How Moberg d.o.o. collects, uses, retains and protects personal data, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), the Croatian Act Implementing the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka, OG 42/18) and Directive 2002/58/EC on privacy and electronic communications (the "ePrivacy Directive").
The controller of personal data within the meaning of Article 4(7) GDPR is:
Strojarska cesta 20, 10000 Zagreb, Republic of Croatia
Email: info@moberg.hr
Telephone: +385 91 555 8875 (HR), +354 853 5353 (IS)
Full statutory identification of the controller is set out in the Impressum.
For all data-protection enquiries, including requests to exercise the rights set out in Section 8 below, please contact: info@moberg.hr with the subject line "Data Protection Request".
The Company has not currently designated a Data Protection Officer (DPO) under Article 37 GDPR, as the criteria of that Article do not apply to its current scale and activities. This determination is reviewed annually.
We process personal data only where one or more legal bases under Article 6(1) GDPR apply.
To respond to commercial enquiries, prepare proposals, conclude and perform Master Service Agreements and Statements of Work, deliver agreed services, manage invoicing and provide support during and after the engagement.
To comply with statutory obligations under Croatian and EU law, including accounting and tax-record retention (e.g. the General Tax Act), employment law and anti-money-laundering legislation where applicable.
To operate and secure our website, prevent fraud and abuse, conduct lawful direct outreach to business contacts, manage internal administration and pursue or defend legal claims. A balancing test is documented in each case, with overriding rights of data subjects respected.
For non-essential cookies, optional analytics, marketing communications by email or LinkedIn and any processing not otherwise covered by the bases above. Consent may be withdrawn at any time with effect for the future (Article 7(3) GDPR).
Where personal data falls within the special categories of Article 9(1) GDPR, it is processed only where a specific exception in Article 9(2) GDPR applies.
Personal data is accessed only by personnel of Moberg d.o.o. on a need-to-know basis and by carefully selected sub-processors acting on our documented instructions under written data-processing agreements that meet the requirements of Article 28 GDPR. Categories of recipients include:
An up-to-date list of sub-processors is available on request at info@moberg.hr.
Personal data is primarily processed within the European Economic Area (EEA). Where personal data is transferred to a country outside the EEA, we rely on one of the mechanisms in Chapter V GDPR:
We implement appropriate technical and organisational measures within the meaning of Article 32 GDPR to protect personal data — including encryption in transit (TLS) and at rest, access controls aligned to the principle of least privilege, multi-factor authentication, logging and monitoring, regular review of supplier security, staff training and documented incident-response procedures.
In the event of a personal-data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the Croatian Personal Data Protection Agency (AZOP) within 72 hours of becoming aware of the breach (Article 33 GDPR) and the affected data subjects without undue delay where the risk is high (Article 34 GDPR).
To obtain confirmation as to whether personal data concerning you is processed and a copy with the prescribed information.
To have inaccurate personal data corrected and incomplete data completed.
"Right to be forgotten" — where the grounds in Article 17(1) apply.
To restrict processing in the situations listed in Article 18(1).
To receive your data in a structured, commonly used, machine-readable format.
To object to processing based on legitimate interests, and to direct marketing at any time.
To withdraw any consent previously given, with effect for the future.
To lodge a complaint with a supervisory authority — see Section 10.
Requests are handled within one month of receipt (Article 12(3) GDPR), with a possible extension of up to two further months where necessary. We may ask for additional information to verify your identity.
You can withdraw or change your consent at any time via the cookie-preferences link in the footer. Cookie names, purpose and retention are listed in the cookie banner and detailed notice. We follow the European Data Protection Board's Guidelines 03/2022 on deceptive design patterns.
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Article 77 GDPR).
For Croatia: Croatian Personal Data Protection Agency (AZOP — Agencija za zaštitu osobnih podataka), Selska cesta 136, 10000 Zagreb, azop.hr.
For Iceland: Persónuvernd, Rauðarárstígur 10, 105 Reykjavík, personuvernd.is.
We do not subject visitors to this website to decisions based solely on automated processing that produce legal effects or similarly significantly affect them within the meaning of Article 22 GDPR.
Where, in the course of client engagements, we design or operate systems that involve such automated decision-making — for example, credit-risk scorecards or AI-assisted decision support — we do so as a processor on the documented instructions of the controller (the client), under separate written agreements that include the safeguards required by Article 22(2) and (3) GDPR and, where applicable, Regulation (EU) 2024/1689 (the AI Act). Decisions of this kind always remain accountable to a human reviewer.
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law or supervisory guidance. The current version, with its effective date, is always available on this page. Material changes will be communicated by clearly visible notice on the website for a reasonable period before they take effect.
Effective from: [ date to be inserted on publication ]. Version: 1.0.
Contact us about your data