Help pages

Contact us

If your question isn't answered here, post it to our Discourse community; if you just want to let us know something about the site, contact us.

Your privacy

Imamo pravo znati is run by civil society organisations.

For full details of Code for Croatia's structure, governance, and other relevant details see: Who makes Imamo pravo znati?.

Working in the fields of transparency and accountability, both Code for Croatia and Gong think hard and care very much about the privacy and security of our users: the length of this privacy policy is one result of that. We know that no-one goes through privacy policies for fun, though, so we’ve tried to keep it a clear and reasonably quick read.

We hope it covers everything you need to know, but if you still have any questions please feel free to contact us.

What personal information we collect

When you make an FOI request

In using Imamo pravo znati to send an FOI request, you are providing us with the following personal information:

  • Your name
  • Your email address
  • Your IP address

Some of this information is passed on to the public authority that receives your request, and is published on the website. This page explains:

  • what we do with each type of information
  • who sees it
  • how it is used
  • how long it is retained
  • our protocols for altering or removing information
  • what to do if you are unhappy with the way we have handled your data

When you email Imamo pravo znati through our contact form, directly, or via Code for Croatia or Gong

Support mail is handled by the Imamo pravo znati volunteer admin team via a central mailbox, which they must access with adherence to our strict security protocols.

As with any other email, this results in us holding your email address and, if provided, your name, along with the content of your message.

Who gets to see your personal information

Your name

When you submit an FOI request through Imamo pravo znati, your name (or the name you are making your request under) is:

  1. sent to the public authority, and
  2. published on the website along with the request.

See this section for more information on why this is the case.

Your email address

Your email address is not shared with the public authority, nor is it published on the website. Imamo pravo znati automatically generates a @imamopravoznati.org email address specific to each request — your message will have this address in the ‘from’ line and it’s also the address that responses are sent to.

When the public authority replies via this custom email address, their response is published on your request’s page on Imamo pravo znati. At the same time, our system alerts you, by sending a message to the personal email address you have provided when creating your request, to let you know there is a response: this too is an automated process.

So, your email address is largely kept private. There are two exceptions to this. Firstly, site administrators may access your email address in the process of administering the site, and may use your email address to contact you about your use of the site. We also occasionally contact users who have made a particularly interesting request, as we like to write about these on our communication channels.

Secondly, if you send a message to another user on the site, your email address is shared with them. You’ll see an alert to warn you of this before you submit your message.

We will not disclose your email address to anyone else unless we are obliged to by law, or you ask us to.

Will your email address be used for any other purposes?

No. After you sign up to Imamo pravo znati we will only send you emails relating to a request you made, an email alert that you have signed up for, or for other reasons that you specifically authorise. We will never give or sell your email addresses to anyone else, unless we are obliged to by law, or you ask us to.

In theory, spam could be received via the ‘send this user an email’ function. Abuse of this service is not common and you can report any messages which you consider inappropriate to us via the Contact Us form. Upon consideration, we may suspend users who have abused this service.

Your request

Your request is sent to the public authority from whom you are requesting information. At the same time, it is published on this website where anyone can see it.

Your IP address

The IP address associated with your use of the site (which may or may not be sufficient to identify you, depending on circumstances), is recorded automatically to our logs. It will not normally be seen by anyone - see the section on our own logging for more information.

We do not share IP addresses with anyone else unless required to by law (for example in the course of a police investigation for which a court order has been received).

Your postal address

You do not necessarily need to include a postal address in order to submit an access to information request. If the public authority asks for your full physical address, tell them that you want to access the information electronically, and that the address through which they received the request is sufficient for the delivery of the requested information. In accordance with the Right of Access to Information Act (ZPPI), a request submitted electronically is considered a request submitted in writing.

The Information Commissioner has given guidance on this:

  • Even if you do not indicate how you want to receive the requested information, the public authority should deliver the information in the same way you submitted the request, i.e. in the most economical way that creates less costs and achieves the purpose (source) –
    "In the request, you can also indicate the way in which you want to access the information. You can ask for the information to be sent to you by post or electronic mail, or announce that you will pick up copies of the information yourself from the public authority and thus save possible postal costs, and you can, especially if you are not sure what exactly you are looking for, request and view the documents and indicate that you will choose which documents you will request a copy of. If you do not indicate how you want to receive the requested information, the public authority will deliver the information in the same way you submitted the request, or in another more economical way that creates less costs and achieves the purpose."
  • Although the e-mail address according to the interpretation of the law does not represent the address of the user, the e-mail address is sufficient for the delivery of the requested information (source) –
    "Through electronic mail, the information officer can provide the user with the requested information and achieve faster communication with the user, given the short deadlines for processing. ...[the information officer should] take into account that insisting on the address in the case of a request submitted by electronic mail, and when it can already be determined with certainty that the authority will provide the information to the user, is contrary to the principles of economy in handling and the principle of cooperation and assistance."
  • Exceptionally, there is a case when the information officer needs a postal address (source), and in such cases the applicant can provide a postal address in some other way, for example through direct contact (e-mail, phone) with the information officer, to protect personal data when the applicant is a physical person. –
    "...the information officer has the obligation to make a decision, and the user's [postal] address is a necessary integral part of the decision. In addition, the delivery of the decision is important for determining the regularity of the delivery and determining the timeliness of the complaint filed with the Information Commissioner or the initiation of an administrative dispute before the High Administrative Court of the Republic of Croatia."

We do not recommend publishing a personal postal address on these pages.

What to do if the authority asks for a postal address to send a paper response

If the public authority only has a paper copy of the information you want, you may be asked for a postal address. Since one of Imamo pravo znati's principles is to provide resources for everyone to use by publicly posting responses to access to information requests, it's natural that we prefer public authorities to deliver information by email.

So you can try to get them to scan documents for you. You can even offer them a scanner as a gift if they don't already have one.

If that doesn't work and you want to send them your mailing address privately so you can receive the documents, mark your request as "They are going to reply by postal mail" (under "Actions" > "Update the status of this request") and you will get an email address which you can then use to send them your personal mailing address privately via your personal email.

Sometimes public authorities insist on being given a personal postal address because they want to enter it in the register. In that case, in the private message in which you submit your personal postal address to the public authority, also state that you want to receive the requested information in the same way and at the same electronic address through which they received your original request. In this way you will ensure that the response of the public authority is received and displayed on this website. At the same time, remind the public authority not to send your personal data (e.g. home address) in its response to the Imamo pravo znati address.

Our own logging

In addition to the information you give us about yourself in order to use the site (e.g. your name and email address), we collect and log some additional information in order to analyse and fix problems with the site.

Our webserver logs maintain a history of page requests. This includes information about requests, including the client IP address, data submitted (which might include your email address when you log on to the site), request date and time, page requested, browser version and referrer. We routinely keep this information for 60 days. Note that in normal circumstances, this data is infrequently accessed by a human, and when it is, they are likely to be assessing it in bulk, in order to understand an issue with the site, rather than at a granular level of individual users.

Research

Code for Croatia and Gong sometimes analyse data such as requests and responses from Imamo pravo znati for research. We adhere to strict internal privacy policies which mean that any personal data is kept secure. Data such as names and email addresses is excluded from the research datasets, and where possible redacted from the body of the text.

We would also like to share non-personal data from Imamo pravo znati with external researchers and are currently working on a policy which will allow us to take precautions against the release of sensitive personal information in cases where such data has been released in error. These precautions include excluding certain file attachments that could contain unintended releases but have low research value (such as Excel XLS or CSV files); a delay of 3 months to give time for leaks to be detected; and maintaining a register of researchers who have access to the datasets. Data passed to third parties will never exceed what is publicly available on the website.

Our Research Data Release policy can be viewed here.

Encrypted Transfer of Data

Sometimes we will want to send a copy of sensitive material to the Information Commissioner to assist them with their investigation into a public body’s breach of the Data Protection Act or the General Data Protection Regulation. In the case of bulk sensitive personal information we do this by encrypting the data with an AES algorithm using at least a 256-bit key. The encrypted data will be sent by email or made available for download via the web, FTP or USB, and the decryption password is provided via a separate channel.

Names

Why do users’ names and requests appear publicly on the site?

Your name is an integral part of your request, so has to be published with it. It is only fair, as we are also going to publish the name of the civil servant who writes the response to your request. Using your real name also helps people get in touch with you to assist you with your research or to campaign with you.

But perhaps most importantly, it means that our users think twice before making a request: if you know that your name will be permanently attached to it for all to see, then you are far more likely to make a responsible, valid and useful request.

By law, you must use your real name for the request to be a valid Freedom of Information request — but see the next question for alternatives if you do not want to publish your full name.

Your requests will be grouped together and appear on your profile on the site.

Can FOI requests be made under a pseudonym?

Technically, you must use your real name for your request to be a valid Freedom of Information request in law. See this guidance from the Information Commissioner (October 2007).

Be aware, though, that even if the authority follows this good practice, the pseudonym will probably make it impossible for you to complain to the Information Commissioner later about the handling of your request.

There are several good alternatives to using a pseudonym.

  • Use a different form of your name. For example "Mr Marko Horvat" can identify as "Marko Horvat" or "Mr. Horvat" or "Mr. M. Horvat" or "M. Horvat". Avoid using only initials like "M.H."
  • Women may use their maiden name.
  • In most cases, you may use any name by which you are “widely known and/or is regularly used”.
  • Use the name of an organisation, the name of a company, the trading name of a company, or the trading name of a sole trader.
  • Ask someone else to make the request on your behalf.
  • You may, if you are really stuck, ask us to make the request on your behalf. Please contact us with a good reason why you cannot make the request yourself and cannot ask a friend to. Do not impersonate someone else. This is an abuse of our terms of service - read more in our House Rules.

Sometimes, for various reasons including proven endangerment to the individual, we will remove a user’s name from the site; when we do so we make this clear, typically by replacing the name with “[name removed]”. For more information, see our section on your right to erasure.

What are the possible or definite consequences of using Imamo pravo znati?

When making an FOI request

As you have seen from the points above, using Imamo pravo znati results in the publication of your name and request online, in most cases permanently. Some possible consequences of this are:

  • Your request appearing in results when your name is put into search engines.
  • Contact from others with an interest in your request, potentially including the press, via the user contact facility.

When registering with the site

Creating an account on the site allows you to make FOI requests, but it’s also a required step for those who wish to sign up for email alerts (“following” a specific request, user or authority) or add annotations to request pages.

  • We collect your name and email address; these are only looked at if there’s a problem with an account.
  • Users with accounts gain a public profile page on the site: this may be accessed by anyone who clicks on the name attached to any FOI request you have sent through the site or any annotation you have made.
  • Your profile page displays:
    • Your name
    • The date you joined the site
    • Any text you provide to describe yourself
    • A list of the requests and annotations you have made

    The page does not display your email address, but does allow others to get in touch with you via a messaging system.

    The page does not display details of alerts you have subscribed to, although these are visible to you (and only you) when you are logged in.

This data (your name, email address, alert subscriptions) is not used for any purpose other than the running of the site and will not be shared externally.

Retention periods

FOI requests

As detailed above, sending an FOI request through this site results in your name and email address being stored, along with the body of your request, on our servers. Your email address is accessible only to site administrators. At the current time, the policy is to retain this information indefinitely.

Information released inadvertently in breach of data protection law

Sometimes public bodies accidentally release personal data in bulk. Imamo pravo znati does not want to hold this information longer than necessary and treats it with due care.

Volunteers will only download from Imamo pravo znati whatever information is necessary to handle a suspected breach of the data protection law by an authority, encrypting the data using a strong algorithm, protecting their device with a strong password, and deleting the data as soon as possible and in all circumstances within four hours. If the data needs to be retained after that period, it is kept on Code for Croatia’s servers and Code for Croatia is responsible for holding and deleting it.

For material that needs to be retained for a relatively short period e.g. where we give the ICO four weeks to request the material from us before we delete it, the material will remain hidden on Imamo pravo znati and will usually be deleted at the end of the retention period. In exceptional circumstances, such as where we are in correspondence with the ICO about the case, we may extend the retention period.

In any rare case where a retention period over four weeks is deemed necessary and it is considered that the release of the material would pose a significant risk of harm, Code for Croatia staff are responsible for moving the material to non-web accessible storage on Code for Croatia’s servers and deleting it when the retention period is complete.

Support emails

We retain emails sent to and from this central mailbox for two years — correspondence is automatically and permanently deleted after that point, although any email that needs to be kept on file for specific legal reasons, such as in-progress police investigations or lawsuits, is retained separately. Misdirected mail of a sensitive nature, such as a request for help with personal circumstances, is kept for a shorter period of thirty days.

In most cases our legal basis for processing personal information is "legitimate interest" (as laid out in Article 6(1)(f) of the GDPR, in force from 25 May 2018). We believe that we are pursuing a legitimate interest in processing personal data to provide our service to the benefit of our users and the benefit of society. There is a benefit to our users in that we offer an easy way to make, track and publish Freedom of Information requests. The service also has a benefit to the public as any information released in response to the request is publicly available in a historic archive for anyone to use. There is also a benefit to authorities responding to requests, in that the automatic publication of the requests reduces duplicate requesting.

We believe that our processing of our users' data is as they would expect when they use our service. If you use Imamo pravo znati to make a FOI request, you are consenting to your data being processed as described on this page. We make clear how we handle users' data, and link to this page, at appropriate places within our service, including during the process of signing up, and making a request.

On rare occasions the legal basis of "compliance with a legal obligation" will apply when we are legally obliged to hold material, for example where a court order has been issued (6(1)(c) of the GDPR).

In almost all cases our processing of personal information will be lawful under Article 6 of the GDPR but we may also rely on the "special purposes" derogations in the Data Protection Act 2018, especially those applying to academic and journalistic purposes. Often use of our service is academic or journalistic in nature, and the provision of our service as a whole may be considered a journalistic endeavour.

Your rights

Your right to erasure

See also your right to object.

Your own requests, annotations and user profile

Imamo pravo znati, as well as providing a service by which you can easily make an FOI request, also acts as an online archive of information.

Requests: We publish your request on the internet so that anybody can read it and make use of the information that you have found. Even though you may not find the response to a request useful any more, it may be of interest to others, and may have been used to support research, news articles, lobbying or other activities. For this reason, we will not normally delete the substance of requests and responses.

Names: If you have made requests for information via our site and are considering asking us to remove your name, please do take a moment to reflect and reconsider. Typically Freedom of Information requests made via our service form a positive part of an individual’s online footprint; a public record of civic activism is something to be proud of.

That said, we understand that there can be good reasons why you may want us to remove your name and will make our best efforts to do so if you ask us to. Similarly, we may also remove other personal information. Note that if your name has been released as part of an authority’s response, we may not be able to remove it easily; however, we will of course consider formal “right to be forgotten” / “right of erasure” requests and remove material if we are unable to justify continuing to hold and process it.

If you’re worried about your name being associated with your request, and you’ve not made it yet, then see our advice on using pseudonyms.

Email addresses: We also hold your email address. If you ask us to cease holding your email address while you are awaiting a response, we will not be able to notify you when a response does come in. For this reason we strongly advise keeping an active email address associated with your account while you have correspondence in progress. As a user you can change the email address associated with your account at any time yourself, or you can get in touch with us and ask us to remove your email address from your account.

Other information we hold on users of our service is described under: “When registering with the site” and “Our own logging”. As a user you can view and edit much of this material yourself, but if you feel the need to ask us to delete material do get in touch.

Removal of personal information from requests and responses

If you see any personal information about you on the site which you’d like us to remove or hide, then please let us know. Specify exactly what information you believe to be problematic and why, and let us know where it appears on the site.

We will consider any such notice, and balance it against any public interest in publishing the material. There is some guidance about this on the ICO’s website.

If it is sensitive personal information that has been accidentally posted, then we will usually remove it. Normally we will only consider requests to remove personal information which come from the individual concerned, but for sensitive information or large volumes of breached personal data we would appreciate being notified by anyone.

Removal of public servants’ personal information from responses

We automatically publish responses to requests made through the site in full. Where these responses include the personal information of public servants, we consider the legal basis for our processing of this information to be that we have a legitimate interest as described in Article 6(1)(f) of the GDPR. Our legitimate interest is in benefiting society by preserving and promoting transparency and openness, and the accountability of those in positions of power and in maintaining a historic public archive of Freedom of Information requests and responses. We will consider requests to remove the names of public servants when it seems that the interests, rights and freedoms of the data subject outweigh the public interest in publishing.

This means that:

  • If you are a decision-maker of any seniority, or if you are responding to an FOI request, we will not normally remove your details from documents and emails sent by a public body or from FOI requests. Accountability of decision-making is at the heart of good government.
  • If you hold a junior, non-decision making post we will consider requests to remove your details. Removing these details is time-consuming for our volunteers, so please let us know why this really matters to you. If we are not required to act by law but agree to remove your details we will take reasonable steps to do so — but in some cases may not be able to as it can be difficult to remove material from some types of document, such as images and PDFs.

We are happy to try to assist FOI officers who want us to help them remove their signatures from the website, but generally in such circumstances we require replacement responses to be prepared and sent to the requester before we will remove the original documents. We are generally unable to edit attachments which have been released via our service.

Your right to access

You may contact us at any time to ask to see what personal data we hold about you. If you have used our service to make a request, then the vast majority of information we hold about you is shown publicly on our website or visible to you on your user profile.

Your right to object

See also your right to erasure.

The General Data Protection Regulation gives you the right to object to our processing of your personal information and to ask us to stop processing it. However, it also gives us the right to continue to process it if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. To exercise your right to object, you must contact us, giving specific reasons why you are objecting to the processing of your personal data. These reasons should be based upon your particular situation.

Your right to lodge a complaint

You have the right to complain if you believe that we have mishandled your personal data. For Croatia, the relevant supervisory body is the Croatian Personal Data Protection Agency. You can report a concern here (but do contact us first, so that we can try and help; see our complaints procedure here).

Cookies and third party services

Like many other websites, we sometimes use cookies and Google Analytics to help us make our websites better. These tools are very common and used by many other sites, but they do have privacy implications, and as a charity concerned with socially positive uses of the internet, we think it’s important to explain them in full. If you don’t want to share your browsing activities on our sites with other companies, you can adjust your usage or install opt-out browser plugins.

Cookies

To make our service easier or more useful, we sometimes place small data files on your computer or mobile phone, known as cookies; this is very common practice and most websites do this.

Cookies help our websites to, for example, remember that you have logged in so you don’t need to do that on every page, or to measure how people use the website so we can improve it and make sure it works properly. Below, we list the cookies and services that this site may use.

Name | Typical Content | Expires
_wdtk_cookie_session | A random unique identifier | When web browser is closed, or 1 month if ‘Remember me’ is used
seen_foi2 | The number 1 if you have seen a notice | 7 days
has_seen_country_message | The number 1 if you have seen a notice about FOI services in other countries | 1 year
last_request_id | A number, identifying the last FOI request you looked at on the site | When web browser is closed
last_body_id | A number, identifying the last public authority you looked at on the site | When web browser is closed
widget_vote | A random identifier for an ‘I also want to know’ vote you've made for a request | When web browser is closed

Measuring website usage (Google Analytics)

We use Google Analytics to collect information about how people use this site. We do this to make sure it’s meeting its users’ needs and to understand how we could do better. Google Analytics stores information such as what pages you visit, how long you are on the site, how you got here, what you click on, and information about your web browser. IP addresses are masked (only a portion is stored) and personal information is only reported in aggregate. We do not allow Google to store browser cookies on your machine or device. We also do not allow Google to use or share our analytics data for any purpose besides providing us with analytics information, and we recommend that any user of Google Analytics does the same.

If you’re unhappy with data about your visit being used in this way, you can install the official browser plugin for blocking Google Analytics.

Please note that this website initialises Google Analytics with the following settings:

  • anonymizeIp: This masks the last part of your IP address before any analytics data is stored.
  • storage: none: This instructs Google to not create and store browser cookies on your machine or device.

Google’s Official Statement about Analytics Data

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

More general information on how third party services work

Credits

Bits of wording taken from the gov.uk cookies page (under the Open Government Licence).
