Personal data protection policy

INTRODUCTION

Terra Travel, a tourist agency which operates within the Terra Travel d.o.o. company, implements personal data protection measures in accordance with the General Data Protection Regulation (GDPR) and statutory and regulatory obligations.

The Director of Terra Travel is fully committed to ensuring continuous and effective implementation of this policy, and expects the same from her employees and business partners. Any breach of this policy may result in disciplinary measures or business sanctions.

This policy determines the expected behaviour of Terra Travel, its permanent, temporary and part-time employees, as well as of business partners and third parties, related to the collection, use, storage, transmission, disclosure or destruction of personal data processed in the course of business processes of Terra Travel.

DEFINITIONS

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future;

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

Supervisory authority means an independent public authority which is established by a Member State;

DATA THAT WE COLLECT

In the course of interacting with Terra Travel through various channels (via the web page, sending inquiries/requests via e-mail, by post) personal data are collected that include, but are not limited to the following:

-Name, surname

-Home address

-Phone number and/or e-mail address

-Date of birth

For the purpose of registering customers into the eVisitor system, based on the authorization of renters, the data collected include, but are not limited to, the following:

-Name, surname,

-Place, country and date of birth,

-Citizenship;

-Identification document type and number;

-Residence (sojourn) and address;

-Arrival and departure date and time;

-Gender.

In the course of various forms of interaction, Terra Travel may also collect data that are not classified as personal data, including but not limited to the following:

-Data about the device that you use to connect to the Internet

-Type and version of the Internet browser that you use

-Ways of using the Terra Travel web pages

Data usage

Terra Travel uses personal data for the following purposes:

Provision of services to Terra Travel customers, in accordance with contractual obligations – Terra Travel may use personal data during the provision of contracted services, as well as for providing different forms of communication during the process of implementation of the cooperation.

Implementation of contractual relationships with suppliers (renters, tradesmen) for the purpose of performing registered business operations of Terra Travel – Terra Travel may use personal data during preparation and provision of contracted services, as well as for provision of various ways of communication before, during and after the process of implementation of the cooperation

Marketing and sales activities – Terra Travel may use personal data in order to inform about new promotional offers, discounts or similar activities

Protection of the Terra Travel employees – Terra Travel may disclose personal data about individuals if the company deems it necessary or appropriate in order to protect the health and safety of its employees, visitors, property and/or users

Registration of customers into the eVisitor system, in accordance with authorization given by private accommodation owners

Legal obligations of reporting and processing data

 

Data collection

Personal data are collected in one of the following ways:

Directly from individuals – when an individual contacts Terra Travel by sending an inquiry about a particular service via e-mail, on-line booking, by visiting the Terra Travel premises, when Terra Travel, as an agent authorised by renters, makes a registration into the e-Visitor system, …

Indirectly – when bookings are received from tour operators and/or internet portals belonging to sellers; through public information on web pages not belonging to Terra Travel (e.g. statuses on social media and open fora), through links and similar technologies

 

DIGITAL MARKETING

Terra Travel may send promotional materials through digital communication channels to the individuals who have consented to such a way of communication. Terra Travel’s customers have the right to disable the service of receiving promotional materials at any given moment, and Terra Travel will provide the tools to implement the right to be deleted from the notification database.

At the time of the first contact or at any stage of the provision of the service, the user will be informed about the usage of his/her data for the purposes of digital marketing.

 

DATA SUBJECT’S REQUESTS

Terra Travel ensures the realization of user rights in relation to:

Access to information;

Objection to processing;

Restriction of processing;

Data transmission;

Data correction;

Data erasure.

Requests for realization of user rights may be submitted either by written or by oral means. In case of receiving a request related to any of the above listed rights, Terra Travel will consider it in the light of all applicable laws and regulations on data protection. In exceptional cases when a user’s request is unreasonable, Terra Travel reserves the right to charge for the costs of processing such a request.

On the basis of the request submitted, after a successful confirmation of their identity, users have the right to be informed about the following:

Purpose of the personal data processing;

Source of personal data, if not obtained by the user;

Personal data category;

Recipients or categories of recipients to whom personal data have been transmitted or may be transmitted, together with the locations of the recipients;

Personal data storage duration envisaged or justification for determining the storage duration;

Use of any automated decision making, including profiling;

The requests for access to or amendment of personal data shall be addressed to the Terra Travel Director, who will register each request upon receipt. A response to each request shall be sent within 30 days from the receipt of the written request from the user.

If a full response cannot be sent within 30 days upon a user’s request, a notification will be submitted about the following:

  • Confirmation of the receipt of the request
  • All the information that has been collected
  • Details regarding any information requested, the modifications that will not be provided to the user, the reason for rejection and any available procedures to appeal a decision.
  • Estimated date by which the remaining responses will be submitted.
  • Estimated costs charged to the user (if the request is exaggerated).
  • Name and contact information of the Terra Travel Director whom the data subject should contact for further information.

6. DATA RETENTION

Terra Travel shall not retain any personal data for a period longer than necessary for the purposes for which they have been originally collected or for which a legal or contractual deadline has been defined.

Exact time periods for data retention are stated in the document entitled “Data retention policy”, taking into account legal and contractual obligations, both minimum and maximum ones.

Upon expiry of the retention period, the organization will erase the personal data in a way that ensures that the data can be neither reconstructed nor read.

 

7. DATA PROTECTION

Terra Travel implements physical, technical and organisational measures that guarantee the safety of personal data (e.g. prevention of the loss or damage, unauthorized changes, access or processing, as well as other threats to which personal data may be exposed, caused either by human action or physical/natural environment).

Personal data and documentation, in written form, from previous years are archived in a locked area. Personal data that are to be kept permanently and the data from the ongoing business year are kept in a fire-proof safe at the branch office premises, and the branch office premises are protected by both external and internal video surveillance. In addition, the premises are protected with anti-theft and intrusion protection and with external sirens. A video surveillance recorder is located in a locked cabinet. Access to video surveillance footage is available only to authorized employees, who have their access codes. Access to certain personal data in digital form is allowed to authorized employees who use their passwords. Upon employment, the employees commit to data confidentiality by signing the Confidentiality Statement. The Terra Travel director has access to all personal data, and the access accounts are protected by passwords. The Confidentiality Statement is an integral part of the business cooperation contracts with personal data processors (external accounting firm, IT service etc.). Upon the expiry of the deadline for the retention of written personal data, or upon the completion of usage of auxiliary notes with temporary record of personal data, they are destroyed by shredding or burning.

The minimum set of protective measures implemented by Terra Travel for the purpose of personal data protection is set out in Paragraph 2 of this Article, in the document entitled “Information Security Policy” and in other related policies and procedures. Protective measures are implemented with the aim to:

 

  • Prevent unauthorized persons from accessing the data processing systems in which personal data are processed.
  • Prevent persons with authorised usage of the data processing system from accessing personal data that are beyond their needs and authority.
  • Ensure that, during electronic transmission or during transmission, personal data cannot be read, copied, modified or removed without permission.
  • Ensure accessibility to the system records with the aim of identifying the person who registered, modified or removed personal data from the data processing system.
  • Ensure that, in the event when the processor processes the data, the data are processed only in accordance with instructions of the controller.
  • Ensure that personal data are protected from accidental destruction or loss.
  • Ensure that personal data collected for various purposes may be processed separately.
  • Ensure that personal data are not retained longer than necessary.

8. REQUESTS BY JUDICIAL BODIES

In specific circumstances, it is allowed to share personal data without the knowledge or agreement of the data subject. This is the case when disclosure of personal data is necessary for any of the following purposes:

  • To prevent or detect a crime
  • To arrest or prosecute an offender
  • To estimate or collect taxes or duties
  • By the court order or by any law

9. DATA TRANSMISSION

Terra Travel reserves the right to transmit personal data within its business group, as well as to third parties, observing the principle of the appropriate level of legal protection of rights and freedoms of the users.

Data shall be transmitted only if at least one of the following conditions is met:

  • The transmission is necessary for the implementation of contracting obligations/services;
  • The transmission is necessary for the implementation of pre-contracting measures taken as a response to a user’s request;
  • The transmission is necessary for entering into or for the execution of a contract signed with a third party in the interest of the user;
  • The transmission is legally binding on the basis of important public interest;
  • The transmission is necessary for the establishment, enforcement or defence of legal requests;
  • The transmission is necessary in order to protect vital interests of the user.

10. Transmission between the branch office and the headquarters or the data processor

With the aim of doing business efficiently, there may be cases when it is necessary to transmit personal data from the branch office to the headquarters of the company or vice versa, or from the branch office to Terra Travel’s external accounting firm. In such cases, Terra Travel is responsible for the protection of personal data being transmitted.

During the transmission of personal data to another organization/legal entity, located at a different physical address, the following protective measures are implemented:

  • Delivery of only the minimum amount of personal data needed for a specific purpose of the transmission (e.g. to complete a transaction or to render a specific service).
  • Provision of appropriate safety measures for the protection of personal data during the transmission (including a courier transfer, password protection, etc., if needed).

11. HANDLING COMPLAINTS

In case of complaints related to compliance with these and other rules concerning personal data protection, please contact us at the following address: Matije Gupca 2a, 23000 Zadar, or at info@terratravel.hr. In the event of a complaint, we will investigate the whole situation related to the use and disclosure of personal data in accordance with these rules, and we will strive to settle the complaint as soon as possible.

12. PROTECTION OF PERSONAL DATA OF CHILDREN

Since Terra Travel is a Company oriented to rendering contracted services, its web site is not intended for minors, with the exception of services implemented with a prior permission of parental care providers (e.g. parents, foster parents) (Parental consent).

13. CONTACT DETAILS

Contact details of a person responsible for personal data protection at Terra Travel: Tomislav Fain, Director, mobile phone: 00385 (0) 756998

Address of the company seat and contact details: Terra Travel d.o.o., Matije Gupca 2a, 23000 Zadar

Document version: 1

Date of the last modification: 30.05.18.