1. The controller of personal data collected through www.mediteran.travel website is EMPYREAL TRAVEL D.O.O., with its registered office at the following address: Zakučac 10/d, 21310 Omiš, service address: Zakučac 10/d, 21310 Omiš, entered into the Business Register under KRS no.: 060384117, NIP: HR78176032108, with share capital of HRK 20,000, e-mail address: firstname.lastname@example.org, hereinafter referred to as the Controller, which is at the same time the Service Provider, whose place of business is: Zakučac 10/d, 21310 Omiš, service address: ul. Zakučac 10/d, 21310 Omiš, NIP: HR78176032108, e-mail address: email@example.com, hereinafter referred to as the Controller.
2. Personal data gathered by the Controller through the website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR, and the Personal Data Protection Act of 10 May 2018.
THE TYPE OF PROCESSED PERSONAL DATA, THE AIM AND SCOPE OF DATA COLLECTION
1. THE PURPOSE OF PROCESSING AND THE LEGAL BASIS. The Controller processes personal data through www.mediteran.travel when:
- the user makes use of the contact form. Personal data are processed pursuant to Art. 6(1)(f) of GDPR as part of legitimate interests pursued by the Controller.
- the user subscribes to the Newsletter to receive commercial information by electronic means. Personal data are processed after the user has given separate consent to it, pursuant to Art. 6(1)(a) of GDPR.
- the user books a holiday stay in one of the houses or apartments of the Controller. Personal data are processed pursuant to Art. 6(1)(f) of GDPR as part of legitimate interests pursued by the Controller.
2. THE TYPE OF PROCESSED PERSONAL DATA.
The Controller processes the following categories of users’ personal data:
- Name and surname,
- Date of birth,
- E-mail address,
- Phone number,
3. THE DURATION OF PERSONAL DATA RETENTION.
- Personal data of users are stored by the Controller as follows:
- when the basis for data processing is the performance of a contract, the data will be stored for as long as it is necessary to perform the contract, and afterwards for the limitation period of claims. Unless a specific regulation provides otherwise, the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity, this period is three years.
- when data processing is based on consent, the data will be stored until the consent is withdrawn, and after the withdrawal of consent, the data will be stored for the limitation period of claims which could be submitted by the Controller or against the Controller. Unless a specific regulation provides otherwise, the limitation period is six years, whereas for claims concerning periodical performances and claims connected with conducting business activity, this period is three years.
- When the user is using the website, additional information can be collected as well, in particular: the IP address assigned to the user’s computer or the external IP address of the Internet service provider, the domain name, the type of browser, the access time, or the type of the operating system.
- The users’ navigation data may also be collected, including information about links that the users click on or other activities they perform on the website. The legal basis for this type of action is the legitimate interests pursued by the Controller (Art. 6(1)(f) of GDPR), which consist in facilitating the use of electronically supplied services and improving the functionality of these services.
- Providing personal data by the user is voluntary.
- Personal data will also be processed automatically, including profiling, provided that the user gives consent to such processing pursuant to Art. 6(1)(a) of GDPR. The result of profiling will be assigning a profile to a given person in order to make decisions which concern this person, as well as to analyse or predict his or her preferences, actions and attitude.
- The Controller takes the utmost care to protect the interests of data subjects. In particular, the Controller guarantees that the collected data are:
- processed lawfully,
- collected for specific lawful purposes and are not subject to further processing which would be contrary to such purposes,
- essentially correct and adequate to the purposes for which they are processed and are stored in a form which makes it possible to identify data subjects only for as long as it is necessary for the purpose of processing to be achieved.
MAKING PERSONAL DATA AVAILABLE
- Personal data of users are transmitted to service providers whose services are used by the Controller to run the website. Depending on contractual arrangements and circumstances, service providers who receive personal data are either subject to the Controller’s instructions as to the purposes and means of data processing (processors) or determine the purposes and means of data processing on their own (controllers).
- Personal data of users are stored solely in the European Economic Area (EEA).
THE RIGHT TO CONTROL, ACCESS AND RECTIFY ONE’S OWN PERSONAL DATA
- The data subject has the right to access his or her personal data, the right to rectify and erase the data, the right to restrict the processing of the data, the right to data portability, the right to object, and the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal bases for the user’s demands:
1. Access to data – Art. 15 of GDPR.
2. Rectification of data – Art. 16 of GDPR.
3. Erasure of data (the so-called right to be forgotten) – Art. 17 of GDPR.
4. Restriction of processing – Art. 18 of GDPR.
5. Data Portability – Art. 20 of GDPR.
6. Objection – Art. 21 of GDPR.
7. Withdrawal of consent – Art. 7(3) of GDPR.
- In order to exercise the rights referred to in Point 2, you can send a relevant e-mail to the following address: firstname.lastname@example.org.
- If the user moves for an entitlement arising out of the abovementioned rights, the Controller will either comply with the request or refuse to comply with it forthwith, but not later than a month after the Controller received the request. However, if due to the complexity of the request or the number of requests the Controller cannot satisfy the request within a month, the Controller will satisfy it within the next two months, having informed the user about the intent to prolong the time limit and the reasons behind this decision within a month after the Controller received the request.
- In case it is established that personal data processing violates the provisions of GDPR, the data subject has the right to complain to the President of the Personal Data Protection Office.
- The Controller’s website uses browser cookies.
- The installation of cookies is necessary for the proper provision of services on the website. Cookies contain information necessary for the website to function correctly. These files also make it possible to compile general website visit statistics.
- The website uses the following types of cookies: session
1. Session cookies are temporary files which are stored on the User’s final device until the User logs out (leaves the webpage).
- The Controller uses its own cookie files to learn more about the way in which the user interacts with the content of the website. Files collect information about the way in which the user uses the website, the type of website which brought the user to the Controller’s website, the number of visits and the duration of the user’s visit on the website. This information does not contain specific personal data of the user and is used to compile statistics which show how the website is used.
- The user has the right to decide whether cookies will have access to his or her computer by selecting an appropriate option in the browser window. Detailed information on handling cookies is available in software (web browser) settings.
- The Controller uses technical and organizational measures which guarantee that the protection of processed personal data will be appropriate and adjusted to risks and categories of protected data. In particular, the Controller protects the data from being disclosed to unauthorized persons, taken by unauthorized persons, processed in violation of applicable laws, as well as from being changed, lost, damaged or destroyed.
- The Controller makes available appropriate technical measures which prevent unauthorized persons from obtaining and modifying personal data sent by electronic means.
- Provisions of GDPR and other relevant provisions of Polish law will