Privacy Policy
Introduction
This Privacy Policy informs respondents about how personal data collected during the use of the LEI service is handled. The controller ensures that personal data is processed lawfully, fairly, transparently and in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018) and other regulations governing the protection of personal data.
The LEI code (Legal Entity Identifier - LEI) is a unique global identifier used to identify legal entities participating in financial markets. The system is managed globally by the Global Legal Entity Identifier Foundation (GLEIF), a supranational non-profit organization established to increase transparency and reduce risk in financial transactions, and the Financial Agency (Fina) issues LEIs as an accredited local issuer (Local Operating Unit - LOU) for the Republic of Croatia.
Data Controller
Financial Agency (Fina)
Ulica grada Vukovara 70, 10 000 Zagreb
e-mail: lei@fina.hr
Data Protection Officer: dpo@fina.hr
Purpose of data processing
Fina processes personal data for the following purposes:
- Issuance and management of the LEI (entity identification, assignment of the LEI, transfer of the LEI and maintenance of the local register).
- Administration and billing (management of user profiles, communication with users and processing of payments).
- Ensuring the accuracy and integrity of data (verification of data in public registers when issuing the LEI and through daily data updates).
- Global system alignment (daily data submission to GLEIF for publication in the global registry).
Legal basis for data processing
Fina processes personal data on the basis of the following legal grounds:
- Performance of a contract (Art. 6, para. 1, (b) of the General Data Protection Regulation): processing is necessary for the conclusion and performance of the contract for the issuance of an LEI code (acceptance of the General Terms and Conditions of Use of the Fina LEI Service) with the user.
- Compliance with legal obligations (Art. 6, para. 1, (c) of the General Data Protection Regulation): Fina, as an accredited local issuer (LOU), is obliged to meet the accuracy requirements prescribed by the international standard ISO 17442 and to meet the requirements of GLEIF as a global regulatory standard. Checking in official registers and sending data to GLEIF are legal/regulatory obligations of Fina as an accredited local issuer.
Data collection method
Personal data is collected in the following ways:
- Directly from respondents: by entering data into interactive web forms during registration, submitting a request for the issuance, renewal or transfer of an LEI code, and by uploading digitally signed documentation (e.g. power of attorney).
- By downloading from official registers: the system validates data on persons authorized to represent, by downloading information from official registers, such as the Court Register, Trade Register, Register of Associations, Register of Business Entities, List of Budget Users, HANFA-Register of Funds, etc.
- By daily data update: the system checks data in official registers on a daily basis. If a change is detected in these sources that affects personal data or the status of the entity, the system synchronizes the data in the LEI database to ensure accuracy according to GLEIF standards and notifies the user of the same.
- Through the NIAS system: when logging in using the e-Citizens / e-Business system credentials, identity data is downloaded via secure exchange with the National Identification and Authentication System.
Categories of data collected
Data on registered users: name, surname, e-mail address (also username) and contact phone number of the natural person who manages the user profile.
Data on legal representatives, craftsmen and authorized persons: name, surname and OIB of persons authorized to represent (directors, procurators). Personal data that directly identifies them is processed for co-owners and natural persons performing activities. This category also includes data specified in the authorization documentation (applications, consents, powers of attorney) and data from digital certificates used for signing.
Technical data: activity records (e.g. IP address) that can be linked to a specific natural person to ensure an audit trail, etc.
Authentication data (via NIAS): in the case of registration via the e-Citizens/e-Business system, data obtained through the authentication system is processed.
Data sharing
Given that the LEI mark is an internationally recognized identifier, data on issued marks are submitted to GLEIF daily in XML (CDF) format. This data is made publicly available through the search system on the Fina and GLEIF websites. In case of transfer of the LEI mark, the data is exchanged with other local issuers (LOU) from which or to which the LEI mark is transferred. When transferring the LEI code to another operator's system, contact data is exchanged solely for the purpose of verifying requests and preventing unauthorized transfers.
Personal data may be shared with competent authorities in accordance with their orders or requests based on applicable regulations.
Personal data is processed within the European Union, but personal data from processing for the LEI process may be transferred to third countries outside the European Union in the event of a requested transfer of the LEI mark assigned by Fina to the service of another local operator or when the LEI mark assigned by another local operator is transferred to the Fina LEI service. Since LEI data form part of a public register intended to inform the public about participants in financial markets, data transfers to third countries are carried out in accordance with Article 49(1)(g) of the General Data Protection Regulation, to the extent necessary for the access to public data or the execution of individual requests for the transfer of the designation.
Data retention periods
In accordance with the General Terms and Conditions of Use of the Fina LEI Service and regulatory requirements for financial documentation, Fina retains personal data for a period of 11 (eleven) years from the date of the last update of the data. After this period, the data is deleted, unless a longer retention period is prescribed by applicable regulations.
Rights of the data subject
The data subject has the right to request access to his/her data, its correction or transfer. In the event of a request for deletion of data or restriction of processing of data necessary for validation according to the GLEIF standard, Fina cannot provide the LEI tag maintenance service and in such cases, in accordance with the General Terms and Conditions of Use of the Fina LEI Service, Fina is not liable for the inability to provide the service.
To exercise his/her rights or to file a complaint, data subjects may contact the data controller Financial Agency (Fina), Ulica grada Vukovara 70, 10 000 Zagreb or the e-mail address of the Data Protection Officer dpo@fina.hr.
Data subjects have the right to file a complaint with the Personal Data Protection Agency at Ulica Metela Ožegovića 16, 10 000 Zagreb, at the e-mail address azop@azop.hr or by filling out the online form on the website www.azop.hr.
Privacy Policy Changes
The Privacy Policy may be updated from time to time to reflect applicable regulations, changes in the way personal data is processed, or changes in system functionality. The updated version is available to users via a link when accessing the system.