Menu

Terms and Conditions

DATA PROTECTION RULES PROCEDURES AND PROCEDURES

The company Gavan turizam, d.o.o. conducts its business in accordance with all legal, subordinate and internal regulations, including European regulations and regulations as well as the EU Regulation GDPR – REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and the Decision of the Croatian Parliament on the promulgation of the Act on the Implementation of the General Data Protection Regulation, which entered into force on 25 May 2018.
We conduct our business in accordance with the highest standards of ethical conduct. These procedures and rules determine the expected conduct of the company Gavan turizam d.o.o., which collects and uses certain personal data about individuals.
Procedures and policies:

  • describe how personal data must be collected, processed and stored in order to comply with the Regulation,
  • establish measures to protect individuals with regard to the processing of personal data and respect their rights,
  • determine how we approach the protection of personal data and ensure that employees understand these policies that govern the use of personal data to which they have access in the course of their work,
  • require employees to consult with the Data Controller before initiating new data processing activities to ensure that the steps they take are in compliance with the General Data Protection Regulation,
  • describe what Personal Data is (this is all data relating to an individual that can be used to identify that person),
  • describe which personal data is subject to legal regulations that impose restrictions on how organizations can process personal data.
    Procedures and policies ensure:
  • compliance with legal regulations on personal data protection,
  • protection of employee rights,
  • protection of client rights,
  • protection of business partners’ rights,
  • protection of the rights of other individuals whose personal data we collect.

Lawful processing of personal data Protection against the risk of personal data breaches Within the company, we keep personal data about our employees, clients, business partners, persons registered on our newsletter lists and other persons related to various business purposes.

The procedures and rules apply to:

  • the management of Gavan turizam d.o.o.,
  • all employees of Gavan turizam d.o.o.,
  • all individuals working on behalf of Gavan turizam d.o.o.,
  • all individuals and suppliers with whom Gavan turizam d.o.o. works,
  • all personal data processed by the company (all other personal data)

The procedures and rules protect Gavan turizam d.o.o. from security risks including:

  • risk of breach of confidentiality,
  • risk of theft,
  • risk of non-compliance with legal regulations that may expose Gavan turizam d.o.o. to lawsuits, regulatory measures, fines, complaints, damage to the company’s reputation.

GUIDELINES

Only authorized persons may have access to personal data for the purposes of performing their job. The data controller grants employees access to the data. The data may not be shared informally.

  • Gavan turizam d.o.o. will provide all employees with training to help them understand their responsibilities when handling personal data,
  • employees should keep all data secure by taking precautions and accepting the guidelines contained in this document,
  • employees should use strong passwords that should never be shared,
  • personal data should not be disclosed to unauthorized persons, both inside and outside the company,
  • data should be regularly reviewed and updated (data that is no longer processed and is no longer needed must be permanently deleted,
  • employees should seek the assistance of the Data Protection Officer if they are unsure about any aspect of data protection,
  • the management of Gavan turizam d.o.o. is fully committed to ensuring the continuous and effective implementation of this policy and expects all employees and third parties acting on behalf of the company to share this commitment,
  • violations of these procedures and rules will be taken seriously and may result in disciplinary action and sanctions.

Approved by:
MIRA BREŠIĆ, B.Sc. father
Director of Gavan turizam d.o.o.

  1. DEFINITIONS

Personal data – all data relating to an individual that can be used to identify that person.
Data subject (Respondent) – a person who can be identified from one or more personal data that we hold, the person whose personal data we hold.
Processing – Processing is any operation which is performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction.
Consent – According to Article 4 of the General Data Protection Regulation, the consent of the data subject is any voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which, by a statement or by a clear affirmative action, he or she signifies agreement to the processing of personal data relating to him or her. If in writing, the consent must be short and clear, written in plain language, and contain all necessary information. The data subject may withdraw his or her consent at any time and this should be clearly indicated in the consent.
Profiling – Any form of automated processing of personal data where personal data is used to evaluate certain personal aspects relating to an individual.

  1. SCOPE OF APPLICATION

These Rules apply to all processing of personal data (automated and non-automated).
Personal data is processed:

  • for carrying out business activities of Gavan turizam d.o.o.,
  • for providing or offering products or services to individuals,
  • for actively monitoring the behavior of individuals,
  • monitoring the behavior of individuals includes the use of data processing techniques such as web browser cookies
    These Rules apply to all employees of Gavan turizam d.o.o. All employees must be familiar with these Rules and comply with these Rules.
    The Data Controller, Gavan turizam d.o.o. has overall responsibility for the day-to-day implementation of these Rules.
  1. POLICY

4.1. IMPLEMENTATION OF THE POLICY
The company Gavan turizam d.o.o. must ensure that all employees responsible for the processing of personal data are aware of these Rules and that they comply with them. The company Gavan turizam d.o.o. must ensure that all third parties engaged to process personal data on their behalf are aware of these Rules and that they comply with them.

4.2. COMPLIANCE MONITORING
In order to confirm a sufficient level of compliance of the business with these Rules, the Data Controller will conduct an annual compliance audit to assess:

  • compliance with the Rules in relation to the protection of personal data (assignment of responsibilities, raising awareness, training of employees),
  • effectiveness of operational procedures related to data protection (respect for the rights of data subjects, transfers of personal data, management of possible complaints, etc.),
  • level of understanding of the Rules and Privacy Policy,
  • accuracy of personal data stored, personal data breaches,
  • the Data Controller will correct any identified deficiencies within a defined and reasonable timeframe.
    4.3. DATA PROTECTION PRINCIPLES
    The company Gavan turizam d.o.o. respects the following principles to regulate the collection, use, storage, transfer, disclosure and destruction of personal data (processing of personal data):
  • lawfulness, fairness, transparency – the processing of personal data should be lawful, fair, transparent. This means that it must provide the data subject with all the information required by the Regulation (transparency), the processing must correspond to the description of the purpose (fairness) and must be for one of the stated purposes prescribed in Article 6 of the Regulation (lawfulness),
  • purpose limitation – personal data are collected for explicit and legitimate purposes and may not be further processed for other purposes,
  • data minimization – only personal data that is necessary in relation to the purpose for which they are processed may be collected,
  • accuracy – personal data must be accurate and up-to-date. This means that Gavan turizam d.o.o. must establish procedures for identifying and resolving outdated, inaccurate and redundant personal data,
  • storage limitation – personal data may only be kept for as long as necessary in relation to the purpose for which they are processed,
  • integrity and confidentiality – security. Gavan turizam d.o.o. must use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data at all times.
    The controller is responsible for compliance with these principles and must be able to demonstrate this at all times. Compliance with these principles ensures RELIABILITY.

4.4. DATA COLLECTION
Gavan turizam d.o.o. collects personal data lawfully and fairly. Where there is a need to seek the consent of an individual before collecting and processing personal data, Gavan turizam d.o.o. requests consent.
The controller must ensure a procedure for lawfully obtaining consent and document the consents obtained:

  • consent can be obtained in paper form – by completing the Consent form (available at www.gavanturizam.hr),
  • consent can also be obtained by checking the box when visiting the website, selecting the technical settings of information society services and any other statement or behavior that clearly indicates acceptance of the proposed data processing activities,
  • consent is given by taking a clear action by the data subject,
  • the request for consent must ensure an unambiguous expression of the data subject’s (respondent’s) wishes,
  • the consent form must be understandable, easily accessible and use clear and plain language
  • consent must be voluntary,
  • the controller documents the date of obtaining consent, methods and contents of consent,
  • the controller ensures a simple procedure for withdrawing consent at any time.

4.5. PRIVACY POLICY
Website of the company Gavan turizam d.o.o. contains an online “Privacy Policy” and a cookie notice. The Privacy Notice is approved by the Data Controller.

4.6. DATA PROCESSING
The company Gavan turizam d.o.o. uses personal data for general business and business management and for providing services to clients.
The company Gavan turizam d.o.o. will not process personal data unless at least one of the following conditions is met:

  • the data subject (respondent) has given valid consent to the processing of his/her personal data, the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject (respondent) prior to entering into a contract,
  • the processing is necessary for compliance with the legal obligations of the data controller,
  • the processing is necessary to protect the vital interests of the data subject (respondent) or another natural person,
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority of the data controller,
  • the processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject (data subject), in particular where the data subject (data subject) is a child.
    There are some circumstances in which personal data may be further processed for purposes which go beyond the original purpose for which the personal data were collected. When deciding on the compatibility of a new ground for processing, guidance and approval must be obtained from the Company’s management before such processing can commence.

4.6.1. Special categories of data
In the event of the need to process special categories of data (sensitive data), Gavan turizam d.o.o. will carry out the processing if the data subject (data subject) expressly consents to such processing or if one of the conditions set out in Article 9 of the Regulation is met.
4.6.2. Children’s data
The processing of a child’s personal data is lawful if the child is at least 16 years old. For those under 16, processing is lawful if consent has been granted by a parent or guardian.

4.7. DATA QUALITY

The company Gavan turizam d.o.o. will take all necessary measures to ensure that the personal data it collects and processes are complete, accurate and up-to-date so that they reflect the current situation of the data subject.
Measures to ensure data quality include:

  • correcting personal data that is known to be inaccurate, incomplete, ambiguous, misleading or outdated, even if the data subject (data subject) does not request correction,
  • retaining personal data only for the time necessary to fulfill the permitted purpose
  • removing personal data if it violates any of the data protection principles or if the personal data is no longer needed.

4.8. DIRECT MARKETING

The company Gavan turizam d.o.o. will not send promotional material and other direct marketing materials to contacts via channels such as mobile phones, e-mail and the Internet without first obtaining valid consent. If the data subject (respondent) objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes and their processing must cease immediately.

4.9. DATA RETENTION

We shall not retain personal data for longer than is necessary. How long this is necessary will depend on the circumstances of each case, taking into account the purpose for which the personal data was collected. In order to ensure fair processing, Gavan turizam d.o.o. will not retain personal data for longer than is necessary in relation to the purposes for which they were collected.

  • We store data from the personal data collection “Employees” PERMANENTLY
  • We store data from the personal data collection “Company Management” PERMANENTLY
  • We store data from the personal data collection “Exhibitors” PERMANENTLY
  • We store data from the personal data collection “Lessees” PERMANENTLY
  • We store data from the personal data collection “Carriers” PERMANENTLY
  • We store data from the personal data collection “Suppliers” PERMANENTLY
  • We store data from the personal data collection “Contractors” PERMANENTLY
  • We store data from the personal data collection “Student Service” PERMANENTLY

4.10. DATA PROTECTION AND STORAGE
The company Gavan turizam d.o.o. implements technical and organizational measures to ensure the security of personal data. This includes prevention of loss or damage, unauthorized changes, unauthorized access or processing, prevention of other risks to which data may be exposed. These rules describe how and where data should be stored.
Basic measures:

  • prevent unauthorized persons from accessing systems in which personal data are processed,
  • prevent persons who have the right to access them from using them outside of business needs and authorization,
  • ensure that personal data during electronic transmission cannot be read, copied, modified or removed without authorization (data must be encrypted before being transmitted electronically),
  • when processed in processing systems, ensure that access data is established in a way that it can be determined who entered, modified or removed them from the system,
  • ensure protection against unwanted destruction or loss,
  • ensure that personal data is not kept longer than necessary,
  • employees may not save copies of personal data on their own computers or other media,
  • personal data on paper – papers should be kept in a safe place that is not accessible to unauthorized persons,
  • keep papers in a locked cabinet or office,
  • do not leave papers in places where unauthorized persons can see them,
  • destroy papers that you no longer need (e.g. use a document shredder),
  • electronically stored data must be protected from unauthorized access, accidental deletion and malicious hacking attempts,
  • data should be protected with strong passwords that should be changed regularly. Passwords should never be shared with anyone,
  • employees should ensure that their computer screens are always locked when left unattended,
  • if data is stored on external media (external hard drive, DVD, CD, USB…), these should be kept (in a safe or cabinet) locked when not in use,
  • use only verified and approved drivers and servers,
  • servers containing personal data should be located in a secure location, away from the office premises, protected by approved security software and a firewall,
  • data should be backed up regularly (in accordance with the prescribed backup procedures if you have them),
  • computers should be protected with antivirus software.

4.11. REQUESTS OF DATA SUBJECTS (RESPONDENTS)
The company Gavan turizam d.o.o. enables the exercise of the rights of data subjects (respondents) over data at any time:

  • right to access (insight) information,
  • right to correction,
  • right to erasure (“right to be forgotten”),
  • right to restriction of processing,
  • right to data portability,
  • right to withdrawal,
  • right to object (objection to Gavan turizam d.o.o. and the supervisory authority),
  • objection to automated decision-making and profiling
    If an individual submits a request in relation to any of the above rights, Gavan turizam d.o.o. will consider each such request in accordance with legal regulations. No administrative fee will be charged for considering and/or complying with such a request, unless the request is considered unnecessary or excessive in nature.
    The controller shall communicate to the individual any rectification or erasure of personal data or restriction of processing that has been carried out and to any recipient (data subject/respondent) to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform data subjects (respondents) of these recipients if they so request.
    4.11.1. Request for access to personal data.
    Data subjects (Respondents) whose personal data are stored by Gavan turizam d.o.o., upon a written request and after successful proof of identity, have the right to:
  • request information about what personal data we store and why,
  • find out the source of personal data, if it was not obtained from the data subject (respondent),
  • have the right to information about the intended storage period of personal data,
  • have the right to an explanation for determining the storage period,
  • request access to information,
  • be informed about the use of any automated decision-making, including profiling,
  • be informed about how to keep them up to date,
  • be informed about how the company fulfills its data protection obligation,
  • when the data subject (respondent) contacts the company Gavan turizam d.o.o. requesting information, the Data Controller sends him/her the Request for Access to Personal Data form or the data subject (respondent) downloads the form himself/herself from our website www.gavanturizam.hr .
    Data subjects (respondent) should fill out the form and send it to Gavan turizam d.o.o. All requests for access / rectification / erasure / restriction / portability of personal data shall be submitted to the Controller and must be reported immediately upon receipt. The Controller shall respond to each request within 30 days of receipt of the written request from the data subject. The Controller shall always be obliged to establish the identity of anyone who submits a request for access before disclosing any data.
    4.11.2. Disclosure by force of law
    In certain circumstances, prescribed by the Regulation, it is permissible for personal data to be shared without the knowledge or consent of the data subject (data subject) for the purpose of preventing or detecting a crime, arresting or prosecuting offenders, or by court order.
    In such circumstances, Gavan turizam d.o.o. will disclose the requested data. The Controller shall ensure that the request is legitimate, seeking advice from other legal advisors when necessary.

4.11.3. Complaints procedure
Data subjects (respondents) who object to the processing of their personal data must submit a complaint in writing. The controller is obliged to respond to the request of the data subject without undue delay and no later than one month. If the controller does not intend to comply with the request of the data subject, it must explain such action.

4.12. DATA PROTECTION TRAINING

All employees of Gavan turizam d.o.o. who have access to personal data are responsible for these Rules and other internal documents.
The controller will ensure regular training on data protection and provide all necessary guidelines for employees. Employees should be briefed on:

  • data protection principles,
  • employee obligations to use personal data only with the approval of an authorized person and for authorized purposes,
  • guidelines on the use of passwords and the importance of limiting access to personal data using screen savers,
  • guidelines on the secure storage of data and the proper disposal of personal data using secure shredding devices,
  • safeguards to prevent misuse or unlawful access or transfer,
  • all other relevant information related to specific activities or duties in the company.

4.13. REPORTING A PERSONAL DATA BREACH

Any person who suspects that a personal data breach has occurred must immediately notify the Controller, providing a description of what has happened. The incident notification can be reported to info@gavanturizam.hr The Controller will investigate all reported incidents to confirm whether or not a personal data breach has occurred.
If a personal data breach is confirmed, the Controller will follow the appropriate authorized procedure based on the criticality and amount of personal data involved, as follows:

  • in accordance with Article 33 of the Regulation, in the event of a personal data breach, the Controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, notify the supervisory authority (the Personal Data Protection Agency) of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • if the notification is not made within 72 hours, it must be accompanied by reasons for the delay.
  • it is also necessary to notify the data subject (data subject) of a personal data breach only if such a breach is “likely to result in a high risk” to the rights and freedoms of individuals. The guidelines also emphasize the obligation to keep internal records of breaches in each individual case.
  • the controller is obliged to keep records of breaches in each individual case.

4.14. RESPONSIBILITIES


4.14.1. Responsibilities of the Data Controller

  • implementing technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the Regulation,
  • keeping the team informed of data protection responsibilities, risks and issues,
  • regularly reviewing data protection procedures and rules,
  • organizing data protection training and consultations for all team members,
  • being available to employees, data subjects (respondents) and others covered by these rules for all data protection issues,
  • resolving requests for access to personal data,
  • ensuring compliance of these Rules with the Data Protection Act and the Regulation,
  • cooperating with the Company’s Management Board in fulfilling its tasks,
  • otherwise in accordance with the EU GDPR Regulation.
    4.14.2. Responsibilities of the Processor (if applicable)
  • the processing carried out by the processor is governed by a contract or other legal act in accordance with Union or Member State law,
  • compliance with these Rules and Regulations,
  • processing personal data on the instructions of the Controller,
  • ensuring that the persons authorised to process personal data have undertaken to respect confidentiality or are subject to legal obligations of confidentiality,
  • taking all necessary measures to ensure the security of the processing in accordance with Article 32 on the security of processing,
  • assisting the Controller by means of appropriate technical and organisational measures,
  • at the Controller’s choice, erasing or returning all personal data to the Controller after the completion of the provision of services related to the processing,
  • the processor notifies the Controller without undue delay after becoming aware of a personal data breach,
  • otherwise in accordance with the EU GDPR.

4.14.3. Responsibilities of the IT Manager (Contract)

  • signs the “Confidentiality Statement for Employees – Gavan turizam” with the contract in person
  • ensures that all systems, software and equipment meet acceptable security standards,
  • regularly checks and scans hardware and software security to ensure smooth functioning,
  • checks third-party services (cloud) used by the company in storing or processing data,
  • warns of security risks.
  1. MAINTENANCE OF THE RULES
    The Data Controller takes care of keeping these Rules up to date. All inquiries about these Rules, including requests, should be sent to the Data Controller via e-mail info@gavanturizam.hr
  2. PUBLICATION
    These Rules must be available to all employees of Gavan turizam d.o.o.
  3. AMENDMENTS
    The Data Controller is responsible for the maintenance and accuracy of these Rules. Notification of changes is provided to employees.
  4. INFORMATION SECURITY
    The company Gavan turizam d.o.o. strives to ensure that data subjects (data subjects) are aware that their data is being processed and that they understand how the data is used and how they can exercise their rights. The company Gavan turizam d.o.o. has its own Privacy Policy that sets out how the company uses data related to data subjects. The statement is available upon request. You can also find it on the company’s website ( www.gavanturizam.hr ).

The rules come into force on: 26.06.2022.