SweetTravel d.o.o. Gabra Rajčevića 4, Dubrovnik, Croatia; OIB: 24804378307 is your reliable partner for the organization of various events. We provide a range of services, such as renting vehicles and boats, and private accommodation. We pride ourselves on the high level of our services, which we are constantly trying to improve and thus further strengthen the quality of Croatia's tourist offer.
Our business is primarily oriented towards our clients and their desires, so we are at our disposal for our partners and clients 24 hours a day, every day of the week. SweetTravel is committed to high standards and best practices in the delivery of its services. That's why we have published this privacy policy to explain how we treat personal information we handle.
For us, every client is VIP and therefore we attach special importance to the protection of personal and business data we handle. We always process personal information in accordance with our fundamental values and principles, this privacy policy and applicable European and Croatian regulations relating to the protection of personal data.
We collect and process personal information solely for the purpose of quality, timely, complete and unhindered provision of our services. We collect and process personal information solely in a legitimate, fair and transparent manner, taking into account that we process only those data that are necessary for providing a particular service with the application of appropriate organizational and technical protection measures.
We process all personal information only during the duration of the contracted service or some other legal transaction, and when the need for their processing ceases to be deleted or anonymised, in the manner of removing all personal data and exclusively for statistical purposes.
The terms used in this privacy policy, which have a gender meaning, relate equally to men and women.
Principles of personal data processing
When processing personal data we follow the principles and rules established by Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the non-application of Directive 95 / 46 / EC (General Data Protection Regulation).
We process all personal data in a lawful manner, and the processing of personal data is primarily based on the execution of a contractual relationship or the respect of contractual and legal obligations, and with clear and unambiguous, affirmative consent.
When processing personal data, we take care of the obligation to keep a professional secret in the way that is regulated by the law of the European Union or the Republic of Croatia. We pay special attention to confidentiality, especially when it comes to data from our clients and partners, as well as employees. That is why our employees protect your personal information and as a business secret, even after the termination of employment.
Personal information is exclusive:
• lawful, fair and transparent;
• for specific, well-defined and legitimate purposes;
• using only accurate, up-to-date, relevant and relevant data that are limited to the purpose in which they are processed;
• only as long as necessary to achieve the purpose of processing and
• protecting them from any unauthorized or illegal processing and from accidental loss, destruction or damage.
We pay special attention to processing special categories of personal data.
We usually process special categories of personal data of our employees, for which employees give explicit consent to be processed or processed in order to protect and realize the rights and interests of employees in the field of labor law and social security and social security rights.
Sometimes we process personal data under the age of 16, exclusively for the purpose of providing a contracted service, based on a clear and informed source of information or the guardian, and then only to the extent and extent to which it is granted. According to such data, we are dealing with special attention because the safety of children and young people is extremely important to us.
We do not use automated processing of personal data, including making profiles, in order to make a decision that produces or can produce legal effects against respondents or otherwise significantly affect the respondent and the realization of his rights.
We take care that we collect personal data directly from the respondent to whom the personal data are related, wherever possible. When collecting personal data, respondents are always informed about the reason and purpose of the processing of personal data, as well as the legal basis for such processing, stating the expected retention period.
If we collect personal information from a third party, we take all necessary steps to ensure that this third person has a valid authority, consent or other legal basis for the provision of such personal information. We take the security of personal data seriously, so we ask you to understand if one of our protection measures seems too serious or extensive.
We process the data
We primarily process personal data of persons with whom we have a contractual or business relationship, or a justified interest or a clear, informed and unquestioned consent, such as our clients, business partners, suppliers, employees, etc.
As a rule, we process personal data only from the information that is necessary for us to perform the service or to fulfill our legal obligations. The most common is the name and surname, address, contact telephone number and e-mail address, depending on the type of service and citizenship and the type and number of travel documents.
In order to provide our customers with top-class service, we can also process data that are not necessary for providing our services, but only when they are provided by volunteers for the sole purpose and for the duration of such value-added services. Some of these data may also fall into special categories of personal data such as health-related information (eg allergies, intolerance to certain foodstuffs, etc.), and we always seek clear, informed, and unequivocal consent to the processing of such data. We protect such data in particular, and, if necessary, we also conduct an assessment of the impact on the protection of personal data.
The eVisitor Tourist Information and Registration System
eVisitor is an online information system that connects all tourist communities in the Republic of Croatia, provides an insight into the state of tourism traffic, and an up-to-date database of accommodation facilities and providers of accommodation services, as well as control of the collection of residence tax.
If we or our partners make a check-in and check-out of guests, eVisitor system is used in accordance with current regulations in the Republic of Croatia. In this case, we ask the guests to provide personal information such as name and surname, address, date and place of birth, citizenship, and type and number of identification document.
For the needs of the eVisitor system, we can use a manual data entry or a mobile application that logs in to the eVisitor system by photographing an identification document. By using the photo we use the system exclusively for the convenience of our guests, in order to make the necessary application quick and accurate, thus enabling our guests to enjoy the holiday as smoothly as possible.
If we use an entry through the photograph of an identification document, we do so on request or with explicit consent, and we delete the photo immediately after entering. After entering personal data in eVisitor, regardless of the way, we delete all such data and do not process them in any way.
After deleting or ending processing, guests can contact the eVistor for realization of their rights, and we will be happy to help them.
Rental of vehicles (vessels) and transfer of passengers
When we provide rent-a-car service, we are obliged to collect and process a whole range of personal information, which sometimes includes a copy of personal documents, such as a driver's license and identification document. All such data are solely collected in order to fulfill our legal obligations towards the competent state bodies and insurance companies, which arise from the laws and bylaws.
All such data are stored until the rental is terminated and deleted or anonymised within 7 days for exclusive use for statistical purposes, unless the legal obligation, court or other legal proceedings before the competent authorities or legal or other binding order commits us to the longer storage time.
When we provide a passenger transfer service, we do so on the basis of a contract or search of our business partners, such as travel agencies, hotels, etc. with the goal of fast, safe, comfortable and simple transportation. That is why our business partners send us certain personal information of passengers, which are most often related to name and surname, flight number and time of arrival. Our driver visibly holds the inscription with the name and surname of the person for whom the contract is transferred, and on the request of the transport contractor, on the travel order or other appropriate document, indicate the name and surname of the passengers in order to fulfill the contractual obligation.
In case of a larger group of passengers, we usually receive a list of all guests with the name and surname of the leader or group representative, whose name is then on the inscription. Upon execution of the transfer service, all such inscriptions and lists are destroyed, in accordance with our privacy policy and the principle of reducing the amount of personal data.
All our drivers take care of confidentiality within the high level of service we provide, applying the principles and standards expressed in this privacy policy in accordance with the rules of the profession and examples of good practice.
Confidentiality and security
We approach all personal data with confidentiality, always applying the appropriate level of security and technical, or organizational protection. Confidentiality and security, integrity and honesty are the foundation of our business. That's why we never make personal information without a valid and robust legal basis, we always inform people whose personal information we are processing.
When we process personal data, then our employees are solely responsible for the personal information they need in their work and for which processing they are authorized. We process the processing within the limits of the authorization, or exclusively for the purpose for which the data were collected or for which they are processed.
In working with personal data, we are guided by a "need-to-know" principle to ensure that only and exclusively authorized employees have access to personal data for a specific period of time.
If we decide to introduce new technologies that can be used for the processing of personal data, we approach a thorough risk assessment and analysis and adaptation of technical and organizational measures in order to ensure the highest standards of personal data protection.
Guidelines for the treatment of our employees
Our employees work in accordance with the principles and measures from the General Data Protection Regulation, this privacy policy and applicable national legislation related to the protection of personal data.
Access to personal data is limited to those employees who need such access in order to carry out their work or to perform their work tasks.
Our employees do not share personal data with each other in an informal or unsafe manner, but in accordance with our value, every approach requires approval from the person in charge of the specific job, or the person who ordered the order.
We are aware of the speed of changing the technology and the way it is used, as well as the risk for personal data that may arise. Therefore, at least once a year we organize education or otherwise familiarize our employees with the latest in the field of personal data protection and their obligations and regulations related to the protection of personal data. In this way, we ensure a high level of service and relationship to personal data that our clients and business partners expect rightly. We always take care of the application of good practices for the protection of personal data in accordance with the recommendations of the Agency for the Protection of Personal Data and other bodies in charge of data protection in the European Union and the Republic of Croatia.
When processing personal data, our employees take appropriate measures of organizational and technical protection in order to minimize the risk to personal data, in particular:
• use powerful passwords on computers and mobile devices, which are known only to them, that change regularly and are not given to third parties for inspection;
• regularly check the up-to-date and thoroughness of the personal data they handle.
If personal data are no longer required or are not accurate and without the possibility of updating, such data is deleted or anonymised;
• always lock or shut down computers on which they work with personal data when they leave them unattended;
• consult with the competent person when they are in doubt about any aspect of personal data protection.
Personal data storage
Regardless of whether personal information is on paper, in an electronic or some other form, we take care of the adequate storage of personal data.
When personal information is on paper, no matter what
Whether it is a printing of data that is otherwise stored in electronic format, we format them in a closed drawer or file cabinet and are then available exclusively for authorized persons;
Personal data in electronic form is protected from unauthorized access, accidental modification or deletion, or unauthorized intrusion into the system by applying a whole set of organizational and technical protection measures such as: strong passwords that are regularly changed and which are known only to authorized persons, Back-ups are performed regularly, ensuring that unnecessary multiple copies are created, all servers and computers containing personal data are protected by appropriate technical protection measures, such as encryption programs, firewalls, and the like.
To store personal data in electronic form, we use exclusively certified storage media, servers, and selected sound services, which guarantee the use of adequate technical protection.
Transfer of personal data
Before transferring personal data to third parties, we ensure that recipients comply with the General Data Protection Act and national legislation, and we may, if necessary, request guarantees or direct insight into their security and protection measures.
In every transfer of personal data, we use appropriate organizational and technical protection measures that correspond to categories of personal data and risk assessment, taking into account the particularities of each individual case of transfer of personal data and their recipients.
We will never disclose personal information to third parties without explicitly requesting and clearly given, unequivocal and precisely determined consent of the respondents or when necessary for the purpose of accomplishing the contracted service.
Exceptionally, we can disclose the personal data of the respondents to the competent international, state and public bodies, if necessary for the fulfillment of legal obligations, to protect your life interests or the life interests of other natural persons. Likewise, we can disclose your personal information in the scope and limits of a court order to the court, and for the needs of the court proceedings (regardless of the stage of the proceedings). In this case, the respondents are informed about it, unless a valid court or other appropriate order does not interfere with it.
When acting as the executor of processing, the name of the processing manager, we guarantee the implementation of appropriate technical and organizational measures in accordance with the General Data Protection Regulation and this privacy policy, taking into account the protection of the rights of the respondents.
Such processing of personal data shall be governed by a written contract or other legal act in accordance with European Union law or the law of the Republic of Croatia, by which the head of processing determines the object and duration of processing, the nature and purpose of the processing, the type of personal data and the category of respondents and their obligations and rights. In this case, we process personal data only according to the specified and clearly defined instructions or orders of the processing manager.
When we are executors of processing we do not process personal information, whether or not we can access them, except when and when explicitly requested by the processing manager, and then only in the manner and in the extent in which the leader asked, in accordance with the General Data Protection Act and this privacy policy.
We apply the same principles when providing our services. We use the appropriate technical methods of protection, such as encryption, and by respecting and enforcing this policy of assertiveness, we ensure that our employees do not access or in any other way do not come into contact with personal data for which they are not authorized or which are not necessary for the provision of the contracted service.
Impact assessment on data protection
We are aware that some kind of processing, especially through new technologies and taking into account the nature, scope, context and purposes of processing, will cause a high risk to the rights and freedoms of individuals, then we will conduct an assessment of the effect of the foreseen processing procedures on the protection of personal data before processing.
When we perform an impact assessment, it generally contains a systematic description of the foreseen processing and processing purposes, the assessment of the necessity and proportionality of the processing procedures in relation to the purpose of the processing, the assessment of risks to rights and freedoms, and measures to address the risk problem and to demonstrate compliance with the General data protection.
Risk assessment and risk management are an important part of our processing of personal data.
International transfer of personal data
We do not transfer personal data to third countries or international organizations (international transfers), except for the fulfillment of contractual obligations, legally prescribed cases or your explicit request with a clear, unambiguous and accurate consent.
The eventual transfer of personal data to a third country or an international organization is based exclusively on:
• a list of countries and international organizations that provide an appropriate level of protection, in accordance with a publicly announced European Commission decision;
• envisaged by appropriate protective measures, such as binding corporate rules, public authority instruments, approved codes of conduct, together with binding and enforceable obligations of processing or processing executors in a third country relating to the consistent application of appropriate safeguards, and
• the existence of appropriate institutional legal protection for respondents in a third country.
We will not act on any kind of court hearing or decision of a third-country governing body requiring us to transfer or disclose personal information, unless it is based on an international agreement that binds the Republic of Croatia, such as a mutual legal assistance contract.
Accuracy and updating of personal data
The accuracy and timeliness of personal data is exceptional, both for achieving the purpose of processing and for the realization of your rights and protection of personal data. Therefore, we take appropriate technical and organizational measures to ensure the accuracy and timeliness of the personal data we process, in accordance with the purpose of the processing.
In a simple and accessible way, using examples of good practice, we allow all respondents whose personal data are processed to quickly update their personal information.
If during the processing or the use of personal data it is determined that certain personal data are inaccurate or not accurate and can not be updated or such an update would result in disproportionate efforts or costs, such data will be deleted.
Retain and delete personal information
In accordance with the principles on which our privacy policy is based, personal data of respondents are processed only to the extent and for as long as is necessary to achieve the purpose of processing, or as required by law or by-law.
If we are unable to accurately determine the deadline or the duration of retention of personal data, we provide respondents with a framework assessment based on past experience and good practice.
Twice a year we perform the control and audit of the personal data we process to ensure that all personal data for which the purpose has been achieved, or which we no longer need, are deleted or anonymised. Control is performed by an authorized employee or an external contractor, who is obliged to make a report and possible recommendations.
Exceptionally, we can retain the personal data of the respondents and longer than we have stated if necessary for the purpose of acting under a court order or order of an authorized body, and solely for the purpose of fulfilling legal obligations, in order to protect your life interests or the life interests of other natural persons.
The right respondents
Realizing the rights of respondents is of particular importance to us, so every request for the realization of rights is accessed seriously and professionally, following the requirements of the General Data Protection Act and the principles on which this privacy policy is based.
Reviewing your rights in this privacy policy has been simplified to make it easier and easier to navigate. The general regulation on data protection and national legislation regulates in detail the complex procedure for the realization of rights; Therefore, we suggest that you become familiar with the regulations that provide a comprehensive description of your rights and the way they are implemented.
Each respondent has the right to obtain a confirmation whether his personal information is processed or not. If his personal data are processed, then the respondent may request access to his or her personal data, indicating the purpose of the processing, the categories of spatial data in question, and any recipients whose personal data have been disclosed (or will be disclosed on the basis of a valid legal basis).
The respondent whose personal data are processed has the right to ask for the correction or deletion of his / her personal data, that is, limiting the processing of personal data, as well as the data portability.
If the processing of personal data is based on consent, the respondent can withdraw at any time in a simple and transparent manner, after which we no longer process such data.
In addition, the respondent may request the deletion of personal data without undue delay as personal data are no longer necessary in relation to the purposes for which they were collected or must be deleted in order to comply with the regulations of the European Union or the Republic of Croatia.
Exercising the rights of respondents from our foreign language may affect the right of the respondent to contact the Personal Data Protection Agency or other supervisory authority.
The respondent can apply for the realization of the rights via e-mail info@sweet-travel.hr
SweetTravel can create a special electronic form on its web pages, which will serve as a standardized way of applying for the rights of the respondents, but this will not affect the ability to send respondents' requests to the specified email address and receive a timely response.
When we receive a request for the exercise of the rights of the respondents, we first take appropriate steps to undoubtedly establish the identity of the requester before providing any information relating to personal information. Security of personal data is taken very seriously and therefore we carry out security verification measures to reduce the risk of injury or unauthorized access to personal data.
Information relating to the exercise of rights is provided in an electronic form, without charge. In the case of requesting a copy of such information or repeated requests relating to the substantially equal exercise of rights or, in the case of obviously unfounded or excessive claims, we will collect a funded fee at the actual administrative costs of completing such a request.
Procedure in case of personal data breach
In case of violation of personal data, and in particular unauthorized incursion into our IT system, we will inform the Agency for Personal Data Protection of such violation within 72 hours of its knowledge.
If a personal data breach can cause a high risk to the rights and freedoms of an individual, we will immediately notify all those respondents whose personal information is hurt.
Internal acts and protocols, which are reviewed at least once a year, prescribe the behavior of our employees, from the moment of the violation found until the completion of the procedure.
Final provisions
If for any reason you think that according to your personal information we do not deal appropriately or feel that processing your data is in line with the General Data Protection Act and national legislation, you have the right to contact the Personal Data Protection Agency, but we would be pleased contact us before contacting us directly to respond to your inquiries and jointly removing doubts about handling personal information.
SweetTravel updates this privacy policy as needed and at least once a year, taking into account examples of good practice and data in the field of data protection.
|
