Information about the porocessing of personal data

Applicable from 25 May 2018

This data privacy protection statement describes how we collect and use the information that may also include personal data that you provide to us in person, by mail or by visiting our website. This statement also defines how we handle your personal data and how you can access and modify them.

Controller

Adriatic Tourist Resorts d.o.o., Jurišićeva 2a, 10000 Zagreb, Croatia, tel. +385 1 6396 301

Contact person (Data Protection Officer)

mail address dpo@atr.hr

Definition of processing of personal data

The processing of personal data means any operations or a set of operations which the Controller, Processor or an authorised third party systematically performs on the personal data of a Data Subject; they mainly include  collection, recording, making available, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination, storage, exchange or combination, blocking and destruction of the clients’ personal data.

Principles relating to processing of personal data

When processing personal data of the Data Subjects, the Controller shall, to the greatest extent possible, respect and observe the highest personal data protection standards while abiding in particular by the following principles:

  • personal data are processed in accordance with the applicable legislation (namely with Act No. 18/2018 Coll. on the protection of personal data and with the EU General Data Protection Regulation (GDPR)), correctly and in a transparent manner;
  • when processing personal data, the Controller shall ensure the protection of the rights of the Data Subjects and fully respect them;
  • personal data are always processed for a clearly and comprehensibly specified purpose by specified means and in a specified manner;
  • only such personal data are collected the processing of which meets the specified purposes (i.e., it is adequate, relevant and necessary in relation to those purposes);
  • personal data are only stored for a period necessary in relation to the purposes for which they are processed.

Types of collected personal data

You can always choose which personal data you want to share with us. If you decide not to share certain data with us, we will accept your decision, but please note that it may affect the quality of information we will provide to you. This does not apply, however, if a certain type of personal data is necessary to be processed in order to comply with legal obligations.

Personal data we collect include: name, surname, phone number, email address.

Automatically collected personal data and third parties

Our website uses cookies to improve the quality of services we provide to you. Cookies are small text files containing specific information which the Controller uses to identify a Data Subject’s computer when communicating with the Controller.

Cookies are stored by means of a web browser on a hard disk of the Data Subject’s computer. Cookies are always stored with the Data Subject’s consent; you may disable cookies at any later time in your web browser settings.

Service providers using cookies are bound by a confidentiality agreement that is also valid across the EU and are prohibited to use your personal data for their own or any other purposes.

How we obtain your personal data

Email communication

Newsletter subscriptions

E-shop registrations

Legal bases and purposes of processing

Applicable legal bases:

  1. In order to meet legal obligations:
  • the provided personal data may in some cases be used in the preparation of pre-contractual relationships or for the application of terms and conditions of a contract(s) (for example, a donation agreement, cooperation agreement, etc.); or
  • in order to comply with the requirements of law enforcement authorities if so required by law.
  1. In order to meet legitimate interests:
  • such as provision of suitable website, email and newsletter content, or to improve and promote our products, services and website content;
  • administrative purposes.

When using your personal data in the pursuit of our legitimate interests, we always give preference to your rights and interests over our rights and interests.

If required by applicable laws, we will ask you to give your consent to the processing of your personal data. You may withdraw your consent at any time by an email addressed to a Data Protection Officer.

We further use your personal data for the following purposes:

  • sending news on promotion campaigns
  • sending news and updates on our activities
  • replying to your questions asked, for example, via a contact form on a respective website;
  • improving your user experience on our website. We use personal data for surveys and analyses that may be carried out for us by a third party on our behalf. We may share or disclose the results of such surveys, in an anonymised and aggregate format, to third parties. We also use your personal data for analytical purposes and to improve our services, your user experience, and functionality and quality of our online services. If we use automated means to process personal data that may have a legal or substantial effect on you, we will implement adequate measures to protect your rights and freedoms;
  • displaying relevant advertisements based on an analysis of your behaviour on our website.

International transfer of personal data

We are processing your personal data using the MailChimp service that serves for the administration and delivery of electronic communication to email addresses. This service is operated by The Rocket Science Group, LLC, registered office at 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, Georgia 30308, the United States of America. The US is included on a list of third countries which, according to the European Commission, ensure an adequate level of personal data protection.

Storing personal data

Where your personal data are processed for the purpose of contractual performance, the Controller is required by law to process such data for the time of the duration of the contractual relationship, usually for a period of five years, unless the applicable regulations specify a longer period.

In other cases, we will store your personal data until you withdraw your consent and/or for a period of two years and/or for such a longer time as may be necessary in order to provide services to you, comply with the applicable regulations and/or resolve disputes with any parties.

Your rights

We want you to have full control over how we use your data. You have the following rights:

Right of access to personal information: you have the right to request a confirmation as to whether your personal data are actually being processed and if they are, you have the right of access to the personal data and to the specified information. In that case, the Controller shall provide the Data Subject with a copy of the processed personal data.

Right to erasure (“right to be forgotten”): you have the right to request the Controller to erase without undue delay your personal data where one of the grounds specified by the applicable regulation applies, in particular if the client withdraws his/her consent to the processing of personal data. In certain cases, however, the Controller is not obliged and authorised to satisfy such a request, especially if the processing of personal data is necessary for compliance with a legal obligation.

Right to restriction of processing: you have the right to request the Controller to restrict the processing of your personal data where one of the grounds specified by the applicable regulation applies; e.g., due to the inaccuracy of the processed personal data or where their processing is unlawful.

Right to data portability: If you have provided your personal data to the Controller, the processing of such personal data is based on your consent, or is carried out for the purposes of a contract and performed by automated means, you have the right to obtain such personal data in a structured, commonly used and machine-readable format and transmit them to another controller.  You may also request the Controller to directly transmit the personal data to another controller.

Right to rectification: you have the right to request the Controller to rectify without undue delay any inaccurate personal data the Controller is processing about you. You also have the right to have your incomplete personal data completed, including by means of providing an additional statement.

Right to object and withdraw consent for the processing of personal data: where your personal data are being processed based on your consent, you have the right to withdraw such consent at any time in accordance with the applicable regulations.

Right to complain: If you believe that the processing of your personal data violates the applicable regulations, especially the GDPR regulation, you may file a complaint with the Office for Personal Data Protection of the Croatia through its website at www.dataprotection.gov.sk or at its mailing address: Agencija za zaštitu osobnih podataka / Croatian Personal Data Protection Agency – https://azop.hr

Inquiries and complaints

If you have any inquiries or doubts concerning the processing of your personal data, or if you wish to exercise any of the rights arising from this data protection statement, you may contact the Data Protection Officer specified above in this statement. You may also send your inquiries and complaints to the Office for Agencija za zaštitu osobnih podataka / Croatian Personal Data Protection Agency – https://azop.hr.

Changes in this statement

If we are to make any changes in this statement that may concern you (e.g. if we want to process your personal data for purposes other than those specified above), we will notify you of any such changes before they become effective.