Access Control Policy at INA Group locations managed by INA d.d.
1 GENERAL
- This Access Control Policy at INA Group locations managed by INA, d.d. in the Republic of Croatia (hereinafter: Access Control Policy) applies to all access control systems at INA, d.d. locations (hereinafter: INA), as well as all access control systems of INA Group companies’ locations managed by INA, d.d. in the Republic of Croatia (hereinafter: Affiliated Company).
- Access control is used at locations with the aim of protecting the facilities and overall property of INA, d.d. and to reconstruct and investigate security incidents, possible dangers or unauthorized access to protected areas. The access control system can be computer-supported (electronic record) or access to sites can be recorded manually.
- Facility access control is the basic security measure that must be in place in order for the other security measures to be effective. All locations must have established procedures deterring unauthorized persons from entering protected premises.
- The access control system for INA Group is managed by INA d.d.
2 RECORDS
- INA, d.d. keeps records of access control for employees, visitors, external contractors and other persons who access and are present in protected areas, as well as for access control for their vehicles. Records are kept in a computer-supported database and in manually kept access control record books.
- Data in the access control records from paragraph (1) are kept for 2 years, after which they are destroyed.
- Removal of data older than 2 years from computer-supported access control records for employees, visitors, external contractors and other persons who access and are present at protected areas will be performed automatically once per year in January of each year for the period that ended 2 years before the date of removal.
- Record books of manually kept access control for employees, visitors, external contractors and other persons who access and are present at protected areas are kept at the place of generation for 2 years.
- After the end of the current year, the books are sealed with security labels. Each access record book should be sealed with a security label so that it cannot be opened without destroying the seal or security label.
- In the event that data records must be kept for the purposes of judicial, administrative, arbitration or other equivalent proceedings after 2 years have elapsed, they will be kept by Corporate Security until the final conclusion of the proceedings, in accordance with the instruction provided by Legal Affairs. All records are the property of INA and constitute a trade secret.
- Workers and visitors are issued identification cards (ID cards) for the purpose of recording entry and movement around protected facilities.
- Workers and visitors are obliged to use the ID card every time they enter and leave the area protected by the access control system, whether it is a passage for pedestrians or for vehicles. It is not allowed to lend the ID card to other people, nor to “let” other people through the access control system using one ID card. In locations where the access control system is not implemented using barriers (“carousels”) that allow only one person to pass at a time, it is not allowed to pass (“tailgating”) behind a person who has opened the door with their ID card. In locations where the access control system is implemented to manage vehicle ramps, it is not allowed to pass without registering with an ID card behind a vehicle/person who has raised the ramp in front of the person/vehicle. In case of need (e.g. forgotten ID card), a temporary ID card for entrance can be obtained at the facility’s reception desk or from the recorder and security guard.
- The procedure for issuing a new/replacing an old ID card for access control and the procedure in case of loss of an ID card can be found on the intranet pages of Corporate Security.
3 LEGAL BASIS AND INFORMING
- INA is an independent data controller regarding the processing of data related to access to premises owned by INA, i.e. INA and the relevant Affiliated Company are considered joint data controllers regarding the processing of data related to access to premises owned by the relevant Affiliated Company.
- The Privacy Notice for access control at INA Group locations is available at the official website of INA (at the following LINK), that is, at each INA Group company location that has access control. All information about personal data processing is available in the aforementioned document.
- In addition to the above, there is a special notice at each location that informs all employees, visitors, external contractors and other persons who access and are present in protected areas about the implementation of access control. Content-wise, this notice is shorter than the Privacy Notice, and it contains basic information about personal data processing.
- The access control Privacy Notice referred to in Item 3 is made in accordance with the applicable best business practices at the time, in a format that is visible and transparent with regard to the data subjects and shall contain at least the following brief information in Croatian and English:
- the information that access control is implemented in the specific area;
- the information that all items brought in or taken out and all means of transport used to enter or leave protected areas are subject to inspection in accordance with the Private Security Act;
- contact information of the data controller (one or several);
- contact information of the data protection officer that data subjects can address;
- concise information on the purpose and legal basis of data processing;
- information on where more details can be found regarding data processing and exercising data subject rights (at the reception/entry gates, at the website – where it is also possible to use a QR code for easier access to information, etc.).
- All employees, visitors, external contractors and other persons entering the protected area are considered informed about the processing of personal data during access control.
4 RIGHT OF ACCESS
- Access, organization and management of the access control system are managed by the Corporate Security staff at INA, d.d.
- The control and processing of personal data through the access control system is assigned by INA, d.d. to a contractual provider of physical security services as the data processor.
5 DATA PROTECTION
- INA, d.d. has established a manual and computer-based system for processing personal data through the access control system.
- In relation to the computer-supported access control records, user records have been established, which contain overviews of possibilities and established access rights to the database.
- A log system has been established to record access to the computer-supported access control system, which contains the time and place of access, as well as the designation of the person who accessed the data.
- All access control records represent a trade secret and are the property of INA, d.d. It is prohibited to provide them and make them available to unauthorized persons in any manner and in any form.
6 COOPERATION WITH PUBLIC AUTHORITIES, EXERCISE OF DATA SUBJECT RIGHTS
- Competent public authorities have the right to inspect and have data submitted to them within the scope of their duties as determined by applicable regulations.
- Data subjects have the right to request the exercise of their rights prescribed by the General Data Protection Regulation, as described in detail in the Privacy Notice regarding the processing of personal data in relation to access control to INA.
- The request for exercising rights is referred to the Data Protection Officer. In the event that the request for exercising the rights of the data subjects is delivered to INA Corporate Security, the request shall be forwarded to the INA Data Protection Officer as soon as possible.
- The Data Protection Officer will take over the request and, in cooperation with all the relevant organizational units, coordinate the exercise of rights, i.e. communicate to the data subjects why it is not possible to exercise a certain right in a specific case.
- The INA Data Protection Officer, as well as other persons involved in the procedure described in this section, are obliged to comply with the applicable internal rules of INA Group regarding personal data protection and the exercise of data subject rights while taking action on the data subjects’ requests.
7 PROCEDURE IN CASE OF PERSONAL DATA BREACH
- In the event that a certain person notices a possible personal data breach, they will notify the competent responsible person/manager or employee authorized for personal data protection without delay, and they shall inform the INA Data Protection Officer thereof without undue delay.
- Further procedure is regulated by the applicable internal rules laid down in the Plan of Action in Case of Personal Data Breach.
Zagreb, December 2022