PERSONAL DATA PRIVACY POLICY
INTRODUCTION
The company Aurantiaca Nova d.o.o, established at Vukovarska 10A, Rijeka 51000, VAT No. 51308452712 (hereafter referred to as Experience Istria), needs to collect and use certain personal data to run it's business.
This policy has been written and implemented to assure that Experience Istria operates in accordance with its legal, organizational and technical obligations regarding the protection of personal data.
All Experience Istria's employees are fully informed of the contents of this Policy. They assure its application when handling and processing personal data. The employees whose tasks include handling and processing personal data have been properly trained on their duties regarding protection of personal data.
This Policy applies to all personal data stored by Experience Istria, relating to any natural person, regardless of his/her relation to the business, whether he/she is, was or might become a client, a supplier or a contact-person.
This Policy has been implemented to prevent potential damages to Experience Istria and its employees and subjects as well as to assure that processing of personal data be fully aligned with the applicable laws and other regulations.
DEFINITIONS
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction as well as any application of logical, mathematical and other operations on such data.
Experience Istria collects and processes personal data mostly for providing services within the scope of its business. That is why Experience Istria needs to collect and process certain categories of data about persons whom it has contact with (subjects). Experience Istria handles this personal information in appropriate manner, regardless of whether the data is obtained, recorded, stored and used in a paper copy, on a computer or any other media.
When a subject gives his/her data to Experience Istria, the subject consents that Experience Istria processes his/her personal data in accordance with the declared purpose. The subject’s data privacy is permanently protected. At any moment, the subject can exercise his/her rights, as listed and explained below.
Experience Istria gathers and processes the subject's personal data in accordance with the Law on the Protection of Personal Data (OJ 103/03, 118/06, 41/08, 130/11, 106/12), other applicable Croatian regulations, the European Directive 95/46/EC and the General Data Protection Regulation (GDPR), (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).
Experience Istria stores the collected data appropriately and assures it's confidentiality. Experience Istria shall not forward collected data to third parties without a subject’s consent, except when it may be needed to fulfill Experience Istria's legal obligations, when it is necessary to fulfill tasks of public interests or when the subject himself/herself has made this data publicly available and/or in other cases when it is imposed by applicable regulations.
Regarding a subject's personal data processed by Experience Istria, subjects have the following rights:
RIGHT TO INFORMATION
At any moment, the data subject has the right to demand information as to whether his/her personal data is being processed and for what purposes, who is the data controller, the contact information of the Data protection officer, which categories of personal data are being processed, who or what is the source of his/her personal data, who are recipients of his/her personal data and the right to information about his/her other rights listed in this Policy (right to access, right to rectification, right to deletion, right to restriction and other).
RIGHT TO ACCESS
Every data subject has the right to ask and obtain from Experience Istria a confirmation as to whether their personal data is being processed, obtain access to this data and to the information on: - the purposes of the processing; - the categories of personal data being processed; - the recipients or the categories of recipients to whom the personal data has been or will be disclosed; - where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from Experience Istria rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; - the right to lodge a complaint with a supervisory authority; - where the personal data is not collected from the data subject, any available information as to their source; - existence of an automated decision-making, including profiling and its consequences.
RIGHT TO RECTIFICATION
The data subject shall have the right to obtain from Experience Istria without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
RIGHT TO ERASURE / RIGHT TO BE FORGOTTEN
The data subject has the right to have his/her personal data erased and no longer processed where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, where a data subject has withdrawn his/her consent and there is no other legal basis for processing of these data, if the data has been unlawfully processed, if the data needs to be erased to comply with the applicable Union law or national regulation of the member state having jurisdiction over Experience Istria, or if the data has been collected in relation to the information society services.
This is not applied if the data processing is necessary (and to the necessary extent) in order to exercise the right of freedom of expression and information, for compliance with a legal obligation which requires processing by Union or Member State law to which the Experience Istria is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Experience Istria, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes, for the establishment, exercise or defence of legal claims.
THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
The data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of their personal data including profiling where the processing of the personal data is necessary for the performance of a task carried out in the public interest or in the exercise of legitimate Experience Istria's or third parties interest. Experience Istria shall no longer process the personal data unless Experience Istria demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of their personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
RIGHT TO DATA PORTABILITY
The data subject has the right to receive the personal data concerning him/her, which he/she has provided to Experience Istria, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from Experience Istria if data processing is based on his/her consent and the data is being automatically processed.
Where technically feasible and when it does not impair other people's rights and freedoms, the data subject has the right to have the personal data transmitted directly from Experience Istria to another.
RIGHTS PERTAINING TO AUTOMATED DECISION MAKING AND PROFILING
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her except if it is necessary for entering into, or performance of, a contract between the data subject and Experience Istria, when expressly authorized by Union or Member State law to which the Experience Istria is subject or it is based on the subject’s express consent.
RIGHT TO CONSENT WITHDRAWAL
The subject's consent is one of legal basis for processing the data concerning a data subject. The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
RIGHT TO RESTRICTION OF PROCESSING
The data subject has the right to demand restriction of processing of his/her personal data if he/she contests the accuracy of the personal data, for a period enabling Experience Istria to verify the accuracy of the personal data; if his/her data has been unlawfully processed and he/she does not demand deletion, but only restriction of processing; if Experience Istria does not need his/her data any more, but it needs to exercise or execute its legal claims. If the subject objected to processing of his/her personal data, the subject has the right to demand restriction of processing for the period needed to establish whether Experience Istria's data controller's legitimate grounds override his/her rights from his/her objection.
DATA PROTECTION OFFICER
To exercise his/her rights, the data subject should contact the Data Protection Officer, by sending a written notice or a request to Experience Istria's Data Protection Officer, by e-mail, using the e-mail address he/she obtained from Experience Istria, or by street mail to the address: Vukovarska 10/A, Rijeka 51001, or with advanced notice via phone, supported with a valid personal ID.
Experience Istria has designated its Data Protection Officer:
Tanya Schmitt
Phone No: +1 416 399 4110
E-mail: tanya@experienceistria.com
All inquiries regarding the protection of personal data should be addressed to the Data Protection Officer.
PRINCIPLES RELATING TO THE PROTECTION OF PERSONAL DATA
Experience Istria acknowledges the importance of lawful and proper handling of personal data, so it makes its best efforts to assure that personal data is treated lawfully and properly. With this in mind, Experience Istria fully accepts and complies with the principles of Data Protection.
The general data protection principles require that data:
-
is processed fairly and legally, especially that it must not be processed if legal requirements are not fulfilled;
-
is collected for one or a limited number of specified, legal purposes and should never be processed further or in a way that would be incompatible with these purposes
-
processing must be appropriate, relevant and should not exceed the purpose or the purposes for which data are being processed, and the data should be accurate and up to date;
-
should not be kept for longer than needed for the accepted purpose;
-
should be processed in respect of data subjects’ rights in accordance with the applicable regulations:
-
appropriate technical and organizational measures should be taken to protect the personal data from unauthorized and illegal processing, as well as accidental loss, destruction, or damage;
-
Should not be transferred to another country or a territory outside the EU unless that country or territory assure an adequate protection of the subject's rights and freedoms relating to the protection of personal data.
EXPERIENCE ISTRIA'S ACTIVITES REGARDING DATA PROTECTION
Experience Istria:
-
Fully respects the conditions of rightful and fair collection and processing of personal data;
-
Observes its obligation to specify the purpose for which the personal data are being processed;
-
Collects and processes appropriate personal data, only to the extent to which it is necessary to fulfill operational requirements and in accordance with all applicable legal requirements
-
Submits all necessary data to the Personal Data Protection Agency;
-
Strictly controls the duration of storage of personal data;
-
Takes all due care to enable the execution of the rights of the persons whose data are being processed
-
Undertakes all appropriate technical and organizational safety measures to protect personal data;
-
Ensures that personal data are not transferred to other countries without adequate protection;
-
Treats all people fairly and honestly whatever their age, confession, disabilities, gender, sexual preference or ethnic origin, when reacting to their requests concerning the right to information;
-
Establishes clear procedures to react to the requests based on the right to information
Experience Istria can publish, on their web site, the contents of the cookies used to advertise and produce statistics of web traffic based on interests and information from the web page visitors from social networks. If a data subject uses Experience Istria’s social network or application content, a cookie from these sites or application could be stored on a subject’s device used to access Experience Istria's web page. Visitors have the right to disable the cookies. Web browsers are usually set so that they accept cookies by default, but the data subjects can easily change this setting in their browsers. If a data subject wants to limit or block all cookies including Experience Istria's web sites and applications (which can be prevent the use of some parts of these web sites) or other web sites or applications, the subject can do it in his/her web browser settings.
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Experience Istria shall communicate the personal data breach to the data subject without undue delay unless Experience Istria has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, or unless Experience Istria has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize or if it would involve disproportionate effort. In this, latest case, Experience Istria will use public communication or a similar measure to assure that the data subjects be informed in an equally efficient way.