1. Introductory provisions
Pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Official Journal of the European Union L 119, 04/05/2016, p. 1, hereinafter referred to as „General Data Protection Regulation“), which is in full application as of 25 May 2018 in the Republic of Croatia and the European Union, and the General Data Protection Regulation Implementation Act (Official Gazette number 42/18, hereinafter referred to as “Act”), i.e. in accordance with the legal framework for the protection of personal data applicable in the Republic of Croatia and the European Union and European best practices, Kosmos d.o.o (hereinafter referred to as “Agency”), as Controller of the processing of personal data of its customers, has developed this Customer Privacy Protection Policy.
Personal data processing is performed under the responsibility of the Agency:
Kosmos d.o.o. Jadranska 17, Umag
Company Number (MB): 2512157
Personal Identification Number (OIB): 32071975526
Contact information of the data protection officer:
2. How and which data do we collect
The services offered by the Agency require the collection of customers’ personal data. Basic data is collected in the following ways:
1. Directly by the customers themselves in such a way that the customers deliver to the Agency, as data processing controller, their personal data in a certain amount of information relevant to the provision of the corresponding services. For the purpose of providing the appropriate services, the customer is obliged to provide the Agency with the following data that is necessary to establish a contractual relationship for the provision of tourism-related or rent-a-car services:
a) name and surname;
c) personal identification number (OIB)
d) date of birth;
f) phone and/or mobile number;
g) email address);
h) ID card information (address and country of residence, identity card number);
i) passport number;
j) bank account information and credit card number necessary to make the payment;
k) driving licence number.
2. From other sources i.e. from our business partners (for instance, data received by a partner agency for the purposes of accommodation booking).
3. Automatically by visiting our website; only personal data associated with online identifiers is collected (internet protocol addresses and cookie identifiers, such as Google Analytics used to track user’s and/or customer’s engagement).
A cookie is a small data file stored on your computer or mobile device each time you visit a website. Cookies are used to improve the user experience and to remember website preferences in order to make web browsing more efficient, as well as to track and analyse the web traffic and number of visits to the Company’s website. Cookies are also used for tracking internet usage and for creation of user profiles, and afterwards for showing personalised digital ads based on customer preferences.
After disabling and/or blocking cookies, a customer can still navigate on the Agency’s website. However, it is possible that some options and/or functions of the website will not be available to such customer, i.e. the time needed to access certain functions of the website will be longer than usual.
Kosmos’s cookies do not collect any personal data of our customers, but third-party cookies do. If you want more information, you can visit Google’s website (https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage).
3. For what purposes personal data is collected and processed further
The Agency collects personal data in order to provide, maintain, protect and improve its purchase-related services, to understand the ways in which users and/or customers use the services provided and use the Company’s website, and to perform its contractual obligations. Such information is collected by the Company on the basis of a consent given by the customer for one or more specific purposes, as well as in one of the cases below.
Fulfilment of contractual obligations
The Agency collects and further processes customers’ personal data for the purpose of stipulating and delivering contracts and other acts associated with contract conclusion and delivery in accordance with the relevant regulations.
The legal basis for the processing of customers’ personal data for the foregoing purposes is the necessity of entering into a contract, i.e. in the event that the customer refuses to provide essential information, the Agency will not be able to enter into a contract and / or undertake certain activities related to execution of the contract concluded.
Fulfilment of legal obligations
Following a written request submitted by a customer to the above indicated data protection officer’s address, the Agency is obliged to provide the customer access to the personal data being processed, rectification of inaccurate personal data, erasure of personal data or restriction of processing of his/her personal data, and to inform the customer of the right to object to processing personal data concerning him or her and of the right to data portability.
Customer’s contact details may be used for sending advertising notifications about the Agency’s services, if the customer has given a consent for this type of processing or if there is a legitimate interest of the Agency for this type of actions, unless such interest is overridden by customer’s interests or fundamental rights and freedoms that require personal data protection.
The Agency may use contact details and personally turn to customers whose personal data it already has based on a legitimate interest for sending advertising notifications about all products and services provided by the Agency, using all available marketing channels, unless the customer objects to such processing.
In order for a customer to receive notifications in line with his/her wishes and habits, it is required that the Agency uses certain customer’s data to create personalised advertising notifications, as long as the customer does not expressly object to such processing of data i.e. withdraw his/her previously given consent for processing.
4. Internal purposes
The Agency uses certain customers’ data only for its own records, for the purposes of protection of legitimate interests of customers and/or the Agency. For instance, the above includes the use of personal data for creation of offers that satisfy customers’ needs and wishes, market research and analysis.
Information of potential users
The Agency is also entitled to collect information of potential users of its services. Such data include the basic data (name and surname, email address), but also the interests of potential customers that turn to the Agency wishing to be informed and/or sent an offer for certain products and services.
In the above case, the legal basis for data collection is the customer’s consent.
5. Personal data storage and processing period
Depending on the purpose and the legal basis on which the customer’s personal data is collected, the Agency is in some cases obliged to keep personal data for a period of time that for a particular purpose is prescribed by applicable regulations or until the termination of the purpose for which they were collected.
In cases where the basis for data collection and processing is legitimate interest of the Agency or customer’s consent, the personal data is kept for the following time periods:
a) data on existing customers: during the contractual relationship and 10 years after termination;
b) data on potential customers: 10 years.
Data processed based on a legitimate interest of the Agency and/or customer’s consent may be deleted even before the expiration of the time limit specified in this Policy, if such deletion is requested by the customer or if the customer objects to such processing.
6. Customer’s rights
• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure of personal data
• Right to restriction of data processing
• Right to object
Customer may exercise his/her rights in writing, by sending a filled request to the Agency’s address, or by clicking on the link forma.uniline.hr, by filing an online request.
7. Location of personal data processing
The Agency processes customers’ personal data in the Republic of Croatia.
8. Conditions on which personal data are shared with third parties
Customers’ personal data are transferred by the Agency to third parties (partner agencies, associated companies, and competent authorities) only in the following cases:
a) based on customer’s consent;
b) for the purpose of fulfilling a contractual obligation towards the customer, provision;
c) for the purpose of fulfilling legal obligations of the Company;
d) when such processing is required for the protection of customer’s key interests.
9. Consent management
The active role of the customer in the protection of privacy is reflected in his/her giving of consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data. The consent management implies the possibility that the customer, by an active and unambiguous action, authorises the Agency to collect and process specific personal data for one or more purposes (consent of the data subject), or that the customer withdraws, in the same way, his or her previously given consent to collection and processing of personal data, for one or more purposes.
10. Who can you turn to
Kosmos d.o.o. Jadranska 17, Umag
Amendments to the Privacy Protection Policy
The Agency reserves the right to amend this Policy at any time, without giving any special notice to the persons concerned. For this reason, it is recommended to all interested parties to regularly review the Agency’s website content for information on the updated content of this Policy.