Who we are
The address of our website is: http://gavanturizam.hr
Contents:
- PRIVACY POLICY
- DATA PROTECTION POLICY / PERSONAL DATA, POLICIES AND PROCEDURES
PRIVACY POLICY
Contents
1. SUBJECT
2. CONTROLLER OF PERSONAL DATA PROCESSING
3. TYPES OF PERSONAL DATA PROCESSING
4. PURPOSE OF PROCESSING, LEGAL BASIS, DATA STORAGE PERIOD
5. Rights of the data subject
6. Records of personal data processing activities
7. Data protection
8. Incident management
9. Exceptions
10. Responsibilities
11. Document validity and management
1. SUBJECT
By the Privacy Policy document (hereinafter the Policy), the controller of personal data processing provides full support to the personal data management system. The personal data management system must be fully compliant with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The purpose of personal data protection is to protect privacy and other human rights and fundamental freedoms in the collection, processing and use of personal data. Personal data is any information relating to an identified or identifiable natural person. Such data must be treated with special care and managed in accordance with the highest ethical principles. Awareness must be raised that personal data are a very valuable and confidential asset. A programme for building a corporate culture that preserves the authenticity of personal data must be developed and implemented.
In our documents and on our website ( www.gavanturizam.hr ) we explain how the company Gavan turizam d.o.o., with its registered office in Zagreb, Ulica Krajiška 42, as a registered travel agency, uses your personal data.
2. DATA CONTROLLER
Data controller:
GAVAN TURIZAM d.o.o.
Krajiška 42, 10000 Zagreb
gsm: +385 911943397
e-mail: info@gavanturizam.hr
Web: www.gavanturizam.hr
Data protection officer details:
• not applicable
3. TYPES OF PERSONAL DATA PROCESSING
We collect your personal data only when necessary, and we record, store, transfer, structure or otherwise process the following:
- Name and surname,
- Contact details such as e-mail, telephone number, mobile phone number, home address,
- Date of birth, age, citizenship, gender, date and time of arrival at and departure from the facility,
- Identity card number,
- IP address of the computer through which individuals visited our website (using cookies) and interacted with the communication materials we send you (e.g. opening and clicking on emails),
- Credit card details for transactions,
- Health data,
- Appearance of the person in video surveillance footage and photographs,
- Preference data (activities, interests, dietary requirements, etc.),
- Reservation history.
4. PURPOSE OF PROCESSING, LEGAL BASIS, DATA STORAGE PERIOD
The collection and processing of personal data is carried out exclusively when there is a legal obligation, an obligation based on a contractual relationship or the processing is necessary for the legitimate interests of the controller or a third party. All other processing of personal data is carried out with the express consent of the data subject or his authorized representative.
When collecting personal data, the data subject is provided with information about the identity and contact details of the controller, the purpose of and legal basis for the processing, the recipients, transfers to third countries and the storage period, as well as the possibility of withdrawing consent.
Only personal data that are necessary for the performance of regular business activities, and that are voluntarily made available, obtained from third parties or from publicly available sources, are used. The data must be accurate, complete and proportionate to the purpose for which they are processed. It cannot be known with certainty whether the data collected relate to persons under the age of 16. If the child is under 16 years of age, such processing is lawful only if and to the extent that consent has been given or authorised by the holder of parental responsibility over the child.
Based on a contractual obligation, for the purposes of arranging accommodation (hotels, apartments, villas, rooms, camps, etc.), and before authorizing a credit card, we collect personal data (30 days – retention period):
• name and surname,
• gender,
• credit card information.
Based on a contractual obligation, for the purpose of concluding purchase contracts, we collect (6 months – retention period):
• name and surname,
• date of birth.
In the case of paying for our services by credit card, we store your data in accordance with accounting regulations (11 years – retention period).
Within the framework of business operations and fulfilling legal obligations (if there is a legal interest) in accordance with the e-visitor regulation, we collect the following data:
• name and surname,
• gender,
• place, country and date of birth,
• citizenship,
• type and number of identity document,
• place of residence (residence) and address,
• date and time of arrival, departure from the facility,
• basis for exemption from paying the tourist tax or for reducing the payment of the tourist tax (11 years – storage period).
The data in question is collected by the accommodation service provider and is processed by the accommodation service provider, tourist boards and public authorities of the Republic of Croatia for lawful purposes.
The following categories of personal data are processed within the scope of business:
• employee data (for the purpose of implementing an employment relationship) – name and surname, OIB personal identification number, gender, day, month and year of birth, citizenship, place of residence or residence and other data necessary for exercising rights arising from employment that are described in detail in the records of processing activities (Employee personnel records, Working hours, holidays and leave, Wages and salary compensation, sick leave, health insurance, pension insurance, etc.).
Records of processing activities related to employment relationships are provided to employees when signing an employment contract. Legal basis (Labor Act, Ordinance on the content and manner of keeping records of employees, Accounting Act), establishment of records – legal obligation. (permanent – storage period),
• data on persons for the competition (for the purpose of implementing the competition procedure for employment) on the basis of a contract or in order to take actions before concluding a contract of a job candidate – name, surname, CV, certificate of citizenship, proof of professional qualifications, proof of work experience. (until the end of the tender procedure – storage period),
• customer data (for the purpose of customer records) – name and surname, address, city, postal code, country, OIB, telephone, e-mail. Legal basis for establishing records – legitimate interest. (Data storage period – contract, consent, legal obligation).
Completing and managing accommodation reservations and related requests:
• Legal basis for processing (Contract, Consent, Legitimate interest),
• Legitimate interest – when applicable (Record keeping and provision of quality services).
For statistical purposes:
• Legal basis for processing (Legitimate interests),
• Legitimate interest – when applicable (assessment of our services).
Personalization of your future visits to our websites:
• Legal basis for processing (Consent).
Implementation of promotional activities – in addition to sending brochures, we also use cookie data to display relevant advertisements on websites and social networks:
• Legal basis for processing (Consent, Legitimate interests),
• Legitimate interest – when applicable (Determining services that may interest you and sending you notifications about them).
Managing inquiries and complaints:
• Legal basis for processing (Legitimate interests),
• Legitimate interest – when applicable (Improving services and resolving issues).
Managing your entries for prize draws and other promotional activities:
• Legal basis for processing (Consent).
Sending inquiries for a review of the accommodation and/or services provided:
• Legal basis for processing (Legitimate interests),
• Legitimate interest – when applicable (Understanding perceptions of our society and improving services).
Understanding perceptions of our society and improving services:
• Legal basis for processing (Legitimate interests),
• Legitimate interest – when applicable (Informing customers).
Compliance with legal obligations, procedures or requirements:
• Legal basis for processing (Contract, Legitimate interest),
• Legitimate interest – where applicable (Protection of business).
Detection or prevention of crime, including fraud:
• Legal basis for processing (Legal basis, Legitimate interest),
• Legitimate interest – where applicable (Protection of business and customers. Assistance to law enforcement and government authorities).
Resolution of security or technical issues:
• Legal basis for processing (Contract, Legitimate interest),
• Legitimate interest – where applicable (Protection of business and customers).
Protecting the rights, property or safety of our company, users, property owners, customers, employees, contractors, third parties or the public:
• Legal basis for processing (Legal obligation, Contract, Legitimate interest),
• Legitimate interest – where applicable (Protection of business, customers, third parties or the public).
Testing, developing and improving services:
• Legal basis for processing (Legitimate interests),
• Legitimate interest – where applicable (Business improvement).
Establishing, exercising or protecting our legal rights:
• Legal basis for processing (Legitimate interests),
• Legitimate interest – where applicable (Business protection).
We collect your health data (allergy data, special needs):
• Legal basis for processing (Consent, Customer warning, Contract, Document as evidence, Legitimate interests),
• Legitimate interest – where applicable (Customer protection, Preventing the customer from coming into contact with food to which they are allergic, and in order to provide you as a customer and guest with customized services in the event of, for example, disability or illness).
• data collected through video surveillance – video recordings of employees, visitors and passers-by. Legal basis for establishing records – legitimate interest. (2 months – storage period),
• data on occupational safety and fire protection – name and surname, training, health care and examinations, records of injuries, reports to the competent authority. Legal basis for establishing records – legal obligation. (5 years – storage period),
• other data necessary for the performance of business activities are described in detail in the records of processing activities and are provided to respondents when collecting the aforementioned personal data,
• Cookies are used on official websites. Cookies are small text files used by websites to improve the user experience. Cookies can be classified into different types based on different characteristics.
Why we use your personal data:
We only use your personal data if we have a legal basis for using them, which includes cases:
• when we have your consent,
• when we want to perform or enter into a contract with you,
• when we want to pursue our legitimate interests or the legitimate interests of a third party; and/or
• when we need to comply with our legal obligation.
Data retention period:
Personal data is retained only for as long as is necessary for the purposes for which the personal data are processed, unless a longer retention period is prescribed by law or if they are evidence in judicial, administrative, arbitration or other equivalent proceedings. The data retention period for each category of personal data is described in detail in the individual records of processing activities.
Recipients of personal data:
Access to the collected personal data is granted to employees who have signed a confidentiality statement, and other persons who are authorized to receive the collected personal data based on legal regulations, contractual provisions or consent. The collected personal data will not be disclosed to unauthorized third parties.
Transfer of personal data from the EU to third countries or international organizations:
Collected personal data is not provided for use by persons or institutions outside the European Union except for data for which we have consent or a contract for the purpose of realizing a tourist arrangement.
Automated individual decision-making, including profiling:
Not provided for.
Your personal data is stored only as long as necessary for the relevant purposes, in accordance with relevant industry standards or legal provisions. When your data is no longer needed, we remove or delete it in a secure manner or anonymize it so that it can no longer be associated with you.
5. Rights of the data subject
• The data subject shall be provided with all information relating to the processing of personal data, in a concise, transparent, intelligible and easily accessible form,
• The data subject shall have the right of access to the personal data relating to him or her, including the right to a copy of the personal data.
He or she shall also have the right to be informed of:
• the purposes of the processing,
• the categories of personal data,
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
• where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period,
• the existence of the right to lodge a complaint with a supervisory authority;
• where the personal data have not been collected from the data subject, all available information on their source,
• he or she shall have the right to obtain information as to whether personal data are being transferred to a third country or an international organisation. If this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
• the existence of automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
• The data subject has the right to have inaccurate personal data concerning him or her rectified without undue delay. He or she has the right to have incomplete personal data completed, including by means of a supplementary statement. He or she has the right to have relevant data completed in cases where the personal data we store are incomplete. If he or she wishes to exercise this right to rectification, he or she may contact the company at any time.
• The data subject has the right to have personal data concerning him or her erased (right to be forgotten) and for which he or she has given consent without undue delay.
The controller shall erase personal data without undue delay where one of the following reasons applies, provided that the processing is not necessary:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
• the data subject withdraws consent on which the processing is based on Article 6(1) GDPR or point (a) of Article 9(2) GDPR, and there is no other legal ground for the processing,
• the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR,
• the personal data have been unlawfully processed.
• the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject,
• the personal data were collected in connection with the offering of information society services,
• the data subject shall have the right to restriction of processing of personal data and the possibility to have the processing restricted where one of the following applies:
• the data subject contests the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data,
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
• the controller no longer requires the personal data for the purposes of the processing, but the data subject requests them for the establishment, exercise or defence of legal claims,
• the data subject has objected to the processing pursuant to Article 21(1) of the GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the conditions for the right to restriction of processing is met and the data subject wishes to request the restriction of processing of personal data stored by the company, he or she may at any time contact the controller who will arrange for the restriction of processing.
• the data subject has the right to data portability and to receive the personal data concerning him or her, which have been provided to the controller, in a structured, commonly used and machine-readable format. He or she has the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent or on a contract, the processing is carried out by automated means, the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his right to data portability, the data subject has the right to have personal data transmitted directly from one controller to another, where technically feasible and where doing so does not adversely affect the rights and freedoms of others.
In order to exercise the right to data portability, the data subject may at any time contact the company.
The data subject also has the right to request that we send a copy of his personal data that we hold to a third party in a commonly used format.
• The data subject has the right to withdraw his consent to the processing of his personal data and to request the cessation of the processing of his personal data,
• The data subject has the right to withdraw (revoke) his consent for data protection at any time. If the data subject wishes to exercise the right to withdraw his consent, he may, at any time, contact the company.
• The data subject has the right to object, for reasons relating to his personal situation, to the processing of personal data concerning him. This also applies to profiling based on these provisions. The Company will no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, legal claims. If the Company processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This shall apply to profiling to the extent that it is related to such direct marketing. If the data subject objects to the Company for such processing for direct marketing purposes, the Company shall no longer process the personal data for these purposes.
In addition, the data subject shall have the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the Company for scientific or historical research purposes, or for statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, the data subject may contact the controller. In addition, the data subject is free in the context of using information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.
• The data subject has the right to lodge a complaint with the supervisory authority. In accordance with Article 34 of the Act on the Implementation of the General Data Protection Regulation (“Official Gazette”, No. 42/18), anyone who believes that a right guaranteed by this Act and the General Data Protection Regulation has been violated may submit a request to the Agency (form available at www.gavanturizam.hr) for the determination of a violation of rights.
• The data subject may request that we restrict the ways in which we use his or her personal data.
The data subject may request that we send a copy of his or her personal data that we store to a third party in a commonly used format.
• Automated individual decision-making, including profiling – The data subject, or their legal representative, may request the exercise of the right to access, rectification, erasure, portability, restriction of processing, the right to object and the right to contest a decision based solely on automated processing of personal data relating to the data subject and for which they have given consent. No fee is required for requests.
Request forms can be downloaded from the website www.gavanturizam.hr, or upon request from the manager or the Agency.
The request can be submitted in person, by post or by e-mail.
Data controller:
GAVAN TURIZAM d.o.o.
Krajiška 42, 10000 Zagreb
gsm: +385 911943397
e-mail: info@gavanturizam.hr
Web: www.gavanturizam.hr
6. Records of personal data processing activities
The controller shall establish a central record of all personal data processing activities. For each record, a person responsible for processing shall be appointed (if applicable). Furthermore, each record of processing activities shall contain the identity of the controller with contact details, the purpose of the processing, the categories of data subjects and categories of personal data, the recipients of the data, information on the transfer of data to third countries and the envisaged data storage periods.
7. Data protection
The controller shall take all necessary technical, administrative and physical measures to protect personal data in order to protect the data from unauthorized access and possible misuse. When building new information systems, the GDPR requirements for the protection of personal data must be taken into account from the very beginning and their implementation must be ensured.
Adequate technical, administrative and physical measures are taken, such as:
• use of strong secure passwords,
• each employee uses their own secure password and username to access personal data,
• antivirus protection,
• encryption,
• personal data is secured against unauthorized copying, modification and deletion,
• SSL (Secure Socket Layer) protocol
• privacy policy,
• confidentiality statements,
• regular employee training on data protection,
• records of processing activities,
• floppy disks, USB drives and external drives are kept locked away, in a safe or in locked cabinets,
• paper documentation is kept in locked filing cabinets.
8. Incident management
The controller shall establish:
• a response plan to incidents related to the breach of personal data security,
• a register of incidents of personal data security breaches,
• a process for notifying the competent supervisory authority and the injured party of incidents of personal data security breaches.
In the event of a breach of personal data security, the competent supervisory authority shall be notified without delay, and at the latest within 72 hours of the discovery of the incident. In the event of a “leak” of personal data, the owners whose data have been compromised shall also be notified of the personal data breach using clear and simple language.
9. Exceptions
If there are justified reasons, the Data Protection Officer may approve temporary processing of personal information that is not in accordance with this Policy. The Data Protection Officer is obliged to keep records of such approvals, responsibilities and deadlines for compliance, and report them to the Management.
10. Responsibilities
All employees are required to comply with the measures defined in this Policy, as are third parties who, within the framework of their cooperation with the controller, have access to personal data. The Data Protection Officer is appointed (if necessary) by the Management Board and is directly responsible to the Management Board. The Data Protection Officer is responsible for establishing and maintaining the personal data management system and coordinating all activities related to personal data management.
The Data Protection Officer is also responsible for:
• informing and advising the controller or processor, as well as employees who process personal data, on their obligations under the Regulation,
• monitoring compliance with the Regulation, internal policies and other regulations related to the protection of personal data,
• establishing and maintaining records of processing activities,
• assigning responsibility for the protection of personal data to employees and third parties involved in the collection and processing of personal data,
• raising awareness and training in the field of personal data protection,
• incorporating privacy protection into business processes and information systems,
• incorporating privacy protection into audit processes,
• advising on the implementation of data protection impact assessments,
• cooperating with supervisory authorities,
• monitoring the risk management process in the processing of personal data,
• reporting to the Management Board on the effectiveness of the personal information management system.
11. Document validity and management
This document enters into force on the day of the decision adopting the Privacy Policy. The Privacy Policy will be reviewed at least once a year and amended as necessary. This document will be amended if the number or structure of employees changes significantly or if the controller changes its business policy.
Zagreb, 20.12.2018.
DATA PROTECTION RULES, POLICIES AND PROCEDURES
The company Gavan turizam, d.o.o. conducts its business in accordance with all legal, subordinate and internal regulations, including European regulations and regulations as well as the EU Regulation GDPR – REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and the Decision of the Croatian Parliament on the promulgation of the Act on the Implementation of the General Data Protection Regulation, which entered into force on 25 May 2018.
We conduct our business in accordance with the highest standards of ethical conduct. These procedures and rules determine the expected behavior of the company Gavan turizam d.o.o., which collects and uses certain personal data about individuals.
The procedures and policies:
• describe how personal data must be collected, processed and stored in order to comply with the Regulation,
• set out measures to protect individuals with regard to the processing of personal data and respect their rights,
• set out how we approach the protection of personal data and ensure that employees understand these policies, which govern the use of personal data to which they have access in the course of their work,
• require employees to consult with the Data Controller before initiating new data processing activities to ensure that the steps they take are in compliance with the General Data Protection Regulation,
• describe what Personal Data is (this is all data relating to an individual that can be used to identify that person),
• describe which personal data are subject to legal regulations that impose restrictions on how organisations may process personal data.
The procedures and rules ensure:
• compliance of business operations with legal regulations on the protection of personal data,
• protection of the rights of employees,
• protection of the rights of clients,
• protection of the rights of business partners,
• protection of the rights of other individuals whose personal data we collect.
Lawful processing of personal data
Protection against the risk of personal data breaches
Within the company we keep personal data about our employees, clients, business partners, persons subscribed to our Newsletter lists and other persons connected with various business purposes.
The procedures and rules apply to:
• the management of Gavan turizam d.o.o.,
• all employees of Gavan turizam d.o.o.,
• all individuals working on behalf of Gavan turizam d.o.o.,
• all individuals and suppliers with whom Gavan turizam d.o.o. works,
• all personal data processed by the company (all other personal data).
The procedures and rules protect Gavan turizam d.o.o. from security risks, including:
• the risk of breach of confidentiality,
• the risk of theft,
• the risk of non-compliance with legal regulations, which may expose Gavan turizam d.o.o. to lawsuits, regulatory measures, fines, complaints and damage to the company's reputation.
GUIDELINES
Only authorised persons may have access to personal data, for the purpose of performing their work. The controller grants employees access to data. Data must not be shared informally.
Gavan turizam d.o.o. will provide training to all employees so that they understand their responsibilities when handling personal data,
employees should keep all data secure by taking precautions and following the guidelines contained in this document,
employees must use strong passwords, which must never be shared,
personal data should not be disclosed to unauthorised persons, inside or outside the company,
data should be reviewed and updated regularly (data that are no longer processed and no longer needed must be permanently deleted),
employees should seek the help of the data protection officer if they are unsure about any aspect of data protection,
the management of Gavan turizam d.o.o. is fully committed to ensuring the continued and effective implementation of this policy and expects all employees and third parties acting on behalf of the company to share this commitment,
breaches of these procedures will be taken seriously and may result in disciplinary action and sanctions.
Approved by:
MIRA BREŠIĆ, dipl.oec.
Director, Gavan turizam d.o.o.
2. DEFINITIONS
Personal data – all data relating to an individual that can be used to identify that person.
Data subject – a person who can be identified on the basis of one or more items of personal data that we store; a person whose personal data we store.
Processing – Processing is any operation performed on personal data, including operations such as collection, recording, organisation, structuring, storage, adaptation, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction.
Consent – According to Article 4 of the General Data Protection Regulation, the consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. If in written form, the consent must be short and clear, written in plain language and contain all the necessary information. The data subject may withdraw consent at any time, and this must be clearly stated in the consent.
Profiling – Any form of automated processing of personal data in which personal data are used to evaluate certain personal aspects relating to an individual.
3. PODRUČJE PRIMJENE
Ova se Pravila odnose na sve obrade osobnih podataka (automatizirane i neautomatizirane).
Osobni podaci obrađuju se:
• za obavljanje poslovnih aktivnosti Gavan turizam doo,
• za pružanje ili nuđenje proizvoda ili usluga pojedincima,
• za aktivno praćenje ponašanja pojedinaca,
• praćenje ponašanja pojedinaca uključuje korištenje tehnika obrade podataka. kao što su kolačići
web preglednika
Ova Pravila vrijede za sve zaposlenike Gavan turizam doo Svi zaposlenici moraju biti upoznati s ovim
Pravilima i pridržavati se ovih Pravila.
Voditelj obrade podataka, Gavan turizam doo ima cjelokupnu odgovornost za svakodnevnu provedbu ovih Pravila.
4. POLITIKA
4.1. PROVEDBA POLITIKE
Tvrtka Gavan turizam doo mora osigurati da svi zaposlenici odgovorni za obradu osobnih podataka budu upoznati s ovim Pravilima i da ih se pridržavaju. Tvrtka Gavan turizam doo mora osigurati da sve treće osobe
koje u njihovo ime obrađuju osobne podatke budu upoznate s ovim Pravilima i da ih se pridržavaju.
4.2. PRAĆENJE SUKLADNOSTI
In order to confirm a sufficient level of compliance of the business with these Rules, the Controller shall conduct an annual compliance audit to assess:
compliance with the Rules in relation to the protection of personal data (assignment of responsibilities, raising awareness, training of employees),
the effectiveness of operational procedures related to data protection (respect for the rights of data subjects, transfers of personal data, management of possible complaints, etc.),
the level of understanding of the Rules and the Privacy Policy,
the accuracy of personal data stored, personal data breaches,
The Controller shall correct any identified deficiencies within a defined and reasonable time frame.
4.3. DATA PROTECTION PRINCIPLES
The company Gavan turizam d.o.o. respects the following principles to regulate the collection, use, storage, transfer, disclosure and destruction of personal data (processing of personal data):
lawfulness, fairness, transparency – the processing of personal data should be lawful, fair and transparent. This means that the controller must provide the data subject with all the information required by the Regulation (transparency), the processing must correspond to the described purpose (fairness) and must be for one of the specified purposes prescribed in Article 6 of the Regulation (lawfulness),
purpose limitation – personal data are collected for explicit and legitimate purposes and may not be further processed for other purposes,
data minimization – only personal data that is necessary in relation to the purpose for which they are processed may be collected,
accuracy – personal data must be accurate and up-to-date. This means that Gavan turizam d.o.o. must establish procedures for identifying and resolving outdated, inaccurate and redundant personal data,
storage limitation – personal data may only be kept for as long as is necessary in relation to the purpose for which they are processed,
integrity and confidentiality – security. Gavan turizam d.o.o. must use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data at all times.
The controller is responsible for compliance with these principles and must be able to demonstrate it at any time. Adherence to these principles ensures RELIABILITY.
4.4. DATA COLLECTION
Gavan turizam d.o.o. collects personal data lawfully and fairly. Where there is a need to request an individual’s consent before collecting and processing personal data, Gavan turizam d.o.o. requests consent.
The controller must ensure a procedure for lawfully obtaining consent and document the consents obtained:
consent can be obtained in paper form – by completing the Consent form (available at www.gavanturizam.hr ),
consent can also be obtained by ticking a box when visiting the website, by selecting technical settings of information society services, or by any other statement or conduct that clearly indicates acceptance of the proposed data processing activities,
consent is given by taking a clear action by the data subject,
the request for consent must ensure an unambiguous expression of the data subject’s (respondent’s) wishes,
the consent form must be understandable, easily accessible and use clear and plain language,
consent must be voluntary,
the controller documents the date of obtaining consent, methods and contents of consent,
the controller ensures a simple procedure for withdrawing consent at any time.
4.5. PRIVACY POLICY
The website of the company Gavan turizam d.o.o. contains an online “Privacy Policy” and a cookie notice. The Privacy Policy is approved by the Controller.
4.6. DATA PROCESSING
The company Gavan turizam d.o.o. uses personal data for general business and business management and for providing services to clients.
The company Gavan turizam d.o.o. will not process personal data unless at least one of the following conditions is met:
the data subject (respondent) has given valid consent to the processing of his or her personal data,
the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject (respondent) prior to entering into a contract,
the processing is necessary for compliance with a legal obligation to which the controller is subject,
the processing is necessary to protect the vital interests of the data subject (respondent) or another natural person,
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority,
the processing is necessary for the purposes of the legitimate interests of the controller or third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (respondent), in particular where the data subject is a child.
There are some circumstances in which personal data may be further processed for purposes other than the original purpose for which the personal data were collected. When deciding on the compatibility of the new reason for processing, instruction and approval must be obtained from the Company’s management before such processing can begin.
4.6.1. Special categories of data
Where special categories of data (sensitive data) need to be processed, Gavan turizam d.o.o. will carry out the processing only if the data subject (respondent) expressly consents to such processing or if one of the conditions laid down in Article 9 of the Regulation is met.
4.6.2. Children’s data
The processing of a child’s personal data is lawful if the child is at least 16 years old. For those under 16, the processing is lawful if consent has been granted by a parent or guardian.
4.7. DATA QUALITY
The company Gavan turizam d.o.o. will take all necessary measures to ensure that the personal data it collects and processes are complete, accurate and up-to-date so that they reflect the current situation of the data subject.
Measures to ensure data quality include:
correcting personal data that is known to be inaccurate, incomplete, ambiguous, misleading or outdated, even if the data subject (respondent) does not request correction,
retaining personal data only for the time necessary to fulfill the permitted purpose,
removing personal data if it violates any of the data protection principles or if the personal data are no longer necessary.
4.8. DIRECT MARKETING
The company Gavan turizam d.o.o. will not send promotional material and other direct marketing materials to contacts through channels such as mobile phones, e-mail and the Internet without first obtaining valid consent. If the data subject (respondent) objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes and their processing must cease immediately.
4.9. DATA RETENTION
We may not retain personal data for longer than necessary. How long this is necessary will depend on the circumstances of each case, taking into account the purpose for which the personal data was collected. In order to ensure fair processing, Gavan turizam d.o.o. will not retain personal data for longer than is necessary in relation to the purposes for which it was collected.
We store data from the following personal data collections PERMANENTLY:
• “Employees”
• “Company Management”
• “Exhibitors”
• “Lessees”
• “Carriers”
• “Suppliers”
• “Contractors”
• “Student Service”
4.10. DATA PROTECTION AND STORAGE
The company Gavan turizam d.o.o. implements technical and organizational measures to ensure the security of personal data. This includes preventing loss or damage, unauthorized modification, unauthorized access or processing, and preventing other risks to which the data may be exposed. These rules describe how and where the data should be stored.
Basic measures:
prevent unauthorized persons from accessing systems in which personal data are processed,
prevent persons with access rights from using them outside of business needs and authorization,
ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission (data must be encrypted before being transferred electronically),
when data are processed in processing systems, ensure that access is logged in a way that makes it possible to determine who entered, modified or removed them from the system,
ensure protection against unwanted destruction or loss,
ensure that personal data is not kept longer than necessary,
employees may not save copies of personal data on their own computers or other media,
personal data on paper – papers should be kept in a safe place that is not accessible to unauthorized persons,
keep papers in a locked cabinet or office,
do not leave papers in places where unauthorized persons can see them,
destroy papers that you no longer need (e.g. use a document shredder),
electronically stored data must be protected from unauthorized access, accidental deletion and malicious hacking attempts,
data should be protected with strong passwords that should be changed regularly. Passwords should never be shared with anyone,
employees should ensure that their computer screens are always locked when left unattended,
if data is stored on external media (external hard drive, DVD, CD, USB…), the media should be kept locked (in a safe or cabinet) when not in use,
only use verified and approved drivers and servers,
servers containing personal data should be located in a secure location, away from the office, protected by approved security software and a firewall,
data should be backed up regularly (in accordance with the prescribed backup procedures if you have them),
computers should be protected with antivirus software.
4.11. REQUESTS OF DATA SUBJECTS (RESPONDENTS)
The company Gavan turizam d.o.o. enables the data subject (respondent) to exercise the following rights over their data at any time:
the right to access (insight) information,
the right to rectification,
the right to erasure (“right to be forgotten”),
the right to restriction of processing,
the right to data portability,
the right to withdraw consent,
the right to object (objection to Gavan turizam d.o.o. and to the supervisory authority),
the right to object to automated decision-making and profiling.
If an individual submits a request in relation to any of the above rights, Gavan turizam d.o.o. will consider each such request in accordance with legal regulations. No administrative fee will be charged for considering and/or complying with such a request, unless the request is considered unfounded or excessive in nature.
The controller shall communicate any rectification or erasure of personal data or restriction of processing that has been carried out to the individual and to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform data subjects (respondents) of these recipients if they so request.
4.11.1. Request for access to personal data
Data subjects (Respondents) whose personal data are stored by Gavan turizam d.o.o., based on a request sent in writing and after successful proof of identity, have the right to:
request information about what personal data we store and why,
find out the source of personal data, if it was not obtained from the data subject (respondent),
be informed about the intended storage period of personal data,
receive an explanation of how the storage period is determined,
request access to the information,
be informed about the use of any automated decision-making, including profiling,
be informed about how the data are kept up to date,
be informed about how the company fulfills its data protection obligations.
When the data subject (respondent) contacts the company Gavan turizam d.o.o. requesting information, the Controller sends them the Request for Access to Personal Data form, or the data subject (respondent) downloads the form from our website www.gavanturizam.hr .
The data subject (respondent) should fill in the form and send it to Gavan turizam d.o.o. All requests for access / correction / deletion / restriction / portability of personal data are submitted to the Controller and must be reported immediately upon receipt. The Controller shall respond to each request within 30 days of receipt of the data subject’s written request. The Controller shall always be required to establish the identity of anyone who submits a request for access before disclosing any data.
4.11.2. Disclosure by force of law
In certain circumstances prescribed by the Regulation, it is permissible for personal data to be shared without the knowledge or consent of the data subject (respondent) for the purpose of preventing or detecting a crime, arresting or prosecuting an offender, or by order of a court.
In such circumstances, Gavan turizam d.o.o. will disclose the requested data. The Controller shall ensure that the request is legitimate, seeking advice from other legal advisors where necessary.
4.11.3. Complaints procedure
Data subjects (respondents) who object to the processing of their personal data should submit a complaint in writing. The Controller shall respond to the data subject’s request without undue delay and no later than within one month. If the Data Controller does not intend to comply with the data subject’s request, it must explain the reasons for this.
4.12. DATA PROTECTION TRAINING
All employees of Gavan turizam d.o.o. who have access to personal data have a responsibility according to these Rules and other internal documents.
The Data Controller will ensure regular training on data protection and provide all necessary guidelines for employees. Employees should be trained in:
data protection principles,
employee obligations to use personal data with the approval of an authorized person and for authorized purposes,
guidelines on the use of passwords and the importance of limiting access to personal data by using screen savers,
guidelines for the secure storage of data and the proper disposal of personal data by using secure destruction devices,
protective measures to prevent misuse or unlawful access or transfer,
all other relevant information related to specific activities or duties in the company.
4.13. REPORTING A PERSONAL DATA BREACH
Any person who suspects that a personal data breach has occurred must immediately notify the Controller by providing a description of what happened. An incident can be reported to info@gavanturizam.hr. The Controller will investigate all reported incidents to confirm whether or not a personal data breach has occurred.
If a personal data breach is confirmed, the Controller shall follow the appropriate authorised procedure based on the criticality and amount of personal data involved, as follows:
in accordance with Article 33 of the Regulation, in the event of a personal data breach, the Controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, notify the supervisory authority (Personal Data Protection Agency) of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
if the notification is not made within 72 hours, it must be accompanied by the reasons for the delay,
the data subject (respondent) must be notified of the personal data breach only if the breach is “likely to result in a high risk” to the rights and freedoms of individuals. The Guidelines also emphasize the obligation to keep internal records of breaches in each individual case,
the Controller is obliged to keep a record of breaches in each individual case.
4.14. RESPONSIBILITIES
4.14.1. Responsibilities of the Data Controller
implementing technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the Regulation,
keeping the team informed of data protection responsibilities, risks and issues,
regularly reviewing data protection procedures and rules,
organizing training and consultations on data protection for all team members,
being available to employees, data subjects (respondents) and others covered by these rules for all data protection issues,
resolving requests for access to personal data,
ensuring compliance of these Rules with the Data Protection Act and the Regulation,
cooperating with the Management Board of the Company in fulfilling its tasks,
other responsibilities under the EU GDPR.
4.14.2. Responsibilities of the Processor (if applicable)
the processing carried out by the processor is governed by a contract or other legal act in accordance with Union or Member State law,
compliance with these Rules and Regulations,
processes personal data on the instructions of the Controller,
ensures that the persons authorised to process personal data have undertaken to respect confidentiality or are subject to legal obligations of confidentiality,
takes all necessary measures to ensure the security of the processing in accordance with Article 32 on the security of processing,
assists the Controller by means of appropriate technical and organisational measures,
at the Controller’s choice, deletes or returns all personal data to the Controller after completion of the provision of services related to the processing,
notifies the Controller without undue delay after becoming aware of a personal data breach,
other responsibilities under the EU GDPR.
4.14.3. Responsibilities of the IT Manager (Contract)
signs the “Confidentiality Statement for Employees – Gavan turizam” together with the contract,
ensures that all systems, software and equipment meet acceptable security standards,
regularly checks and scans hardware and software security to ensure smooth functioning,
checks third-party services (cloud) used by the company in storing or processing data,
warns of security risks.
5. MAINTENANCE OF THE RULES
The Data Controller takes care of keeping these Rules up to date. All inquiries about these Rules, including requests, should be sent to the Data Controller by e-mail to info@gavanturizam.hr.
6. PUBLICATION
These Rules must be available to all employees of Gavan turizam d.o.o.
7. AMENDMENTS
The Data Controller is responsible for the maintenance and accuracy of these Rules. Notification of changes is provided to employees.
8. INFORMATION PROTECTION
The company Gavan turizam d.o.o. strives to ensure that data subjects (respondents) are aware that their data is being processed and that they understand how the data is used and how they can exercise their rights. The company Gavan turizam d.o.o. has its own Privacy Policy that sets out how the company uses data relating to data subjects. The policy is available upon request. You can also find it on the company’s website ( www.gavanturizam.hr ).
The rules come into force on: 26.06.2022.
————————————————————————————————–
PRIVACY POLICY COOKIES
We value your right to confidentiality and are committed to preserving the privacy and security of the information you share with us through these pages. No information will be passed on to third parties without your permission. This privacy policy explains how we use your information, how you can contact us, and for this reason it is important to us that you understand our information practices. By using these pages, we assume that you understand all of the above and that you agree to this privacy policy.
We only collect information that is essential to achieving the purpose of these websites. We do not collect personal data by visiting these websites. Your data is available to us only as information that you provide to us when communicating with us via email and the contact form.
We guarantee that none of the personal data listed will be used for any purpose other than the one for which the personal data was provided, except with your explicit approval/consent.
In order for this website to work properly, to be able to make further improvements to the site, and to improve your browsing experience, this site must store a small amount of information (called “cookies”) on your computer. Over 90% of all websites use this practice, but according to European Union regulations of March 25, 2011, we are required to ask for your consent before storing cookies. By using the website, you agree to the use of cookies.
A cookie is information stored on your computer by the website you visit. Cookies usually store your settings and preferences for the website, such as your preferred language or address. Later, when you open the same website again, the browser sends back the cookies belonging to that website. This allows the website to display information tailored to your needs. Cookies can store a wide range of information, including personal information (such as your name or email address). However, this information can only be stored if you allow it – websites cannot access information that you have not given them and cannot access other files on your computer.
The default cookie saving and sending activities are not visible to you. However, you can change your browser settings to allow you to choose whether to accept or reject cookie requests, to delete saved cookies automatically when you close your browser, and so on. By turning off cookies, you decide whether you want to allow cookies to be stored on your computer. Cookie settings can be controlled and configured in your web browser. For information about cookie settings, consult the documentation of the web browser you are using.
If you disable cookies, you will not be able to use some of the functionality on websites. There are several types of cookies.
Temporary or session cookies are removed from your computer when you close your browser. They are used by websites to store temporary information, such as items in your shopping cart.
Permanent or saved cookies remain on your computer after you close your browser. They are used by websites to store information, such as your login name and password, so that you do not have to log in each time you visit. Permanent cookies will remain on your computer for days, months, or even years.
First-party cookies come from websites that you visit, and they can be either permanent or temporary. These cookies allow websites to store information that they will use again the next time you visit those websites.
Third-party cookies come from advertisements on other websites (such as pop-ups or other advertisements) that appear on the websites you visit. These cookies allow websites to track your use of the Internet for marketing purposes.
We may use a service for measuring traffic, namely Google Analytics.
If you wish to prevent this service from storing cookies on your computer, you can disable it through Google Analytics.
There are several websites for disabling the storage of cookies for different services.
All information you leave by sending comments or filling out public forms on the site remains exclusively in the place for which it was filled in and is not used for other purposes.
If there is a change or amendment to the privacy policy, it will be valid only from the moment it is published on these pages. Any further use of the website implies that you accept the changed or amended provisions.
This website may contain links to other websites. We are not responsible for the content of these pages or for the privacy policies of these pages. If you discover that such websites lead to third-party websites with inappropriate content or an unfavorable privacy policy, please notify us and we will remove such links immediately.
Likewise, if you believe that your right to the protection of personal data has been violated by any part of these pages, or that the publication of texts on these pages has violated your right to the protection of personal data, please notify us immediately and we will remedy the deficiency without delay. Thank you for using our pages.
——————————————————————————————–
OBJECTION TO THE PROCESSOR
Your contact information: _________________________________________________________
Name and address of company (organization): __________________________________
Dear Sir/Madam,
I have a question/objection regarding the processing of my personal data.
______________________________________________________________________________________________
[Please provide details of why you believe your rights have been violated, explaining clearly and simply what happened and, where appropriate, how the violation affected you. If you have evidence to support your claims, please attach it]
I am sending you this complaint in order to give you, as the controller, the opportunity to consider my complaint and, if possible, remedy the violation and/or explain why you believe that there has been no violation of the provisions of the General Data Protection Regulation.
Please provide me with a response within 30 days in accordance with the provisions of the General Data Protection Regulation. If you are unable to respond within that period, please inform me within what period I can expect a response.
If you require additional information to resolve this complaint, please contact me at the contact details provided above.
Furthermore, I would like to inform you that I have the right to forward the relevant correspondence regarding the subject of this complaint to the Personal Data Protection Agency, if I believe that your actions regarding the processing of my personal data, even after the resolution of the complaint, are not in accordance with the provisions of the General Data Protection Regulation and/or the Act on the Implementation of the General Data Protection Regulation.
Sincerely,
___________________________
[Signature]
————————————————————————————————-
CONSENT FOR THE PROCESSING OF PERSONAL DATA
(in accordance with the conditions prescribed in Article 7 of the General Data Protection Regulation)
Special notes:
– for a child, consent is given by the parent/legal guardian, except in the case of offering information society services directly to a child over 16 years of age
– it is necessary to inform the individual about the processing of data for automated decision-making and about the possible risks of data transfer due to the absence of a decision on adequacy and appropriate safeguards
Important!!!
This consent form must be adapted to each specific case!
I GIVE CONSENT TO THE PROCESSING OF PERSONAL DATA FOR THE FOLLOWING SELECTED PURPOSES:
- ________________________________________________________________________________
- _______________________________________________________________________________
- _______________________________________________________________________________
- _______________________________________________________________________________
I confirm that I am aware that I can refuse or withdraw this consent at any time and that the processing is lawful until the moment of withdrawal.
Place:
Date:
_________________
(Signature)
————————————————————————————————–
NOTE: The consent applies only to the stated purposes of processing and the stated categories of personal data, and the personal data may not be processed for other purposes. The processing of the stated categories of personal data will be carried out in accordance with the General Data Protection Regulation and the Act on the Implementation of the General Data Protection Regulation. If an individual wishes to withdraw consent, they may do so in writing to the contact details of the personal data controller given above.
—————————
1 E.g. the student's index number rather than the student's OIB (so that the student can still be identified when withdrawing consent)
1 For example, a photograph of the student
1 For example: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Personal data controller:
GAVAN TURIZAM d.o.o.
Krajiška 42, 10000 Zagreb
gsm: +385 911943397
e-mail: info@gavanturizam.hr
web: www.gavanturizam.hr
I GIVE CONSENT TO THE PROCESSING OF PERSONAL DATA FOR THE FOLLOWING SELECTED PURPOSES:
- _____________________________________________________________________________________________
- _____________________________________________________________________________________________
- _____________________________________________________________________________________________