Rules
Pursuant to Art. 3. Par. 1. of the General Data Protection Regulation (EU) 2016/679 and Art. 30 of the Memorandum of Association of Mon Perin d.d. Bale, Trg la Musa 2, OIB 06374155285, on May 24th 2018, the Management Board shall adopt
RULES ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
I. GENERAL PROVISIONS
Article 1
In the processing of personal data and protection of natural persons with regard to the processing of personal data and rules on the free movement of such data Mon Perin d.d. Bale (hereinafter: Company) shall apply the General Data Protection Regulation (EU) 2016/679 (hereinafter: General Regulation) and the Law on the application of the General Data Protection Regulation (NN 42/18).
Article 2
Pursuant to Art. 4. Point. 7. of the General Regulation the Company is the controller of personal data and as such determines the purpose and means of the processing of personal data in accordance with national legislation and/or EU law.
Article 3
In accordance with the General Regulation the definitions used in these Rules have the following meaning:
“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
“consent by data subject” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
“pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Article 4
Personal data of natural persons shall be processed lawfully, fairly and in a transparent manner by the Company. Only adequate and relevant personal data shall be processed, namely solely for specified, explicit and legitimate purposes, and shall not be further processed in a manner that is incompatible with those purposes.
Personal data processed by the Company shall be accurate and, where necessary, kept up to date. Personal data that are inaccurate shall be erased or rectified without delay.
Personal data shall be processed by the Company in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Company shall store personal data in the period necessary to serve the purpose for which they were collected, usually during a contractual relationship and for any subsequent period as legally mandated or permitted by any applicable law. The Company’s storage rules reflect the applicable limitation periods and legal requirements.
II. PROCESSING OF PERSONAL DATA
Article 5
The Company shall process personal data only if and to the extent that one of the following grounds applies:
− the data subject has given consent to the processing of his or her personal data for one or more specific purposes
− processing is necessary for the performance of a contract to which the data subject is party
− processing is necessary for compliance with a legal obligation to which the Company is subject
− processing is necessary in order to protect the vital interests of the data subject or of another natural person
− processing is necessary for the performance of a task carried out in the public interest
− processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Article 6
The consent by which the data subject agrees to the processing of personal data relating to him or her to the Company shall be freely given, in writing, intelligible, written in a clear and plain language, with a clearly indicated purpose for which it is given, and should not contain unfair terms.
In the event when personal data of a child below the age of 16 years are processed, the consent referred to in Paragraph 1 hereof shall be given by the holder of parental responsibility over the child (parent or child’s legal guardian).
The consent involves sharing personal data with companies affiliated with the Company and in particular with: Mon Perin Castrum d.o.o., Maian d.o.o., Dandoli d.o.o., Plinio d.o.o., freelancer Jasmina Cuccurin (Italy), as well as sharing personal data of data subjects with Google Ireland, Facebok Ireland ltd., Instragam Inc.
Article 7
In the processing of personal data the Company shall in an appropriate manner (in either written or oral form ) provide the data subject with any information relating to the processing of his or her personal data, in particular on the purpose of the processing, legal grounds for processing of personal data, Company’s legitimate interests, intention to submit data to third persons, period for which the personal data are stored, existence of the right of data subjects to access to and rectification or erasure of personal data or restriction of processing, right to object to processing, etc.
III. RIGHTS OF DATA SUBJECTS
Article 8
The Company shall immediately and at the latest within one month of filing the request by the data subject, his or her legal representative or attorney:
− inform the data subject on the purposes of the processing, categories of personal data undergoing processing, recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, and where the personal data are not collected from the data subject, any available information as to their source
− provide the data subject with a printout of the personal data contained in the filing system relating to him or her
− rectify inaccurate data or complete data
− undertake the erasure of personal data concerning the data subject, provided that they are no longer necessary in relation to the purposes for which they were collected or if the data subject withdraws consent on which the processing is based.
The period referred to in Par. 1 hereof may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
With regard to the reasons for rejecting the request of the data subject referred to in Par. 1 hereof, the Company shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for rejecting the request.
Article 9
The Company shall provide information provided under Art. 8 free of charge.
By way of exception, where requests from a data subject are manifestly unfounded or excessive, the Company may charge a reasonable fee taking into account the administrative costs of providing the information or communication.
Article 10
The data subject who is of the opinion that the Company has breached his or her right guaranteed by the General Regulation shall have the right to submit a request seeking a finding of an infringement of right to the competent body.
IV. FILING SYSTEM
Article 11
The Company collects and processes the following types of personal data:
− the name and surname of the Company’s customers/data subjects
− the data subject’s domicile/residence address
− the data subject’s nationality
− the data subject’s date of birth
− the data subject’s country of birth
− the data subject’s gender
− the type of data subject’s identity document
− payment data such as account numbers and other related card information
− the data subject’s email address
− the data subject’s national identification number
− information on the data subject’s disability
− IP addresses of devices, internal identification number, MAC addresses of devices, email address of the person using the Wi-Fi system, date and time of registration with the system
− the data subject’s phone/mobile phone numbers
− company’s name and contact details (if a customer)
− data collected by video surveillance of the Mon Perin’s campsite and facilities
The Company also processes:
− Company’s employees’ personal data
− personal data on candidates participating in a competition procedure for employment
− personal data of outworkers, regulated by special Rules on personal data protection in the employment context available to Company’s employees (workers) and outworkers.
Article 12
For personal data referred to in Article 11 hereof the Company shall maintain a record of processing activities, which is set out in the Annex to these Rules and shall be regarded as an integral part hereof.
Records of processing activities shall contain at least the following data:
− the name and contact details of the Company, the person/persons with powers of representation and the data protection officer
− the purposes of the processing
− a description of the categories of data subjects and of the categories of personal data;
− the categories of recipients to whom the personal data have been or will be disclosed
− the envisaged time limits for erasure of the different categories of data
− a general description of the technical and organisational security measures to ensure the protection of personal data
Article 13
The Management Board shall adopt the decision on persons in charge of personal data processing and protection referred to in Art. 11 hereof.
V. DATA PROTECTION OFFICER
Article 14
The Company shall designate a data protection officer.
The data protection officer shall have adequate professional qualifications and shall be designated among the Company’s staff.
Contact details of the data protection officer shall be available on the Company’s website.
The data protection officer shall have the task to inform and advise the Company’s responsible persons and employees who carry out processing of their obligations pursuant to the General Regulation, to monitor compliance with this Regulation and with other Union or Member State data protection provisions, to enable the exercising of the rights of data subjects and to cooperate with the supervisory authority.
The data protection officer shall keep confidential any information which he or she receives in the course of his or her duties.
VI. MEASURES OF DATA PROTECTION
Article 15
To prevent unauthorised access to personal data, data in written form shall be kept in binders and locked cabinets, whereas computer data shall be protected by assigning a username and password known only to employees in charge of data processing and for the purpose of their further security and secrecy, they are stored on storage media.
Article 16
The Company shall, where appropriate and in particular when publishing data which could be attributed to a specific data subject, conduct a pseudonomysation as a technical measure for data protection.
Article 17
Persons in charge for the processing of personal data shall be responsible for the protection of personal data against accidental loss or destruction, unauthorised access or illicit change, illicit publishing and any other misuse.
VII. FINAL PROVISIONS
Article 18
These Rules shall enter into force on the day of their publication.
These Rules will be made available also on the Company’s web site: www.www.camping-monperin.hr
Mon Perin d.d. Bale
Massimo Piutti,
Management Board President
ANNEX
Record of processing activities template
RECORD OF PERSONAL DATA PROCESSING ACTIVITIES
Personal Data Controller:
The Company „Mon Perin d.d.“
address: Trg la Musa 2
seat: Bale
telephone number: +385 (0)52 824 338
fax number: +385 (0)52 824 382
email: [email protected]
Company’s Responsible Person:
Massimo Piutti, Management Board President and Ivan Maričić, Management Board Member
Data Protection Officer
telephone number: +385 (0)52 824 338
email: [email protected]
Purpose of processing (description):
Processing of data subjects’ personal data
The purpose of processing is determined by:
Regulation and law,
- Company’s legitimate interest;
- fulfilling the Company’s contractual commitments;
- consent
Means of providing data subject consent to collect and process his or her personal data:
Data subject’s written content
Category of data subjects: and types of data
- guests
- employees
- business partners
Types of data:
- the name and surname of the Company’s customers/data subjects
- the data subject’s domicile/residence address
- the data subject’s nationality
- the data subject’s date of birth
- the data subject’s country of birth
- the data subject’s gender
- the type of data subject’s personal document
- payment data such as account numbers and other related card information
- the data subject’s email address
- the data subject’s national identification number
- information on the data subject’s disability
- IP addresses of devices, internal identification number, MAC addresses of devices, email address of the person using the Wi-Fi system, date and time of registration with the system
- the data subject’s phone/mobile phone numbers
- company’s name and contact details (if a customer)
The Company also processes:
- Company’s employees’ personal data
- personal data on candidates participating in a competition procedure for employment
- personal data of outworkers, regulated by special Rules on personal data protection in the employment context available to Company’s employees (workers) and outworkers
Categories of recipients to whom the personal data have been or will be disclosed:
Ministry of Tourism, Tourist Board, e-visitor, Mon Perin Castrum d.o.o., Maian d.o.o., Dandoli d.o.o., Plinio d.o.o. (Croatia), Plinio S.r.l. (Italy), as well as sharing personal data of data subjects with Google Ireland, Facebook Ireland ltd., Instragam Inc.
Envisaged time limits for erasure of personal data: The Company shall store personal data in the period necessary to serve the purpose for which they were collected, usually during a contractual relationship and for any subsequent period as legally mandated or permitted by any applicable law. The Company’s storage rules reflect the applicable limitation periods and legal requirements.
General description of the technical and organisational security measures for data protection:
Data in written form shall be kept in file cases, closets, locked, whereas computer data shall be protected by assigning a username and password known only to employees in charge of data processing and are for the purpose of their further security and secrecy stored on external storage media.