PRIVACY POLICY

This Statement describes how the audit firm MOORE REVIDENS d.o.o. Varaždin, as an employer, collects, uses, stores, and transfers personal data of employees and any other persons whose work it engages in any capacity, its clients, and all other persons with whom it conducts business in any way, whose products it purchases or whose services it uses, with whom it has any contractual or business relationship or business contact.

This Statement also describes how audit firm MOORE REVIDENS d.o.o. Varaždin (hereinafter: we) collects, uses, stores, and transfers personal data of its clients – users of audit and non-audit services – as well as all other natural persons whose personal data it collects and processes for the purpose of performing audit and non-audit services.

This Statement also applies to personal data of users of our website and senders or recipients of our email messages.

It is our duty and goal to protect your privacy in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), as well as the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18). In protecting personal data, we are also obliged to apply the relevant provisions of the Audit Act (Official Gazette 127/2017) and the Anti-Money Laundering and Counter-Terrorist Financing Act (Official Gazette 108/17).

If you are our client, potential client, supplier, if you use our other services, enter into a business relationship with us, or are in business communication with us, you should be aware that we process your personal data necessary for the performance of our business activities.

If you are one of the persons whose personal data we process, you have the right to be informed about it, and we have the obligation to inform you of the purpose and manner of processing your personal data, as well as the way in which we protect your privacy by implementing specific personal data protection policies.

We kindly ask that, whenever you come into any form of contact with us — whether by sending us or receiving an email, visiting our website, entering into any business or legal relationship with us, or engaging in any other form of business communication — you carefully read this Statement so that you are aware of our processing of your personal data, the implications of such processing, and your rights with regard to your personal data.

By entering into any of the aforementioned types of contact, business, or legal relationships, you confirm that you are familiar with this Statement.

The auditing company MOORE REVIDENS, Zagrebačka 87, Varaždin

tel: +385 42 240 004

e-mail: [email protected]

is the data controller of the personal data of natural persons – data subjects – as specified below in this document.

Depending on your relationship with us, we collect different types of personal data about you.

The most common, though not exclusive, types of personal data we process include:

- first and last name,

- address,

- personal identification number (OIB),

- date of birth,

- telephone numbers,

- e-mail address.

Employees and other persons whose work we engage, children and dependent family members, job applicants

We collect the types of personal data prescribed by laws regulating employment relations, laws on mandatory insurance and taxation, other laws governing our activities, and related by-laws.

If you are applying for a job with us, we process the personal data necessary to determine whether you meet the required conditions and possess the knowledge, experience, and abilities for employment.

Providers of intellectual and other types of services

We collect the types of personal data necessary to conclude and execute a contract, make payments and public contributions, and perform accounting records.

Suppliers

We collect the types of personal data necessary to conclude and execute a contract, make payments and public contributions, and perform accounting records.

Website visitors and persons communicating via e-mail

Personal data about website visitors are collected during website visits, such as the IP address.

If you send us a contact form, we will collect and further process the following data about you: first and last name, company, email address and telephone number.

For individuals with whom we exchange e-mail messages, we collect data such as name and surname, e-mail address, phone number, position, and possibly other data.

Clients and users of audit and non-audit services

If we have agreed to provide a specific audit service, in order to perform the contract, it is necessary for us to collect and process certain personal data about you as a client, your members/shareholders, members of your management and supervisory bodies, employees, customers, and suppliers, as required to carry out audit procedures prescribed by law.

It is also possible that we will collect and process the same data while performing certain non-audit services.

We also collect and process the personal data prescribed by the Anti-Money Laundering and Counter-Terrorist Financing Act.

We process personal data of employees and other persons whose work we engage in order to conclude an employment contract or another type of contract, fulfill all our legal obligations related to that contract, and enable the exercise of the legal and contractual rights of those individuals.

We process this data based on our obligations under the Labour Act and other regulations governing rights and obligations related to employment or other legal relationships, tax regulations, and regulations on mandatory insurance. If we require any additional personal data, we will request the individual’s consent.

We collect personal data about employees’ children and dependent family members to meet the legal requirements for applying personal tax deductions, determining non-taxable income, and exercising other rights. This data is collected based on our obligations under tax regulations.

If you have applied for employment with us, we may store the personal data from your application to consider you for future job openings, which we do on the basis of our legitimate interest.

We collect personal data from individuals who provide various intellectual services (such as lawyers, notaries, translators, consultants, etc.) for the purpose of concluding and performing contracts with such service providers, as well as fulfilling legal obligations related to those contracts.

We collect personal data from our suppliers for the purpose of concluding and performing contracts and fulfilling legal obligations related to those contracts.

We process personal data of individuals with whom we are only in business communication to establish and maintain communication in any form. This processing is based on our legitimate interest.

We may process personal data of clients, suppliers, and potential service users for the purpose of carrying out marketing activities, such as sending information about services, brochures, catalogs, and other publications, conducting market research, and similar activities. This processing is carried out based on our legitimate interest.

We process personal data of users of our website to enable the use of the site. This processing is also carried out based on our legitimate interest.

We collect personal data about our clients and their data subjects to fulfill our audit or non-audit service contracts, as well as to comply with the Audit Act and the Anti-Money Laundering and Counter-Terrorist Financing Act.

We usually collect personal data by requesting it directly from the data subjects themselves. Such data are collected when we establish communication for the purpose of concluding a contract or entering into a legal or business relationship. For certain types of data, we are required by law to request that you provide us with specific documents, certificates, or similar evidence.

Personal data related to the use of our website are automatically recorded at the moment you access our site, as your computer automatically discloses certain technical and other data (such as your IP address).

If you send us an inquiry via the contact form on our website, we record and process the personal data you provide in that form.

If you send us an e-mail message, personal data are automatically recorded at the moment the message is received.

We collect personal data about clients’ data subjects from the client, either before or during the performance of an audit or non-audit service.

We disclose your personal data to recipients – public authorities – in order to fulfill our legal obligations. The recipients of your personal data include state administration bodies, other governmental organizations, and institutions.

If you have outstanding financial obligations toward us that require the initiation of enforcement proceedings or if there is another legal dispute between you and us that necessitates court or administrative proceedings, we will forward your data to our legal representatives (attorneys).

If you are our business partner or supplier, we may disclose your contact details to third parties who have a legitimate business interest in establishing communication.

Personal data about clients and their data subjects may, in certain cases, be transferred to a third party – another auditor, when required by the Audit Act. Such data may also be provided to competent supervisory authorities in order to enable oversight of our operations or to comply with the procedures prescribed by the Anti-Money Laundering and Counter-Terrorist Financing Act. Additionally, these data may be made available to another auditor during a quality control review of our work, which represents our contractual obligation.

If you refuse to provide personal data that we are required to process based on a legal obligation, we will not be able to fulfill our legal duties (for example, to conclude an employment contract, register you for mandatory insurance, or calculate and pay your salary or other compensation for work performed). As a result, you may be denied certain rights that you would otherwise be entitled to exercise.

If you refuse to provide personal data that are necessary for the conclusion and performance of a contract, we will not be able to enter into or fulfill that contract, nor meet our contractual or legal obligations related to it.

If you refuse to provide personal data that we process based on our legitimate interest, this may affect your ability to use our services.

If you are our client to whom we provide audit or non-audit services and you refuse to provide the requested personal data, this may result in our inability to perform the service, or it may affect the type of opinion issued, the outcome of the service, or even lead to the implementation of certain procedures as required by the Anti-Money Laundering and Counter-Terrorist Financing Act.

We retain personal data for the periods prescribed by law.

If the retention period is not specified by law or by our Data Protection Policy, we will determine it ourselves in accordance with the principle of storage limitation.

Personal data are deleted:

- upon the expiry of the retention period, or

- upon the approval of a deletion request submitted by the data subject.

We implement appropriate technical and organizational measures to protect the personal data we collect and to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

In protecting your personal data, we are obliged to act in accordance with our Personal Data Protection Policy.

The procedures defined by our Data Protection Policy ensure that: your personal data are used only for the purpose for which they were collected, the data are accessed only by authorized persons, your data are not disclosed to third parties except in specifically defined cases, and your data are retained only as long as necessary.

We apply technical protection measures that ensure access to your data contained in written documents is limited to authorized personnel who perform tasks related to personal data processing within our company. Through IT security measures, we ensure that your personal data stored in digital form are protected against unauthorized access, transfer, or loss.

All our employees are aware of their duties and responsibilities in the processing of your personal data, as defined by our Data Protection Policy.

If the processing of a certain type of personal data is based on consent, or if the disclosure or transfer of personal data requires consent, we will obtain such consent from you in written form.

When requesting your consent, we will inform you of the purpose for which the consent is being given and the consequences of refusing to provide it. Your consent must be voluntary and unambiguous.

The written consent is retained for the same period as the personal data to which it relates.

If you have given consent for a specific data processing activity, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You will be informed of this right at the time consent is given. You may withdraw your consent by submitting a written statement.

Form Consent Withdrawal is available on our website.

You have the right to submit a request to us to exercise any of the rights you are entitled to as a data subject:

- Right of access to personal data,

- Right to rectification,

- Right to erasure (“right to be forgotten”),

- Right to restriction of processing,

- Right to data portability (if applicable),

- Right to object (if applicable).

To ensure proper and documented processing, we require that requests to exercise these rights be submitted in writing using the prescribed Data Subject Request Form. The form is available at our headquarters and on our website.

Requests may be submitted in person at our headquarters or by mail. They may also be sent by email, provided that the email is sent from the email address of the person making the request. The requester must identify themselves. If the request is anonymous and we cannot verify the identity in an easy and accessible manner, the request will not be processed.

If you are our client receiving audit or non-audit services, in certain cases specified by the Anti-Money Laundering and Counter-Terrorist Financing Act, we may not allow access to certain personal data.

We will inform you of our decision and any actions taken within one month of receiving your request.

If you do not receive our response to your request regarding the processing of personal data within one month, you have the right to file a complaint with the Personal Data Protection Agency. You also have the right to file a complaint if you believe that our decision or actions have violated your rights.

Depending on our needs, we may update this Privacy Statement to improve our practices, enhance the protection of your privacy rights, or to comply with changes in applicable laws and regulations.

Any changes to this Statement will be appropriately published. We encourage you to periodically check whether this Privacy Statement has been updated.

This Privacy Statement is published on our website and on our notice board.

Effective date: 25.05.2018

Last updated: 08.08.2025.