In addition to our mission of creating unforgettable travel experiences, all of us at CROATIA NA CAŠA pay special attention to protecting the privacy of all our users. For this purpose, based on Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data (hereinafter: General Regulation), and in accordance with the Law on the Implementation of the General Data Protection Regulation (Official Gazette 42/18) and other positive regulations, we issue this Privacy Statement for the purpose of informing all interested parties about the method of collection, processing, use, storage and protection of personal data as part of our business, and about the rights that our users and employees have in connection with the processing of personal data. This data protection policy applies to all personal data that we process.
1. DEFINITIONS OF BASIC TERMS
For the sake of easier familiarization and use of this Statement, below is an explanation of the basic terms used in the content, which are defined in accordance with the provisions of positive regulations:
"Personal data" means any data relating to an individual whose identity has been determined or can be determined.
"Processing" means any process or set of processes performed on personal data or sets of personal data, whether by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction.
"Respondent/user" is a natural person whose identity can be determined directly or indirectly, especially on the basis of one or more characteristics specific to his physical, psychological, mental, economic, cultural or social identity. Simply put, in this situation, the respondent/user is you.
"Controller" means a natural or legal person or other body that alone or together with others determines the purposes and means of personal data processing.
"Processor" means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
"Third party" means a natural or legal person, public authority, agency or other body that is not the data subject, controller, processor or persons authorized to process personal data under the direct authority of the controller or processor.
"Recipient" means the natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party.
"Consent" of the respondent/user means any voluntary, specific, informed and unequivocal expression of the wishes of the respondent/user by which he consents to the processing of personal data relating to him by a statement or a clear affirmative action.
"Personal Data Breach" means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed.
2. PROCESSING MANAGER
The responsible controller of your personal data is: HRVATSKA NA ČAŠU d.o.o., touristic agency, Labinska 8, 10000 Zagreb, Republic of Croatia, OIB: 63569146827 (hereinafter: Controller/Agency).
Contact of the Data Controller:
e-mail: info@hrvatskanacasu.hr
post office: Labinska 8, 10000 Zagreb, Republic of Croatia
phone: +385 98 663 569
In certain situations, the Agency can also be the processor of personal data, for example when it processes your personal data when mediating in obtaining package arrangements and/or other services organized by other travel agencies or service providers. In that case, the controller of your personal data is another travel agency or service provider.
3. PRINCIPLES OF PERSONAL DATA PROCESSING
LEGALITY, TRANSPARENCY AND HONESTY
The Agency approaches the processing of your personal data in accordance with the principles of legality, transparency and honesty, which means that every processing is in accordance with a certain legal basis, and you are informed about the processing procedure and its purposes. In doing so, the Agency provides you with all the information necessary to ensure fair and transparent processing, taking into account the special circumstances and context of personal data processing.
LIMITATION OF PURPOSE
Personal data is collected for specific, explicit and lawful purposes and is not further processed in a way that is inconsistent with these purposes.
REDUCING THE QUANTITY OF DATA
The Agency processes only those personal data that are appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the Agency will not ask you for personal data that is not necessary for the fulfillment of the purpose for which the personal data is provided.
ACCURACY OF PERSONAL DATA
Personal data must be accurate and, if necessary, up-to-date; therefore the Agency will take every reasonable measure to ensure that personal data that are not accurate, taking into account the purposes for which they are processed, are deleted or corrected without delay.
LIMITATION OF PERSONAL DATA STORAGE
Personal data is stored in a form that enables your identification only as long as is necessary for the purposes for which the personal data is processed or as required by positive regulations.
If personal data is processed based on your consent, the data is stored until you withdraw your consent. You can withdraw your consent at any time by sending a request to the e-mail address: info@hrvatskanacasu.hr or the regular mail address: Labinska 8, 10000 Zagreb, Republic of Croatia.
INTEGRITY AND CONFIDENTIALITY
The Agency processes personal data in a way that ensures an adequate level of security, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage.
RELIABILITY
The Agency is responsible for compliance with all principles of personal data processing, and is able to demonstrate compliance with the provisions of the General Regulation at any time.
4. LEGAL BASIS AND PURPOSES OF PERSONAL DATA PROCESSING
Personal data is collected from you as a respondent/user, from third parties, or from publicly available sources. Personal data can be collected based on your consent, but also in accordance with other lawful legal bases for collecting personal data.
Personal data is collected for:
• execution of contractual obligations - when processing is necessary for executing the contract or for taking actions at your request, and before concluding the contract
• necessary compliance with the Agency's legal obligations - for example, to process employee data (sending data about employees to HZMO, HZZO, Tax Administration, accounting service, etc.)
• satisfying the legitimate interests of the Agency - when necessary, the Agency processes personal data outside of the contractual relationship, to satisfy its legitimate interests. For example, but not exclusively, such a legitimate interest can be: conducting court proceedings and keeping records of them, detecting perpetrators of criminal offenses and preventing fraud, protecting persons and property
• protection of vital interests of respondents/users or other natural persons
• improving the Agency's operations or for the Agency's internal needs, such as auditing, data analysis and research to improve our products, services and communication with respondents/users
• responding to your inquiries and comments
• sending promotional offers and other information related to the Agency's operations, based on your consent
• promotions of the Agency, based on the consent you have given us
In the event that there is a need to process personal data for purposes not described here or outside the purpose for which you have given us consent, before such processing we will provide you with information about that other purpose and all other relevant information about the processing and, if necessary, request consent for such processing.
All data that the Agency receives from you, you voluntarily give to the Agency for processing.
The agency can process your personal data for marketing purposes, based on your specific consent.
5. PERSONAL DATA PROCESSED
The Agency processes your personal data that are necessary for the fulfillment of assumed contractual and legal obligations, as well as the satisfaction of legitimate interests, i.e. for the performance of actions as part of our business, such as: name and surname, place of residence or place of residence, city/town and postal code, country, OIB, type and number of travel document, date of validity of travel document, issuer of travel document, number of identity card, date of validity of identity card, issuer of identity card, number, date and place of visa issuance, day, month and year of birth, gender, citizenship , e-mail address, phone number, photo, credit/debit card number or other means of payment, handwritten signature, IP address, etc.
Within the scope of the business/contractual relationship for the purpose of organizing and implementing travel and providing other services of the Agency, all previously mentioned personal data may be processed, and in the specific situation, those personal data that are necessary for the Agency to establish and realize the business/contractual relationship and fulfill the related contractual obligations. Without this information, we are usually forced to refuse to conclude a contract, implement an order or suspend implementation and terminate an existing contract. You are not obliged to provide personal data for processing that are not relevant or required by law for the execution of the contract.
As part of the employment relationship between the employee and the Agency, the Agency processes personal data of the employee, such as: first and last name, place of residence, city/town and postal code, country, OIB, type, number and validity period of the identification document, day, month and year of birth, gender, citizenship, e-mail address, telephone number, handwritten signature, professional qualification of the worker, work experience of the worker, bank account number, etc.
As part of marketing activities, based on your consent, we process the following personal data: name and surname, e-mail address, telephone number.
As part of the promotion of the Agency, based on your consent, we process the following personal data: name and surname, email address, phone number, photos, video materials, etc.
The agency can also process your personal data from a special category of personal data, namely data related to your health. Personal health data is collected for the purpose of organizing and implementing travel and other Agency services, based on your express consent, and if it is necessary to protect your vital interests or that of another individual.
Personal data related to health are also processed when it is necessary for the purposes of fulfilling obligations and exercising special rights of the Agency or respondents/users in the field of labor law and the law on social security and social protection, i.e. for the purpose of preventive medicine or occupational medicine for the assessment of employees' work abilities.
6. RIGHTS OF RESPONDENTS/USERS
In accordance with all positive regulations, the respondent/user has the following rights:
RIGHT TO INFORMATION AND ACCESS TO DATA
You have the right to receive confirmation from us as to whether we process personal data relating to you, and if we process such personal data, access to the personal data as well as the following information: the purpose of processing; the categories of personal data in question; the recipients or categories of recipients to whom personal data have been or will be disclosed; the anticipated period in which personal data will be stored or the criteria for determining that period; the right to request correction, deletion and restriction of processing of personal data or the right to object to such processing; the right to submit complaints to the supervisory authority; if personal data are not collected from you, any available information about their source; information about the system for automated decision-making, which includes the creation of profiles; and protective measures if personal data is transferred to a third country.
The agency provides a copy of the personal data being processed. You can submit your request through the already indicated contacts of the Agency, and unless you request otherwise, the information will be provided to you in the usual electronic form. The right to obtain a copy is exercised to the extent that it will not negatively affect the rights and freedoms of others.
RIGHT TO CORRECTION
You have the right to obtain the correction of incorrect data relating to you without undue delay.
Taking into account the purposes of the processing, you have the right to supplement incomplete personal data, and in that case the Agency is obliged to act in accordance with your request without undue delay.
RIGHT TO DELETE
You have the right to obtain the deletion of personal data relating to you without undue delay, if one of the following conditions is met:
• personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
• you have withdrawn the consent on which the processing is based and there is no other legal basis for the processing,
• you have objected to the processing, especially if the data subject is a child,
• personal data were illegally processed,
• personal data must be deleted in order to comply with legal obligations in accordance with positive regulations
The right to erasure is not an absolute right and does not apply in cases where processing is necessary to exercise the right to freedom of information and expression, to comply with legal obligations to which the Agency is subject, to establish, exercise or defend legal claims and the like.
RIGHT TO LIMITATION OF PROCESSING
You have the right to request the restriction of personal data processing, if one of the following conditions is met:
• you dispute the accuracy of personal data, for the period during which the Agency is enabled to verify the accuracy of personal data,
• the processing is illegal and you object to the deletion of personal data and instead request a restriction of their use,
• The agency no longer needs personal data for processing purposes, but you request them in order to establish, fulfill or defend legal claims,
• you filed an objection to the processing, expecting confirmation whether the Agency's legitimate reasons exceed those of the respondent/user.
THE RIGHT TO DATA PORTABILITY
You have the right to receive the personal data you have provided to the Agency in a structured, common and machine-readable format and to transfer them to another data controller without interference from the Agency.
RIGHT TO OBJECT
You have the right to object to the processing of personal data relating to you at any time.
If you believe that the Agency has no legal basis to process your data, you can file a complaint at any time with the Agency at the email address: info@hrvatskanacasu.hr or regular mail: Labinska 8, 10000 Zagreb, Republic of Croatia, and with the national supervisory body, the Agency for the Protection of Personal Data (AZOP).
In this case, the Agency will no longer process your personal data, but may not be able to provide you with its services and be in a business relationship with you because of this.
AUTOMATED DECISION MAKING INCLUDING PROFILE CREATION
You have the right not to be subject to a decision based solely on automated processing, including the creation of a profile, unless it is necessary for the conclusion or execution of a contract between you and the Agency, i.e. based on your express consent.
7. ISSUES OF IDENTITY CONFIRMATION AND ABUSE OF RIGHTS
In case of doubt regarding your identity, we may request additional information to verify your identity. Such verification serves to protect your rights.
If you use any of the indicated rights too often and with the obvious intent of abuse, we may charge an administrative fee or refuse to process your request.
8. METHOD OF COLLECTION OF PERSONAL DATA
The Agency collects your personal data through the website, namely through your access to the website and through registration/profile creation, through contact and inquiry forms, through "cookies", through electronic mail and through documentation and communication that is forwarded and takes place between you and the Agency, by any means of communication. The Agency can also collect your data through third parties, for example, but not exclusively, through merchants and intermediaries who sell the Agency's services, through state authorities, etc.
9. RESPONDENT/USER CONSENT
Without your consent, the Agency will not use your personal data for any purpose for which consent is necessary according to current regulations.
You have the right to withdraw your consent at any time by sending a request to:
• e-mail: info@nomadik.travel
• post office: Dravska 22A, 10000 Zagreb, Republic of Croatia
Withdrawal of consent will not affect the lawfulness of processing based on consent prior to its withdrawal.
If personal data of minors are processed for which consent is required, such consent is given or approved by the holder of parental care over the child.
It is considered that by making an inquiry, applying for a reservation, signing a package travel contract or using other services of the Agency, regardless of the possible simultaneous application of other legal bases for the processing of personal data that are applicable to the situation, you give your consent to the processing of personal data necessary for the purpose of responding to an inquiry, processing a reservation, concluding and fulfilling a contract or other services, and that this data is used in communication as well as during the implementation of the Agency's activities related to travel. At the same time, you give consent to the Agency for the transfer of personal data to third parties for the purpose of providing the travel service.
At the same time, with the aforementioned consents, you also give consent that your personal data can be used for the following purposes: direct sales, market research, conducting business analysis, customer segmentation, statistical processing and informing about the Agency's offer. If you do not want to give such consent, you must state this when making an inquiry or applying for a reservation.
You are not obliged to provide personal data, but keep in mind that in certain cases, if you refuse to provide the requested data, the Agency will not be able to conclude a contractual relationship with you, or fulfill its contractual and legal obligations.
10. STORAGE OF PERSONAL DATA
The agency processes the collected personal data only as long as it is necessary to achieve a specific purpose, that is, until you withdraw your consent. If judicial, administrative or extrajudicial proceedings have been initiated, personal data may be stored until the end of such proceedings, including the period for filing legal remedies.
The Agency keeps certain personal data for the period of time prescribed by positive regulations.
11. TRANSFER OF PERSONAL DATA
To achieve certain purposes for which personal data is processed, the Agency must forward your data to third parties. Only necessary personal data is forwarded to third parties. The Agency forwards your data to third parties in the following cases:
• to execute the contract or prepare for the execution of the contract - when it is necessary to provide you with the contracted service or requested information. Personal data is forwarded, for example, but not exclusively: to employees of direct service providers, i.e. accommodation facilities, airlines, bus carriers, catering facilities, travel agencies, tour guides, tour guides, embassy or consulate employees in case of visa issuance, insurance company employees, employees of banks, etc.
• when you gave your consent for it - if it is necessary for the purpose for which you gave your express consent
• when the Agency hires other companies to perform certain tasks - then these companies act as processors (for example, but not exclusively: bookkeeping service, IT companies, etc.)
Personal data is disclosed to competent state authorities as part of our performance of legal obligations, and may also be disclosed in the event of a court order or to prevent criminal activity by a competent state authority. Also, personal data will be disclosed to the court, lawyers or notaries public for the purpose of the procedures they lead. Personal data may be disclosed in case of status changes of the Agency (reorganization, association with other companies, etc.).
In addition to the above, there is the possibility of processing and keeping records of respondents/users both in the home country and abroad, all for the purpose of providing services.
12. PROTECTION OF PERSONAL DATA
In order to protect your personal data, the Agency uses the most up-to-date business practices and information and communication technologies, applying appropriate technical and security measures to protect personal data from unauthorized access, misuse, disclosure, loss or destruction.
Only authorized persons have access to personal data, both employees of the Agency and employees of third parties. Personal data is never transferred to unauthorized persons, nor will it ever be sold or illegally given to third parties.
We use secure protocols for communication and data transfer on our website. All personal data and the devices on which they are located are protected by appropriate passwords. Personal data stored in physical/paper form are located in the designated premises under the supervision of an authorized person of the Agency.
The Agency's website may contain links to other websites. Therefore, respondents/users are advised that the privacy protection and personal data protection policy on them may be different from the rules and policies of the Agency. If you access these pages, please familiarize yourself with the personal data protection rules that apply to those pages before providing personal information. In no case is the agency responsible for the content, products, services and actions of other companies. Links do not constitute affiliation with these companies. If you find out that the links on the website lead to third-party websites with inappropriate content or an unfavorable personal data protection policy, please contact us so that we can take appropriate measures in this regard.
The Agency takes all available measures to prevent unauthorized access to your personal data, but cannot guarantee that some of the data will not be accidentally disclosed. Therefore, the Agency excludes responsibility for damage caused to respondents/users or third parties to the maximum extent permitted by law. All unauthorized attempts to change data on the Agency's website are strictly prohibited.
13. NOTICE OF BREACH OF PERSONAL DATA
In the event of a breach of personal data, we will notify the competent state authority and you by e-mail within 72 hours of learning about the breach, about the nature and extent of the breach, the probable consequences and impact on our services, and the measures taken and planned to solve the problem and reduce possible adverse consequences.
We will not send you a notice of infringement in the case of:
• if there are technical and organizational protection measures (such as encryption) that have been applied to personal data affected by a personal data breach that make the data unintelligible to any person who is not authorized to access it,
• if we have taken follow-up measures to ensure that a high risk to your rights and freedoms is no longer likely to occur,
• if this would require a disproportionate effort (in which case we will notify you via public notification or a similar equally effective measure).
If you suspect a violation of your personal data, you can send a notification or inquiry to the following addresses:
• e-mail: info@hrvatskanacasu.hr
• post office: Labinska 8, 10000 Zagreb, Croatia
If you believe that your rights have been violated, you have the right to file a complaint with the Agency for the Protection of Personal Data (AZOP).
14. PERSONAL DATA AND THE WEBSITE
USE OF "COOKIES"
Our website uses "cookies" in its work, which enable the proper operation of the site and its improvement, all for the purpose of providing the best possible user experience. By accessing our website, your personal data is collected through "cookies".
"Cookies" are small files that the web browser stores on a computer, mobile device or some other device with which the respondent/user visited an internet site, and which are used for various purposes, e.g. for web analysis, measuring the number of visitors, analyzing searches, language settings, etc. "Cookies" provide the possibility of storing the characteristic preferences of website visitors, optimizing technical processes and continuously improving the offer. Placing "cookies" on the devices of respondents/users and reading information already stored on the device is done with the consent of the respondents/users and prior clear information about which data will be collected and for what purpose. It is also possible to prevent the storage of "cookies", but in that case some functions of our website may be limited. Only "cookies" that are technically necessary for communication between the respondent's/user's equipment and our website or providing a service at the respondent's/user's request are exempt from consent.
15. FINAL REMARKS
This data protection policy comes into force on the day it is published on the website www.hrvatskanacasu.hr. We reserve the right to change this data protection policy, at any time, without any notice limitations and/or liability. Any changes regarding our data protection policy will be announced in the Privacy Statement located on our website.
In Zagreb, 27.12.2023.
HRVATSKA NA ČAŠU
limited liability company
for tourism and services, travel agency
Labinska 8, 10000 Zagreb
Republic of Croatia
OIB: 63569146827
Statement on protection of personal data transfer
"Protection of personal data in accordance with the General Data Protection Regulation of the European Parliament and the Council No. 2016/679-Regulation and Implementation of the General Data Protection Regulation
Monri WSPay, as an executor of credit card authorization and billing, handles personal data in its capacity as a processor and handles personal data in accordance with the General Data Protection Regulation of the European Parliament and the Council No. 2016/679 and according to the strict rules of the PCI DSS L1 regulation on data protection and data transmission."
Monri WSPay Usage Statement
"Hrvatska na cašu d.o.o. uses Monri WSPay for online payments.
Monri WSPay is a secure system for online payments, real-time payments, credit and debit cards and other payment methods. Monri WSPay provides customers and merchants with secure entry and transfer of entered card data, which is confirmed by the PCI DSS certificate that Monri WSPay has. Monri WSPay uses an SSL certificate of 256-bit encryption and TLS 1.2 cryptographic protocol as the highest level of protection when entering and transferring data."
Statement on the protection and collection of personal data and their use
"Hrvatska na cašu d.o.o. undertakes to provide protection to customers' personal data, in such a way that it collects only necessary, basic data about customers/users that are necessary for the fulfillment of our obligations; informs customers about the use of the collected data, regularly gives customers the opportunity to choose about the use of their data, including the ability to decide whether or not they want their name removed from lists used for marketing campaigns. All user data is strictly kept and is only available to employees who need this data to perform their work. All employees of HRVATSKA NA ČAŠU and business partners are responsible for respecting the principles of privacy protection."