GDPR Terms & Conditions
Pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and other related regulations (hereinafter: Regulations), the Company Golden Leaf Tours d.o.o. d.o.o. adopts the following:
GOLDEN LEAF TOURS D.O.O. d.o.o., a company established under the Croatian law, based in Split, Mostarska 104, OIB: 95003721612 (hereinafter: Golden Leaf Tours d.o.o.) shall be obliged to comply with and enforce the Regulations, as follows:
1. The basic terms of the Regulations:
– Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes, conditions and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member States law, the controller or the specific criteria for its nomination may be foreseen by Union or Member States law;
-Processing – means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring or otherwise making available.
– Personal data – all data relating to an individual whose identity has been identified or can be determined directly or indirectly.
Personal information in the agency is handled in such a way that the manager of processing in all its organizational units strictly adheres to the following principles:
a) lawfulness, fairness and transparency; data controller processes the data according to all applicable legal provisions, protecting all the necessary rights of the respondent; the data controller will provide the respondent with all the additional information necessary to ensure fair and transparent processing, taking into account the special circumstances and context of personal data processing; the data controller does not perform the profiling of the respondents nor automated decision-making
(b) purpose limitation; the data will be collected for special, explicit and legitimate purposes and will not be processed in a way that is not in accordance with those purposes; but further processing can be made for purposes of archiving public interest, scientific or historical research or for statistical purposes
(c) reducing the amount of data; the data will be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are being processed
(d) reliability: the data controller is responsible for the principles and will be able to demonstrate compliance with these principles.
The conduct of Golden Leaf Tours d.o.o. is in accordance with this Notice and refers to all natural and legal persons who give us knowledge or use of any kind of personal data (employees, external clients, business associates and all other third parties).
– Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
-Third Party- means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
-Recipient – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
2. Lawfulness of processing and legal basis:
Golden Leaf Tours d.o.o., as Controller or Processor shall lawfully process personal data on the following basis:
– the data subject has given consent to the processing of his or her personal data for one or more specific purposes
– processing is necessary for the performance of a contract to which the data subject is party
– for the purpose of a legal obligation to which the controller is subject
– protection of the vital interests of the data subject or of another natural person
– for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
– for the purposes of the legitimate interests pursued by the controller or by a third party.
The legal basis for the processing of data shall be determined in accordance with the Union law or the law of the Member States to which Golden Leaf Tours d.o.o. is subject.
3. The purpose of the processing:
Personal data shall be collected for the purpose of meeting the legal obligations of Golden Leaf Tours d.o.o. and fulfilling the operation of the business in accordance with the company’s valid registration.
Data shall be collected for the use and management of human resources, including monitoring the quality of professional work, exercising the rights and obligations from employment, as well as rights and obligations based on service of travel agency and other official or business purposes.
The data collected shall be appropriate and relevant and only in the amount necessary to achieve the purpose of processing personal data.
4. Category of persons to whom the data relate
Data collections relate primarily to all persons who have entered into employment contracts directly with Golden Leaf Tours d.o.o. as an employer (fixed-term employment contract, permanent work contract, service contract, etc. ), as well as all persons who, as clients , are using the services of Golden Leaf Tours d.o.o..
With prior consent, personal data may be collected, processed and further used for all clients who are using travel services of Golden Leaf Tours d.o.o. or any other services relating to the legal activity of Golden Leaf Tours d.o.o..
These persons shall have the right to withdraw their consent at any time and to request the cessation of further processing and retention of their data, except for the processing and retention of data according to the purposes and deadlines laid down by law.
The Collections shall also apply to all other external clients and business associates, as well as other third parties as referred to in point 5 of this Privacy Notice and the Regulations.
5. Data categories and collections:
Golden Leaf Tours d.o.o. shall as the Controller or the Processor process the following categories of personal data:
– employee’s personal information
– external clients’ personal information
– business partners’/associates’/third parties’ personal information.
Pursuant to the Regulations, Golden Leaf Tours d.o.o. shall establish and keep collections of personal data as well as records containing basic information about the collection.
Name of the data collection:
Collection of employees’ personal data
Collection of employees’ salaries and accounts
Collection of external clients
Collection of business associates and third parties
Data collections may be added, modified and deleted depending on business needs, in accordance with the Regulations.
6. Method of collecting and storing data
Golden Leaf Tours d.o.o. Management shall appoint persons responsible for the protection of personal data / officer / as well as a decision on persons, other than the employer, authorized to supervise, collect, process, use and submit personal data. The data of the aforementioned persons shall be available on the notice board and on the website of Golden Leaf Tours d.o.o..
Prior to collecting any personal data, Golden Leaf Tours d.o.o. employees shall inform the data subject on the identity of the Controller or the Processor, the purpose of the processing and the legal basis for the processing.
Personal data shall be collected directly from the data subject either verbally or in writing, as well as in other legitimate ways.
In order to avoid unauthorized access to personal data, data in a written form (Personal Data Collections) are stored in registers, in locked rooms or cabinets with restricted accesses, and data on computers is protected by assigning individual username and password known to employee who process this data and are for further security and confidentiality stored on a server that is protected by adequate IT and technical protection.
Destruction of personal documentation shall be carried out with special care (cutting, shredding, etc.).
7. The time period for storage and use of data
Keeping of employees’ records / collections shall begin on the day of employment, and ceases on the day of termination of employment. Employee data is a documentation of enduring value that is kept on the basis of legal regulations, including special rules for keeping archives and records with document retention deadlines.
The records/collections of other external clients and business associates, as well as third parties, shall be kept from the moment the contractual or other business relationship is established and cease to be kept upon the completion of the purpose for which the data was collected, , agreement expiration between the parties hereto or its termination i.e or upon the specific written requests of the aforementioned persons. The data on the aforementioned persons under this paragraph which present a documentation of enduring value that is kept on the basis of legal regulations, shall be kept in accordance with special legal regulations, including on the basis of special rules for keeping archives and records with document retention deadlines.
8. Providing personal data to other users
Personal data contained in the Collections shall be submitted to other users if necessary for the purpose of performing business within the framework of legal regulations, consents, contractual or other business relationships in accordance with the legally established activity of Golden Leaf Tours d.o.o. and other users, all in accordance with the Regulations, Golden Leaf Tours d.o.o. Data Protection Policy, this Privacy Notice, and other acts of Golden Leaf Tours d.o.o..
A special record on personal data submitted to other users, on other users and the purpose for which the data is collected shall be kept.
9. Personal Data Protection Measures
Golden Leaf Tours d.o.o. shall, as the Controller or the Processor process personal data in a manner guaranteeing the security of personal data, protecting it from unauthorized access, illegal processing, accidental loss, destruction or damage.
Golden Leaf Tours d.o.o. shall carry out all the above mentioned according to organizational and technical measures.
Golden Leaf Tours d.o.o. shall, as the Controller or the Processor, carry out the following IT, organizational and technical measures regarding:
– the protection of the system against internal and external risks
– the protection against unauthorised access
– the protection of data in physical form
– minimization of processing, pseudonymization
– provision of rules – data protection policy
– the data owner’s responsibility
– periodical training of staff.
Golden Leaf Tours d.o.o. staff that process personal data shall comply with the technical and organizational data protection measures necessary to protect personal data in accordance with the provisions of the Regulations, Golden Leaf Tours d.o.o. Data Protection Policy, this Privacy Notice and other acts of Golden Leaf Tours d.o.o.
10. Obligations of the Controller or the Processor:
Golden Leaf Tours d.o.o. as the Controller or as the Processor, shall within 30 days of the submission of the request at the latest, to each data subject at their request, or the request of their legal representatives or proxies:
– issue copies of their personal data processed, without charging the costs for the first copy (compliance with the principle of fairness and transparency and the right of the data subject to access data),
– correct inaccurate personal data pertaining to the data subject (compliance with the principle of timeliness and accuracy and with the right of the data subject to rectify their data)
– delete personal information in one of the above mentioned cases (compliance with the principle of storage limitation and the right of the data subject to have their data erased (right to be forgotten))
– delete the personal data of the data subject from the internet and any links containing these personal data, copy or reconstruction (compliance with the principle of storage limitation and the right of the data subject to the limitation of processing)
– restrict processing of personal information in one of the above mentioned cases (compliance with the principle of storage limitation and the right of the data subject to limitation of processing)
– transfer the data subject’s personal data to the other Controller in a structured, machine-readable form (USB, CD, e-mail), if the data subject requests it after the termination of the contract with the Controller (compliance with the right of the data subject to data transfer)
– warn or facilitate the submission of complaint by the data subject, if the data subject (potential buyer) is first contacted for the purpose of offering products or services for direct marketing purposes, the data is processed on the basis of legitimate interest (compliance with the principle of transparency and the right of the data subject to the complaint)
– authorize the person in charge of receiving the requests of the data subjects and managing the request resolution process (if a personal data protection officer has not been appointed)
– provide a method for the data subject to object the decision of the Controller based on the profile and implement the protective measures specified.
11. Rights of the data subject:
– the right to be informed – the data subject has the right to know which data will be collected, why, who will collect the data, for what purpose and where will the data be transferred,
– the right to access – the data subject may request to see which information about the data subject is available to the Controller,
– the right to correction – the data subject may request the correction of data in case they consider the data incorrect,
– the right to erasure – the data subject may request the erasure of data if it is no longer required, except where there is a legal basis for refusing to delete the data,
– the right to restriction of processing – the data subject has the right to request the pause of data processing if there are reasons to do so,
– the right to portability of (a part of) the data – the data subject has the right to request from the Controller to submit their personal data on the portable medium in order to transfer them to the other Controller,
– the right to object – the data subject has the right to stop data processing,
– the right for the automated individual decision-making, including profiling, not be applied to the data subject.
The data subject will be informed of any processing of personal data as to how personal data relating to them are collected, used, disclosed or otherwise processed and to the extent to which these personal data are processed or will be processed.
Any information and communication related to the processing of personal data shall be easily accessible and understandable to the data subject as it shall provide information written in a clear and simple language.
The data subject shall be acquainted with the identity of the Controller and the purpose of processing on the web site or in the premises of the head office / business premises of the Controller.
Golden Leaf Tours d.o.o. shall inform the data subject of the risks, rules, protective measures and rights relating to the processing of personal data and the manner in which they may exercises the rights in relation to the processing of the data through the web site or in the premises of the head office / business premises in which they perform their the activity.
For all information regarding the Regulation the data subject can contact Golden Leaf Tours d.o.o. appointed Data Protection Officer Mr. Maksimilijan Sprung. Email: [email protected]
12. The Legal Value of the Privacy Notice
This Privacy Notice is a general act of Golden Leaf Tours d.o.o., with all documents necessary for compliance of processing of personal data with respect to the entire business process, as well as relations with other Controllers, Processors and technical services (whether internal or external), being an integral part of this Declaration.
Place and date:
Split, 1 May 2019