Kompas d.o.o. pays particular attention to personal data protection, in accordance with the best business practices and applicable Croatian and European regulations, including the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016).
The purpose of this policy is to provide all interested parties with all the necessary information on the method of processing and protection of personal data and the rights that data subjects have in regard to personal data processing.
The controller is Kompas d.o.o. with its seat in Dubrovnik, Dr. Ante Starčevića 45, PIN: 13785319050. We have a Personal Data Protection Officer who can be contacted by e-mail: email@example.com or at the following address: Personal Data Protection Officer, Kompas d.o.o., Mate Vlašića 20, Poreč.
The policy applies to all clients’ personal data processed by Kompas d.o.o. as well as data processed by Kompas’ partners on behalf of Kompas.
The data subject is an individual whose identity has been identified or can be identified, and whose personal data is processed; an individual whose identity can be established is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location information, network identifier or with the help of one or more factors that are specific for the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Personal data is any data relating to an individual whose identity has been established or can be established.
Data processing means any procedure or set of procedures performed on personal data or on sets of personal data.
We process your personal data because certain legal regulations require us to do so, or because processing is necessary for the performance of the contract, or to take action before the contract is concluded, or to protect the key interests of the data subject or another natural person, or on the basis of our legitimate interests, except when the interests or fundamental rights and freedoms of individuals who require personal data protection are greater than our interests. If personal data cannot be processed on the legal basis prescribed by binding regulations, we shall request your consent. If the data is processed for another purpose, before processing, we shall provide you with information about this other purpose and any other relevant information.
We process the data in accordance with applicable regulations relating to the processing of personal data and in accordance with the best business practice of data protection.
The principle of transparency is manifested in the fact that we inform data subjects how personal data relating to them are collected, used, consulted or otherwise processed, as well as the extent to which the personal data are processed or shall be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
We take every reasonably justified step to ensure that inaccurate personal data are rectified or deleted. We process personal data in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.
We process the collected data only in accordance with the purpose for which this data was collected.
We collect and process only those data that are necessary to achieve the purpose of processing.
We process and retain the data only for as long as it is necessary to fulfill the purpose for which the data were collected or as required by applicable regulations.
We keep certain personal data for a time period prescribed by the law or any regulation obliging us to keep the data.
In addition, data retention periods depend on our clients' interest in being contacted using their contact details, which are also personal data of the data subject.
As a rule, we retain the personal data for six years from the date of execution of the service, unless otherwise stipulated in the legal regulations. If we process the data based on the subject’s consent, we retain the data until the subject withdraws such consent.
The data from the video surveillance system are regularly erased and are retained for a maximum of six months, except when they are necessary to conduct the proceedings before the competent authorities.
We pay particular attention to the accuracy of the collected data. The data subject has at any time the right to inspect data and rectify his/her data.
We take every reasonable measure to ensure that personal data that are not accurate are rectified without delay.
We pay the utmost attention to personal data security. In doing so, we are supported by a quality management system certified by ISO 9001 certification and internal security procedures.
In accordance with the General Data Protection Regulation, the data subject has the following rights:
The data subject has the right to obtain confirmation whether we are processing his/her personal data and, where that is the case, has the right to access the personal data and the following information: on the purposes of the processing, on the categories of personal data we process, on the recipients or categories of recipients of the data we process, on the envisaged period for which the personal data shall be stored or the criteria used to determine that period, on the right to request rectification, erasure or restriction of processing of personal data, or to object to such processing, on the right to lodge a complaint with a supervisory authority, information on the source of data if they are not collected from the data subjects, information on the system for automated decision-making, including profiling, on the safeguards if the personal data are transferred to a third country.
Kompas d.o.o. provides a copy of the personal data undergoing processing. For any further copies requested by the data subject, Kompas d.o.o. may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. Your right to obtain a copy is exercised to the extent in which it shall not adversely affect the rights and freedoms of others.
The data subject has the right to obtain the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.
The data subject has the right to obtain the erasure of personal data concerning him or her, where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- the data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing,
- the data subject has objected to the processing, especially if the data subject is a child,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation in the Union or in the Republic of Croatia,
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims,
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from Kompas.
The data subject has the right to object, at any time, to processing of personal data concerning him or her.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing, in which case we shall no longer use the data for that purpose.
When making a reservation or a quote, we request from the data subject the personal data necessary for the reservation or the quote.
The data subject may leave his/her data personally, or another person may do it instead of the data subject, or the data subject may communicate the data by telephone or email.
Data subject’s consent means any voluntary, special, informed and unambiguous expression of the data subject’s wishes by which he/she gives consent for the processing of personal data concerning him/her with a statement or a clear acknowledgment action.
Without the data subject’s consent we shall never use his/her personal data for any purposes for which consent is required by the applicable regulations.
The data subject has the right at any time to withdraw the consent, in a manner described above. Such withdrawal shall not affect the legitimacy of the consent-based processing prior to the withdrawal.
If you have any questions about the consent withdrawal process, feel free to contact Kompas via email: firstname.lastname@example.org or at Izidora Kršnjavoga 1, Hotel Westin, Zagreb.
The data we collect are, for example, name and surname, the date of birth of the child for the purpose of obtaining a discount, phone number and email address for contact, location, gender, citizenship, number of passport or another appropriate personal document where necessary due to legal obligations (for example when crossing a border), credit card number or data on another means of payment.
Due to the nature of travel services, there may be a need for processing specially protected categories of personal data revealing, for example, religious or philosophical beliefs, and data relating to the health of the data subject, solely for the purpose of executing the contract between Kompas and the data subject or performing activities prior to the conclusion of the contract. It shall be considered that the data subject who gave Kompas the data from a special category of personal data thereby expressed his consent in processing such data.
Special categories can also be processed when:
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized,
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,
- processing relates to personal data which are manifestly made public by the data subject,
- processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity,
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject,
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
We process the data subject’s data to comply with the legal regulations, to fulfill the rights and obligations from contractual relations, for our legitimate interests and other legal bases. This may include, for example, keeping the data of the data subjects in order to best respond to clients’ complaints, using client data to prevent, detect and process misuse at the expense of the client or Kompas, ensuring the security of employees, clients, products and services of Kompas, creating services and offers tailored to the needs and wishes of clients, providing top-level user experience, personalized customer support, market research and analysis by conducting surveys, optimizing sales channels etc.
Telephone conversations between data subjects and Kompas employees may be recorded and further used for the purpose of improving the quality of the work of Kompas employees, solving possible client complaints as well as for security purposes, of which the data subject shall be notified prior to the start of the conversation. The legal basis for the processing of data for this purpose is the legitimate interest of Kompas, unless the interests or fundamental rights and freedoms which require the protection of data subjects’ rights and/or the legal grounds for the protection of key interests of the data subject or another natural person are greater than our legitimate interest.
Pursuant to a written request based on applicable regulations, Kompas is obliged to provide or allow access to certain personal data of the data subject to the relevant state bodies (e.g. courts, police, tourist inspections etc.).
The legal basis for processing data for these purposes is fulfilling the legal obligations of Kompas.
If a judicial, administrative or out-of-court proceeding has been initiated, personal data may be stored until the end of such proceedings, including a possible period for stating legal remedies.
We shall process the collected data only as long as necessary for the above purposes, or until you withdraw your consent.
Kompas shall keep certain personal data for a time period prescribed by the law or a regulation binding Kompas to data retention.
We forward the data to third parties in the following cases:
We forward the data to third parties whenever necessary to provide the data subject with the agreed service or required information. This includes, for example, sending the data of data subjects to a hotel or a carrier located within the Republic of Croatia, within the EU or outside the EU, whenever it is necessary to carry out a service or draw up a quote for a service.
We forward the data to third parties if it is necessary for the purpose for which the data subject has given his/her explicit consent.
If we engage subcontractors as processors for performing certain tasks, in such cases we forward the personal data to the subcontractor. In doing so we use only the subcontractors from the EU, and these subcontractors work exclusively at the order of Kompas and as per contract concluded with Kompas, which ensures data protection measures as if the data were processed by Kompas.
The consultants with whom we cooperate in maintaining our business systems can have access to the personal data of the data subjects. It is possible we share personal data with our trusted partners who provide us with e.g. IT support, who operate outside Kompas. We have a relationship based on trust with these support providers and have committed them to adequate protection of the personal data of the data subjects.
In order to protect our clients’ personal data, we use the best business practices in the fields of tourism and information and communication technologies. We continuously adjust our internal processes to achieve the optimal level of personal data protection. We use different organizational measures and technical means to protect the data of data subjects from unauthorized access, change, loss, theft or other misuse of data.
Persons who understand the need for data protection and security and are subject to confidentiality obligations have access to the data.
A data subject can exercise his/her rights under the General Data Protection Regulation by submitting a request to the following email address: email@example.com or address: Personal Data Protection Officer, Kompas d.o.o., Mate Vlašića 20, Poreč.
If a client suspects a violation of his/her personal data, he/she may send a complaint to the email address: firstname.lastname@example.org or address: Personal Data Protection Officer, Kompas d.o.o., Mate Vlašića 20, Poreč.
If you believe your rights have been violated, you have the right to file a complaint to the Croatian Personal Data Protection Agency.
The policy comes into force and begins to apply on the day of its publication and is available on the Kompas website and in Kompas offices. Data subjects shall be timely informed of possible amendments to the Policy, including through publication on the website. A data subject has the right to data portability, data erasure and restriction of personal data processing no later than the date of application of the General Data Protection Regulation, i.e. from 25 May 2018.
Credit card payment safety
Buyer’s personal information confidentiality is protected and ensured via SSL encryption.
Pages for internet payments are protected via the Secure Sockets Layer (SSL) protocol with 128-bit data encryption (SSL encryption is a data encryption process used to prevent unauthorized access to data during data transfer).
The aforementioned protection ensures safe data transfer and prevents unauthorized access to data during communication between the Buyer’s PC and the WSPay payment gateway service, and vice versa.
The aforementioned service and financial institutions (credit card issuers) exchange data via virtual private network (VPN) that is protected against unauthorized access. Credit card numbers are not stored and are not available to unauthorized persons.
CorvusPay™ payment gateway
While conducting payments on our web shop you are using CorvusPay – an advanced system for secure acceptance of credit cards on the Internet.
CorvusPay system ensures complete privacy of your credit card data and personal data from the moment you type them into the CorvusPay payment form. Data required for billing is forwarded encrypted from your web browser to the bank that issued your payment card. Our store never comes into contact with your sensitive payment card data. Similarly, CorvusPay operators cannot access your complete cardholder data. An isolated system core independently transmits and manages sensitive data while at the same time keeping it completely safe.
The form for entering payment data is secured by an SSL transmission cipher of the greatest reliability. All stored data is additionally protected by high-grade encryption, using hardware devices certified to the FIPS 140-2 Level 3 standard. CorvusPay fulfills all of the requirements for safe online payment prescribed by the leading credit card brands, operating in compliance with the PCI DSS Level 1 standard – the highest security standard of the payment card industry. Payments made by cards enrolled with the 3-D Secure program are further authenticated by the issuing bank, confirming your identity through the use of a token or a password.
All information collected by CorvusPay is considered a secret and treated accordingly. The information is used exclusively for the purposes for which it was intended. Your sensitive data is fully secure and its privacy is guaranteed by state-of-the-art safeguard mechanisms. We collect only the data necessary for performing the work in accordance with the demanding prescribed procedures for online payment.
Security controls and operating procedures applied within the CorvusPay infrastructure not only ensure current reliability of CorvusPay but permanently maintain and enhance the security levels of protecting your credit card information by maintaining strict access controls, regular security and in-depth system checks for preventing network vulnerabilities.