Data subject category: Association members

As a data controller, CRO Startup Association processes personal data of its members (natural persons or legal persons’ representatives). When becoming a member, Data Subject provides the following categories of personal data:

  • First and last name of natural person or legal person’s representative and their birth date
  • Company name
  • Job title 
  • Personal identification number (OIB)
  • Phone number
  • E-mail

Association processes these categories of personal data to meet its legal obligations under the Law on Associations and CRO Startup’s Statute.

Association is obliged to keep a list of its members according to art. 12, par. 3 of Law on Associations. President of the Association keeps the list of members in electronic form and the list contains the name of the member, OIB, date of joining the association, membership category and date termination of membership in the association (art. 11 CRO Startup Statute). 

The Association processes this data to fulfill the purpose of informing the members about its news, convening the Association’s Assembly, annual membership fee settlement and in other justified cases related to the functioning of the Association. Contact data can be used for other purposes only if Data subject provided their consent.

According to art. 12, par. 5 of Law on Associations, list of members must be available to all members and competent authorities upon their request. Members’ personal data can be shared with third parties only with their consent or other appropriate legal basis and prior notice to Data subject.

Upon membership termination, personal data will be deleted, anonymized or pseudonymized, except for first and last name of natural person or legal person’s representative and the membership termination date (art. 12, par. 4 of the Law on Associations).

Data subject category: Participants in events held by the Association

When holding an event, Association collects following categories of personal data:

  • Participant’s first and last name 
  • Company name
  • Signature
  • Photographs

Association collects personal data upon registration on Entrio platform (participant’s first and last name and company name) for the purposes of planning and organizing the event. Participants are required to sign upon entering the event. In case the event is sponsored, the Association needs to share the participant list with the sponsor. 

The participant list is stored for one year since the event. Participant data is kept in Entrio records for 12 years since the end of the event.

Association’s events are photographed and uploaded on social networks for the purpose of promoting the Association and the event itself and informing the members and sponsors of Association’s activities. 

Personal data safety

Personal data can be accessed only by Association’s Board members and specific members of personnel. Personal data is stored safely in structured form and is deleted once there is no purpose for its processing.


  1. Right to erasure (“right to be forgotten”) – the data subject has the right to obtain the erasure of personal data concerning him or her without undue delay and Association will erase personal data without undue delay if one of the following grounds is fulfilled:
  2. a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  3. b) the data subject withdraws consent on which processing is based and there is no other legal ground for the processing,
  4. c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing,
  5. d) personal data have been unlawfully processed,
  6. e) personal data must be erased for compliance with a legal obligation.
  7. Right of access – the data subject has the right to receive confirmation from Association as to whether his or her personal data are being processed, and where that is the case, access to personal data and the information about purposes of processing, categories of data concerned, potential categories of recipients to whom the personal data will be disclosed and similar.
  8. Right to rectification – the data subject has the right, without undue delay, to obtain from Association the rectification of inaccurate personal data concerning him. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement. In addition, data subjects have an obligation to notify Association of any changes of their personal information.
  9. Right to data portability – the data subject has the right to receive personal data concerning him or her, which he or she has provided to Association, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller, without hindrance from the controller to which the personal data have been provided. It should be in mind that the right of transfer relates solely to the personal data of the data subjects.
  10. Right to object – the data subject has the right, at any time, to the object to personal data processing, on grounds relating to his or her situation, at any time to processing of personal data concerning him or her. In such a case, Association may no longer process personal data unless it demonstrates compelling legitimate grounds for processing that override interests, rights, and freedoms of the data subjects or for establishment, exercise or defense of legal claims. In relation to the processing of personal data for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing. If the decision-making is based on automatic data processing, it will be carried out in accordance with the Regulation.
  11. Right to restriction of processing – the data subject has the right to obtain from Association restriction of processing if:

– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,

– believes that processing is unlawful and data subject opposes the erasure of personal data and instead requests a restriction on their use instead, and

– the data subject has objected to processing and pending the verification whether the legitimate grounds of the controller override those of the data subject.

Exercising data subject’s rights

The data subject may request the exercise of rights at any time. Association will provide information on the undertaken actions related to the mentioned rights at the request of the data subjects no later than one month from the receipt of the request, and depending on the quantity and complexity if requests, it may be extended by a further month. 

If Association cannot not respond to the request of the data subjects, it shall inform the data subject without delay and no later than one month after receiving the request of the reasons for not acting.

Complaint to Supervisory authority

The data subject has the right to complain to the supervisory authority (Personal Data Protection Agency) in the event of an incident concerning his personal data or if he considers that Association violates his rights as defined in the General Data Protection Regulation.


Any person who has suffered material or non-material damage because of an infringement of GDPR has the right to receive compensation from the data controller or the processor for damage suffered. Any controller involved in processing is liable for damage caused by processing that infringes GDPR. A processor shall be liable for damage caused by processing only where it has not complied with the obligations of GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller. The data controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.