Privacy Policy and GDPR

38^TH ICTCT CONFERENCE, ZAGREB: INFORMATION ABOUT DATA PROTECTION

This Data Protection Declaration outlines the principles and procedures applied by University of Zagreb Faculty of Transport and Traffic Sciences (hereinafter: the Organizer) for 38^th ICTC Conference in the collection, processing, use, and protection of personal data of conference participants, speakers, partners, contractors, and any other individuals whose data may be processed in connection with the event.

As an incorporated entity under Croatian civil law, we are subject to the provisions of the General Data Protection Regulation (GDPR) (EU regulation 2016/679), the Act of the implementation of General data protection regulation (NN 42/2018-805) and other applicable data protection and privacy regulations of the Republic of Croatia.

This website uses SSL – that is, TLS encryption – in order to protect the transfer of personal data and other confidential information (for example, orders or enquiries sent to the controller). A connection is encrypted if you see the character sequence ‘https://’ and the padlock icon in your browser’s address bar.

We herewith advise you that the transmission of data via Internet (i.e., through e-mail communications) may be prone to security gaps. It is not possible to completely protect data against third-party access.

1. Definition of terms

Among others, we use the following terms in this Privacy Policy, set out in the General Data Protection Regulation (EU regulation 2016/679) and the Act of the implementation of General data protection regulation (NN 42/2018-805):

1. Personal data

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter: ‘data subject’). An identifiable natural person is one who can be identified – directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1. Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

1. Processing

Processing is any operation or set of operations performed on personal data or on sets of personal data – whether or not by automated means – such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

1. Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.

1. Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

1. Pseudonymization

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

1. Controller or data processing controller

Controller or data processing controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1. Processor

Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

1. Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

1. Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

1. Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

1. General information on data processing

1. Scope of the Processing of Personal Data

The Organizer processes personal data of users and participants only to the extent necessary to ensure the proper functioning of the conference website, as well as the organization, administration, and delivery of conference-related content and services.

As a general rule, personal data is processed on the basis of the data subject’s consent. In certain cases, personal data may be processed without prior consent where such processing is necessary for the performance of a contract, the fulfilment of a legal obligation, or where obtaining consent is not feasible and the processing is otherwise permitted by applicable law.

1. Legal Basis for the Processing of Personal Data

The processing of personal data is based on the following legal grounds in accordance with Article 6(1) GDPR:

Consent of the data subject, where the data subject has given explicit consent for one or more specific purposes;

Performance of a contract or pre-contractual measures, where processing is necessary for participation in the conference or related services;

Compliance with a legal obligation, where processing is required by applicable laws of the European Union or the Republic of Croatia (e.g. accounting or tax regulations);

Protection of vital interests, where processing is necessary to protect the vital interests of the data subject or another natural person;

Legitimate interests, where processing is necessary for the legitimate interests of the Organizer or a third party, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject.

1. Data Deletion and Storage Duration

Personal data shall be deleted or restricted as soon as the purpose for which it was collected no longer applies.

Personal data may be stored for a longer period where required by European Union law or the laws of the Republic of Croatia, in particular where statutory retention obligations apply.

Once the applicable retention period expires, personal data shall be deleted, unless further storage is necessary for the establishment, exercise, or defense of legal claims or for the performance of a contractual relationship.

1. External Hosting

1. Online Participant Management and Conference Website

The conference website and the online participant management system are hosted by external service providers (“hosts”). Personal data collected through these platforms are stored on the servers of the respective hosts.

Such personal data may include, in particular:

• IP addresses,
• registration and contact details,
• communication metadata,
• contractual and billing information,
• website access logs,
• other data generated through the use of the website or registration systems.

The use of external hosting providers is carried out:

• for the performance of a contract or pre-contractual measures with participants, and
• on the basis of the legitimate interest of the Organizer in ensuring secure, stable, and efficient provision of online services through professional service providers.

Where applicable, processing based on consent is carried out in accordance with Article 6(1)(a) GDPR. Any consent granted may be withdrawn at any time with future effect.

The hosting providers process personal data only to the extent necessary to fulfil their contractual obligations and strictly in accordance with the instructions of the Organizer.

cyber_Folks d.o.o.
Stjepana Radića 10,
48350 Đurđevac
Croatia

1. Server log files

The provider of this website automatically collects and stores information in so-called server log files, which are transmitted by your browser automatically. This information includes:

• browser type and version
• operating system used
• referrer URL
• host name of the accessing device
• date and time of the server request
• IP address

This data is not merged with other data sources.

The legitimate interest of the website operator lies in ensuring the security, stability, error-free operation, and technical optimization of the website.

The collection and temporary storage of server log files is technically necessary for the provision of the website and the protection against misuse and security incidents.

1. Use of cookies

Our website uses so-called “cookies”. Cookies are small text files that are stored on a user’s device and do not cause any damage. Cookies may be stored temporarily for the duration of a session (“session cookies”) or permanently on the user’s device (“persistent cookies”). Session cookies are automatically deleted after the end of a visit, while persistent cookies remain stored on the device until they are deleted by the user or automatically removed by the web browser.

In some cases, third-party cookies may also be stored on the user’s device when visiting our website. These cookies enable certain services provided by third parties (e.g. payment processing or embedded content).

Cookies serve various functions. Some cookies are technically necessary, as certain website functions would not operate properly without them (e.g. security-related functions or navigation). Other cookies may be used to analyze user behavior or to improve the quality and performance of the website.

Technically necessary cookies, which are required for the operation of the website and the provision of specific functions requested by the user, are processed on the basis of Article 6(1)(f) GDPR (legitimate interest). The legitimate interest lies in ensuring the secure, stable, and technically error-free operation of the website.

All other cookies, in particular those used for analytical or marketing purposes, are processed only on the basis of the user’s consent in accordance with Article 6(1)(a) GDPR and the applicable EU ePrivacy rules as implemented in Croatian law. Consent may be withdrawn at any time with effect for the future.

Users can configure their browser settings to be informed about the placement of cookies, to allow cookies only in individual cases, or to generally exclude cookies. Users may also activate automatic deletion of cookies when closing the browser. Please note that disabling cookies may limit the functionality of this website.

Where third-party cookies or cookies for analytical purposes are used, users will be informed separately within this Privacy Policy and, where required, asked for their consent via an appropriate cookie consent mechanism.

1. Registration on our website

Users have the option to register on this website in order to access additional website functions and to participate in the conference. The personal data entered during the registration process will be processed exclusively for the purpose of providing the services and features for which the user has registered.

All mandatory information requested during the registration process must be provided in full. Failure to do so may result in the rejection of the registration.

The email address provided during registration may be used to inform registered users about important organizational information related to the event, including changes to the program, technical updates, or other essential conference-related communications.

Legal Basis for Processing

Personal data entered during the registration process are processed on the basis of:

• Article 6(1)(b) GDPR – processing necessary for the performance of a contract or pre-contractual measures related to participation in the event, and
• where applicable, Article 6(1)(a) GDPR – consent, for any additional voluntary services or communications.

1. Purpose of Data Processing

The personal data provided in the registration form are processed exclusively for the purposes of:

• managing and organizing the conference,
• handling registrations and participation,
• communicating organizational and logistical information related to the event,
• fulfilling legal and administrative obligations related to event organization.

Only data that are necessary for these purposes are collected and processed.

1. Duration of Data Storage

Personal data collected during the registration process are stored only for as long as necessary to fulfil the purposes for which they were collected.

After the conclusion of the event, personal data will be deleted or anonymized, unless:

• a longer retention period is required by applicable legal obligations, or
• continued storage is necessary for the establishment, exercise, or defense of legal claims.

1. Possibility of Cancellation and Withdrawal

Users may cancel their registration for the event at any time.

For this purpose, users may contact the Organizer using the contact details provided on the website.

Where processing is based on consent, consent may be withdrawn at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

1. Request by e-mail, telephone, or fax

If you contact us by email, telephone, or other means of communication, your enquiry and the personal data resulting from it (such as your name, contact details, and the content of the enquiry) will be stored and processed by us solely for the purpose of handling your request.

Personal data will not be disclosed to third parties without your consent, unless such disclosure is required to fulfil your request or is required by applicable law.

The processing of personal data is carried out on the basis of:

• Article 6(1)(b) GDPR, where the enquiry is related to the performance of a contract or pre-contractual measures;
• Article 6(1)(f) GDPR, based on our legitimate interest in the efficient and appropriate handling of enquiries; or
• Article 6(1)(a) GDPR, where consent has been obtained.

Personal data transmitted to us in the course of contact requests will be retained only for as long as necessary to process the enquiry. Data will be deleted upon request, withdrawal of consent, or once the purpose of processing has been fulfilled, unless statutory retention obligations require longer storage.

1. VIII.Rights of the data subject

As a data subject under the EU General Data Protection Regulation (GDPR), you have the following rights in relation to the processing of your personal data by the controller:

1. Right to Information

You have the right to obtain confirmation from the controller as to whether your personal data is being processed. Where processing occurs, you are entitled to obtain the following information:

• purposes of processing;
• categories of personal data processed;
• recipients or categories of recipients of the data;
• planned storage period or criteria used to determine the storage period;
• the existence of rights to rectification, deletion, restriction, or objection;
• the right to lodge a complaint with a supervisory authority;
• the origin of the data if not collected from you directly;
• information about automated decision-making, including profiling, if applicable;
• whether data is transferred to a third country or international organization and the safeguards in place.

You have the right to receive a copy of the personal data being processed. Additional copies may be subject to a reasonable administrative fee. Electronic copies will be provided in a commonly used machine-readable format unless otherwise requested.

1. Right to Rectification

You have the right to request the correction of inaccurate personal data and the completion of incomplete data, taking into account the purpose of processing.

1. Right to Restrict Processing

You may request restriction of processing when:

• the accuracy of the data is contested,
• processing is unlawful and you oppose deletion, requesting restriction instead,
• the data is no longer necessary for processing but required for legal claims,
• you have objected to processing under Article 21(1) GDPR, pending verification of legitimate grounds.

Restricted data may only be processed with your consent or for legal claims, protection of others’ rights, or important public interest.

1. Right to Deletion (‘Right to be Forgotten’)

You have the right to request deletion of personal data when:

• data is no longer necessary for the purposes it was collected,
• consent is withdrawn and no other legal basis applies,
• you object to processing and there are no overriding legitimate grounds,
• data has been unlawfully processed,
• deletion is required by law,
• data is collected from children under the applicable provisions.

If the data has been made public, the controller must take reasonable steps to inform other controllers of your deletion request.

Exceptions: Deletion may not apply if processing is necessary for freedom of expression, legal obligations, public interest (e.g., public health, research, statistics), or legal claims.

1. Right to Notification

When your data is corrected, deleted, or restricted, the controller shall inform all recipients to whom the data was disclosed, unless this proves impossible or involves disproportionate effort. You may request information on these recipients.

1. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where processing is based on consent or a contract and is automated. This must not negatively affect others’ rights.

1. Right to Object

You may object to processing of your data based on legitimate interest or for scientific/historical/statistical purposes. You also have the right to object to processing for direct marketing at any time, including profiling related to marketing.

1. Right to Withdraw Consent

Consent can be withdrawn at any time for the future. Withdrawal does not affect the lawfulness of prior processing.

1. Automated Individual Decision-Making (Including Profiling)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect you, unless:

• necessary for entering into or performing a contract,
• authorized by law with safeguards, or
• based on explicit consent.

In these cases, you are entitled to human intervention, to express your view, and to contest the decision.

1. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in your Member State of residence, work, or where the alleged infringement occurred, if you consider that GDPR has been violated.

The authority must inform you about the progress and outcome of the complaint, including your right to judicial remedy.