This Privacy Statement explains how Metamorfoza d.o.o. (“we”, “our”, “us”) processes personal data of suppliers and contractors in connection with the establishment and performance of business relationships.
If you are a representative or employee of a supplier or contractor, your personal data may be processed by us. The respective Privacy Statement for Suppliers and Contractors is made pursuant to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “GDPR”).
1. ABOUT US
We are METAMORFOZA d.o.o. with registered seat in Zagreb, Radnička cesta 43, Croatia, PIN [personal identification number]: 24880192958, RN [registration number]: 080714251 (hereinafter ‘We’).
We process your personal data and the personal data of your employees as a controller in accordance with GDPR.
To exercise all of your rights regarding the protection of personal data, see below under Section 5. WHAT ARE YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA or contact us via our e-mail address [email protected].
You can also contact us via our Data Protection Officer on the e-mail address below:
E-mail address: [email protected]
2. WHAT IS PERSONAL DATA
“Personal data” means any information that relates to an identified or identifiable individual. An identifiable person is someone who can be recognized, directly or indirectly, in particular by reference to identifiers such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
For the purposes of this Privacy Statement, when referring to the processing of personal data of our suppliers and contractors, we mean the processing of the personal data of their employees, representatives and other staff who act under their authority.
3. LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process personal data of suppliers and contractors for the following purposes:
Type of Processing | Legal Basis | Purpose of processing | Personal data | Categories of Recipients | Data Retention Period |
Contractual Relationship Management | Legitimate interest | • Preparing, negotiating, and concluding contracts • Managing ongoing obligations (delivery, quality, performance) • Communicating about orders, timelines, and service standards • Handling renewals, amendments, or terminations. | • First and last name • Personal identification number (PIN) • Date and place of birth • E-mail, Phone number • Address • Bank account details (IBAN) • Any personal data delivered in CV | • Internal employees • IT support • External legal advisors | During the term of the contract and up to 5 years after the contract has ended |
Financial and Administrative Processing | Legal obligation (Croatian Accounting Act) | • Processing invoices, payments, and refunds. • Accounting and bookkeeping. • Internal reporting (budgeting, audits). • Tax and financial compliance. | • First and last name • Personal identification number (PIN) • Employment data • Address • Bank account details (IBAN) | • Accounting service providers • Auditors • Tax authorities • Internal employees | 11 years (Croatian Accounting Act) |
Compliance and Risk Management | Legal obligation and Legitimate interest | • Due diligence and background checks • Compliance with labour, health, safety, and environmental rules • Insurance and liability management • Issuing access cards or visitor passes | • First and last name • Personal identification number (PIN) • Date and place of birth • E-mail, Phone number • Health data • Address • Bank account details (IBAN) • First and last name • Personal | • Compliance officers • Internal employees • Legal advisors • Public authorities • Internal security team | During the term of the contract and up to 5 years after the contract has ended |
Security and Access Control | Legitimate interest | • Issuing access cards or visitor passes • Maintaining logs, CCTV monitoring, visitor records • Monitoring IT system access for temporary permissions | • Photograph • Physical appearance • E-mail, Phone number • Entry and exit logs, presence times • Biometrics | • IT administrators • External security providers (if engaged) | Up to 6 months; where there are grounds for legal action, we shall retain data until the end of the legal proceeding |
Communication and Relationship-Building | Legitimate interest | • Business communication (projects, services, delivery schedules) • Inviting to industry events, training, workshops • Maintaining long-term relationships | • First and last name • Personal identification number (PIN) • Photograph • Physical appearance • E-mail, Phone number • Entry and exit logs, presence times • Biometrics • IT system access data • First and last name • Personal identification number (PIN) • E-mail address • Position in company • Communication History | • Internal employees • Marketing teams | Up to 5 years after last contact or termination of relationship |
Legal Claims and Dispute Management | Legal obligation and Legitimate interest | • Establishing, exercising, or defending against legal claims • Warranty or indemnity claims | • First and last name • Personal identification number (PIN) • E-mail address • Position in company • Communication history and documentation related to disputes • Bank account details (IBAN) | • Internal legal department • External legal counsel • Courts and competent authorities • Arbitration bodies • Insurance companies | Until closure of dispute and up to 11 years (Croatian Accounting Act) Retained longer if required by ongoing proceedings – up to 5 years after the procedure has finished |
- Contractual Relationship Management
We use the personal data mentioned above in order to manage our contractual relationships with suppliers and contractors. More precisely, we use the personal data to prepare, negotiate, and conclude contracts, to monitor service delivery, quality, and performance, and to communicate regarding orders, deliveries, timelines, and service standards. Processing is necessary for the performance of a contract with you, to comply with our legal obligations, and to pursue our legitimate business interests in managing supplier relationships efficiently. If you do not provide us with your personal data or the personal data of your employees, we would be unable to conclude contracts or properly manage our contractual obligations.
- Financial and Administrative Processing
We use the personal data mentioned above in order to process invoices, payments, and refunds, to ensure accurate accounting and bookkeeping, and to comply with tax and financial regulations. Processing is necessary for compliance with legal obligations, for the performance of a contract, and to pursue our legitimate interest in maintaining proper financial records and internal reporting. If you do not provide us with your personal data, we would be unable to process payments or fulfil our statutory reporting obligations.
- Compliance and Risk Management
We use the personal data mentioned above in order to conduct due diligence, background checks, and verification of suppliers and contractors, and to ensure compliance with applicable labour, health, safety, and environmental regulations. Processing is necessary for compliance with legal obligations, for the performance of a contract, and to pursue our legitimate interest in managing risk and safeguarding our business operations. If you do not provide us with your personal data, we would be unable to assess compliance or potential risks associated with our suppliers or contractors.
- Security and Access Control
We use the personal data mentioned above in order to issue access cards, monitor on-site security, and control IT system access for contractors working on our premises. Processing is necessary for compliance with legal obligations, for the performance of a contract, and to pursue our legitimate interest in ensuring the safety and security of our premises and personnel. If you do not provide us with your personal data, we would be unable to grant access or maintain proper security measures.
- Communication and Relationship-Building
We use the personal data mentioned above in order to communicate with our suppliers and contractors about projects, services, deliveries, and industry events, as well as to maintain long-term professional relationships. Processing is necessary for the performance of a contract, to comply with legal obligations, and to pursue our legitimate interest in maintaining effective business communication and professional relationships. If you do not provide us with your personal data, we would be unable to communicate important updates or invitations.
- Legal Claims and Dispute Management
We use the personal data mentioned above in order to establish, exercise, or defend against legal claims and to manage warranty or indemnity claims under supply or service agreements. Processing is necessary for compliance with legal obligations, for the performance of a contract, and to pursue our legitimate interest in protecting our rights and resolving disputes. If you do not provide us with your personal data, we would be unable to enforce our legal rights or defend against claims.
- Processing on basis of our legal obligation
Furthermore, in line with the above-mentioned processing, if you request to exercise your rights under GDPR, we process your personal data and the personal data of your employees on the basis of our legal obligation to enable the exercise of your rights over your personal data (see below under 5. WHAT ARE YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA).
Automated individual decision-making, including profiling
We do not use automated individual decision-making, including profiling.
4. PERIOD OF STORAGE OF YOUR PERSONAL DATA
We keep the personal data you provide us with in accordance with the retention periods set out in the table above, after which we erase it.
5. WHO ASSISTS US IN PROCESSING PERSONAL DATA
Based on our orders and instructions, in accordance with the GDPR, the following categories or individuals provide us with support in the processing of personal data (Processors):
- IT and cloud service providers: For the processing of personal data collected through online forms, we use Microsoft 365 Cloud. For more information on how Microsoft 365 Cloud processes personal data, please visit: Microsoft 365 Cloud Privacy Statement
- Financial and accounting service providers: Third-party providers assisting with invoice processing, payments, bookkeeping, and tax compliance.
- Legal and compliance advisors: External law firms or compliance consultants supporting us with due diligence, risk management, and dispute resolution.
- Security and access management providers: Companies providing access control systems, security monitoring, and IT system administration for contractors on-site.
- Event and communication service providers: Providers assisting with communication, invitations to training, workshops, or industry events, and management of professional relationships.
6. WHAT ARE YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA?
Your rights | What does that mean | Forms for exercising your rights |
Right to information | You have the right to receive clear, transparent and easily understandable information on how we use your personal data and what are your rights regarding our processing of your personal data. For that reason, we provide you with the information from this Privacy Statement for Potential Franchisees. | LINK |
Right of access | You have the right to access and receive a written report on your personal data that we have collected. | LINK |
Right to rectification | You have the right to obtain the rectification of inaccurate personal data concerning you and the right to complete your incomplete personal data. | LINK |
Right to erasure (right to be forgotten) | In certain cases, you have the right to erase your personal data. We may erase your personal data if We have no legal or legitimate basis for the retention and/or further processing of your personal data. | LINK |
Right to restriction of processing | In certain cases, you may request that the processing of your personal data be restricted, which means that during the restriction of the processing we do store your personal data but process it only for a purpose for which no restriction of use is requested. | LINK |
Right to object to the processing of personal data based on our legitimate interest | You can object to our processing of your personal data based on our legitimate interest. We process the personal data of officers, directors, managers or owners of the potential franchisee on basis of our legitimate interest. | LINK |
The right to lodge a complaint with the supervisory authority and the right to an effective judicial remedy against the decision of the supervisory authority | Any person may lodge a complaint with the Croatian Personal Data Protection Agency for finding of infringement of rights; Croatian Personal Data Protection Agency Web: www.azop.hr. You have the right, in accordance with GDPR and the Croatian data protection laws and regulations, to file a legal remedy against the decision of the Croatian Personal Data Protection Agency. If you are a resident of an EU member state, please note that you are also entitled to contact and lodge a complaint with the data protection supervisory authority operating in the country of your residence. |
7. OTHER INFORMATION
We do not sell your personal data to third parties.
We may transfer personal data to third parties if it is required by applicable laws and regulations, or if this is required in case of a due diligence procedure as part of a potential investment or acquisition of our company (including outside EU).
We maintain appropriate technical and organizational measures to preserve the confidentiality and integrity of your personal data which can be accessed only by authorized persons through access user data.
Published on May 2, 2025