INTRODUCTORY PROVISIONS

Kompas d.o.o. pays particular attention to personal data protection, in accordance with the best business practices and applicable Croatian and European regulations, including the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016).

The purpose of this policy is to provide all interested parties with all the necessary information on the method of processing and protection of personal data and the rights that data subjects have in regard to personal data processing.

THE CONTROLLER

The controller is Kompas d.o.o. with seat in Poreč, Mate Vlašića 20, PIN: 13785319050. We have a Personal Data Protection Officer who can be contacted by e-mail: zastita.osobnih.podataka@kompas-travel.com or at following address: Personal Data Protection Officer, Kompas d.o.o., Mate Vlašića 20, Poreč.

SCOPE OF APPLICATION

The policy applies to all clients’ personal data processed by Kompas d.o.o. as well as data processed by Kompas’ partners on behalf of Kompas.

The data subject is an individual whose identity has been identified or can be identified, and whose personal data is processed; an individual whose identity can be established is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location information, network identifier or with the help of one or more factors that are specific for the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Personal data is any data relating to an individual whose identity has been established or can be established.

Data processing means any procedure or set of procedures performed on personal data or on sets of personal data.

LEGAL BASIS FOR PERSONAL DATA PROCESSING

We process your personal data because certain legal regulations require us to do so, or because processing is necessary for the performance of the contract, or to take action before the contract is concluded, or to protect the key interests of the data subject or another natural person, or on the basis of our legitimate interests, except when the interests or fundamental rights and freedoms of individuals who require personal data protection are greater than our interests. If personal data cannot be processed on the legal basis prescribed by binding regulations, we shall request your consent. If the data is processed for another purpose, before processing, we shall provide you with information about this other purpose and any other relevant information.

THE PRINCIPLES OF PERSONAL DATA PROCESSING

Lawful, fair and transparent processing

We process the data in accordance with applicable regulations relating to the processing of personal data and in accordance with the best business practice of data protection.

The principle of transparency is manifested in the fact that we inform data subjects how personal data relating to them are collected, used, consulted or otherwise processed, as well as the extent to which the personal data are processed or shall be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.

We take every reasonably justified step to ensure that inaccurate personal data are rectified or deleted. We process personal data in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.

Processing in accordance with the purpose of data collection

We process the collected data only in accordance with the purpose for which this data was collected.

Restriction of the quantity of data

We collect and process only those data that are necessary to achieve the purpose of processing.

Restriction of the time of processing and data retention

We process and retain the data only for as long as it is necessary to fulfill the purpose for which the data were collected or as required by applicable regulations.

We keep certain personal data in a time period prescribed by the law or any regulation obliging us to keep the data.

Also, the deadlines for data filing depend on the interest of our clients to contact as per contacting data which are also personal data of the data subject.

As a rule, we retain the personal data for six years from the date of execution of the service, unless otherwise stipulated in the legal regulations. If we process the data based on the subject’s consent, we retain the data until the subject withdraws such consent.

The data from the video surveillance system are regularly erased and is retained for a maximum of six months, except when they are necessary to conduct the proceedings before the competent authorities.

Data accuracy

We pay particular attention to the accuracy of the collected data. The data subject has at any time the right to inspect data and rectify his/her data.

We take every reasonable measure to ensure that personal data that is not accurate are rectified without delay.

Restriction of the time of processing and data retention

We process and retain the data only for as long as it is necessary to fulfill the purpose for which the data were collected or as required by applicable regulations.

We keep certain personal data in a time period prescribed by the law or any regulation obliging us to keep the data.

Security of personal data

We pay the utmost attention to personal data security. In doing so, we are supported by a quality management system certified by ISO 9001 certification and internal security procedures.

THE RIGHTS OF DATA SUBJECTS

In accordance with the General Data Protection Regulation, the data subject has the following rights:

The right of access to data

The data subject has the right to obtain confirmation whether we are processing his/her personal data and, where that is the case, has the right to access the personal data and the following information: on the purposes of the processing, on the categories of personal data we process, on the recipients or categories of recipients of the data we process, on the envisaged period for which the personal data shall be stored or the criteria used to determine that period, on the right to request rectification, erasure or restriction of processing of personal data, or to object to such processing, on the right to lodge a complaint with a supervisory authority, information on the source of data if they are not collected from the data subjects, information on the system for automated decision-making, including profiling, on the safeguards if the personal data are transferred to a third country.

Kompas d.o.o. provides a copy of the personal data undergoing processing. For any further copies requested by the data subject, Kompas d.o.o. may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. Your right to obtain a copy is exercised to the extent in which it shall not adversely affect the rights and freedoms of others.

The right to rectification

The data subject has the right to obtain the rectification of inaccurate personal data concerning him or her.

Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.

The right to erasure

The data subject has the right to obtain the erasure of personal data concerning him or her, where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  2. the data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing,
  3. the data subject has objected to the processing, especially if the data subject is a child,
  4. the personal data have been unlawfully processed,
  5. the personal data have to be erased for compliance with a legal obligation in Union or in the Republic of Croatia,

Right to restriction of processing

The data subject has the right to obtain the restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims,
  4. the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from Kompas.

The right to object

The data subject has the right to object, at any time, to processing of personal data concerning him or her.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing, in which case we shall no longer use the data for that purpose.

Automated decision-making including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling.

THE METHOD OF PERSONAL DATA COLLECTION

We collect the data on the data subjects in the following ways:

Data collection in branch offices

When making a reservation or a quote, we request from the data subject the personal data necessary for the reservation or the quote.

The data subject may leave his/her data personally, or another person may do it instead of the data subject, or the data subject may communicate the data by telephone or email.

Data collection via the web

On our website when making a reservation or requesting a quote, we collect the data needed to make the reservation or the quote.

The data subject provides his/her data via the form on our website.

Data subject’s consent

Data subject’s consent means any voluntary, special, informed and unambiguous expression of the data subject’s wishes by which he/she gives consent for the processing of personal data concerning him/her with a statement or a clear acknowledgment action.

Without the data subject’s consent we shall never use his/her personal dana for any purposes for which consent is required by the applicable regulations.

The data subject has the right at any time to withdraw the consent, in a manner described above. Such withdrawal shall not affect the legitimacy of the consent-based processing prior to the withdrawal.

If you have any questions about the consent withdrawal process, feel free to contact Kompas via email: zastita.osobnih.podataka@kompas-travel.com or at Poreč, Mate Vlašića 20.

THE TYPES OF PERSONAL DATA WE COLLECT

We collect the personal data on the previously mentioned legal bases.

The data we collect are, for example, name and surname, the date of birth of the child for the purpose of obtaining a discount, phone number and email address for contact, location, gender, citizenship, number of passport or another appropriate personal document where necessary due to legal obligations (for example when crossing a border), credit card number or data on another means of payment.

Due to the nature of travel services, there may be a need for processing specially protected categories of personal data revealing, for example, religious or philosophical beliefs, and data relating to the health of the data subject, solely for the purpose of executing the contract between Kompas and the data subject or performing activities prior to the conclusion of the contract. It shall be considered that the data subject who gave Kompas the data from a special category of personal data thereby expressed his consent in processing such data.

Special categories can also be processed when:

– processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized,

– processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,

– processing relates to personal data which are manifestly made public by the data subject,

– processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity,

– processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject,

– processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

THE PURPOSE OF PERSONAL DATA COLLECTION

We collect personal data for the following purposes:

For performance of contract or preparation for performance of contract

We collect personal data to be able to provide a service to the data subject or to draw up a quote for the service to the data subject and to respond to the data subject’s inquiries.

For notifying clients about services and products

If the data subject has given his/her consent, we may use the data of the data subject to familiarize the data subject with our services and products that may be of interest to him/her.

For internal needs

We process the data subject’s data to comply with the legal regulations, to fulfill the rights and obligations from contractual relations, for our legitimate interests and other legal bases. This may include, for example, keeping the data of the data subjects in order to best respond to clients’ complaints, using client data to prevent, detect and process misuse at the expense of the client or Kompas, ensuring the security of employees, clients, products and services of Kompas, creating services and offers tailored to the needs and wishes of clients, providing top-level user experience, personalized customer support, market research and analysis by conducting surveys, optimizing sales channels etc.

Telephone conversations between data subjects and Kompas employees may be recorded and further used for the purpose of improving the quality of the work of Kompas employees, solving possible client complaints as well as for security purposes, of which the data subject shall be notified prior to the start of the conversation. The legal basis for the processing of data for this purpose is the legitimate interest of Kompas, unless the interests or fundamental rights and freedoms which require the protection of data subjects’ rights and/or the legal grounds for the protection of key interests of the data subject or another natural person are greater than our legitimate interest.

For the purpose of fulfilling legal obligations

Pursuant a written request based on applicable regulations, Kompas is obliged to provide or allow access to certain personal data of the data subject to the relevant state bodies (e.g. courts, police, tourist inspections etc.).

 

The legal basis for processing data for these purposes is fulfilling the legal obligations of Kompas.

If a judicial, administrative or out-of-court proceeding has been initiated, personal data may be stored until the end of such proceedings, including a possible period for stating legal remedies.

PERSONAL DATA RETENTION

We shall process the collected data only as long as necessary for the above purposes, or until you withdraw your consent. If a judicial, administrative or out-of-court proceeding has been initiated, personal data may be stored until the end of such proceedings, including a possible period for stating legal remedies.

Kompas shall keep certain personal data in a time period prescribed by the law or a regulation binding Kompas to data retention.

FORWARDING DATA

We forward the data to third parties in the following cases:

For the purpose of performance of contract or preparation for performance of contract with the data subject

We forward the data to third parties whenever necessary to provide the data subject with the agreed service or required information. This includes, for example, sending the data of data subjects to a hotel or a carrier located within the Republic of Croatia, within the EU or outside the EU, whenever it is necessary to carry out a service or draw up a quote for a service.

When the data subject has given consent

We forward the data to third parties if it is necessary for the purpose for which the data subject has given his/her explicit consent.

When we engage subcontractors for performance of certain tasks

If we engage subcontractors as processors for performing certain tasks, in such cases we forward the personal data to the subcontractor. In doing so we use only the subcontractors from the EU, and these subcontractors work exclusively at the order of Kompas and as per contract concluded with Kompas, which ensures data protection measures as if the data were processed by Kompas.

The consultants with whom we cooperate in maintaining our business systems can have access to the personal data of the data subjects. It is possible we share personal data with our trusted partners who provide us with e.g. IT support, who operate outside Kompas. We have a relationship based on trust with these support providers and have committed them to adequate protection of the personal data of the data subjects.

PERSONAL DATA PROTECTION

In order to protect our clients’ personal data, we use the best business practices in the fields of tourism and information and communication technologies. We continuously adjust our internal processes to achieve the optimal level of personal data protection. We use different organizational measures and technical means to protect the data of data subjects from unauthorized access, change, loss, theft or other misuse of data.

Persons who understand the need for data protection and security and are subject to confidentiality obligations have access to the data.

CONTACT

A data subject can exercise his/her rights under the General Data Protection Regulation by submitting a request to the following email address: zastita.osobnih.podataka@kompas-travel.com or address: Personal Data Protection Officer, Kompas d.o.o., Mate Vlašića 20, Poreč.

If a client suspects a violation of his/her personal data, he/she may send a complaint to the email address: zastita.osobnih.podataka@kompas-travel.com or address: Personal Data Protection Officer, Kompas d.o.o., Mate Vlašića 20, Poreč.

If you believe your rights have been violated, you have the right to file a complaint to the Croatian Personal Data Protection Agency.

AMENDMENTS AND TRANSITIONAL PROVISIONS OF THE POLICY

The policy comes into force and begins to apply on the day of its publication and is available on the Kompas website and in Kompas offices. Data subjects shall be timely informed of possible amendments to the Policy, including through publication on the website. A data subject has the right to data portability, data erasure and restriction of personal data processing no later than the date of application of the General Data Protection Regulation, i.e. from 25 May 2018.