Data Protection Declaration

1. Introduction

With the following information we would like to give you as the “data subject “an overview about how we process your personal data and inform you about your rights in accordance with data protection laws. Our websites can generally be used without providing any personal data. However, if you want to make use of special services offered by our company through our internet site, a processing of personal data might me required. If the processing of personal data is necessary and where there is no legal basis for such a processing, we will always seek your prior consent.

The processing of personal data, for example your name, the address or email address is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with country-specific data protection laws applicable for "Lay-Z d.o.o.". With this data protection declaration, we would like to inform you about the scope and purpose of personal data collected, used and processed by us.

Being the responsible party for the processing, we have implemented numerous technical and organisational measures to ensure the most complete protection of the personal date processed through this website. Yet internet-based data transfers may generally have security vulnerability Thus absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us using an alternative method such as by phone or by mail.

2. Responsible party

The responsible party according to GDPR is:

Lay-Z d.o.o.
Marčelji, Mavri 1/1
51216 Viškovo
Telefon: 051 547 690
Telefax: 051 547 670

3. Data protection supervisor

The external data protection of the responsible party can be reached at:

Lay-Z d.o.o.
Ana Juričević
Marčelji, Mavri 1/1
51216 Viškovo
Telefon: 051 547 690

You can contact our data protection supervisor directly and at any time in case of questions or information about data protection.

4. Definitions

The data protection declaration is based on the terminology used by the European issuers of directives and regulations when the General Data Protection Regulation (GDPR) was adopted. Our data protection declaration should be easy to read and understand for both the public and our customers and business partners. In order to ensure this, we would like to explain the terminology used in this data protection declaration.
The following terms are used in this data protection declaration:

a. Personal data
Personal data is any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification, such as a name, identification number, online identification data or to one or several specific factors to his physical, physiological, genetic, mental, economic, cultural or social identity.
b. Data subject A data subject is every identified or identifiable natural person whose personal data is processed by the party responsible for the processing (our company).
c. Processing The processing is any operation or set of operations, carried out with or without the assistance of automated processes upon personal data such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
d. Limitation of the processing Limitation of the processing means the marking of stored personal data with the aim of limiting their processing in future.
e. Profiling Profiling is any form of automated processing personal data for the purpose of using this personal data to assess certain personal aspects relating to a natural person, in particular to analyse and predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behaviour, residence or his relocation.
f. Pseudonymisation Pseudonymisation is the processing of personal data in such a way that the personal data cannot be assigned to a specific data subject without using additional information, if this data is stored separately and if the data is subject to organisational and technical measures ensuring that the personal data cannot be assigned to an identified or identifiable natural person.
g. Processors A processor is a natural person or a legal entity, authority, institution or any other body processing the personal data on behalf of the responsible party.
h. Recipients A recipient is a natural person or a legal entity, authority, institution or any other body to whom personal data are disclosed whether it is a third party or not. However, authorities which may receive personal data in the framework of a particular inquiry according to Union law or the rights of the Member States shall not be regarded as recipients.
i. Third-party A third-party is a natural person or a legal entity, authority, institution or any other body except the data subject, the responsible party, the processor and those persons who, under the direct responsibility of the responsible party or the processor, are authorised to process the personal data.
j. Consent A consent is any voluntarily declaration of intent provided unmistakeably and clearly given by the data subject for a specific case and in the form of a statement or through another clear confirmatory act where the data subject indicates his or her agreement with the processing of the respective personal data.

5. Legal basis of the processing

Art. 6 (1) a of the GDPR serves our company as the legal basis of processing operations where we obtain your consent for a particular purpose of processing.

If the processing of personal data is required to perform a contract to which you are a party to, for example in case of processing operations necessary to supply goods or perform other services or any consideration, the processing is in accordance with Art. 6 (1) b of the GDPR. The same applies to processing operations which are required to perform pre-contractual measures for example in cases of enquiries about our products or services.

Where our company is subject to a legal obligation requiring the processing of personal data such as the fulfillment of tax obligations, the processing is based on Art 6 (1) c of the GDPR.

In rare circumstances the processing of personal data may be required for the protection of vital interests of the data subjects or another natural person. This might be the case, for example, if a visitor to our company was injured and consequently his or her name, age, health insurance details or additional vital information would have to be given to a physician, a hospital or other third-parties. In this case the processing would be pursuant to Art. 6 (1) d GDPR.

Eventually, processing operations could be based on Art. 6 (1) f GDPR. This is the legal basis for processing operations which are not regulated by none of the abovementioned legal basis, and where the processing is required for safeguarding the legitimate interest of our company or a third-party except where such interests are overridden by the need to protect fundamental rights and freedoms of the data subject. In particular, we are allowed to such processing operations as they have been specially mentioned by the European legislator. In that regard, he considers you being a customer of our company as a legitimate interest (recital 47 second sentence of the GDPR).

6 Technology

6.1 SSL/TLS encryption

This site uses an SSL/TLS encryption to ensure security of the data processing and to protect the transmission of confidential data such as orders, login files or contact enquiries you send to us being the operator. You can check you have an encrypted connection if you see "https://" instead of "http://" in the address bar of the browser and by the lock symbol in your browser line.
If the SSL or TLS encryption respectively is activated, the data you send to us cannot be read by third-parties.

6.2 Data collection when accessing the website

When visiting our website for information purposes only, i.e. if you do not register or otherwise transmit information to us, we only collect the data your browser transmits to our server (in so- called "server log files"). Whenever you or an automated system visits one of our websites, our website collects a number of general data and information. This general data and information is stored in the log files of the server. The following data and information may be collected:

1. browser types used and versions,
2. the operation system used by the accessing system,
3. the website through which an accessing system reaches our website (so-called referrers),
4. the sub-sites through which an accessing system navigates to our website,
5. the date and time when our website is accessed,
6. an internet protocol address (IP address),
7. the internet service provider of the accessing system.

When using this general data and information we do not draw any conclusions about your person. The information is rather used to

1. deliver the content of our website accurately,
2. optimise the content of our website as well as the advertising for the website,
3. ensure the permanent functionality of our IT systems and the technology of our website as well as
4. provide law enforcement authorities with the necessary information in case of a cyber attack.

Thus, collected data and information will be statistically evaluated with the purpose to improve data protection and security in our company to ultimately ensure an optimum level of protection of the personal data processed by us. The data of the server log files will be stored separately from all other personal data provided by a data subject. The legal basis for the data processing is Art. 6 (1) first sentence f of the GDPR. The purposes listed above constitute our legitimate interest in data collection.

7 Cookies

7.1 General information about Cookies

On our website we use cookies. These are small files which are created automatically by your browser and are stored on your IT system (laptop, tablet, smartphone or similar) whenever visiting our website. Cookies do not cause any damage on your devices and do not contain any viruses, Trojans or other malware.

Information which each arise in connection with the specific terminal, is filed in the cookie. This does not mean, however, that we are becoming immediately aware of your identity.

The use of cookies serves the purpose to make the use of our offer more pleasant for you. That is why we use session cookies so that we can recognise that your have already visited individual pages of our website. These will be deleted automatically after leaving our website.

In order to optimise the user-friendliness, we also use temporary cookies which will be stored on your terminal device for a specified period of time. If you access our website again to make use of our services, the system will recognise automatically that you have already visited us, which information and settings you made so that there is no need to enter this information again.

We also use cookies to produce statistics about the use of our website and to optimise our offer for you. These cookies enable us to recognise automatically that you have already visited us. The cookies will be deleted automatically after a specified period of time.

The data processed by cookies are required for the mentioned purposes for the protection of our and third-parties’ legitimate interests according to Art. 6 (1) first sentence f GDPR.

Most browsers accept cookies automatically. You can, however, configure your browser in such a way that no cookies are stored on your computer or that you are always asked for permission before a cookie is stored. If you deactivate cookies, however, you may not be able to use all features of our website.

8 Content of our website

8.1 Application management / Job portal

We collect and process the personal data of applicants for application procedure purposes. The processing can also be carried out electronically. This is particularly the case where an applicant submits his/her application documents electronically, for example by email or through a web form available on the website. If we conclude an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relation taking into consideration the legal requirements. If we do not conclude any employment contract with the applicant, the application documents will be deleted automatically two months after the rejection letter was sent provided there are no other legitimate interests on our part in conflict therewith. Another legitimate interest in this sense is, for example, burden of proof relating in a proceeding in accordance with the General Equal Treatment Act (AGG).

In this respect, the data processing is only carried out based on our legitimate interest pursuant to Art. 6 (1) f of the GDPR.

9 Plugins and other services

9.1 Google Maps

On our website we use Google Maps (API) from Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Maps is a web service for the representation of interactive maps to visualise geographic information. When using this service, our location may be displayed, and you may find us easier.

When accessing the respective sub-site containing Google Maps, information about how to use our website (e.g. your IP address) will be transmitted to the server of Goggle in the USA and stored there. This is carried out regardless of whether you log in via your Google user account or without a user account. If you are logged in to Google, your data is assigned directly to your account. If you do not wish to have your data assigned to your profile, you have to log out from your Google user account. Google stores your data (even for users which are not logged in) as user profiles for evaluation. Such an evaluation is carried out particularly in accordance with Art. 6 (1) f GDPR based on Google´s legitimate interest in inserting personalised advertising, market research and/or to obtain a website tailored to suit the market needs. You are entitled to object to the creation of these user profiles; for this you have to contact Google to exercise this right.

Google LLC with registered offices in the USA is certified in accordance with the US-European data protection convention "Privacy Shield" ensuring compliance with the data protection level applicable in the EU.

If you do not agree with the future transmission of your data to Google when using Google Maps, you can fully deactivate the web service of Google Maps by switching off JavaScript in your browser. In this case you cannot use Google maps and the map screen.

Through our opt-in cookie you gave your consent pursuant to Art. 6 (1) a GDPR.

Your can check Google´s terms of use at and the additional terms of use for Google Maps are available at

Detailed information about data protection in connection with the use of Google Maps are available on the Google website ("Google Privacy Policy"):

10 Your rights as a data subject

10.1 Right to obtain confirmation

Your have the right to obtain confirmation from us as to whether or not personal data of you are being processed.

10.2 Right to obtain information according to Art. 15 GDPR

At any time, you are entitled to obtain information from us free of charge with regard to your stored personal data as well as to obtain a copy of this data.

10.3 Right to rectification of incorrect data Art. 16 GDPR

You are entitled to demand rectification with regard to inaccurate personal data. Furthermore, the data subject has the right taking into account the purposes of processing, to demand integration of incomplete personal data.

10.4 Deletion 17 GDPR

You have the right to demand immediate deletion of your personal data by us for a reason provided by law where a processing is not necessary.

10.5 Right to restriction of processing Art. 18 GDPR

You are entitled to demand from us the limitation of processing if one of the legal conditions is met.

10.6 Right to data portability Art. 20 GDPR

You have the right to obtain your personal data you provided to us in a structured, commonly used and machine-readable format. Furthermore, you are entitled to transmit those data to another responsible party without hindrance from us to which the personal data have been provided where the processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR or is based on a contract pursuant to Art. 6 (1) b GDPR and if the processing is carried out by automated means unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, you have the right to data portability pursuant to Art. 20 (1) GDPR to have your personally data transmitted directly from one responsible party to another responsible party, where technically feasible and if these rights do not adversely affect the rights and freedoms of other persons.

10.7 Right to object Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on Art. 6 (1) e (data processing for reasons of public interest) or f (data processing based on balance of interest) GDPR.

This also applies to profiling based on one of the conditions pursuant to Art. 4 no. 4 GDPR.

If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

In individual cases we process personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data for such purposes of direct marketing. This also includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your data for these purposes.

Furthermore, you have the right on grounds relating to your particular situation to object to processing of personal data which are processed for scientific or historical research purposes or statistical purposes pursuant to 89 (1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In the context of the use of information society services, you are at liberty and notwithstanding directive 2002/58/EC, to exercise your right to object by means of automated means using technical specifications.

10.8 Withdrawal of a data protection consent

You have the right to withdraw the consent to processing personal data at any time with effect for the future.

10.9 Complaints to a supervisory authority

Your have the right to complain to an authority responsible for data protection about our processing of personal data.

11 Routine storage, deletion and blocking of personal data

We process and store your personal data only for the period required for the storage purpose or where our company is required by law to do so.

If the storage purpose ceases to apply or if the required storage period expires, the personal data will be blocked or deleted according to legal provisions as a matter of routine.

12 Duration for data retention

The duration for data retention of personal data is based on the respective legal obligation to retain data. Upon expiry of this period the corresponding data will be deleted as a matter of routine, unless they are no longer needed for the performance of a contract or contract initiation.

13 Validity and modification of the data protection declaration

This data protection declaration is the currently valid version as of May 2018.
Due to further development of our websites and offers or change of legal and regulatory requirements respectively, it may be necessary to modify this data protection declaration. The respective current version of the data protection declaration can be accessed and printed at any time at Privacy Policy.