Kompas d.o.o. pays special attention to protecting the personal information of its clients, in accordance with best business practices and applicable Croatian and European regulations, including the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of the EU from 27 April 2016).
The purpose of this policy is to provide all interested parties with all the necessary information on the processing and protection of personal data and the rights that the clients have regarding the processing of personal data.
The policy applies to all personal information of the clients that Kompas d.o.o. collects and processes and the data collected and processed by Kompas' partners on behalf of and for the needs of Kompas.
A client is a person who has requested a service or a service offer from Kompas.
Personal data means any information relating to an individual whose identity has been confirmed or can be confirmed (Article 4 of the General Data Protection Regulation).
Data processing means any operation or set of operations which is performed on personal data or on sets of personal data (Article 4 of the General Data Protection Regulation).
PRINCIPLES FOR PROCESSING PERSONAL DATA
Lawful, fair and transparent processing
We process the data in accordance with applicable laws pertaining to the processing of personal data and in accordance with the best business practice of data protection.
Purpose limitation of processing
We process the collected data only in accordance with the purpose for which this data was collected.
We collect and process only the data necessary to achieve the purpose of processing.
Factual accuracy of data
We pay special attention to the accuracy of the data collected. The User has the right to inspect and correct his/her data at any time.
Time limitation for processing and storage of data
We process and store the data only for as long as is necessary to fulfil the purpose for which the data was collected or as required by the applicable regulations.
Security of personal data
We pay the utmost attention to personal data security. We constantly monitor and improve internal processes and use appropriate ICT measures to ensure the security and privacy of personal data.
RIGHTS OF CLIENTS
In accordance with the General Data Protection Regulation, the client has the following rights:
Right of data access
The Client is entitled to receive confirmation whether we are processing his/her personal data and, if we are, he/she is entitled to receive the following information: information about the purpose of processing, the category of personal data we are processing, the recipients or categories of recipients of the data we are processing, the predicted period in which the data will be stored or criteria for determining that period, the right to request correction, deletion and limitation of data processing, the right to lodge a complaint with the supervisory body, information about the source of data if not collected from the client, automated decision-making system information, such as making a profile, information about protective measures if the data is transferred to a third country.
Right to rectification and erasure
The client has the right to obtain rectification of inaccurate data.
The client has the right to obtain erasure of the data unless the data is necessary for the purpose for which they were collected or should be kept in accordance with the applicable legal regulations.
Kompas has an obligation to notify the client about the rectification or erasure of data made at the client's request.
Right to restriction of processing
The client has the right to obtain the data processing restriction, under the terms defined in the General Data Protection Regulation.
Kompas has an obligation to notify the client about the processing restriction made at the client's request.
Right to data portability
The client has the right to receive the information he/she has submitted to us in a structured, standard and machine-readable format, and to transfer it to another processing manager without restriction.
Right to object
The client has at all times the right to object to the processing of personal data.
The client has at all times the right to object to direct marketing, in which case the data will no longer be used for that purpose.
Automated decision making including profiling
The client has the right not to be the subject of the decisions based on automated processing, including profile creation.
PERSONAL DATA COLLECTION PROCEDURE
We collect our clients' data using the following procedures:
Data collection in branch offices
When making a reservation or an offer, we ask the user for the personal information required for the reservation or the offer.
The user can leave his or her data personally, or another person can do it in the user's name, or the user can contact us by phone or e-mail.
Data collection via web pages
When making a reservation or making a query for an offer on our web pages, we collect the information needed to make a reservation or an offer.
The client submits the information via the form on the web site.
Consent of the client
Consent of the client means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4 of the General Data Protection Regulation).
Without the client's consent, we will never use any of the client's personal information for any purpose that requires consent, according to the applicable regulations.
CATEGORIES OF PERSONAL DATA WE COLLECT
We only collect data that is necessary for the purpose of data collection and in accordance with applicable legal regulations.
The data we collect is: name and surname, date of birth of the children for the purpose of obtaining a discount, phone number and e-mail address for contact, location, gender, citizenship, passport number or of other appropriate personal document where necessary in order to enforce legal obligations (e.g. when crossing the border), credit card number or other payment method information.
Due to the nature of passenger services, there may be a need for processing specially protected categories of personal information that reveal, for example, religious or philosophical beliefs, trade union membership, and client's health-related data, solely for the purpose of executing a contract between Kompas and the client, or completing actions preceding the conclusion of the contract. It will be considered that the client who gave Kompas data from a special category of personal data explicitly expressed his or her compliance to processing such data.
PURPOSE OF PERSONAL DATA COLLECTION
We collect personal data for the following purposes:
For the performance of a contract or the implementation of pre-contractual measures
We collect personal information in order to service a client or in order to make an offer for a service to the client.
For informing the users about services and products
If the client has given his consent, we can use the client's data to familiarise the client with our services and products that may be of interest to him/her.
For internal use
Client's data is kept to protect the legitimate interests of the client or our legitimate interests, in accordance with applicable legal regulations. For example, this may include keeping client data in order to best respond to potential customer complaints, use of client data to prevent, detect and process misuse at the expense of the clients or Kompas, ensure employee, client, product and service safety, creation of services and offerings tailored to the needs and wishes of the clients, providing top-notch user experience, personalized customer support, market research and analysis, sales channel optimization, etc. Telephone conversations between users and employees of Kompas may be recorded and used further to improve the quality of work of Kompas employees, for the solving of client complaints, as well as for security purposes, of which the client will be notified before starting the conversation. The legal basis for the processing of data for these purposes is the legitimate interest of Kompas, unless such interests are overridden by interests or fundamental rights and freedoms that require the protection of client data and/or the legal basis for protecting the key interests of the client or other natural person. Exceptions are cases where the legal basis is consent.
For the fulfilment of legal obligations
Based on a written request set on applicable regulations, Kompas is obliged to provide or allow access to certain personal data of the client to the relevant state bodies (e.g. courts, police, tourist inspections, etc.).
The legal basis for processing the data for these purposes is to fulfil the legal obligations of Kompas.
DATA TRANSFER TO THIRD PARTIES
We transfer the clients' data to third parties in the following cases:
For the performance of a contract or the implementation of pre-contractual measures with the client
We transfer the data to a third party when it is necessary in order to provide the client with a contracted service or required information. This includes, for example, sending client data to a hotel or carrier when it is needed to perform a service or make an offer for the service.
When the user has given his/her consent
We transfer the data to a third party if it is necessary for the purpose for which the user has explicitly granted his/her consent.
When we hire subcontractors for certain jobs
If we hire subcontractors for the processing, we will transfer the personal data to the subcontractor. We use only subcontractors from the EU and these subcontractors work exclusively by Kompas's order and under contract with Kompas, which ensures data protection measures as if the data were processed by Kompas.
PROTECTION OF PERSONAL DATA
In order to protect personal information of our clients we use the best business practices in the field of tourism and information-communication technologies. We continually adjust our internal processes in order to achieve the optimal level of personal data protection. We use different organizational measures and technical means to protect the user's data from unauthorized access, change, loss, theft or other misuse of data.
The client can exercise his/her rights under the General Data Protection Regulation by submitting an application to the e-mail address firstname.lastname@example.org.
If the client suspects there is a violation of his/her personal data, he/she may submit a complaint to the e-mail address email@example.com.
The client may also submit a claim to the Personal Data Protection Agency.
AMENDMENTS, ADDITIONS AND TRANSITIONAL PROVISIONS OF THE POLICY
The policy enters into force and begins to apply on the day of its publication and is available on the internet sites and at the Kompas sales points. Customers will be promptly informed about possible changes to the Policy, including through the publication on the web site. The client shall have the right to transfer of personal data, deletion of data and limitation of personal data processing no later than the date of coming into force of the General Data Protection Regulation, i.e. from 25 May 2018.
Kompas Ltd. is obliged not to misuse your personal information contained in the order form. Personal information is considered to be all the data used for determining Buyer’s identity (such as first and last name, email address, home address etc.).
Kompas Ltd. will not deliver nor reveal Buyer’s personal information to third parties, apart from cases in which such actions are strictly mandated by the law in force and in cases when such actions are needed for fulfillment of obligations.
All Buyer’s information is strictly protected and is available only to those employees who need such information in order to perform their job. All employees and business partners of Kompas Ltd. are responsible for respecting privacy protection principles.
Kompas Ltd. is obliged to ensure the protection of Buyer’s personal information by collecting only basic information on the Buyer, i.e. only information needed for fulfillment of obligations.
Kompas Ltd. has the right to use information that is automatically recorded during each visit to the website, and is not considered as personal information (browser used, number of visits, time spent on the website etc.) for the sole purpose of making website visitation estimations and for website content and functionality enhancement.
Kompas Ltd. informs all Buyers regarding the usage of collected data and regularly offers its Buyers the choice when it comes to the usage of their information, including a possibility for a Buyer to decide whether he/she wants his/her name to be removed from the lists used in marketing campaigns.
In case of a change of any personal information (for example, home address, delivery address etc.) that was provided during the registration process, the Buyer is obliged to inform Kompas Ltd. about such changes. In case Kompas Ltd. was not informed of the changes mentioned above, Kompas Ltd. shall not be considered responsible or liable regarding any order, i.e. delivery, problems.
The aforementioned provisions regarding personal information protection refer only to the home web page of the alternativa-webshop.com web shop and to all pages inside the alternativa-webshop.com domain; they do not refer to exterior pages connected to the alternativa-webshop.com domain via links.
Apart from cases of electronic order, Kompas Ltd. shall not dispatch emails to the Buyer if he/she does not clearly agree to be contacted in that manner.
Credit card payment safety
Buyer’s personal information confidentiality is protected and ensured via SSL encryption.
Pages for internet payments are protected via the Secure Sockets Layer (SSL) protocol with 128-bit data encryption (SSL encryption is a data encryption process used for prevention of unauthorized access to data during data transfer).
The aforementioned protection ensures safe data transfer and prevents unauthorized access to data during communication between Buyer’s PC and WSPay payment gateway service and vice-versa.
The aforementioned service and financial institutions (credit card issuers) exchange data via virtual private network (VPN) that is protected against unauthorized access. Credit card numbers are not stored and are not available to unauthorized persons.
WSPay™ payment gateway
WSPay™ is a system that allows simple connection between a store and one or more credit card issuers. WSPay™ allows safe exchange of authorization questions and answers from credit card issuers.
HIGH LEVEL OF SELLER AND CUSTOMER PROTECTION
– 3D Secure protection for all sellers and customers. WSPay™ system uses the highest standards of protection and data privacy.
– All sellers using WSPay™ are a part of 3D Secure protection, which is a guarantee to web shop buyers that their shopping is safe.
– Buyer’s credit card numbers are not kept inside the system and their entry is protected via SSL data encryption.
– Certification according to PCI DSS standards
– WSPay™ system continuously works on safety enhancement and its confirmation. Starting this year, it will be confirmed that WSPay™ services function at the highest standards defined by credit card issuers.
PCI Data Security Standards (PCI DSS) is a norm that defines safety measures for processing, storing and transferring (communication) credit card data.