Pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and other related regulations (hereinafter: Regulations), the Company Grand Tour d.o.o. adopts the following:
GRAND TOUR d.o.o., a company established under Croatian law, based in Split, Majstora Jurja 9, OIB: 72135626612 (hereinafter: Grand Tour), shall be obliged to comply with and enforce the Regulations, as follows:
- The basic terms of the Regulations:
- Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes, conditions and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- Processing – means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, synchronization or combination, restriction, erasure or destruction;
- Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Third Party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- Recipient – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- Principles relating to processing of personal data:
Grand Tour, as a Controller or a Processor of personal data, shall be obliged to adjust its technical and organizational processes in order to handle personal data with special care, collecting, storing and processing personal data according to the following principles:
- lawfulness, fairness and transparency of processing: the processing shall be performed in accordance with a certain legal basis, and the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes; the controller shall provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed; furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling;
- purpose limitation: the data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; however, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be allowed;
- data minimisation: the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- data are accurate and up-to-date: the data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- storage limitation: the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate protection measures provided for in the Regulation;
- integrity and confidentiality: meaning that the data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- accountability: the controller shall be responsible for, and be able to demonstrate compliance with the principles.
Grand Tour procedures in accordance with this Privacy Notice shall apply to all natural and legal persons who disclose or make available any kind of personal data to us (employees, external clients, business associates and any other third party).
- Lawfulness of processing and legal basis:
Grand Tour, as Controller or Processor, shall lawfully process personal data on the following basis:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party
- for the purpose of a legal obligation to which the controller is subject
- protection of the vital interests of the data subject or of another natural person
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- for the purposes of the legitimate interests pursued by the controller or by a third party.
The legal basis for the processing of data shall be determined in accordance with the Union law or the law of the Member States to which Grand Tour is subject.
- The purpose of the processing:
Personal data shall be collected for the purpose of meeting the legal obligations of Grand Tour and fulfilling the operation of the business in accordance with the company’s valid registration.
Data shall be collected for the use and management of human resources, including monitoring the quality of professional work, exercising the rights and obligations arising from employment, as well as rights and obligations based on travel agency services and other official or business purposes.
The data collected shall be appropriate and relevant and only in the amount necessary to achieve the purpose of processing personal data.
- Category of persons to whom the data relate
Data collections relate primarily to all persons who have entered into employment contracts directly with Grand Tour as an employer (fixed-term employment contract, permanent work contract, service contract, etc.), as well as all persons who, as clients, are using the services of Grand Tour.
With prior consent, personal data may be collected, processed and further used for all clients who are using travel services of Grand Tour or any other services relating to the legal activity of Grand Tour.
These persons shall have the right to withdraw their consent at any time and to request the cessation of further processing and retention of their data, except for the processing and retention of data according to the purposes and deadlines laid down by law.
The Collections shall also apply to all other external clients and business associates, as well as other third parties as referred to in point 5 of this Privacy Notice and the Regulations.
- Data categories and collections:
Grand Tour shall, as the Controller or the Processor, process the following categories of personal data:
- employee’s personal information
- external clients’ personal information
- business partners’/associates’/third parties’ personal information.
Pursuant to the Regulations, Grand Tour shall establish and keep collections of personal data as well as records containing basic information about the collection.
Name of the data collection:
Collection of employees’ personal data
Collection of employees’ salaries and accounts
Collection of external clients
Collection of business associates and third parties
Data collections may be added, modified and deleted depending on business needs, in accordance with the Regulations.
- Method of collecting and storing data
Grand Tour Management shall appoint persons responsible for the protection of personal data (officer) and shall adopt a decision on persons, other than the employer, authorized to supervise, collect, process, use and submit personal data. The data of the aforementioned persons shall be available on the notice board and on the website of Grand Tour.
Prior to collecting any personal data, Grand Tour employees shall inform the data subject on the identity of the Controller or the Processor, the purpose of the processing and the legal basis for the processing.
Personal data shall be collected directly from the data subject either verbally or in writing, as well as in other legitimate ways.
In order to avoid unauthorized access to personal data, data in written form (Personal Data Collections) are stored in registers, in locked rooms or cabinets with restricted access, and data on computers is protected by assigning an individual username and password known to the employees who process this data and, for further security and confidentiality, is stored on a server that is protected by adequate IT and technical protection.
Destruction of personal documentation shall be carried out with special care (cutting, shredding, etc.).
- The time period for storage and use of data
Keeping of employees’ records / collections shall begin on the day of employment and shall cease on the day of termination of employment. Employee data is documentation of enduring value that is kept on the basis of legal regulations, including special rules for keeping archives and records with document retention deadlines.
The records/collections of other external clients and business associates, as well as third parties, shall be kept from the moment the contractual or other business relationship is established and shall cease to be kept upon the completion of the purpose for which the data was collected, upon the expiration of the agreement between the parties hereto or its termination, or upon the specific written requests of the aforementioned persons. The data on the aforementioned persons under this paragraph which constitute documentation of enduring value that is kept on the basis of legal regulations shall be kept in accordance with special legal regulations, including on the basis of special rules for keeping archives and records with document retention deadlines.
- Providing personal data to other users
Personal data contained in the Collections shall be submitted to other users if necessary for the purpose of performing business within the framework of legal regulations, consents, contractual or other business relationships in accordance with the legally established activity of Grand Tour and other users, all in accordance with the Regulations, Grand Tour Data Protection Policy, this Privacy Notice, and other acts of Grand Tour.
A special record shall be kept of personal data submitted to other users, of those other users, and of the purpose for which the data is collected.
- Personal Data Protection Measures
Grand Tour shall, as the Controller or the Processor, process personal data in a manner guaranteeing the security of personal data, protecting it from unauthorized access, illegal processing, accidental loss, destruction or damage.
Grand Tour shall carry out all of the above by means of organizational and technical measures.
Grand Tour shall, as the Controller or the Processor, carry out the following IT, organizational and technical measures regarding:
- the protection of the system against internal and external risks
- the protection against unauthorised access
- the protection of data in physical form
- minimization of processing, pseudonymization
- provision of rules – data protection policy
- the data owner’s responsibility
- periodical training of staff.
Grand Tour staff that process personal data shall comply with the technical and organizational data protection measures necessary to protect personal data in accordance with the provisions of the Regulations, Grand Tour Data Protection Policy, this Privacy Notice and other acts of Grand Tour.
- Obligations of the Controller or the Processor:
Grand Tour, as the Controller or as the Processor, shall, within 30 days of the submission of the request at the latest, for each data subject at their request, or at the request of their legal representatives or proxies:
- issue copies of their personal data processed, without charging the costs for the first copy (compliance with the principle of fairness and transparency and the right of the data subject to access data),
- correct inaccurate personal data pertaining to the data subject (compliance with the principle of timeliness and accuracy and with the right of the data subject to rectify their data)
- delete personal information in one of the above mentioned cases (compliance with the principle of storage limitation and the right of the data subject to have their data erased (right to be forgotten))
- delete the personal data of the data subject from the internet and any links containing these personal data, or any copy or reconstruction thereof (compliance with the principle of storage limitation and the right of the data subject to the limitation of processing)
- restrict processing of personal information in one of the above mentioned cases (compliance with the principle of storage limitation and the right of the data subject to limitation of processing)
- transfer the data subject’s personal data to the other Controller in a structured, machine-readable form (USB, CD, e-mail), if the data subject requests it after the termination of the contract with the Controller (compliance with the right of the data subject to data transfer)
- warn or facilitate the submission of a complaint by the data subject, if the data subject (potential buyer) is first contacted for the purpose of offering products or services for direct marketing purposes and the data is processed on the basis of legitimate interest (compliance with the principle of transparency and the right of the data subject to the complaint)
- authorize the person in charge of receiving the requests of the data subjects and managing the request resolution process (if a personal data protection officer has not been appointed)
- provide a method for the data subject to object to the decision of the Controller based on the profile and implement the protective measures specified.
- Rights of the data subject:
- the right to be informed – the data subject has the right to know which data will be collected, why, who will collect the data, for what purpose and where the data will be transferred,
- the right to access – the data subject may request to see which information about the data subject is available to the Controller,
- the right to correction – the data subject may request the correction of data in case they consider the data incorrect,
- the right to erasure – the data subject may request the erasure of data if it is no longer required, except where there is a legal basis for refusing to delete the data,
- the right to restriction of processing – the data subject has the right to request the pause of data processing if there are reasons to do so,
- the right to portability of (a part of) the data – the data subject has the right to request that the Controller provide their personal data on a portable medium in order to transfer them to the other Controller,
- the right to object – the data subject has the right to stop data processing,
- the right not to be subject to automated individual decision-making, including profiling.
The data subject will be informed of any processing of personal data as to how personal data relating to them are collected, used, disclosed or otherwise processed and to the extent to which these personal data are processed or will be processed.
Any information and communication related to the processing of personal data shall be easily accessible and understandable to the data subject and shall be written in clear and simple language.
The data subject shall be acquainted with the identity of the Controller and the purpose of processing on the web site or in the premises of the head office / business premises of the Controller.
Grand Tour shall inform the data subject of the risks, rules, protective measures and rights relating to the processing of personal data and the manner in which they may exercise the rights in relation to the processing of the data through the web site or in the premises of the head office / business premises in which they perform their activity.
- The Legal Value of the Privacy Notice
This Privacy Notice is a general act of Grand Tour, with all documents necessary for compliance of processing of personal data with respect to the entire business process, as well as relations with other Controllers, Processors and technical services (whether internal or external), being an integral part of this Declaration.