GDPR Compliance
Our commitment to protecting your data rights under European law
Overview
Shadow Falcon d.o.o. is committed to complying with the General Data Protection Regulation (GDPR) and Croatian data protection legislation. As a company operating within the European Union, we take our obligations seriously and have implemented comprehensive measures to protect your personal information and respect your data rights.
This page explains how we comply with GDPR requirements and outlines the specific rights you have regarding your personal data.
Data Controller Information
For the purposes of GDPR, Shadow Falcon d.o.o. acts as the data controller for personal information collected through our website and services.
Data Controller:
Shadow Falcon d.o.o.
Poljička cesta 45
21000 Split
Croatia
Registration Number: HR-98234567
Email: [email protected]
Lawful Basis for Processing
GDPR requires that we process personal data only when we have a valid legal basis. We process your information under the following lawful grounds:
Contractual Performance
We process personal data necessary to provide the automotive services you have requested. This includes information needed to diagnose vehicle issues, perform repairs, maintain service records, and process payments.
Legitimate Interests
We process certain data to pursue our legitimate business interests, provided these interests do not override your fundamental rights. Legitimate interests include:
- Improving our services and customer experience
- Maintaining business records and quality control
- Analyzing website usage to enhance functionality
- Protecting against fraud and ensuring security
- Communicating about services you may find relevant
Legal Compliance
We process data when required by Croatian and EU law, including tax regulations, consumer protection requirements, and automotive service standards.
Consent
For certain processing activities, such as marketing communications or non-essential cookies, we obtain your explicit consent. You may withdraw this consent at any time.
Your Rights Under GDPR
GDPR grants you comprehensive rights regarding your personal data. Shadow Falcon respects these rights and has established procedures to facilitate their exercise.
Right to Access
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data. This includes information about how we use your data, who we share it with, and how long we retain it.
How to exercise: Send an email to [email protected] with "Data Access Request" in the subject line. We will respond within 30 days.
Right to Rectification
If your personal information is inaccurate or incomplete, you have the right to request correction. We will update our records promptly upon receiving verified corrections.
How to exercise: Contact us with the specific information that needs correction and provide supporting documentation if applicable.
Right to Erasure
Under this right, also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances, including:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent on which processing is based
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Please note that we may be required to retain certain information to comply with legal obligations, such as tax records or warranty documentation.
How to exercise: Submit a deletion request via email, specifying which data you wish to be deleted.
Right to Restriction of Processing
You may request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to processing. During the restriction period, we will store the data but not actively process it except with your consent.
How to exercise: Contact us explaining why you believe processing should be restricted.
Right to Data Portability
You have the right to receive personal data you provided to us in a structured, commonly used, and machine-readable format. You may also request that we transmit this data directly to another service provider where technically feasible.
How to exercise: Request data portability via email, specifying your preferred format and destination if applicable.
Right to Object
You may object to processing based on legitimate interests or for direct marketing purposes. When you object to marketing communications, we will cease such processing immediately. For objections based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
How to exercise: Contact us stating your objection and the specific processing you wish to object to.
Rights Related to Automated Decision-Making
Shadow Falcon does not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals. All service decisions are made by qualified technicians based on professional assessment.
Data Protection Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Safeguards
- Encryption of data in transit using TLS/SSL protocols
- Secure storage systems with access controls
- Regular security updates and vulnerability assessments
- Firewall protection and intrusion detection systems
- Secure backup procedures with encryption
Organizational Safeguards
- Strict access controls limiting who can view personal data
- Regular staff training on data protection and GDPR compliance
- Confidentiality agreements with employees and contractors
- Clear data retention and deletion policies
- Vendor management ensuring third parties meet GDPR standards
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected or as required by law:
- Service Records: 7 years (for warranty, legal, and quality purposes)
- Financial Records: 7 years (tax and accounting requirements)
- Contact Information: Until you request deletion or we determine it's no longer needed
- Marketing Consent: Until withdrawn or after 3 years of inactivity
- Website Analytics: 26 months maximum
Data Breach Procedures
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Croatian Data Protection Authority (AZOP) within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk
- Provide clear information about the nature of the breach and steps being taken
- Offer guidance on measures you can take to protect yourself
International Data Transfers
Your personal data is primarily processed within the European Union. If we need to transfer data outside the EU, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions recognizing equivalent data protection in destination countries
- Binding corporate rules for transfers within international companies
Third-Party Processors
When we engage third-party service providers who process personal data on our behalf, we ensure they:
- Comply with GDPR requirements
- Process data only according to our documented instructions
- Implement appropriate technical and organizational measures
- Maintain confidentiality of personal data
- Assist us in responding to data subject requests
- Delete or return data upon termination of services
Children's Data
We do not knowingly process personal data of children under 16 years of age without parental consent. Our services are not directed toward children, and we request that minors do not provide personal information through our website.
Updates to Our Practices
We regularly review our data protection practices to ensure ongoing GDPR compliance. Any significant changes to how we process personal data will be communicated through updates to our Privacy Policy and, where appropriate, direct notification to affected individuals.
Supervisory Authority
You have the right to lodge a complaint with the Croatian Data Protection Authority if you believe your data protection rights have been violated:
Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136
10000 Zagreb
Croatia
Phone: +385 1 4609 000
Email: [email protected]
Website: azop.hr
Contact Our Data Protection Officer
For questions about GDPR compliance, to exercise your data rights, or to raise concerns about how we handle your personal information, please contact:
Email: [email protected]
Subject Line: "GDPR Inquiry" or "Data Rights Request"
We will respond to all inquiries within 30 days. For complex requests, this period may be extended by an additional 60 days, and we will inform you of any such extension.
Record of Processing Activities
In accordance with GDPR Article 30, we maintain records of our data processing activities. Upon request, we can provide information about:
- Categories of personal data we process
- Purposes of processing
- Categories of data subjects and recipients
- Data retention periods
- Security measures implemented