GENERAL INFORMATION ON THE PROCESSING OF PERSONAL DATA, RESPONDENTS’ RIGHTS AND THE MANNER OF EXERCISING THE RESPONDENTS’ RIGHTS

Based on Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the Regulation) and the Act on the Implementation of the General Data Protection Regulation (OG 42/2018, hereinafter referred to as the Act), Autobusni Kolodvor d.o.o. has adopted guidelines for establishing compliance with the Regulation in the form of a Personal Data Management System Policy.

The Regulation establishes rules related to the protection of the Respondent (natural person) with regard to the processing of personal data and rules related to the free movement of personal data, protecting the fundamental rights and freedoms of the Respondent, in particular their right to the protection of personal data.

Data controller and contact details of the Data Protection Officer:

Processing manager: Autobusni Kolodvor Split d.o.o. Obala Kneza Domagoja 12 21 000 Split Tel.: +385 (021) 329-180 E-mail: [email protected]

Data Protection Officer: Autobusni Kolodvor Split d.o.o.. Obala Kneza Domagoja 12 21 000 Split Tel.: +385 (021) 329-180 E-mail: [email protected]

 

We process the personal data of the Respondent lawfully, fairly and transparently, for specific, explicit and legitimate purposes, taking care to process only those data that are necessary in relation to the purpose of the processing, the accuracy of such data and their storage period. We process this data in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by applying appropriate technical or organizational measures.

RIGHTS OF THE RESPONDENT, MANNER OF EXERCISING RIGHTS, STORAGE PERIOD OF SUBMITTED REQUESTS OR OBJECTIONS

1.Right to access their personal data: The respondent has the right to obtain confirmation as to whether personal data relating to them are being processed and, if such personal data are being processed, access to personal data and the following information: the purpose of the processing, the type/category of personal data processed, including access to their data, the recipients or categories of recipients and the envisaged storage period.

2. Right to rectification: The respondent has the right to request rectification or completion of their personal data if the data is not accurate, complete and up-to-date.

3. Right to erasure (right to be forgotten): The data subject has the right to request the erasure of their personal data if one of the following conditions is met: Right to restriction of processing:

• the personal data of the data subject are no longer necessary in relation to the purposes for which they were collected or processed;
• the data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
• the data subject has objected to the processing of their personal data and the controller has no overriding legitimate grounds for the processing;
• the data subject’s personal data have been unlawfully processed;
• the data subject’s personal data must be erased for compliance with a legal obligation under Union law or the law of a country to which the controller is subject;
• the data subject’s personal data were collected in connection with the provision of information society services.

The data subject’s personal data will not be erased in the following cases:

• for the exercise of the right to freedom of expression and information;
• for compliance with a legal obligation under Union or Member State law to which the controller is subject to, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of ​​public health pursuant to Article 9(2)(h) and (i) of the Regulation and Article 9(3) of the Regulation;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation to the extent that the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of such processing;
• for the establishment, exercise or defence of legal claims.

4. The data subject shall have the right to obtain restriction of processing if: he contests their accuracy, if the processing is unlawful and opposes their erasure, if the data must be stored for the establishment or defence of legal claims, if he has objected to the processing of his personal data.

5. Right to data portability: The data subject has the right to receive his/her personal data, which he/she has previously provided to the controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller.

to the controller without hindrance from the controller to whom the personal data have been provided, if the processing is carried out by automated means and is based on consent or a contract.

6. Right to object: The data subject has the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data concerning him or her:

• where the lawfulness of the processing is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or where the processing is based on the legitimate interests pursued by the controller or by a third party, including profiling based on those legitimate interests. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
• where the personal data of the data subject are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. In such a case, the personal data shall no longer be processed for such purposes.

7. Automated decisions: The data subject has the right to object to automated individual decisions, including profiling, or the data subject has the right not to be subject to a decision based solely on automated processing, including profiling without any human intervention.

The data subject has the right to subsequently, at any time, withdraw the previously given consent to the processing of his or her personal data for one or more purposes, with the note that the withdrawal of consent does not affect the lawfulness of the processing that was based on consent before it was withdrawn. By validly withdrawing consent, the controller will cease further processing and delete the personal data of the Respondent that were based on consent, assuming that there is no other purpose and lawfulness of the processing that justifies the further retention of such data.

The Respondent exercises his rights by submitting a request or complaint: in writing or by personally delivering it to the address Autobusni Kolodvor Splt d.o.o., Obala Kneza Domagoja 12, 21 000 Split, Data Protection Officer, with the indication on the envelope “Personal data” or electronically to the e-mail address: [email protected]

The submission and fulfillment of a request or complaint is not subject to payment of a fee.

The controller may request the provision of additional information from the Respondent who submits a request or complaint, which may include data to confirm the identity of the Respondent, such as a copy of an official identification document (ID card, passport or driver’s license). In the event that the Respondent provides a copy of an official identification document, the copy should clearly contain: name and surname, personal identification number (OIB) or for foreign citizens, national ID number, place of residence (street and number and city), document number and date of validity of the document. All other data contained in the copy of the identification document, such as date of birth, photograph, etc., should be appropriately protected (blacked out). The processing of data from the copy of the official identification document is strictly limited by the controller and will be used only for the purpose of confirming the identity of the Respondent in order to prevent fraud (e.g. false identity, misuse of personal data, etc.) and the same data will not be stored longer than necessary for that purpose.

In the event that the identity of the Respondent cannot be established, the controller has the right to refuse to act on the request or complaint, as well as in the event that they are clearly unfounded or excessive, especially due to their frequency.

The Controller shall respond to the Data Subject within one month of receipt of a valid request or complaint, noting that this period may, if necessary, be extended by an additional two months, taking into account the complexity and number of such requests. The Controller shall inform the Data Subject of any such extension within one month of receipt of a valid request or complaint, together with the reasons for the delay in providing a response.

For submitting appropriate requests regarding the Data Subject’s rights, submitting a complaint or any information in the field of personal data protection, the Data Subject has at his disposal a Data Protection Officer who can be contacted at the contact details provided above.

If the Respondent believes that any of his/her guaranteed rights under the Regulation and the Act have been violated, he/she has the right to file a complaint, or a request for the determination of a violation of rights, with the supervisory authority, the Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, e-mail: [email protected]

It is suggested that the Respondent, before submitting a request for the determination of a violation of rights to the AZOP, contact the Data Protection Officer to clarify the disputed issues.

The storage period of the Respondent’s personal data in connection with the request or complaint is 1 year from the end of the year in which they were validly submitted, with the note that even after the storage period.

 

Statement on the protection and collection of personal data and their use

 

Autobusni Kolodvor Split d.o.o. is committed to providing protection to customers’ personal data, by collecting only the necessary, basic data about customers/users that are necessary to fulfill our obligations; informs customers about the use of the collected data, regularly gives customers the opportunity to choose how their data is used, including the option to decide whether or not they want their name to be removed from lists used for marketing campaigns. All user data is strictly kept and is only available to employees who need this data to perform their job. All employees of Autobusni Kolodvor Split d.o.o. and business partners are responsible for respecting the principles of privacy protection.

 

Statement on the use of Monri WSPay

Autobusni Kolodvor Split d.o.o uses Monri WSPay for online payments.

Monri WSPay is a secure system for online payments, real-time payments, credit and debit cards and other payment methods. Monri WSPay provides both the buyer and the merchant with secure entry and transmission of entered card data, which is confirmed by the PCI DSS certificate that Monri WSPay holds. Monri WSPay uses a 256-bit SSL certificate and the TLS 1.2 cryptographic protocol as the highest levels of protection for entry and transmission of data.