Zagreb University of Applied Sciences as Data Controller is committed to protecting the rights of individuals in legitimate and transparent processing and protection of their personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable regulations.

The University has appointed a Data Protection Officer, who you can contact at mail:

Personal data may also be collected from other constituents of the University (Alumni Association, Student Union, Student Sports Association, Innovators Association, etc.) who are in this case the Data Processors.

What information is being collected?

Zagreb University of Applied Sciences collects, stores and processes personal data about students, including information on family and social circumstances, citizenship, academic performance reports, qualifications obtained, employment information, financial information and sensitive information, such as health status, all in accordance with legal regulations or internal acts, or obligations to execute contracts with the department ministry and other institutions whose activities are related to the higher education activities and for the purpose of exercising individual student rights (eg. scholarships, subsidise meals, etc.)

The personal data of students and enrollment candidates for study programs are collected directly from respondents in accordance with the regulations on personal data protection and legal acts from third parties participating in the matriculation process and enrollment programs at the national level.

The University collects and processes personal information for the purpose of performing all services related to studying at the university departments, including application to study programs, enrollment, calculation of tuition fees, teaching and monitoring of students’ performance, assessment, promotion, as well as other services in career and other counseling. By doing so, only the information necessary to provide the services required are collected and processed, which may be shared between multiple organizational units in accordance with internal privacy and security policies and the binding secrecy. Legal basis for the provision of such personal data is contract with student.

Also, Zagreb University of Applied Sciences processes data for the purpose and with legal basis of fulfilling the legal obligations with national regulator (eg. drafting and sending reports to the Higher Education Agency and realizing mobility under the Erasmus Agreement) and performing tasks of public interest (eg. sending statistical forms upon study completion), as well as protecting the key interests of respondents (such as securing assets and students through video surveillance, exercising the right to a subsidized meal), and the need for the legitimate interests of the processing manager or third party (e.g., posting photos and student data on the intranet site). All legitimate interests relate to the effective, lawful and proportionate provision of services and are not detrimental to the interests or rights of individuals. If any of the legal bases does not apply, the University has developed a mechanism for the consent management to process personal data.

Zagreb University of Applied Sciences collects and processes personal information of students as Data Controller for the following purposes:

  • student enrollment
  • to secure the rights of students and to represent them through the Student Association organization
  • to secure the activities and provide services of the Counseling Center
  • to ensure student mobility through Erasmus program
  • for operations of student sports associations
  • for operations of Alumni association
  • for operations of Poduzmi@TVZ platform
  • for operations and promotion of innovators association
  • for operations of StudentCuts festival and related media
  • for TVZ Mc2 competition and related events
  • to ensure project implementations
  • to ensure student internships
  • to gain access to library materials and literature
  • to promote the University’s reputation and brand to interested groups and the public through online and other channels
  • to give recommendations for student’s hirings or promoting their employment
  • organizing studnet promotion ceremony and printing diploma (supplements)
  • plagiarism check through Turnitin system
  • keeping records student honors and awards
  • for attendance records
  • for management of Lifelong learning Center programs
  • for carrying out other activities that are or will be carried out within the regular activity of the University.

In order to protect the staff, students, visitors and property of the University and to prevent and/or detect criminal offenses or violations of disciplinary responsibilities of employees, video surveillance of the institution premises is carried out. Only authorized persons have access to the control of physical and video surveillance. Authorization is granted exclusively by the Dean in writing.

The website of the Zagreb University of Applied Sciences uses cookies, small files with visitor information, which can be stored on a user’s computer when they visit the site. The University also uses Google Analytics services to collect, through cookies, data for site usage reports: user behavior, device and browser, user location, viewed videos on the YouTube channel.

How is the data used?

The collection and processing of sensitive and special categories of data for the purpose of protecting the interests of data subjects and the public interest, with the execution of legal provisions and other orders is done lawfully, at the personal request (application) of students (applications for scholarships) and in other situations and with explicit consent by data subjects. Information used for monitoring and control purposes will, if possible, be anonymized.

Upon graduation, students become members of the Alumni association. The University uses data to conduct systematic analyzes of the employability of its students, implementing data protection and user privacy measures in accordance with the principles of Article 5 of the GDPR and the Privacy Policies of the Alumni association.

For the purposes of the teaching process, personal data of students (jmbag, first name, last name, picture, enrolled subject and grade) are accessible to a narrow circle of persons through systems maintained and supported by the IT Support of the University (, LMS Moodle system, TCExam, Grader).

Data sharing

Zagreb University of Applied Sciences reserves the right to share the special categories of students’ personal data with external organizations to which they have an obligation (in the field of higher education and state/public authorities). It retains the same right vis-à-vis the supervisory authorities and representatives of the legislative and executive branches, as well as the necessary suppliers, data processors and research organizations with which it has regulated legal obligations.

For the purpose of realizing the incoming and outgoing mobility of the Erasmus program, the University transfers the personal data of students to other institutions necessary for the implementation of international mobility agreements, in accordance with the contractual rules of the Erasmus program.

For the purpose of the student internship realization, Zagreb University of Applied Sciences shares students’ personal data with organizations in accordance with contractual rules and process documentation.

Any information sharing is in accordance with the contractual obligations, protecting the interests of students and data subjects.

In accordance with the Rules of Study all oral exams are public, as well as the success of the exam.

A student survey

During their studies, students have the right and obligation to participate in the completion of an anonymous student survey in order to improve the quality of teaching process. The process of the student survey is based on the provisions of the Rules of Study, and its implementation and data collection are subject to the special Rulebook as an internal act. Completed questionnaires and processed results are considered to be the business secret of the University.

Data retention period

All user documentation and accompanying personal data are stored and extracted in accordance with the legal and other regulations governing particular fields of activity, the Rulebook on the organization of keeping and recording archival and registration material with the consent and approval of the Croatian National Archives.

Data security

Zagreb University of Applied Sciences will respect data confidentiality and take all appropriate measures to prevent unauthorized access and disclosure of information by students and users. Only staff members who need access to relevant parts or all of the information are authorized to access the data. Student information in electronic media are protected by a password and other security restrictions, and paper files are stored in secure locations with controlled access.

Organizations processing personal data on behalf of the University are obliged to perform processing in accordance with the applicable laws on personal data protection.

Your rights

In accordance with the GDPR, users have the right to access their personal data, to object to their processing, to rectify, delete, restrict and transfer personal data, unless otherwise stated in legal regulations.

  1. the right to access information and information about the processing of data subjects’ personal data
  2. Right to rectify: if we process your personal information that is incomplete or inaccurate, you may at any time request us to correct or supplement it
  3. Right of erasure: you may request us to delete your personal information if we have processed it illegally or that processing constitutes a disproportionate encroachment on your protected interests. Please note that there are reasons to prevent immediate deletion, such as statutory filing obligations.
  4. Right to Data Transfer: you may request us to supply you with your private information in a structured format, machine readable format:
    • if we process this information on the basis of the consent you have given us and which you can revoke or to fulfill our agreement and
    • if processing is done using automated processes.
  5. Right to object: if we distribute your data for the performance of public interest or public authority duties, or to invoke our legitimate interests, you can file a complaint against such processing.
  6. Right of appeal: if you believe that we have violated Croatian or European data protection rules when processing your personal data, please contact us to clarify any issues. You are certainly entitled to file a complaint with the Croatian Data Protection Agency or to other authority in force, and from 25 May 2018 to a supervisory authority within the EU.
  7. Exercise of rights: If you wish to exercise any of these rights, please contact us using our contact information referred in this Statement.
  8. Identity verification: In case of doubt, we may ask you for additional information to verify your identity, which serves in your rights protection.
  9. Abuse of rights: if you use any of these rights too often and with a clear intent to abuse, we may charge an administrative fee or refuse to process your request
  10. Right to Restrict Processing: you may ask us to restrict the processing of your data:
    • if you dispute the accuracy of the data during a period that allows us to verify the accuracy of that data
    • if the processing was unlawful, but you refuse deletion of data and instead seek a restriction on the use of the data
    • if we no longer need the information for intended purposes, but still need it to meet the legal requirements, or
    • if you have objected to the processing of that information

Any request or complaint should be made in writing to the Data Protection Officer:

Marta Alić, prof.
Vrbik 8, 10 000 Zagreb

If students and other data subjects consider that a breach of data protection law has occurred during processing, they have the legal right to file a complaint with the data protection supervisory authority in the EU Member State where they reside, or in the country of the alleged data breach. In Croatia, the supervisory authority is the Personal Data Protection Agency.

Student and data subject responsibilities

Students are responsible for updating their personal information. Throughout their studies, students and users have access to their personal information through the intranet, and are required to handle this information in a responsible and professional manner, in accordance with professional ethics and legal regulations.

For access to personal data of other persons and students, or in case of their misuse or sharing, each person bears his own responsibility in accordance with the applicable regulations.

Zagreb University of Applied Sciences undertakes to protect data correctly and to the fullest extent reasonably possible, in accordance with available technical, human and financial capabilities.