The agency NOMAGO Mobility d.o.o. is aware of the importance of personal data protection, primarily because we use data for the purpose of providing more suitable services and information to our customers. Each piece of personal data (such as data on the use of a website, which we associate with an individual) tells us a little more about what our users are interested in and allows us not to burden them with content that is not important to them. On the other hand, each piece of personal data also represents a risk - we are all familiar with cases when companies inappropriately used personal data, transferred them to other companies, accidentally disclosed or lost them, etc.
The GDPR regulation, adopted by the European Union, dictates high standards that determine how your data are collected and stored, and allows you to access them, request erasure and much more. In accordance with the legislation and our awareness of the importance of this area, we have prepared explanations related to the protection of your data and the rights you have as a data subject. Please read the following explanation carefully before agreeing to the collection or processing of your personal data.
Personal data are any information relating to a particular natural person, i.e. an individual, regardless of its form. This is information on the basis of which you can be identified.
As an example, we list several types of personal data: name, e-mail address, national identification number, tax number, health insurance number, telephone number, vehicle registration number, personal transaction account number, etc.
Special types of personal data include an natural person’s data revealing their racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership, and the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sexual orientation and sex life, data on convictions, etc.
The data controller is the company NOMAGO Mobility d.o.o., Ul. Andrije Hebranga 22, 10000 Zagreb, registration No. 1358685, PIN 70852164421 (hereinafter: NOMAGO Mobility d.o.o.).
The personal data we receive from you based on your explicit consent are stored in an electronic or physical collection of personal data (depending on the form of personal data obtained). The collections are appropriately secured in technical terms, and only authorized employees of NOMAGO Mobility d.o.o. have access to them.
The personal data that you provide to us digitally are stored on servers at the company's headquarters, and sometimes also with the companies whose tools we use. For example, the provider of e-mail communication tools stores data on recipients. The company NOMAGO Mobility d.o.o. cooperates exclusively with the leading providers of the aforementioned tools, and before each instance of cooperation we agree, i.e. ensure that the provider of the tools does not have the right to access the data. Furthermore, we check whether the provider has adequately organized data protection mechanisms and a guarantee that they themselves will never use any piece of data of our clients.
We store the collected personal data until the moment you inform us that you no longer agree to the storage and processing of personal data, that is, as long as it takes to achieve the purpose for which the data is processed, or to meet the legal requirements, as a maximum.
We collect, manage and process your personal data only for the purposes determined by law, or on the basis of your explicit consent.
Personal data that we need for the purposes determined by law (or contract) are, for example, the following:
Personal data that we need for other purposes that require consent are, for example, the following:
Data collected on the basis of consent are primarily intended for communication with you and improvement of services. We use these data to try to ensure that, for example, we do not notify pensioners about student IDs and that we do not invite international travelers to holiday camper trailers on the Croatian coast. We also try to identify which parts of our offer have not been visited because they may not be sufficiently visible on the website.
In any case, we undertake not to make your personal data available nor to sell them to a third party without prior notification and obtaining your explicit written consent.
Our company collects and processes personal data that we need to provide services or those determined by law, or a concluded contract, and the data for which you have granted your explicit consent.
These personal data are, for example, the following:
You have the right to withdraw your consent to the processing of personal data at any time. You can withdraw the right for a specific purpose or for all purposes of personal data processing to which you have agreed.
You can withdraw the given consent:
You can find a sample of a written statement for withdrawal of consent to the processing of personal data at the end of this notice.
Please send a written statement for withdrawal of consent to the processing of personal data to the address: NOMAGO Mobility, d.o.o., Ul. Andrije Hebranga 22, 10000 Zagreb, or by e-mail: travel@nomago.hr.
In the event of withdrawal of consent for the collection or processing of personal data, all collected personal data, to which the erasure request applies, will be erased or excluded from automatic processing.
The withdrawal of consent to the processing of personal data does not affect the lawfulness of the processing of personal data concerning you, until you disallow the use of such personal data for the purposes determined by law.
At any time, you have the right to request the controller to rectify or complete incorrect or incomplete personal data concerning you.
You can request to inspect the data that the controller has collected from you, or the immediate erasure of your personal data, at any time.
In case of rectification, erasure or having personal data completed, we must inform you without delay about the rectification, erasure or of the personal data having been completed.
You have the right to request at any time that we restrict the processing of your personal data in case of their inaccuracy, illegality, cessation of the purpose of processing or submission of a complaint.
You have the right to request at any time that we provide you with your personal data that we process.
You have the right to request at any time that we provide another controller with your personal data that we process.
Any use of your personal data for the purpose of providing information or for promotional purposes requires your explicit consent. In the event that you receive information or commercial promotional content based on your consent, you can request in writing at any time the cessation of use of your data for these purposes.
You can submit requests pursuant to all of your rights regarding the protection of your personal data using the form attached to this document. Send the request by mail to the address NOMAGO Mobility, d.o.o., Ul. Andrije Hebranga 22, 10000 Zagreb, or by e-mail: travel@nomago.hr.
At any time, you have the right to request confirmation of whether personal data concerning you are being processed and to request access to personal data concerning you, as well as the following information: the purpose of data processing, the type of personal data concerning you, the users of your personal data, the intended period of storage of personal data, the source of personal data.
Despite our efforts to protect your personal data as best as possible, there is of course no such thing as complete protection. There is always the possibility of an attack on our IT systems or unpredictable errors that can threaten the security of your personal data.
In the event that the security of your personal data is compromised, and in the event that it is determined that such a threat to personal data may cause a great risk to your rights and freedoms, we will inform you immediately.
In the event that the security of your personal data is compromised, we will inform the competent authority without undue delay, no later than within 72 hours of becoming aware of the threat to your personal data.
In the event of any form personal data breach, you have the right to lodge a complaint with the supervisory authority against the controller, at the address: Personal Data Protection Agency, Fra Grge Martića 14, 10000 Zagreb, or at azop@azop.hr.
We undertake to process all collected data only for the above-mentioned management purposes, i.e. personal data processing, in accordance with the Personal Data Protection Act and other legislation in this field, and in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR).
Inform us about any question or ambiguity, or provide us with information regarding the exercise of your personal data protection rights using the controller's address:
NOMAGO Mobility d.o.o.
Ul. Andrije Hebranga 22
10000 Zagreb
e-mail: travel@nomago.hr
Phone: +385 1 488 63 40
Fax: +385 1 488 63 45
Website: https://nomago.hr
At NOMAGO d.o.o., we are aware of the significance and importance of the protection of the personal data that you entrust to us, which is why we carefully store and manage your personal data.
This privacy policy refers to the processing of personal data at the company NOMAGO d.o.o. and provides information the company’s clients and visitors to the company’s website about the purposes of processing, the types of personal data we process, the rights we guarantee and the basis of personal data processing.
The company NOMAGO d.o.o. processes personal data in accordance with the provisions of Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR), national legislation and the latest guidelines and standards for personal data protection.
In order to provide you with an adequate user experience and to be able to cooperate with you appropriately, we will ask you for certain personal data. We will always ask you to provide only those personal data that are indispensable for us, so that we can, according to your wishes, cooperate with you and use them in accordance with the purpose for which they were given. We are obliged to process the personal data which you entrust to us lawfully and fairly, therefore we will never use your personal data for other purposes, which are not compatible with the processing purposes for which your personal data were collected.
The GDPR regulation, adopted by the European Union, dictates high standards of personal data protection, which determine how your data are collected, stored, allowing you access to them, as well as to request erasure and much more. In accordance with the legislation and our awareness of the importance of this field, we have prepared explanations on the protection of your data and the rights you have as a data subject. Before providing your consent to the collection or processing of your personal data, please read this explanation carefully.
Contact details of the data controller
Full name of the Controller | NOMAGO storitve mobilnosti in potovanj, d.o.o. |
Registered office | Vošnjakova ulica 3, 1000 Ljubljana |
Tax number | SI 52398790 |
Registration number | 5143373000 |
Phone number | 01 431 77 00 |
Website |
Data Protection Officer
Contact details of the Data Protection Officer (DPO)
Phone number: 01 431 77 00
E-mail: dpo@nomago.si
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The controller processes the following types of personal data for precisely determined and predetermined purposes:
Your personal data are processed by the company only:
The company NOMAGO d.o.o. processes personal data for the purpose of the conclusion and performance of a contract or on the basis of a request imposed by legislation in force for the following purposes:
PURPOSE | DESCRIPTION |
Conclusion of a contract: Purchase, tickets for transportation, purchase of a monthly or an annual ticket. | We will process your data for the purpose of fulfilling the contractual obligation to carry out transportation on the basis of a daily, monthly or annual ticket. |
Issuance of an invoice for the service performed | We will process your personal data in accordance with legal requirements for the purposes of issuing an invoice for the service performed. |
Reservation of excursions, travel, accommodation | We will process your personal data for the purpose of making reservations for excursions, travel and accommodation. |
Supporting clients in the reservation process and resolving potential issues | We process your personal data on a contractual basis for the purpose of resolving potential issues that arise during the performance of the contract in connection with the performance of contractual obligations, and for the purpose of providing support to clients during transport or with regard to accommodation. |
Prevention and identification of misuse and actions that have the characteristics of a criminal offense | Your personal data are processed by the company for the purpose of preventing misuse and identifying actions that have the characteristics of a criminal offense and reporting data to competent authorities and services (prosecutor's office, police...) |
PURPOSE | PERSONAL DATA AND RETENTION PERIOD | DESCRIPTION |
Improving security and preventing breaches of the company's information systems | IP address | The company processes your personal data for the purpose of preventing breaches of the company's information systems, attacks on the company's websites and identifying critical points in the company's information system, as well as improving information security in the company. |
Use of cookies on company websites | Necessary cookies Storage period: during the use of the company's websites, or until receipt of the withdrawal of consent to the use of cookies. | In order to ensure the smooth functioning of the website, the company uses cookies, based on item (f) of the first paragraph of Article 6 of the General Regulation. Cookies allow us to adapt the website to your needs and make it easier for you to use, to provide you with content that is important to you, and not to provide you with content that is not important to you or that is inappropriate. By using the website, you agree to the use of necessary cookies. Necessary cookies are necessary for websites to function; we do not store your personal data in them, and they are used for the normal and proper functioning of websites. We use optional cookies, which are necessary for the functioning of various interfaces, based on your consent. |
Market research, analytics and improving our services | Logs, website users’ IP addresses, users’ navigation on websites. Cookies required for basic Google Analytics. Data are processed anonymously. Storage period: The data we process for the purpose of market research and improvement of our services will be processed exclusively until the cessation of the purpose of carrying out market research and establishing important facts for the improvement of our services. | We use your personal data for the purpose of performing analyses in order to improve our services, to determine potential errors in our systems and websites, to determine the effectiveness of our websites and to ensure a better quality of services and website functioning. The company carries out general statistical data processing (basic Google Analytics) regarding the general behavior of customers and their orders. For this purpose, the company processes the data of natural persons in such a way that it is not possible to identify them. |
Promotional activity and trading of products and services with existing clients | Name and surname, phone number, address, e-mail address Storage period: We will retain data for the purpose of trading with existing clients for as long as is necessary for the realization of the purposes of conducting marketing and trading activities, i.e. until we receive the withdrawal of your consent to the processing of personal data for the purpose of trading. | The activity of trading and promotion in relation to existing clients includes primarily:
|
Determining the geolocation of buses and application users in order to ensure the service of detailed monitoring of bus arrivals and departures at bus stops and the current location of buses in the NOMAGO Intercity application. Resolution of complaints and compensation requests submitted by travelers. | Geolocation of buses Location data of your mobile device, Phone number Storage period: The data are stored for 5 years from the procedure for the period of consideration of the clients’ complaints or compensation requests, i.e. until the conclusion of the initiated legal proceedings. | The company NOMAGO d.o.o. makes it possible for you to use the Intercity application to track the geolocation of buses using your mobile device in order to ensure the service of detailed monitoring of bus arrivals and departures and tracking the current bus location. Data on your bus location will also be used in the event of a complaint or compensation claim. You decide for yourself in the application whether you will allow the application to track your geolocation. |
PURPOSE | PERSONAL DATA AND STORAGE PERIOD | DESCRIPTION |
processing of personal data for customization of web content and communication | Name and surname, IP address, address, e-mail address, telephone number Storage period: Until the receipt of the withdrawal of consent to the processing of your personal data, i.e. the request for erasure. | The company NOMAGO d.o.o., with your consent, uses your personal data to monitor the use of the website. The data collected on the basis of your consent are primarily intended for customized communication with you and improvement of our services. We use these data to try to ensure that, for example, we do not notify pensioners about student IDs and that we do not invite international travelers to camper trailers on the Croatian. We also try to identify which parts of our offer are not being visited because they may not be sufficiently visible on the website. |
Informing customers about news, advertising activities and selling products and services to individuals who are not clients of the company | Name and surname, IP address, address, e-mail address, telephone number Storage period: We will retain data for the purpose of trading for as long as is necessary to realize the purpose of advertising and trading activities, i.e. until we receive the withdrawal of your consent to the processing of personal data for the purpose of trading. | The activity of trading with and advertising in relation to the existing clients includes primarily:
|
The company NOMAGO d.o.o. will obtain your personal data:
The personal data obtained from you either when using the NOMAGO d.o.o. websites, or on the basis of your express consent, will be stored in an electronic or physical collection of personal data (depending on the form of the personal data obtained). The collections are adequately protected by technical, organizational and logical-technical measures. Only persons authorized by the company NOMAGO d.o.o. have access to the collections of personal data.
The personal data that you digitally forward to us are stored on servers at the company's headquarters, and may also be stored at the companies whose software we use. For example, the provider of an e-mail communication software tool stores data on the addressees. The company Nomago d.o.o. cooperates exclusively with the leading providers of such software tools, and before each instance of cooperation we agree, i.e. ensure that the providers of software tools do not have any right to access the data. We also check whether they have adequately organized data protection mechanisms, as well as whether there is assurance that they will never use any of our clients’ data.
The nature of our business is such that, in certain cases, we have to share your personal data with other contractual processors and controllers whom we cooperate with.
NOMAGO d.o.o. works only with verified contractual processors, who guarantee adequate protection of your personal data, with a guarantee of appropriate technical and organizational measures, and process your personal data in compliance with the General Data Protection Regulation.
The provider will not forward your personal data to unauthorized third parties.
Contractual processors may process personal data only within the framework of the controller's instructions and may not use personal data to pursue any personal interests.
The controller strives every day to ensure the adequate security of personal data processing, which is why they constantly update and upgrade security systems to ensure secure personal data processing. Your personal data are protected against loss, destruction, unauthorized disclosure and access by unauthorized persons throughout the whole period of processing.
Transfer of data to third countries or international organizations
In the event of travel or transportation to third countries, NOMAGO d.o.o. will also have to forward your data to third countries to various contractual processors, such as accommodation providers (hotels, apartments), transportation providers (airlines) and others.
The company NOMAGO d.o.o. always cooperates with providers in third countries who guarantee adequate protection of personal data.
The company NOMAGO d.o.o. guarantees you the following personal data protection rights:
1. Right to withdraw consent
In the event that you, as an individual, have given consent to the processing of personal data for one or more personal data processing purposes, you have the right to withdraw your consent at any time.
After receiving the withdrawal of your consent for one or more processing purposes, the controller will immediately stop processing your personal data for that purpose.
The withdrawal of consent to the processing of personal data does not affect the lawfulness of the processing of personal data concerning you until your withdrawal or the use of such personal data for the purposes determined by law or a contract.
2. Right to access personal data concerning you that are processed
You have the right to receive confirmation from the controller as to whether personal data concerning you are being processed, as well as access to personal data concerning you and the following information: purpose of processing, type of personal data concerning you, users of your personal data, intended period of storage of personal data, source of personal data.
3. Right to have inaccurate personal data concerning you rectified
At any time, you have the right to request the controller to rectify or complete incorrect or incomplete personal data concerning you.
The controller will notify you of the rectification of your personal data without delay.
4. Right to restriction of personal data processing
You have the right to request that the controller restrict the processing of your personal data in case of their inaccuracy, illegality, cessation of the purpose of processing or submission of a complaint.
5. Right to erasure of personal data (“right to be forgotten”)
You have the right to request that the controller erase the personal data concerning you that they process without undue delay.
In case of erasure of personal data on the basis of your request, the controller will inform you about the deletion.
6. Right to object
In addition to the right to withdraw consent, you may, in case your personal data are used for information purposes or direct trading, request in writing the cessation of the use of your data for this purpose at any time. In the event of an objection to processing for trading purposes, the controller will immediately cease the processing of personal data for trading and information purposes.
7. Right to data portability
You have the right to have the personal data concerning you that are processed by the controller directly transferred from the controller to another controller, when technically feasible.
You can exercise all of the aforementioned rights from this statement on the basis of a request to exercise a particular right. You can submit a request to exercise your rights in physical or electronic form. A request to exercise rights by mail is sent to the address NOMAGO, storitve mobilnosti in potovanj, d.o.o., Vošnjakova ulica 3, 1000 Ljubljana, or to the e-mail address: travel@nomago.hr, or dpo©nomago.si.
In the event of a personal data breach, you have the right to lodge a complaint against the controller with the competent supervisory authority at the address: Informacijski pooblaščenec, Zaloška 59, 1000 Ljubljana or at: gp.ip@ip-rs.si.
Despite the great effort to protect data, unfortunately, there is no complete protection. There is always the possibility that a particularly serious breach of our IT systems or an unpredictable error could jeopardize the protection of your personal data.
In case of a threat to the protection of your personal data and in the event that it is likely that such a threat to the protection of personal data could cause a great risk to your rights and freedoms, we will notify you thereof without delay.
In case of a threat to the protection of personal data, we will notify the competent authority without undue delay, and no later than 72 hours after becoming aware of the threat to the protection of your personal data.
We reserve the right to adjust or update the personal data protection statement without prior notice in accordance with changes in legislation. The current version published here is valid every time.
Any change to this privacy policy will be published on this website.
Version: 2.0 of 17 September 2019
NOMAGO, storitve mobilnosti in potovanj, d.o.o.
Vošnjakova ulica 3
1000 Ljubljana
e-mail address: travel@nomago.si
phone: +386 1 431 77 00
Pursuant to Articles 25, 26, 27, 28, 29 and 30 of the Act on the Implementation of General Data Protection Regulation (Official Gazette 42/18, in force as of 25 May 2018) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), the management of the company NOMAGO Mobility d.o.o., with registered office in Zagreb, Andrije Hebranga 22, PIN: 70852164421 (hereinafter: NOMAGO Mobility d.o.o. and/or the Company and/or the Controller) has adopted the following:
Article 1
This Policy regulates in detail the method of processing and protection of personal data collected through the video surveillance system (hereinafter: video surveillance), the method of ordering recording, handling of video recordings and monitoring the use of video recordings at the Company.
Article 2
The Company processes personal data through video surveillance of the business premises where the Company conducts its business activities.
The video surveillance system is used to protect the lives and property of employees, the Company and all other persons on the Company's business premises. The system is also used to prevent unlawful acts directed at the Company's property (theft, damage, destruction, etc.), to ensure control of entry and/or exit from the Company's office and/or business premises, and to protect the Company’s trade secrets. In doing so, the Company may use the services of professional subcontractors (security services) that also have the role of a processor.
Video surveillance cameras record images. In addition to the images, the date and time of the video recording are visible on the videos.
Recordings from the video surveillance system may not be used contrary to the purpose established in paragraph 2 of this article.
Article 3
The purposes referred to in paragraph 2 of the previous Article cannot be realized by using more moderate measures.
Article 4
The Company is obliged to indicate that the facility or an individual room therein, and the external surface of the facility is under video surveillance, and the indication must be visible at the latest when entering the recording area. The Company does not monitor and record public areas.
The video surveillance sign, which is made in the form of a sticker or plate, shall contain an easily understandable image accompanied by a text that provides the following information to data subjects:
• that the area is under video surveillance
• information about the controller
• contact details through which the data subject can exercise their rights.
In the notification referred to in the previous paragraph, the Company is obliged to indicate the web address (via QR code) where a natural person can obtain information about the special effects of the processing, especially about further processing, the contact details of the authorized person and information about uncommon further processing, such as transfers to entities in third countries, live monitoring of events, the possibility of audio intervention in events, live monitoring of events and data referred to in paragraph 1 Article 13 of the General Data Protection Regulation.
Article 5
The following persons have the right to access personal data collected through video surveillance:
• the responsible person of the subcontractor performing security tasks through video surveillance
• the Data Protection Officer
• the Company's management and/or the person authorized by the Company's management
The video surveillance system is protected against access by unauthorized persons.
The transmission of the video signal from the system camera to the system control point shall be carried out in such a way that unauthorized persons are prevented from viewing, seizing or interfering with that signal.
Article 6
If it is likely that the processing of data collected by video surveillance, taking into account the nature, scope, context and purposes of the processing, will lead to a high risk with regard to the rights and freedoms of natural persons, the Company shall carry out, prior to the processing, an assessment of the impact of the planned processing procedures on personal data protection. When carrying out the data protection impact assessment, the Company shall seek advice from the Data Protection Officer.
Article 7
The management of the Company shall appoint, by decision, authorization or business cooperation agreement, an authorized employee or employees, or an external contractor, who is/are responsible for operating the video surveillance system and processing personal data obtained through video surveillance.
The authorized person must be properly qualified to operate and use the system. They must handle the devices carefully and in accordance with the technical instructions.
Article 8
Technical supervision of the operation of the system shall be carried out by the Company's management and/or an employee authorized by the Company’s management, or by an external contractor.
The Company's management may also authorize an external contractor for technical supervision of the operation of the video surveillance system on the basis of an appropriate business cooperation agreement.
An authorized employee or an external contractor, or their authorized repairers and persons in charge of maintenance of hardware and application software, are required to check the operation of the video surveillance system once a year or when necessary.
The Company's management or a person authorized by the Company’s management, or an external contractor, must ensure that in case of servicing, repair, modification or updating of the system and potential copying of personal data, the copy is destroyed after the need for the copy has ceased. During installation or maintenance work, a representative of the Company's management or a person authorized by the Company's management must be present at all times and supervise the installation and/or maintenance of the system in order to prevent unlawful processing of personal data.
In the event of the deletion of video recordings stored on the medium or the destruction of the video recording medium, the authorized person is obliged to fill in the Record of Deletion of Video Recordings or Destruction of the Medium.
Article 9
Access to the settings of the video surveillance system is protected by an input password in accordance with the adopted password policy.
All interventions in the video surveillance system must comply with the provisions of Article 9 of this policy.
Article 10
Interventions in the video surveillance system shall be carried out by an employee of the Company authorized for operating the video surveillance system or an authorized external contractor who keeps the necessary records of interventions in the video surveillance system (the records form Annex 6 to this policy), as well as a signed corresponding business cooperation agreement with the operator.
Article 11
Video surveillance on the Company's business premises shall be introduced by a written decision on the introduction of video surveillance in the company.
The decision to introduce video surveillance at the company must also state and explain the reasons for introducing video surveillance.
All employees and other persons entering the company’s premises on the basis of the written notification must be informed about the introduction of video surveillance.
Before the introduction of the video surveillance system, the Company's management must issue a notice or decision on the introduction of video surveillance on the bulletin board or other common place, or in another way that is common in the company, on which all employees, persons doing business with the Company and visitors to the Company can obtain information about the introduction and method of video surveillance implementation.
The Company must display notices in a visible place in accordance with Article 4 of this policy.
Article 12
The notice shall be placed in visible places on the outside of the office building, at the entrances to the office building and when entering the business premises of the company building.
Article 13
Video surveillance on the Company's business premises shall be implemented in the form of video surveillance cameras. Video surveillance shall be carried out by recording in the places specified in Annex 2 to this policy.
Article 14
The implementation of video surveillance creates a collection of video surveillance personal data.
The video surveillance personal data collection contains:
- videotape,
- location of recording,
- date of recording,
- time of recording.
The aforementioned collection of personal data also forms Annex 1 to this policy as a record of processing operations at the company, entitled Data Collection on the Implementation of Video Surveillance.
Article 15
Before the commencement of video surveillance at the company, the video surveillance provider shall make a list of the video surveillance personal data collection.
Article 16
Recordings resulting from the operation of the video surveillance system must be labelled as a trade secret and processed in accordance with this Policy.
Article 17
Video surveillance shall be carried out 24 hours a day and 365 days a year.
In the event of an emergency interruption of recording, the authorized person must fill in the Recording Interruption Record.
Article 18
Video surveillance system recordings shall be kept for a minimum of 1 day, and a maximum of 21 days from the day of recording.
Video surveillance recordings may also be kept for longer than the period specified in the previous paragraph, and for a maximum of six months, unless another law prescribes an even longer retention period, or if they constitute evidence in judicial, administrative, arbitration or other equivalent proceedings.
Video surveillance system recordings shall be stored on the disk in the device and shall be automatically copied or deleted after the expiration of the deadlines referred to in paragraphs 1 and 2 of this Article.
Recordings on portable media shall be stored in such a way that adequate technical and organizational protection against unauthorized access or the occurrence of a security incident is ensured in accordance with the rules governing the protection of personal data, such as, for example:
Recording on portable media is ordered by the Company's Management or a person authorized by the Company’s Management to conduct video surveillance at a specific location.
A copy of the recording may be kept for the duration of judicial, administrative, arbitration or other proceedings before competent authorities.
If the recordings of a certain event or situation lead to the suspicion of a criminal offense, the Company's management or the authorized person is obliged to inform the police. At the written request of the police, the recording shall be provided to them in printed form or on a portable medium.
Persons appearing on recordings used in judicial, administrative, arbitration or other proceedings before the competent authorities must be informed that the recordings in which they appear will be set apart and sent to the competent authorities.
It is forbidden to forward recordings to persons who claim that they intend to initiate judicial proceedings.
Recordings shall be forwarded only by order of a court or competent authorities.
Article 19
The Company is obliged to set up an automated record system for keeping records of access to video surveillance recordings, which will contain the time and place of access, as well as the designation of the persons who accessed the data collected through video surveillance. The person authorized to perform video surveillance at the company, or the external contractor authorized by them, shall keep records from which it can later be determined when certain personal data obtained through the video surveillance system were used or otherwise processed and by whom, that is, for the period when legal protection of a natural person’s rights regarding unauthorized transfer or processing of personal data is possible (5 years).
Article 20
The Company's management and/or a person authorized by the Company’s management shall have access to video recordings and they shall have the right to view the recordings.
A person authorized to view the recordings (inspection) and provide instructions to the information system administrator based on the request of a state authority or administration shall be:
- Concession area manager;
An authorized person who, according to the instructions of the regional operational controller, has permission to view and manage, control, access, export, copy, transfer, destroy or delete recordings shall be:
- information systems administrator.
Only an authorized video surveillance operator or an authorized external contractor shall have access to the video surveillance settings.
Article 21
An authorized person in charge of video surveillance may change the video surveillance settings if they consider that changing the video surveillance settings is justified and necessary in order to ensure the smooth operation or the effectiveness of video surveillance.
The authorized person must make a note about each change of settings indicating who changed the settings, the purpose of the change and the time of the change. The record may also be kept electronically.
Article 22
The Company's management and/or a person authorized by the Company’s management may order that recordings of certain extraordinary events be stored on portable media for the purpose of reconstruction and analysis of the implementation of security. Recording on portable media shall be carried out by a person authorized to manage video surveillance and/or an external contractor authorized by them.
Article 23
The Company's management, a person authorized to operate video surveillance or an external contractor with whom the company enters into a business cooperation agreement shall ensure the implementation of video surveillance and the maintenance of video surveillance hardware and software, taking into account the provisions of this policy and the Personal Data Protection Act.
The video surveillance system must meet the following technical requirements:
Article 24
The management of the company shall supervise the implementation of the provisions of this policy.
The management of the company has the right to request access to the audit trail of video surveillance management from a person authorized to perform video surveillance or an authorized external video surveillance contractor.
Article 25
Data subjects whose personal data appear on the video recordings have the following rights:
Article 26
The video surveillance system in workplaces is used to protect the safety of the Company's employees and to protect the Company's interests and property.
The processing of employees' personal data through the video surveillance system may only be carried out under the conditions set out in the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018), the General Data Protection Regulation and the regulations governing occupational health and safety, if the employees were adequately informed in advance about such a measure, and if the Company informed the employees before adopting the decision to install a video surveillance system. In this sense, the Company is obliged to notify each employee in writing regarding the video surveillance measures it is implementing.
Video surveillance does not cover changing room areas, places for employees to rest and toilet areas, if there are such areas in the Company's business premises.
All the provisions of this Policy that apply to the processing of personal data of visitors, customers and partners of the Company through video surveillance shall also apply to the processing of personal data of employees through video surveillance.
Article 27
The provisions of the applicable General Data Protection Regulation, laws and by-laws shall directly apply to anything that is not specified in this personal data protection policy.
All company employees must be familiar with the provisions of this policy. By publishing the policy in the common place for the publication of internal acts at the company, the employees are deemed to be familiar with the provisions of the policy.
This Policy shall be adopted by the Company's Management and shall enter into force on the day following its publication on the company's internal bulletin board, or on the company's usual website.
All amendments to this Policy shall be made in the manner prescribed for its adoption.
In Zagreb, 11 July 2023.