacy Policy") issued by General Logistics Systems Croatia d.o.o. (hereinafter: "GLS Croatia" or "Data Controller"), Stupničke Šipkovine 22, 10255 Donji Stupnik, Croatia, VAT number 88360795357.

GLS Croatia is part of the GLS group, an international provider of postal services owned by International Distribution Services Plc (formerly: Royal Mail Group), with affiliated companies across Europe, offering reliable and high-quality parcel delivery services, express delivery, and additional logistics services.

1.2. The purpose of this Privacy Policy is to clearly and thoroughly inform the users of GLS Croatia's services, business partners, and all other individuals who come into contact with GLS Croatia about all facts related to the processing of their personal data, their rights, and the available legal remedies regarding the data processing procedure, before the data processing begins. During the data processing, our primary goal is the protection of personal data.

This Privacy Policy is designed from the perspective of the data subject, meaning that each data subject, based on their specific relationship with GLS Croatia, can easily access information about the personal data processing they can expect when engaging in collaboration with GLS Croatia.

1.3. In case of any questions or requests regarding the processing or protection of your personal data, please contact us at the email address: dataprotection@gls-croatia.com.

2. CONTACT DETAILS OF THE DATA CONTROLLER AND DATA PROTECTION OFFICER

Company: General Logistics Systems Croatia d.o.o.

Adress: Stupničke Šipkovine 22, 10255 Donji Stupnik, Hrvatska

E-mail: gls@gls-croatia.com

Contact number: +385 1 2042 672

For any inquiries or requests regarding personal data, please contact our Data Protection Officer:
E-mail: dataprotection@gls-croatia.com
Contact number: +385 91 298 8662

3. DEFINITIONS

Data processing: any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller: a natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data; where the purposes and means of such processing are established by Union or member state law, the data controller or the specific criteria for its designation may be provided for by Union or member state law. For the purposes of this Privacy Policy, unless explicitly stated otherwise, the data controller is GLS Croatia.

Data Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

Sender: a natural or legal person who sends a postal item and who holds all the rights and obligations under the contract until the proper delivery of the postal item.

Recipient: according to the Postal Services Act, the recipient is the legal or natural person to whom the postal item is addressed and to whom the item must be delivered based on the sender’s instructions.

Parcel: a postal item, or letter or package with a maximum weight of 40 kg per piece, which contains at least a delivery address on the packaging or an attached list, or any other letter or parcel defined by law as postal mail. The types of postal items, according to the provisions of the Postal Services Act, include letter items, parcels, registered items, items with a declared value, items for the blind, direct mail, and printed matter.

Postal service: a service that includes any handling of postal items by a postal service provider, particularly the acceptance, routing, transfer, and delivery of postal items in domestic or international postal traffic. Postal services do not include the delivery of items by the sender themselves (self-delivery), transportation as a standalone service, or the receipt, transfer, and delivery of postal items directly from the sender to the recipient upon individual request, without routing, in such a way that the same worker of the service provider performs all of these tasks (courier service).

Data subject: a natural person, an individual whose personal data is processed in any data processing, regardless of their origin, age, or nationality.

Postal service user: a natural or legal person who uses postal services, either as an orderer, sender, or recipient of a postal item.

Third party: a natural or legal person, public authority, agency, or another body that is not the data subject, data controller, data processor, or persons authorized to process personal data under the direct authority of the data controller or data processor.

Personal data: any information relating to an identified or identifiable individual ("data subject"). This includes data that directly or indirectly identifies an individual, such as name and surname, age, biometric and other health and financial data, information about education, ethnic and religious background (so-called special categories of personal data), but can also include various other data such as identification numbers, location data, online identifiers, or factors significant to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject.

4. APPLICABLE LEGAL REGULATIONS

- Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: "GDPR")

- The Act on the Implementation of the General Data Protection Regulation (NN 42/18)

- Postal Services Act (NN 144/12, 153/13, 78/15, 110/149, dalje: PSA)

- Act on Measures for Restriction (NN 133/23)

- Other applicable sources depending on the specific situation in terms of compliance with the legal obligations of the data controller, as listed in this Privacy Policy (Article 6, paragraph 1, point c) GDPR).

5. WHICH PERSONAL DATA WE PROCESS AND FOR WHAT PURPOSES

GLS Croatia will process your personal data in its operations, with the ultimate goal of providing postal services. Which data we process, why we need them, what we do with them, who we share them with, and how long we retain them – all of this depends on the purpose for which we obtained the data. Therefore, below we provide an overview of the most common situations that involve the processing of personal data, along with all other relevant information. You will easily find the relevant information for you if you answer a simple question:

What is my relationship with GLS? In other words, for what do I need GLS ?

…I am the SENDER

…I am the RECIPIENT

…I cooperate with GLS Croatia (I am a SUPPLIER OR BUSINESS PARTNER)

…I am a VISITOR TO THE GLS HUB OR DEPOT

…I have a COMPLAINT ABOUT THE POSTAL SERVICE

…I have an INQUIRY FOR CUSTOMER SERVICE

…I am a VISITOR TO THE WEBSITE

…I am a USER OF THE GLS APP

…I am a CANDIDATE FOR A JOB POSITION

SENDER

In accordance with the provisions of the general terms and conditions, the Sender can order the shipment of a package in the following ways and according to the following contracts:

- as part of a long-term contract, or

- by sending a package at a GLS PaketShop, or

- by ordering on the website www.paket.hr

Since the sender orders the package shipment, the Data Controller receives the personal data necessary for the shipment and delivery of the package primarily from the sender based on one of the above-mentioned contracts.

If you enter into a long-term contract with us, we will ask for the following data:

- Name and surname of the legal representative (e.g., company director or owner of a craft/farm/other comparable activity)

- Your personal identification number, business address (which may coincide with your residence address), and IBAN if you are operating as a business or self-employed, or other comparable form equivalent to a natural person

- Your signature

- Billing address

- Pickup address

- Contact details, such as email address and mobile number

- Data required for delivery (recipient's name and surname, recipient's mobile number recipient's address)

If you use our internal portal MyGLS, we will ask for the following data:

- Company name

- Company headquarters address

- Package pickup address (if different from the company headquarters address)

- Billing address (if different from the company headquarters address)

- Phone number

- Tax number

- Personal identification number/Tax ID number

- Information about the expected contents of the package

- IBAN number

- SWIFT address

- Name, surname, email address, and phone number of the owner or authorized representative, as well as other persons responsible for specific matters (e.g., financial matters)

If you send a package via a GLS Paketshop, we will ask for the following data:

- Your name and surname

- Your signature

- Your address

- Contact details, such as email address and mobile numberž

- Data required for delivery (recipient's name and surname, recipient's mobile number, recipient's address)

If you send a package via web site www.paket.hr , we will ask for the following data:

- Your name and surname

- Your address

- Contact details, such as email address and mobile number

- Data required for delivery (recipient's name and surname, recipient's mobile number, recipient's email address, recipient's address)

Purpose of processing:

The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (Article 6, paragraph 1, point b) GDPR). Without this data, we will not be able to provide the postal service you requested, issue an invoice for the service rendered, or process your inquiries, etc.

Recipients of data:

In order for the postal service to be executed (e.g., for the package to be picked up and delivered), we must share the data with our delivery partners who are employees of our subcontractors. We share only the data necessary to perform the postal service (e.g., we will not provide your IBAN to subcontractors). Depending on the circumstances, if necessary to protect our legal or financial interests, we may share the data with providers of legal advice (law firms), auditors, tax advisors, and similar entities, all under confidentiality or professional secrecy obligations.

Transfer to third countries:

Data is transferred to a third country only if the destination of the package is in a third country.

Data retention period:

All data that is part of accounting documents (e.g., invoices) is kept for 11 years (Article 10 paragraph 2 of the Accounting Act).

Other data is retained as long as necessary for the statute of limitations for damage compensation claims (5 years after the damage occurs).

Important notes:

The sender is responsible for the accuracy and completeness of the address information. The sender is obliged to cooperate with the service provider regarding the processing of data, especially concerning the correction, restriction, and deletion of data provided by the sender or regarding taking actions to protect the data.

If the sender is responsible for inaccuracies in the data, they must take all necessary measures to correct, delete, or restrict the data. Failure to comply with or violation of this obligation will be the sender's responsibility.

The postal service provider will be solely responsible for the data processing carried out within the scope of the postal service.

RECIPIENT

Since the sender orders the shipment of the package, the Data Controller primarily obtains the personal data needed for the shipment and delivery of the package from the sender based on one of the above-mentioned contracts. The sender has likely obtained these details from You.

Due to the nature of the service, if you want a package to be delivered to a specific address (whether via a PaketShop, Parcel Locker, or home or other address), we will process the following data:

- Your first and last name

- Your signature (as proof of delivery)

- Your address (if that is the delivery address for the package)

- Contact details such as your email address and mobile phone number

- A unique code for opening a Parcel Locker compartment (if the delivery is via Parcel Locker)

Please note that the aforementioned data (except for your signature and unique code) will be printed on the package label to allow the delivery driver to carry out the delivery task.

Purpose of processing:

he processing is necessary for the performance of a contract in which the data subject is a party or to take steps at the request of the data subject before entering into a contract (Article 6(1)(b) GDPR). Without this data, we cannot perform the requested postal service (e.g., deliver your package).

Recipients of the data:

To perform the postal service (e.g., deliver the package), we must share the data with our delivery partners who are employees of our collaborators. Depending on the circumstances, if necessary to protect our legal or financial interests, we may share the data with legal advisory service providers (law firms), auditors, tax advisors, and similar bodies, all under the condition of confidentiality or the obligation to maintain professional secrecy.

Transfer to third countries:

Data will be sent to a third country only if the destination of the package is in a third country.

Data retention period:

We will retain this data for as long as necessary for the statute of limitations related to damage claims (5 years from the occurrence of the damage).

SUPPLIER / BUSINESS PARTNER

If you are collaborating with us on a different basis (i.e., you are not the sender), this text applies to you.

In cooperation with us, we will request the following data from you:

- First and last name of the legal representative (e.g., company director or holder of a craft/farm/other similar activity)

- Your personal identification number, registered office address (which may coincide with your residence address) and IBAN if you are operating as a craft/farm/sole trader or any other comparable form equated with a physical person

- Your signature

- Contact details such as email address and mobile phone number

In addition to the above, if you provide collection and delivery services for GLS Croatia or manage regional warehouses on our behalf and at our expense, you will be required to share data on your employees working within the GLS system, including the following information:

- First and last name

- Contact details (mobile phone number and email address)

- Location data collected via GPS devices installed in GLS delivery vehicles

- Video surveillance data established at the regional warehouse location

Such data processing will be subject to a separate data processing agreement.

Purpose of processing:

The processing is necessary for the performance of a contract in which the data subject is a party or to take steps at the request of the data subject before entering into a contract (Article 6 paragraph 1 point b) GDPR). Without this data, it is not possible to perform the agreed work. Regarding the providers of collection and delivery services, without this data, it is not possible to establish an efficient postal service system.

Recipients of the data:

To comply with legal obligations (e.g., invoice records with tax authorities), certain documents (e.g., invoices) containing your personal data will be forwarded to our accounting service. Depending on the circumstances, if necessary to protect our legal or financial interests, we may share the data with legal advisory service providers (law firms), auditors, tax advisors, and similar bodies, all under the condition of confidentiality or the obligation to maintain professional secrecy.

Transfer to third countries:

The collected data will not be sent to the third countries.

Data Retention Period: All data that is part of accounting documents (e.g., invoices) will be retained for 11 years (Article 10, Paragraph 2 of the Accounting Act).

Other data will be retained for as long as necessary to allow the statute of limitations for damage compensation to expire (5 years after the occurrence of the damage)

VISITOR TO THE HUB OR CENTRAL/REGIONAL WAREHOUSE

You may not use our postal services or have a business relationship with us, but your data may still be processed. One example of such a situation would be your visit to our locations.

At some locations, video surveillance is in place, and you will be notified through written notices visible before entering the surveillance area.

At some locations (e.g., our headquarters), access will only be permitted upon presenting (but not copying) an ID document. Your name will be recorded, and you will be asked the reason for your visit.

Purpose of Processing: The legitimate interest of the Data Controller (Article 6(1)(f) GDPR) for the protection of property and individuals, considering that GLS Croatia, as a postal service provider, is obliged to maintain postal confidentiality. Furthermore, recognizing the importance of the packages entrusted to it for transportation, GLS Croatia takes all reasonable measures to monitor them.

Recipients of Data: Depending on the circumstances, if necessary for the protection of our legal or financial interests, the data may be shared with legal advisors (law firms), auditors, tax consultants, and similar entities, all under confidentiality agreements or obligations to maintain professional secrecy.

Transfer to third countries: The data collected in this manner will not be transferred to third countries.

Data retention period: Video surveillance footage is retained for up to 6 months, unless a longer retention period is required by other laws or if the footage is evidence in judicial, administrative, arbitration, or other similar proceedings. Other data will be retained for as long as necessary to allow the statute of limitations for damage compensation to expire (5 years after the occurrence of the damage).

COMPLAINT SUBMITTER FOR POSTAL SERVICES

It is the right of postal service users to file a complaint. If you submit a complaint, we will process the following data:

- Your name and surname

- Tracking number of the shipment

- Your contact details (phone number or mobile number and email address)

- Residential address

- Workplace address (and employer)

- Other alternative addresses associated with the recipient

- Phone number

- Content of the package

- Depending on the circumstances, other data about the private individual’s order (sender, order value, including photos of the contents)

Purpose of processing:

The processing is necessary to comply with the legal obligations of the Data Controller (Article 6 paragrahp 1 point c) GDPR). This data is required to quickly identify the service/package to which your complaint pertains and to review all relevant circumstances, in order to respond to your complaint within the time frame prescribed by the Postal Services Act.

Recipients of data:

Depending on the circumstances, if necessary for the protection of our legal or financial interests, the data may be shared with legal advisors (law firms), auditors, tax consultants, and similar entities, all under confidentiality agreements or obligations to maintain professional secrecy

Transfer to third countries:

The data collected in this manner will not be transferred to third countries.

Data retention period:

We will retain this data for as long as necessary for the statute of limitations for damage compensation to expire (5 years after the occurrence of the damage).

INQUIRY SUBMITTER TO CUSTOMER SERVICE

A postal service user or another authorized person may contact our customer service to submit general inquiries or specific inquiries (e.g., about the delivery status). Depending on the nature of the inquiry, we will process the following data:

- Your name and surname

- Tracking number of the shipment

- Your contact details (phone number or mobile number and email address)

- Residential address

- Workplace address (and employer)

- Other alternative addresses associated with the recipient

- Phone number

- Contents of the package

- Depending on the circumstances, other data about the private individual’s order (sender, order value, including photos of the contents)

- Contents of the call in the form of call recording

Purpose of processing:

The processing is necessary to execute the contract in which the data subject is a party or to take actions at the request of the data subject before entering into a contract (Article 6 paragraph 1 point b) GDPR). We require this data to quickly identify the service/package related to your inquiry and provide the requested response.

Recipients of data:

Transfer to third countries:

The data collected in this manner will not be transferred to third countries.

Data retention period:

We will retain this data for as long as necessary for the statute of limitations for damage compensation to expire (5 years after the occurrence of the damage).

WEBSITE VISITOR

If you visit our websites, whether it is https://gls-group.com/HR/hr/ or https://www.paket.hr/ , certain data will be processed. If you visit the website www.paket.hr as a postal service user, data processing will occur as detailed in the sections of this document referring to the Recipient and/or Sender.

Data processing also occurs through the use of cookies. You can learn more about this in our cookie policies for each individual site, which can be found at the following link: https://gls-group.eu/HR/en/cookie-policy/ .

USER OF THE WEB APPLICATION

If you use our GLS application, you can find a separate Privacy Policy regarding data processing in the GLS Application at the following link: https://api.gls-group.net/gls-loyalty-assets-ee-v0/legal-docs/hr/privacy_policy_hr.htm

CANDIDATE

If you contact us as a candidate for a job position, we will need to process certain personal data:

- First and last name

- Date of birth

- Residence address

- Contact details (mobile number and email address)

- Education or other qualifications required for the specific job position

- Information from your CV

Purpose of Processing:

The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (Article 6, paragraph 1, point b of the GDPR). This data is necessary for us to assess whether you meet the required criteria for the job position.

Recipients of the data:

We do not share this data with third parties.

Transfer to third countries:

The data collected in this way is not transferred to third countries.

Dana retention period:

We will retain this data for as long as the recruitment process for the specific job position is ongoing. After that, the data will be deleted. The only exception is if you have sent us an open job application. In this case, the legal basis for processing your personal data is your consent, which you provide voluntarily by submitting an open job application. Likewise, if you applied for a job and were not selected, but gave consent for us to retain your data for future job openings, the legal basis for processing your personal data is your consent. Every time the basis for processing is your consent, the processing will cease when you inform us of its withdrawal, which you can do by sending an email to our Data Protection Officer at (dataprotection@gls-croatia.com).

RESTRICTIVE MEASURES

Like all other business entities in the Republic of Croatia, GLS Croatia is also subject to the Law on Restrictive Measures. This specifically means that certain data of yours (namely, your name and surname, country of residence, or, in the case of a legal entity, the company name and country of registration) are entered into an information system that automatically compares them with various global sanction lists.

In the event of a match, to ensure that it is a case of mistaken identity, we may use other known data about you that you have provided to us or that are available through public registers, such as court registers, trade registers, registers of beneficial owners, etc.

If a match is found and we are unable to determine that it is a case of mistaken identity, we are obligated to take appropriate actions and report to the relevant authorities, all in accordance with the mandatory provisions of the Law on Restrictive Measures.

6. DATA PROTECTION

GLS Croatia is committed to protecting the personal data of its customers, partners, and employees, ensuring the highest level of protection in the processing of personal data. To achieve this, appropriate technical and organizational measures are implemented, including:

· Pseudonymization and encryption of personal dana

· Ensuring the confidentiality, integrity, availability, and resilience of processing systems and services

· Timely restoration of availability and access to personal data in the event of a physical or technical incident

· Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure data processing security

As a postal service provider, GLS Croatia is obligated to ensure the confidentiality of postal shipments and, in connection with this, is required to implement measures in accordance with specific laws. Furthermore, every GLS employee is obligated to maintain the confidentiality of data.

GLS Croatia is required, provided that legal conditions are met and upon request, to hand over or present any postal shipment, text message, or communication to authorized institutions for examination of its contents. It also enables tracking and storing of data, as well as any other type of intervention concerning the shipment or text message.

As the data controller, GLS Croatia takes all necessary measures to ensure that data is processed securely. It is responsible for protecting personal data and preventing its loss or misuse, ensuring that no unauthorized person can access, disclose, transmit, alter, or delete the data being processed.

7. DATA TRANSFER
GLS Croatia does not sell or rent personal data to third parties. However, there are certain circumstances (as described in the previous sections regarding the processing of personal data) when GLS Croatia may share personal data without further notifying the data subject:

With GLS subsidiaries for the purpose of delivering packages from the sender to the recipient.
With partners employed by GLS or companies with which GLS has a business relationship for the purpose of delivering packages from the sender to the recipient.
With data processors legally employed by the Data Controller (GLS Croatia).
With partners or other service providers for the purpose of fulfilling obligations.
With public authorities and regulatory bodies if required by legal obligations.

With other recipients based on legal grounds, such as courts, for the purpose of fulfilling legal obligations of cooperation and data delivery.

8. LEGAL BASIS FOR DANA PROCESSING

In its logistics activities related to the provision of postal services, which include the collection, processing, transport, and delivery of packages, GLS Croatia (as outlined in the descriptions of specific personal data processing above) will process data based on the following legal grounds:

· Based on the consent of the data subject given for the processing of their personal data for one or more specific purposes (hereinafter referred to as "consent"), pursuant to Article 6 paragraph 1 point a) of the GDPR

· Based on contractual obligation when the processing is necessary for the performance of a contract in which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract (hereinafter referred to as "contract performance"), pursuant to Article 6 paragraph 1 point b) of the GDPR.

· If the processing is necessary for compliance with a legal obligation of the data controller, based on Article 6 paragraph 1 point c) of the GDPR.

9. RIGHTS OF DATA SUBJECT

GLS Hrvatska poštuje temeljna prava i slobode ispitanika te aktivno primjenjuje odredbe GDPR-a koje pružaju najvišu razinu zaštite osobnih podataka na području svih država članica EU. Temeljem GDPR-a svi ispitanici u procesu obrade osobnih podataka imaju sljedeća prava:

9.1. Right to information (right of access): The data subject has the right to obtain from the data controller confirmation as to whether personal data concerning them are being processed, and if so, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations, where possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period, the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or the right to object to such processing, the right to lodge a complaint with a supervisory authority, if the personal data are not collected from the data subject, any available information as to their source, the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (*Article 15 of GDPR).

If personal data are transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards.

The data controller shall provide a copy of the personal data undergoing processing. For any additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject submits a request electronically, unless the data subject requests otherwise, the information will be provided in a commonly used electronic format.

9.2. Right to rectification:

The data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

9.3. Right to erasure and right to be forgotten:

The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller has the obligation to erase personal data without undue delay if one of the following conditions is met:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws the consent on which the processing is based;

(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the data controller is subject;

(f) the personal data have been collected in relation to the offer of information society services to a child.

9.4. Right to restriction of processing: The data subject has the right to obtain from the dana

controller the restriction of processing if one of the following applies:the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; the data subject has objected to the processing based on Article 21(1) pending the verification whether the legitimate grounds of the data controller override those of the data subject.

9.5. Right to data portability: The data subject has the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the data controller to whom the personal data have been provided, if the processing is based on consent or on a contract and the processing is carried out by automated means.

9.6. Right to withdraw consent: When the processing is based on the consent of the data subject, the data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.7. Right to object: The data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them, in accordance with Article 6 paragraph 1 point e) or (f) of the GDPR, including profiling based on those provisions. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9.8. Lodging complaints/appeals:

All complaints and appeals, as well as requests to exercise the rights mentioned above, can be submitted at any time using the following contact information:

By email: dataprotection@gls-croatia.com
By post: GLS Croatia d.o.o., Stupničke Šipkovine 22, 10255 Donji Stupnik, Hrvatska
In person: GLS Croatia d.o.o., Stupničke Šipkovine 22, 10255 Donji Stupnik, Hrvatska

The data controller will initiate an investigation when a complaint is submitted to the above addresses. We will respond to your inquiries/complaints without undue delay, and in any case, within one month of receiving the request. This period may be extended by a further two months, taking into account the complexity and number of requests. You will be notified of any such extension within one month of receiving the request, along with the reasons for the delay.

If the requests of the data subject are manifestly unfounded or excessive, particularly due to their repetitive nature, we may charge a reasonable fee based on administrative costs for providing the information or notifications or for taking action on the request, or refuse to act on the request.

Every data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of personal data relating to them infringes the GDPR. Complaints can be lodged with the Croatian Personal Data Protection Agency (AZOP) at the following addresses:

In person (oral declaration for record)
By post: Personal Data Protection Agency (AZOP), Ulica grada Vukovara 54, 10 000 Zagreb
By filling out the online form on the Agency's website
By email azop@azop.hr
By fax: 01/ 46-090-99

No appeal is allowed against the decision of AZOP, but an administrative dispute can be initiated before the competent administrative court.

10. CHANGES TO PRIVACY POLICY

We reserve the right to change the content of this Privacy Policy. This Privacy Policy comes into effect on the date it is published on our website. The last update was made on February 3 , 2025.