Personal data protection policy
“ESA – Obrt za pružanje usluga u turizmu” pays special attention to protecting the personal information of its clients, in accordance with best business practices and applicable Croatian and European regulations, including the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of the EU from 27 April 2016)
The purpose of this policy is to provide all interested parties with all the necessary information on the processing and protection of personal data and the rights that the clients have regarding the processing of personal data.
The policy applies to all personal information of the clients that ESA collects and processes and the data collected and processed by ESA’s partners on behalf of and for the needs of ESA.
A client is a person who has requested a service or a service offer from ESA.
Personal data means any information relating to an individual whose identity has been confirmed or can be confirmed (Article 4 of the General Data Protection Regulation).
Data processing means any operation or set of operations which is performed on personal data or on sets of personal data (Article 4 of the General Data Protection Regulation).
PRINCIPLES FOR PROCESSING PERSONAL DATA
Lawful, fair and transparent processing
We process the data in accordance with applicable laws pertaining to the processing of personal data and in accordance with the best business practice of data protection.
Purpose limitation of processing
We process the collected data only in accordance with the purpose for which this data was collected.
We collect and process only the data necessary to achieve the purpose of processing.
The factual accuracy of data
We pay special attention to the accuracy of the data collected. The User has the right to inspect and correct his / her data at any time.
Time limitation for processing and storage of data
We process and store the data only for as long as is necessary to fulfill the purpose for which the data was collected or as required by the applicable regulations.
Security of personal data
We pay the utmost attention to personal data security. This is supported by a quality management system certified by ISO 9001 certification and internal security procedures.
RIGHTS OF CLIENTS
In accordance with the General Data Protection Regulation, the client has the following rights:
The right of data access
The Client is entitled to receive confirmation whether we are processing his / her personal data and if we do, he/she is entitled to receive the following information: information about the purpose of processing, the category of personal data we are processing, the recipients or categories of recipients of the data we are processing, the predicted period in which the data will be stored or criteria for determining that period, the right to request correction, deletion and limitation of data processing, the right to lodge a complaint with the supervisory body, information about the source of data if not collected from the client, automated decision-making system information, such as making a profile, information about protective measures if the data is transferred to a third country.
Right to rectification and erasure
The client has the right to obtain rectification of inaccurate data.
The client has the right to obtain erasure of the data unless the data is necessary for the purpose for which they were collected or should be kept in accordance with the applicable legal regulations.
Atlas has an obligation to notify the client about the rectification or erasure of data made at the client’s request.
Right to the restriction of processing
The client has the right to obtain the data processing restriction, under the terms defined in the General Data Protection Regulation.
Atlas has an obligation to notify the client about the processing restriction made at the client’s request.
Right to data portability
The client has the right to receive the information he has submitted to us in a structured, standard and machine-readable format, and to transfer them to another processing manager without restriction.
Right to object
The client has at all times the right to object to the processing of personal data.
The client has at all times the right to object to direct marketing, in which case the data will no longer be used for that purpose.
Automated decision making including profiling
The client has the right not to be the subject of the decisions based on automated processing, including profile creation.
PERSONAL DATA COLLECTION PROCEDURE
We collect our clients’ data using the following procedures:
Data collection in branch offices
When making a reservation or an offer, we ask the user for the personal information required for the reservation or the offer.
The user can leave his or her data personally, or another person can do it in the user’s name, or the user can contact us by phone or e-mail.
Data collection via web pages
When making a reservation or making a query for an offer on our web pages, we collect the information needed to make a reservation or an offer.
The client submits the information via the form on the website.
Consent of the client
Consent of the client means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4 of the General Data Protection Regulation).
Without the client’s consent, we will never use any of the client’s personal information for any purpose that requires consent, according to the applicable regulations.
CATEGORIES OF PERSONAL DATA WE COLLECT
We only collect data that is necessary for the purpose of data collection and in accordance with applicable legal regulations.
The data we collect is: name and surname, date of birth of the children for the purpose of obtaining a discount, phone number and e-mail address for contact, location, gender, citizenship, passport number or of other appropriate personal document where necessary in order to enforce legal obligations (e.g. when crossing the border), credit card number or other payment method information.
Due to the nature of passenger services, there may be a need for processing specially protected categories of personal information that reveal, for example, religious or philosophical beliefs, trade union membership, and client’s health-related data, solely for the purpose of executing a contract between the atlas and the client, or completing actions preceding the conclusion of the contract. It will be considered that the client who gave Atlas data from a special category of personal data explicitly expressed his or her compliance to processing such data.
PURPOSE OF PERSONAL DATA COLLECTION
We collect personal data for the following purposes:
For the performance of a contract or the implementation of pre-contractual measures
We collect personal information in order to service a client or in order to make an offer for a service to the client.
For informing the users about services and products
If the client has given his consent, we can use the client’s data to familiarise the client with our services and products that may be of interest to him/her.
For internal use
Client’s data is kept to protect the legitimate interests of the client or our legitimate interests, in accordance with applicable legal regulations. For example, this may include keeping client data in order to best respond to potential customer complaints, use of client data to prevent, detect and process misuse at the expense of the clients or ESA, ensure employee, client, product and service safety, creation of services and offerings tailored to the needs and wishes of the clients, providing top-notch user experience, personalized customer support, market research and analysis, sales channel optimization, etc. Telephone conversations between users and employees of Atlas may be filmed and used further to improve the quality of work of ESA employees, the solving of client complaints as well as for security purposes, of which the client will be notified before starting the conversation. The legal basis for the processing of data for these purposes is the legitimate interest of ESA, unless such interests are overridden by interests or fundamental rights and freedoms that require the protection of client data and/or the legal basis for protecting the key interests of the client or other natural person. Exceptions are cases where the legal basis is consent.
For the fulfillment of legal obligations
Based on a written request set on applicable regulations, ESA is obliged to provide or allow access to certain personal data of the client to the relevant state bodies (e.g. courts, police, tourist inspections, etc.).
The legal basis for processing the data for these purposes is to fulfill the legal obligations of ESA.
DATA TRANSFER TO THIRD PARTIES
We transfer the clients’ data to third parties in the following cases:
For the performance of a contract or the implementation of pre-contractual measures with the client
We transfer the data to a third party when it is necessary in order to provide the client with a contracted service or required information. This includes, for example, sending client data to a hotel or carrier when it is needed to perform a service or make an offer for the service.
When the user has given his/her consent
We transfer the data to a third party if it is necessary for the purpose for which the user has explicitly granted his/her consent.
When we hire subcontractors for certain jobs
If we hire subcontractors for the processing, in that case, we will transfer the personal data to the subcontractor. We use only subcontractors from the EU and these subcontractors work exclusively by ESA’s order and under contract with Tempus Polaris, which ensures data protection measures as if the data were processed by ESA.
PROTECTION OF PERSONAL DATA
In order to protect personal information of our clients, we use the best business practices in the field of tourism and information-communication technologies. We continually adjust our internal processes in order to achieve the optimal level of personal data protection. We use different organizational measures and technical means to protect the user’s data from unauthorized access, change, loss, theft or other misuse of data.
The client can exercise his rights under the General Data Protection Regulation by submitting an application to the e-mail address email@example.com
If the client suspects there is a violation of his/her personal data, he/she may submit a complaint to the e-mail address firstname.lastname@example.org
The client may also submit a claim to the Personal Data Protection Agency.
AMENDMENTS, ADDITIONS AND TRANSITIONAL PROVISIONS OF THE POLICY
The policy enters into force and begins to apply on the day of its publication and is available on the internet sites. Customers will be promptly informed about possible changes to the Policy, including through the publication on the website. The client shall have the right to transfer of personal data, deletion of data and the limitation of personal data processing shall have the client no later than the date of coming into force of the General Data Protection Regulation, i.e. from 25 May 2018.
In Zagreb, 15.5.2018.,
ESA – Obrt za pružanje usluga u turizmu