Information on Data Processing by TANKERSKA PLOVIDBA d.d.

This notice is provided by TANKERSKA PLOVIDBA d.d. (hereinafter referred to as “the Company”) in its capacity as the Data Controller under the General Data Protection Regulation (EU) 2016/679 ("GDPR"). The following information is provided to ensure transparency regarding the processing of your data, including contact details, the identity of the Data Protection Officer (DPO), the legal basis for data processing, data retention periods, potential recipients of your data, your rights under the GDPR, the transfer of data outside the European Union, the right to lodge a complaint, and the procedure for withdrawing consent where applicable.

This document aims to furnish you with comprehensive details on the processing of personal data that we collect about you if you are a visitor to our website, a visitor to our business premises, a business partner, an applicant for donation allocation, an applicant for employment onshore or as a seafarer within the fleet managed by the Company, or a shareholder (investor) within the ownership structure of the Company or an affiliated entity. This information is relevant exclusively to natural persons.

The protection of your personal data is of paramount importance to us. We therefore request that you carefully read the information below.

Contact Details of the Controller

TANKERSKA PLOVIDBA d.d.
Tax ID: 44952903763
Address: Ulica Božidara Petranovića 4, 23000 Zadar, Republic of Croatia
Phone number: +385 23 202 202
Email address: info@tankerska.hr

Data Protection Officer (DPO)

For any queries regarding the processing of your personal data, or to exercise your rights under the GDPR, please contact our Data Protection Officer at feralis@feralis.hr.

The contact details of the Controller's Data Protection Officer are publicly available, and the relevant supervisory authority has been duly notified of the DPO's appointment.

Purposes for Processing your personal data

The website www.tankerska.hr is primarily intended to provide information about the Company’s operations to potential clients, stakeholders, and seafarers interested in employment within the fleet managed by the Company. The legal basis for processing data collected via the website is the Company’s legitimate interest in identifying candidates for seafarer positions.

The website www.tankerska.hr does not use cookies for data collection. Cookies are small text files stored locally in your web browser's memory when browsing a website, used for the functionality of the website, improving user experience, and enabling website analytics and advanced online advertising. The Company does not collect personal data from website visitors through cookies.

Other websites that can be accessed through www.tankerska.hr may have their own privacy policies and data processing practices. The Company is not responsible for the data processing practices of third parties.

The Company maintains a business profile on LinkedIn. Information on LinkedIn’s privacy policy and how they process your personal data can be found at:

LINKEDIN ONLINE https://www.linkedin.com/legal/privacy-policy

LINKEDIN IRELAND UNLIMITED COMPANY, Wilton Plaza, Wilton Place, Dublin 2, Ireland

Contact Data Protection Officer: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

Should you have any concerns about how your personal data is collected and processed by LinkedIn, you may contact the lead supervisory authority for LinkedIn, the Irish Data Protection Commissioner, or the Croatian Data Protection Agency (AZOP).

Through our website, applicants for seafarer positions within the fleet managed by the Company may submit job applications, thereby providing the Company with their personal data. The legal basis for processing this data is the performance of pre-contractual measures. When submitting a job application, the applicant for a seafarer position consents to the processing of their personal data and may also download a form for withdrawing consent if necessary.

The Company primarily processes the following categories of personal data provided by applicants when applying for a job position: name, surname, date of birth, place of birth, address, contact telephone number, email address, name and surname of the closest relative, and contact details of the stated closest relative, passport details, seaman's book, visa information, educational background, seafarer certificates, previous maritime experience, criminal record, drug and alcohol test results, details of medications used, mother tongue, proficiency in English and other languages, and other relevant data.

The purpose of processing personal data collected through video surveillance is to ensure and protect the private spaces and property of the data controller and the property of employees of the data controller. Visitors to our business premises are informed about video surveillance upon entering the surveillance area. Public areas nearby are shaded, which means that passersby on public surfaces are not recorded.

The company primarily collects and processes the following categories of personal data from visitors to our business premises: image, position, time, date.

Surveillance footage is retained by the Data Controller for a maximum of 31 days from the date of recording, unless there is another legal basis for processing. Footage will not be used for any special, unusual, or further processing, and will not be exported to third countries. Viewing, use, or sharing of footage is only permitted for legally defined purposes or purposes stated in this information. The footage records the image, time, and date. The footage does not contain sound.

Processor and processing services entrusted to the processor: SECURITAS HRVATSKA d.o.o., Oreškovićeva ulica 6n/2, Zagreb, Croatia – provides video surveillance system services. Phone number: +385 23 314 111. Website: https://www.securitas.com.hr/.

The Data Controller has entered into a master agreement with the Processor to provide video surveillance system services and an additional Data Processing Agreement.

Contact details of employees at potential business partners and partners. The purpose of processing is the conclusion and execution of all contracts where data about individuals is received, whether they are buyers, suppliers, tenants, lessors, or individuals from other business relationships.

The Company collects and processes primarily the following categories of personal data from business partners: contact details of an individual in the legal entity of the business partner, contact of the responsible person: name and surname, phone number, email address, mobile number, address (street, city, postal code), VAT number, function, whether the individual is a responsible person, and other related data necessary for the execution of transportation contracts, procurement contracts for short-term and long-term tangible assets, rental contracts for business premises, lease contracts for business premises, and other contracts related to the company’s business activities.

The Company processed data that has been received directly from business partners, from third parties, or from publicly available sources, for the purpose of concluding and executing sales, lease, and/or consent agreements for lease, sublease, or necessary investments, to undertake actions on the data subject’s request before concluding the contract, to comply with legal requirements by the Company (e.g., issuing invoices), and to satisfy legitimate interests (e.g., responding to inquiries and complaints, pursuing and defending legal claims (e.g., debt collection), and conducting legal proceedings).

The purpose of processing is to determine whether applicants meet the conditions prescribed by the Company’s Donation and Sponsorship Rules for granting donations. The rules also provide for the option of approving sponsorships; however, the company currently does not practice being a sponsor.

The Company collects and processes primarily the following categories of personal data from applicants for donations: data from the donation request form, full name of the applicant, address – street, number, postal code, and city, Tax ID number, registration number (court register, register of associations, artistic organizations), name, surname, and position of the authorized representative, name, surname, and position of the contact person, phone, email address, bank account (IBAN) of the applicant and the bank where it is held, event name and description for which donation is requested, or if it is a project – name of the program/project for which donation is requested, duration and geographical area of implementation, if it concerns the purchase of equipment or items, total cost and collected offers, and suggested selection. If it is a project/program, management structure, project team, possible inclusion of volunteers, total amount requested in euros for acquisition, organization of the event - implementation of the program/project, structure of the donation recipients and how they will be covered by the project (if users include children, youth, or adults with disabilities, special needs, etc., indicate how project activities will be adapted to their needs), institutions that are partners or have confirmed support for the project, and briefly on the success of the previous event/meeting, description of how the implementation will be monitored and success evaluated (list of activities and measurable results expected after the event/program/project), notes, signature of the authorized representative, etc.

All submitted documentation related to donations is considered confidential and may not be made available to third parties, except in compliance with mandatory regulations of the Republic of Croatia.

The purpose of processing is to find candidates for specific land-based job positions.

The Company collects and processes primarily the following categories of personal data from land-based job applicants: data from the application documentation provided by the applicant, name, surname, gender, address, and phone number, date of birth, profile photo, professional career, qualifications, education details, professional qualifications, language skills, certificates of training, residency and work permit status, nationality, and identification data.

When needing to employ land-based staff, the company undertakes certain activities related to finding candidates for job positions, usually using specialized job portals such as https://mojposao.hr, https://burzarada.hzz.hr, https://www.linkedin.com.

Data collected during the hiring process will be used for contract execution to the extent necessary. Data is kept until the purpose for which it was collected is fulfilled, or until an appropriate candidate is found or longer based on consent collected, and until withdrawal of consent. Data of candidates who are not selected is kept based on the given consent. If a candidate has given consent for further storage of personal data for future job advertisements or related communications, the company will retain personal data for a maximum of five years or until the consent is withdrawn, whichever comes first. Candidates may withdraw consent at any time by submitting a completed withdrawal form. Data of candidates who did not consent to further storage will be deleted or destroyed after all activities related to the application have been completed.

When applicants submit their CVs for potential employment through "open applications," since these actions are undertaken at the applicant’s request for the purpose of establishing an employment relationship, the Company will retain personal data for a maximum of five years, until the deadline specified by the candidate when submitting the CV or until consent is withdrawn (using a form available upon request from the Company), whichever comes first. It is common practice for applicants to include certain data in their applications. In such cases, it is necessary to respect the given consent and adhere to the specified retention periods.

Data about the shareholders of the Company and its related entities is received from the legally authorized entity for maintaining the share register: SKDD d.d., Vjekoslava Heinzela 62A, Zagreb, based on applicable legal regulations. The purpose of processing data from the shareholder register includes insight into the ownership structure of the issuer, review of other holders of securities when the Company is an investor (related entities), processing data on shareholders for statistical purposes for reporting to government institutions, and processing data related to obligations towards shareholders for dividend payments and squeeze-out compensation according to the Companies Act and the Takeover Act.

The Company collects and processes primarily the following categories of personal data from shareholders: investor or account holder designation, basic investor details, nationality/country of registration, tax ID number, date of birth, language of reporting, type of investor, address of residence/headquarters, data needed for tax calculation and payment, domestic tax number, basic account details, other information about the account holder (email address), instructions for dividend payment and other corporate action disbursements to the primary account, instructions for payments to accounts abroad, data on share transfers, data from share purchase and transfer contracts, and inheritance decisions.

Legal Basis for Processing Your Personal Data

We process your personal data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: "Regulation"), and the Act on the Implementation of the General Data Protection Regulation (hereinafter: "Act").

We process your personal data for the purposes specified in this Notice (or for purposes consistent with those) and strictly in accordance with the following legal bases:

1. Compliance with Legal Obligations

We process your data for the purpose of fulfilling legal obligations. Like all other business entities, we are subject to a range of statutory obligations. Personal data is processed for the purposes of verifying identity and age, complying with obligations under tax regulations, mandatory reporting to the Central Depository & Clearing Company Inc. (SKDD d.d.), archiving data, and providing information to public authorities upon request.

2. Pre-contractual Actions, Contract Formation, and Execution

The personal data we have obtained from you through contract offers, the contract itself, and other documentation are processed for the purpose of entering into and executing a contract to which you are a party.

During the contractual relationship related to the services we provide, we communicate with you regarding the contract, verify transactions, monitor quality through appropriate documentation, and respond to complaints, objections, claims, compliments, and other actions related to maintaining a good reputation.

3. Legitimate Interests

We process your personal data on the basis of our legitimate interests, except where your interests or your fundamental rights and freedoms, which require the protection of personal data, override those interests. In doing so, we will take into account your reasonable expectations regarding the processing of personal data.

Furthermore, our legitimate interest includes processing your personal data for the purpose of fraud prevention and criminal activity, protecting the security of our information systems, safeguarding confidential information, and ensuring the security and protection of the Controller's private premises and property, as well as the property of the Controller's employees.

When the legal basis for data processing is a legitimate interest, the Company conducts a legitimate interest assessment.

4. Consent

If we process your personal data based on consent, you have the right to withdraw consent at any time, as described in the section "How Long We Keep Your Personal Data".

If we intend to further process your personal data for a purpose different from that for which it was collected, we will provide you with all necessary information and seek consent for the new purpose.

Data Retention Period

We retain your personal data for as long as necessary to fulfill the purpose for which they are processed, unless we are bound by statutory or contractual retention periods.

The retention period may also be determined by the duration of the contractual relationship. However, as we are also subject to legal obligations to retain your data, we may continue to store personal data even after the contractual relationship has ended. The retention periods mentioned above are governed by specific regulations.

Additionally, we will retain your personal data as long as there is a legal possibility for you to bring legal claims based on the contractual relationship.

If we process certain personal data based on your consent, in the event of withdrawal of consent, we will delete your personal data.

With Whom Your Data Will Be Shared

If necessary to achieve the aforementioned purposes of processing or as required by regulations, we may share your personal data with individuals, legal entities, public authorities, or other bodies (recipients).

Regardless of the recipients to whom we provide your personal data, we will only share the data that is essential to achieve the specific purpose of processing.

In accordance with specific regulations, we may share your personal data with public authorities to fulfill their official powers.

We may also share your personal data with other recipients, i.e., individuals and legal entities with whom we have a business relationship related to the provision of claims, IT, and other services (e.g., technicians, IT service providers, lawyers, etc.).

When we engage other individuals or legal entities to process your personal data on our behalf and according to our instructions (data processors), in accordance with regulations, we will only engage processors who provide sufficient guarantees regarding the implementation of appropriate technical and organizational protection measures that meet the requirements of the General Data Protection Regulation and other data protection laws. This will be done based on a written contract.

Data Transfer Outside the EU

Your personal data is processed within the EU or the European Economic Area (EEA), or in third countries (countries outside the EEA).

When transferring personal data to recipients in third countries, this will only be done if the European Commission has determined that those countries provide an adequate level of data protection as required by the General Data Protection Regulation or if appropriate safeguards are in place (e.g., standard data protection clauses). For information on security measures, please contact our Data Protection Officer.

Your Data Protection Rights

As an individual whose personal data we process, you have the following rights under GDPR:

Right to Lodge a Complaint with a Supervisory Authority

If you believe that your rights under the GDPR have been infringed, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Croatia, this is the Croatian Data Protection Agency (AZOP).

Without prejudice to your right to lodge a complaint with the supervisory authority, we recommend that you first contact our Data Protection Officer to attempt to resolve the complaint.

How We Protect Your Personal Data

The protection and security of your personal data are of paramount importance to us. We implement and enforce appropriate technical and organizational measures aimed at ensuring the security and confidentiality of your personal data processing. This particularly includes protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

The technical and organizational measures for protection include security policies, data ownership responsibilities, employee training to raise awareness about data security, the use of modern security software, physical access controls, delineated access rights to personal data, electronic logging of data access, pseudonymization or encryption of personal data, especially for special categories of data, data backup procedures, and other measures to defend against external and internal threats.

Individuals who process your personal data are permitted to do so only in compliance with these technical and organizational security measures. All individuals who, directly or indirectly, may access your personal data have signed a Confidentiality Statement.