PERSONAL DATA PROTECTION POLICY
INTRODUCTION
DELECTA d.o.o. pays particular attention to personal data protection, in accordance with the best business practices and applicable Croatian and European regulations, including the General Data
Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016). The purpose of this policy is to provide all interested parties with all the necessary information on the method of processing and protection of personal data and the rights that data subjects have in regard to personal data processing.
DELECTA d.o.o. is committed to provide the service of protection of Client’s personal data in a way that only essential basic information about Client that are necessary for fulfilling Seller’s obligations are collected; Client is also informed about the way the collected information is used, and is regularly given an option about how their information will be used, including the possibility to decide whether their name should be included or omitted from the lists used for marketing campaigns. All user information is strictly guarded and all the employees and business partners of DELECTA d.o.o. are responsible for abiding by the principles of confidentiality protection.
DATA COLLECTION / TRANSPARENCY
Personal data shall be processed lawfully, fairly and in transparent manner. We will process your data in accordance with the relevant legal provisions regulating the protection of personal data. The client provides personal information of his/her own free will. Personal information is required for processing requested services. The same information shall be used for intercommunication. DELECTA d.o.o. is under obligation that the personal information about the client will not be given to a third party except for the purpose of carrying out requested services. The personal information will be kept in a database in accordance with the Management’s decision on the method used for collecting, processing and securing personal information. With the acceptance of these General Terms, the client gives permission for his/her personal information to be used for promotional offers of DELECTA d.o.o.
The principle of transparency is manifested in the fact that we inform data subjects how personal data relating to them are collected, used, consulted or otherwise processed, as well as the extent to which the personal data are processed or shall be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
We take every reasonably justified step to ensure that inaccurate personal data are rectified or deleted. We process personal data in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.
THE CONTROLLER
Prior to collecting your personal data, we will inform you of the data processor, its details and contacts, purpose of the processing. A data controller is the individual or legal person who controls and is responsible to keep and use personal data in paper or electronic files. We are the data controller as defined by relevant data protection laws and regulation and these are our contact details:
DELECTA d.o.o.
Castropola 41
52100 Pula
Croatia
Croatian ID: HR-A-52-130000935, VAT: 45726041402
APPLICATION
The policy applies to all Clients’ personal data processed by DELECTA d.o.o. as well as data processed by DELECTA d.o.o. partners on behalf of DELECTA d.o.o.
The Client / data subject is an individual whose identity has been identified or can be identified, and whose personal data is processed; an individual whose identity can be established is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location information, network identifier or with the help of one or more factors that are specific for the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Personal data is any data relating to an individual whose identity has been established or can be established.
Data processing means any procedure or set of procedures performed on personal data or on sets of personal data.
LEGAL BASIS FOR PERSONAL DATA PROCESSING
We process your personal data because certain legal regulations require us to do so, or because processing is necessary for the performance of the contract, or to take action before the contract is
concluded, or to protect the key interests of the Client / data subject or another person, or on the basis of our legitimate interests, except when the interests or fundamental rights and freedoms of individuals who require personal data protection are greater than our interests. If personal data cannot be processed on the legal basis prescribed by binding regulations, we shall request your consent. If the data is processed for another purpose, before processing, we shall provide you with information about this other purpose and any other relevant information.
Restriction of the time of processing and data retention
We process and retain the data only for as long as it is necessary to fulfill the purpose for which the data were collected or as required by applicable regulations. We keep certain personal data in a time period prescribed by the law or any regulation obliging us to keep the data. Also, the deadlines for data filing depend on the interest of our clients to contact as per contacting data which are also personal data of the Client / data subject. As a rule, we retain the personal data for six years from the date of execution of the service, unless otherwise stipulated in the legal regulations. If we process the data based on the Client`s /subject’s consent, we retain the data until the Client / subject withdraws such consent. The data from the video surveillance system are regularly erased and is retained for a maximum of six months, except when they are necessary to conduct the proceedings before the competent authorities.
Data accuracy
We pay particular attention to the accuracy of the collected data. The Client /data subject has at any time the right to inspect data and rectify his/her data. We take every reasonable measure to ensure that personal data that is not accurate are rectified without delay.
Security of personal data
We pay the utmost attention to personal data security. In doing so, we are supported by a quality management system certified by ISO 9001 certification and internal security procedures.
RIGHTS OF DATA SUBJECTS
In accordance with the General Data Protection Regulation, the Client / data subject has the following rights:
Right of access to data
The Client / data subject has the right to obtain confirmation whether we are processing his/her personal data and, where that is the case, has the right to access the personal data and the following information: on the purposes of the processing, on the categories of personal data we process, on the recipients or categories of recipients of the data we process, on the envisaged period for which the personal data shall be stored or the criteria used to determine that period, on the right to request rectification, erasure or restriction of processing of personal data, or to object to such processing, on the right to lodge a complaint with a supervisory authority, information on the source of data if they are not collected from the Clients / data subjects, information on the system for automated decision-making, including profiling, on the safeguards if the personal data are transferred to a third country. DELECTA d.o.o. provides a copy of the personal data undergoing processing. For any further copies requested by the Client / data subject, DELECTA d.o.o. may charge a reasonable fee based on
administrative costs. Where the Client/ data subject makes the request by electronic means, and unless otherwise requested by the Client / data subject, the information shall be provided in a commonly used electronic form. Your right to obtain a copy is exercised to the extent in which it shall not adverselyaffect the rights and freedoms of others.
Right to rectification
The Client / data subject has the right to obtain the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Client / data subject has the right to have incomplete personal data completed.
Right to erasure
The Client / data subject has the right to obtain the erasure of personal data concerning him or her, where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- the Client / data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing,
- the Client / data subject has objected to the processing, especially if the data subject is a child,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation in European Union or in the Republic of Croatia,
Right to restriction of processing
The Client / data subject has the right to obtain the restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the
controller to verify the accuracy of the personal data, - the processing is unlawful and the data subject opposes the erasure of the personal data and
requests the restriction of their use instead, - the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims,
- Client / data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
The Client / data subject has the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from DELECTA d.o.o.
Right to object
The Client / data subject has the right to object, at any time, to processing of personal data concerning him or her. Where personal data are processed for direct marketing purposes, the Client / data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing, in which case we shall no longer use the data for that purpose.
Automated decision-making including profiling
The Client / data subject has the right not to be subject to a decision based solely on automated processing, including profiling.
METHOD OF PERSONAL DATA COLLECTION
We collect the data on the data subjects in the following ways:
Data collection in branch offices
When making a reservation or a quote, we request from the data subject the personal data necessary for the reservation or the quote. The data subject may leave his/her data personally, or another person may do it instead of the data subject, or the data subject may communicate the data by telephone or email.
Data collection via the web
On our website when making a reservation or requesting a quote, we collect the data needed to make the reservation or the quote. The data subject provides his/her data via the form on our website.
Client`s / Data subject’s consent
Client `s / data subject’s consent means any voluntary, special, informed and unambiguous expression of the data subject’s wishes by which he/she gives consent for the processing of personal data concerning him/her with a statement or a clear acknowledgment action. Without the Client`s / data subject’s consent we shall never use his/her personal data for any purposes for which consent is required by the applicable regulations.
The Client / data subject has the right at any time to withdraw the consent, in a manner described above. Such withdrawal shall not affect the legitimacy of the consent-based processing prior to the withdrawal.
TYPES OF PERSONAL DATA WE COLLECT
We collect the personal data on the previously mentioned legal bases. The data we collect are, for example, name and surname, the date of birth of the child for the purpose of obtaining a discount, phone number and email address for contact, location, gender, citizenship, number of passport or another appropriate personal document where necessary due to legal obligations (for example when crossing a border), credit card number or data on another means of payment. Due to the nature of travel services, there may be a need for processing specially protected categories of personal data revealing, for example, religious or philosophical beliefs, and data relating to the health of the data subject, solely for the purpose of executing the contract between DELECTA d.o.o. and the Client/ data subject or performing activities prior to the conclusion of the contract. It shall be considered that the Client / data subject who gave DELECTA d.o.o. the data from a special category of personal data thereby expressed his consent in processing such data.
Special categories can also be processed when:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the Client / data subject in the field of employment and social security and social protection law in so far as it is authorized,
- processing is necessary to protect the vital interests of the Client / data subject or of another person where the Client / data subject is physically or legally incapable of giving consent,
- processing relates to personal data which are manifestly made public by the Client / data subject,
- processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity,
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Client / data subject,
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
PURPOSE OF PERSONAL DATA COLLECTION
We collect personal data for the following purposes:
For performance of contract or preparation for performance of contract
We collect personal data to be able to provide a service to the Client /data subject or to draw up a quote for the service to the data subject and to respond to the data subject’s inquiries.
For notifying clients about services and products
If the Client / data subject has given his/her consent, we may use the data of the Client /data subject to familiarize the Client / data subject with our services and products that may be of interest to him/her.
For internal needs
We process the Client`s / data subject’s data to comply with the legal regulations, to fulfill the rights and obligations from contractual relations, for our legitimate interests and other legal bases. This may include, for example, keeping the data of the Clients / data subjects in order to best respond to clients’ complaints, using client data to prevent, detect and process misuse at the expense of the client or DELECTA d.o.o., ensuring the security of employees, clients, products and services of DELECTA d.o.o., creating services and offers tailored to the needs and wishes of clients, providing top-level user experience, personalized customer support, market research and analysis by conducting surveys, optimizing sales channels etc.
For the purpose of fulfilling legal obligations
Pursuant a written request based on applicable regulations, DELECTA d.o.o. is obliged to provide or allow access to certain personal data of the Client / data subject to the relevant state bodies (e.g. courts, police, tourist inspections etc.).
The legal basis for processing data for these purposes is fulfilling the legal obligations of DELECTA d.o.o. If a judicial, administrative or out-of-court proceeding has been initiated, personal data may be stored until the end of such proceedings, including a possible period for stating legal remedies.
PERSONAL DATA RETENTION
We shall process the collected data only as long as necessary for the above purposes, or until you withdraw your consent. If a judicial, administrative or out-of-court proceeding has been initiated,
personal data may be stored until the end of such proceedings, including a possible period for stating legal remedies.
DELECTA d.o.o. shall keep certain personal data in a time period prescribed by the law or a regulation binding DELECTA d.o.o. to data retention.
FORWARDING DATA
We forward the data to third parties in the following cases:
For the purpose of performance of contract or preparation for performance of contract with the Client
/ data subject
We forward the data to third parties whenever necessary to provide the Client / data subject with the agreed service or required information. This includes, for example, sending the data of Clients / data subjects to a hotel or a transportation carrier located within the Republic of Croatia, within the EU or outside the EU, whenever it is necessary to carry out a service or draw up a quote for a service.
When the data subject has given consent
We forward the data to third parties if it is necessary for the purpose for which the Client / data subject has given his/her explicit consent.
When we engage subcontractors for performance of certain tasks
If we engage subcontractors as processors for performing certain tasks, in such cases we forward the personal data to the subcontractor. In doing so we use only the subcontractors from the EU, and these subcontractors work exclusively at the order of DELECTA d.o.o. and as per contract concluded with DELECTA d.o.o. which ensures data protection measures as if the data were processed by DELECTA
d.o.o.
PERSONAL DATA PROTECTION
In order to protect our clients’ personal data, we use the best business practices in the fields of tourism and information and communication technologies. We continuously adjust our internal processes to achieve the optimal level of personal data protection. We use different organizational measures and technical means to protect the data of data subjects from unauthorized access, change, loss, theft or other misuse of data.
Persons who understand the need for data protection and security and are subject to confidentiality obligations have access to the data.
CONTACT
Client/data subject can exercise his/her rights under the General Data Protection Regulation by submitting a request to the following email address: info@bestcroatiacruises.com
If you believe your rights have been violated, you have the right to file a complaint to the Croatian Personal Data Protection Agency.
AMENDMENTS AND TRANSITIONAL PROVISIONS OF THE POLICY
The policy comes into force and begins to apply on the day of its publication and is available on the DELECTA d.o.o. website and in DELECTA d.o.o. office. Clients / data subjects shall be timely informed of possible amendments to the Policy, including through publication on the website. Client/ data subject has the right to data portability, data erasure and restriction of personal data processing no later than the date of application of the General Data Protection Regulation, i.e. from 25 May 2018.