Terms and conditions
RULES ON PROCESSING PERSONAL DATA
("Regulations")
These Regulations define the rules and guidelines on how KRIŠTO TURIZAM d.o.o., headquartered in Zagreb, Prosenička ulica 14, OIB: 74581693165 (hereinafter referred to as: "KRIŠTO TURIZAM"), collects, stores, analyzes, uses, deletes and performs all other actions related to the processing of personal data within its business.
The purpose of these Regulations is to ensure compliance with the rules of the General Data Protection Regulation ("GDPR"), which has been in force since May 25, 2018, and the Croatian Act on the Implementation of the General Data Protection Regulation (OG 42/2018), to meet the requirements of transparency of personal data processing, and to guarantee security.
1. CONTROLLER
The controller, which guarantees the correct processing of personal data, is:
KRIŠTO TURIZAM d.o.o.
E-mail address: delminivm@hotel-delminivm.hr
2. RECORDS OF PROCESSING ACTIVITIES (Art. 30 GDPR)
KRIŠTO TURIZAM fulfills the obligation under Article 30 of the GDPR and maintains and regularly updates records of personal data processing.
The record of processing activities is kept in the form of a Word document and contains the following information: data on the activities and purposes of processing that KRIŠTO TURIZAM carries out as part of its business; data that is processed for these purposes; data on the legal basis for data processing; data on the processors and joint controllers; data on recipients and transfers of personal data; and data on the storage locations and retention period of personal data.
3. DATA PROTECTION OFFICER (Art. 37 – 39 GDPR)
The GDPR provides for the appointment of a data protection officer, an obligation that exists in the cases prescribed in Article 37 of the GDPR.
KRIŠTO TURIZAM conducted an analysis of the existence of an obligation and the need to appoint a personal data protection officer, and concluded that it is not obliged to appoint a person as a personal data protection officer.
4. TRANSPARENCY OF PROCESSING AND INFORMATION TO DATA SUBJECTS (Articles 13 and 14 GDPR)
The GDPR imposes, as a fundamental obligation of the controller, the obligation to process personal data transparently and the obligation to inform data subjects of all information contained in Articles 13 and 14 of the GDPR.
KRIŠTO TURIZAM ensures that all its data subjects are properly and timely informed about all processing of their data by KRIŠTO TURIZAM and its associates/processors. Data subjects are informed in the following ways:
• Web privacy policy: XY;
• Notice on the processing of employees' personal data (delivered and available for inspection by employees);
• Notice on the processing of guests' personal data;
• Notice on the processing of personal data of business partners.
5. ASSESSMENTS OF LEGITIMATE INTEREST (Art. 6 (1) (f) and Art. 35 GDPR)
GDPR, as one of the legal bases for processing personal data, foresees the existence of a legitimate interest. However, the processing of personal data based on legitimate interest is permitted only if the specific legitimate interest overrides the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
KRIŠTO TURIZAM guarantees that for every processing purpose based on the existence of a legitimate interest, the legitimate interest of KRIŠTO TURIZAM prevails over the interests of the data subjects. For this purpose, in the case of processing based on legitimate interest, legitimate interest assessments are carried out, in which the existence of the interest, its necessity (that is, the absence of another way of realizing the interest) and its proportionality in relation to the interests and rights of the data subject are examined and determined.
6. DATA SECURITY – technical and organizational measures (Art. 36 GDPR)
KRIŠTO TURIZAM takes all necessary technical and organizational measures to ensure the security of personal data. Technical and organizational measures are taken to ensure a level of security commensurate with the risk, and in accordance with the requirements imposed by the GDPR in Article 36.
The purpose of technical and organizational measures is to ensure confidentiality (information is available only to authorized personnel), integrity (information is accurate and up to date) and availability (data is available to authorized persons whenever it is needed) in the processing of personal data.
The security and technical measures implemented by KRIŠTO TURIZAM are as follows:
(i) Confidentiality:
• Entrance control
KRIŠTO TURIZAM ensures that there is no unauthorized physical access to data processing devices, through: keys, a 24-hour staffed reception, and video surveillance;
• Access control
KRIŠTO TURIZAM ensures that there is no unauthorized use of the system through: (secure) passwords and two-factor authentication;
• Usage control
KRIŠTO TURIZAM ensures that there is no unauthorized reading, copying, modification or removal within the system; control is ensured by: an authorization concept or appropriate usage control, and usage logs;
• Separation control
KRIŠTO TURIZAM ensures separate processing of data collected for different purposes;
(ii) Integrity:
• Transmission control
KRIŠTO TURIZAM ensures that there is no unauthorized reading, copying, modification or removal during electronic transmission or transfer using: encryption;
• Input control
KRIŠTO TURIZAM can determine whether, and by whom, personal data has been entered into, changed in or removed from the data processing system, through: document management;
(iii) Availability and resilience:
• Availability check
KRIŠTO TURIZAM ensures the implementation of protection against accidental or intentional destruction or loss of personal data using: backup strategies (online/offline; on-site/off-site).
(iv) Process for regular testing, evaluation and assessment
• Data protection management;
• Managing responses to breaches (see separate section);
• Data protection by default settings (Art. 25 (2) GDPR).
7. PROCESSORS (Art. 28 GDPR)
As part of its business and service provision, KRIŠTO TURIZAM cooperates with numerous business partners, without which cooperation it would not be possible to provide certain services (e.g. IT system maintenance, accounting, etc.).
The above service providers are processors and act in accordance with the instructions of KRIŠTO TURIZAM, which ensures the proper processing of personal data. For this purpose, KRIŠTO TURIZAM has concluded personal data processing agreements with all processors. The agreements were concluded in accordance with Article 28 of the GDPR and contain everything prescribed therein.
8. RECIPIENTS AND TRANSFER OF PERSONAL DATA (Art. 44 – 50 GDPR)
In certain situations, personal data of KRIŠTO TURIZAM data subjects is transferred to third parties. The GDPR allows the transfer of personal data only if there is a valid legal basis for such transfer.
KRIŠTO TURIZAM ensures that there is a valid legal basis for each transfer of personal data, that personal data protection measures are applied, and that the data subject is informed of the transfers. This applies in particular to situations where data is transferred to service providers located outside the EU/EEA.
The security of the transfer and the existence of a valid legal basis are guaranteed, among other things, by contracts between KRIŠTO TURIZAM as the controller and the service provider as the processor (see above). In situations where data is transferred to third parties who are not the processors (nor public or other bodies with a legal obligation to transfer data), the security of personal data is guaranteed by concluding a confidentiality agreement with the third parties.
9. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH (Art. 32 – 35 GDPR)
A personal data breach is, as defined by the GDPR in Article 4(12), a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
The cause of a personal data breach can be internal (e.g. sending an e-mail containing personal data to third parties who should not have access to that data) or external (e.g. disruptions in the IT system, hacking, viruses, etc.).
KRIŠTO TURIZAM implements a procedure for the purpose of remediating (potential) personal data breaches and meeting the requirements imposed by the GDPR in Articles 33 and 34. The purpose of the procedure in the event of a personal data breach is:
• Ensuring the protection of the rights of data subjects and their personal data;
• Improving services and managing personal data processing processes efficiently;
• Preventing risks and damage to data that may occur through human action or other factors;
• Informing the data subjects and the Personal Data Protection Agency ("AZOP").
The procedure in the event of a breach is carried out according to the following scheme:
• Identification of the breach and its risk level
This step involves assessing various factors, such as the type of breach, the nature and extent of the breach, the sensitivity of the personal data in question, the severity of the (potential) consequences, etc.;
• Identification and implementation of appropriate technical and organizational measures for efficiently handling and remediating the breach;
• Documentation of all personal data breaches, including all facts of the breach, the effects/consequences of the breach, and the security measures adopted and implemented;
• Reporting the breach to the AZOP (without undue delay and, where possible, within 72 hours of becoming aware of the breach);
• Notifying the data subject about a breach of their personal data
KRIŠTO TURIZAM ensures that the data subject is informed of the breach of his/her personal data without undue delay. KRIŠTO TURIZAM will, where possible, inform the data subject of the nature, type and extent of the breach, the (potential) consequences of the breach and of any measures it has taken/intends to take to prevent any negative effects.
The person responsible for managing the personal data breach procedure is Pavo Batinić. The responsible person has the sole right and duty to make decisions and implement the procedure in the event of a personal data breach. Any person who becomes aware of a (potential) personal data breach is obliged to notify the responsible person.
10. STORAGE AND DELETION OF PERSONAL DATA (Art. 5 (1) (e) GDPR)
The retention periods for personal data for certain purposes may be prescribed by law (e.g. employee records, tax and accounting data) or determined internally (e.g. retention of CVs of potential candidates).
In any case, KRIŠTO TURIZAM does not store personal data for longer than is necessary to achieve the purpose of processing personal data, except in the following cases:
• Data processing is necessary for the purpose of conducting current or potential legal proceedings/disputes, in which case KRIŠTO TURIZAM retains the data until the final conclusion of those proceedings/that dispute, or until the expiration of the limitation period;
• Data retention is necessary for the purpose of fulfilling a legal obligation of KRIŠTO TURIZAM, in which case the data is kept as long as is necessary to fulfill this obligation.
Regardless of the data retention period, only authorized persons have access to the data. This applies both to personal data in paper form and to digital data stored within IT systems.
11. RIGHTS OF DATA SUBJECTS (Art. 16 – 22 GDPR)
KRIŠTO TURIZAM ensures that its data subjects can exercise all rights stipulated in Articles 16 to 22 of the GDPR.
Inquiries and requests addressed to KRIŠTO TURIZAM are processed without undue delay and in accordance with legal obligations. Data subjects are informed of all measures taken to fulfill their requests for the exercise of their rights.
Contact KRIŠTO TURIZAM for exercising rights: delminivm@hotel-delminivm.hr
The rights of the data subject are exercised according to the scheme described below:
Right to withdraw consent
If the legal basis for processing personal data is consent, data subjects have the right to withdraw their consent at any time, completely free of charge. Withdrawal of consent does not affect the lawfulness of processing that was based on consent before the consent was withdrawn.
Right of access
Data subjects have the right to receive from KRIŠTO TURIZAM confirmation of whether their personal data is being processed (including a copy of that data) and access to information about the processing (e.g. purpose of processing, categories of personal data, recipients, storage period). In cases of transfers of personal data outside the EU, data subjects have the right to information about the appropriate protective measures.
Right to erasure
Data subjects have the right to obtain the erasure of personal data concerning them without undue delay (e.g. where the data are no longer necessary in relation to the purposes for which they were processed), unless there is a legitimate reason for continuing the processing. If such a legitimate reason does exist, data subjects will be informed in detail about this in the response to their request.
Right to rectification
Data subjects have the right to obtain rectification if their personal data is inaccurate, which KRIŠTO TURIZAM is obliged to implement without undue delay. Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to object
If the processing is based on the legitimate interests of KRIŠTO TURIZAM, data subjects have the right to object at any time to such processing to the extent that it relates to their personal data. In that case, KRIŠTO TURIZAM will not further process the data for the purpose to which the objection relates, unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or unless the processing is necessary for the establishment, exercise or defense of legal claims by KRIŠTO TURIZAM.
Right to restriction of processing
Data subjects have the right to obtain restriction of processing of their personal data if: they dispute the accuracy of the data; the processing is unlawful and they oppose erasure; KRIŠTO TURIZAM no longer needs the data for processing but they require it for the establishment, exercise or defense of legal claims; or they have lodged an objection regarding the processing of their personal data and are awaiting verification of that objection.
Right to data portability
Data subjects have the right to receive the data concerning them, which they have provided to KRIŠTO TURIZAM, in a structured, commonly used and machine-readable format and to transmit it to another service provider. They have the right to have the data transmitted directly from KRIŠTO TURIZAM to another controller, where technically feasible.
CONTACT FOR EXERCISING RIGHTS:
Data subjects can exercise the above rights by contacting: delminivm@hotel-delminivm.hr
COMPLAINT TO THE COMPETENT AUTHORITY
Data subjects can also exercise their rights by filing a complaint with the supervisory authority regarding the processing of their personal data. In the Republic of Croatia, this is the Personal Data Protection Agency, on whose website additional information on how to contact it can be found (http://azop.hr).
KRIŠTO TURIZAM d.o.o.
DIRECTOR:
__________________
Pavo Batinić