PRIVACY POLICY
Version 1, January 2023, Zagreb
ABOUT US
We are SDA Croatia Ltd., Horvatova ulica 80A, Zagreb, PIN 72915630881 (hereinafter: "SDA").
In this Privacy Policy we provide all important information about the processing and protection of your personal data that we carry out in our business processes, all as defined by the provisions of the General Regulation.
If you have any questions regarding the processing and protection of your personal data, as well as questions regarding this Privacy Policy, please feel free to contact our Data Protection Officer in writing at the address of our registered seat or by e-mail at: dpo@sdacroatia.com.
We will inform you about changes and / or additions to the information in the Privacy Policy in a timely manner and through our usual communication channels.
IMPORTANT TERMS
To fully understand our Privacy Policy, we kindly ask you to carefully read the definitions of the terms listed below in the text. These are terms that are mentioned in this Privacy Policy and are important for understanding the information we provide to you.
General Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of the 27th of April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Personal data means any information relating to an identified or identifiable natural person (data subject);
Data subject means identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Recipient means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not;
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Supervisory authority means an independent public authority established by a Member State; in the Republic of Croatia, it is the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10 000 Zagreb, Croatia.
CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA, AND PURPOSES AND LEGAL BASIS FOR PERSONAL DATA PROCESSING
Candidates for employees
If you are interested in working at SDA, we collect and process your personal data, which you provided to us during the initial communication or by sending a CV and other accompanying documentation (for example job applications, letters of recommendation, etc.).
We collect and process the following categories of your personal data:
Identification data: name and surname.
Location data: address (street name and house number, postal code and city, country).
Contact data: telephone and / or mobile phone number, e-mail address.
Data on education / training: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Data on work experience: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Data on personal characteristics / skills: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Other data: photo (if part of the CV and accompanying documents of the candidate), other personal data contained in the CV and other accompanying documents of the candidate.
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of making initial contact (communication) through selected channels (for example e-mail, telephone / mobile phone number, etc.), and for the purpose of taking actions necessary to select the best candidate (for example reviewing the CV and other accompanying documentation we received, selection of candidates for job interview, etc.). In that case, the legal basis for the processing of your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of further storage (retention) of your personal data, i.e. CVs and accompanying documentation for future possible employment. In that case, the legal basis for the processing of your personal data is your consent (Article 6 (1) (a) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Candidates for temporary workers
If you are a seconded employee of a temporary employment agency, and the agency referred you as a candidate for temporary work at SDA, we collect and process your personal data which your agency forwarded to us (for example data from your CV and other accompanying documentation, etc.), and which you provided to us during the interview and assessment.
We collect and process the following categories of your personal data:
Identification data: name and surname.
Location data: address (street name and house number, postal code and city, country).
Contact data: telephone and / or mobile phone number, e-mail address.
Data on education / training: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Data on work experience: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Data on personal characteristics / skills: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Other data: photo (if part of the CV and accompanying documents of the candidate), other personal data contained in the CV and other accompanying documents of the candidate.
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of making initial contact (communication) through selected channels (for example e-mail, telephone / mobile phone number, etc.), and for the purpose of taking actions necessary to select the best candidate (for example reviewing the CV and other accompanying documentation we received, selection of candidates for job interview, etc.). In that case, the legal basis for the processing of your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Candidates for student work
If you are interested in working as a student at SDA, we collect and process your personal data, which you provided to us during the initial communication or by sending a CV and other accompanying documentation (for example job applications, letters of recommendation, etc.).
We collect and process the following categories of your personal data:
Identification data: name and surname.
Location data: address (street name and house number, postal code and city, country).
Contact data: telephone and / or mobile phone number, e-mail address.
Data on education / training: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Data on student work experience: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Data on personal characteristics / skills: varies depending on the data provided in the CV and accompanying documentation of the candidate.
Other data: photo (if part of the CV and accompanying documents of the candidate), other personal data contained in the CV and other accompanying documents of the candidate.
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of making initial contact (communication) through selected channels (for example e-mail, telephone / mobile phone number, etc.), and for the purpose of taking actions necessary to select the best candidate (for example reviewing the CV and other accompanying documentation we received, selection of candidates for student work interview, etc.). In that case, the legal basis for the processing of your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of further storage (retention) of your personal data, i.e. CVs and accompanying documentation for possible future student work. In that case, the legal basis for the processing of your personal data is your consent (Article 6 (1) (a) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Visitors to the Aelia Duty Free Shop, The Fashion Place, and our pop-up stores at the airport
If you are just a visitor to our Aelia Duty Free Shop, The Fashion Place or one of our pop-up stores at the airport, we collect and process your personal data, which we collected through the video surveillance system during your visit to one of the above mentioned stores.
We collect and process the following categories of your personal data:
Data in the form of video recordings: video recordings from the video surveillance system.
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of protecting persons and property of SDA using the video surveillance system. In this case, the legal basis for processing your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Customers at the Aelia Duty Free Shop, The Fashion Place, and our pop-up stores at the airport
We collect and process the following categories of your personal data:
Identification data: name and surname.
Location data: address (street name and house number, postal code and city, country).
Contact data: telephone and / or mobile phone number, e-mail address.
Financial data: bank and bank account information.
Data in the form of video recordings: video recordings from the video surveillance system.
Other data: the date and time of return from the trip, the number of the purchased package, and other data that you may provide to us.
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of providing the "Shop&Collect" service, i.e. providing the service of collecting purchased goods upon returning from a trip. In this case, the legal basis for the processing of your personal data is the execution of the contract (Article 6 (1) (b) of the General Regulation).
For the purpose of providing an answer to your complaint as a consumer. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
For the purpose of protecting persons and property of SDA using the video surveillance system. In this case, the legal basis for processing your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Customers who are employees of other airport tenants
If you are a customer in our Aelia Duty Free Shop, The Fashion Place, and in our pop-up stores at the airport, but also an employee of one of the other airport tenants, we collect and process your personal data, which we collected through the video surveillance system during your visit to one of the above mentioned stores, and which you provided to us due to your membership in the SDA Croatia Loyalty Program, or by exercising your rights as a consumer, i.e. the right to complain.
We collect and process the following categories of your personal data:
Identification data: name and surname, number of identification card / badge.
Location data: address (street name and house number, postal code and city, country).
Contact data: telephone and / or mobile phone number, e-mail address.
Financial data: bank and bank account information.
Employment data: name of the employer (employment company).
Data in the form of video recordings: video recordings from the video surveillance system.
Other data: other data that you may provide to us.
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of providing an answer to your complaint as a consumer. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
For the purpose of joining the SDA Croatia Loyalty Program. In this case, the legal basis for processing your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of sending a monthly newsletter about current offers, events, and news in our stores. In that case, the legal basis for the processing of your personal data is your consent (Article 6 (1) (a) of the General Regulation).
For the purpose of protecting persons and property of SDA using the video surveillance system. In this case, the legal basis for processing your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Responsible and contact persons of our business partners
If you are a responsible or contact person of our potential or existing business partner, we collect and process your personal data depending on the needs of our potential or existing business (partner) relationship. We collect and process personal data that you provided to us during the initial communication or that we collected during the establishment and maintenance of our business (partner) relationship.
We collect and process the following categories of your personal data:
Identification data: name and surname.
Contact data: telephone and / or mobile phone number, e-mail address.
Employment data: relationship with the business partner (founder, director, employee, etc.).
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of establishing initial contact (communication), as well as for the purpose of further regular communication through selected channels (for example e-mail, telephone / mobile phone, etc.) and for the purpose of exercising rights and obligations from the contractual relationship with a business partner. In that case, the legal basis for the processing of your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
Inquiry senders
If you send us an inquiry, we collect and process your personal data. We collect and process personal data that you provided to us during the initial communication, or that we collected during our communication.
We collect and process the following categories of your personal data:
Identification data: name and surname.
Contact data: telephone and / or mobile phone number, e-mail address or other contact information depending on the communication channel.
Other data: the content of the communication (if it contains personal data).
We process the above mentioned personal data for the following purposes and on the following legal basis:
For the purpose of making contact and answering your inquiry. In that case, the legal basis for the processing of your personal data is our legitimate interest (Article 6 (1) (f) of the General Regulation).
For the purpose of fulfilling our legal obligations, i.e. compliance with applicable regulations and cooperation with competent bodies and services. In that case, the legal basis for the processing of your personal data is compliance with our legal obligations (Article 6 (1) (c) of the General Regulation).
VIDEO SURVEILLANCE
To protect persons and property, SDA collects and processes your personal data through video surveillance on the legal basis of legitimate interest (Article 6 (1) (f) of the General Regulation). In the paragraphs above, we have indicated which data subjects are covered by our video surveillance.
Prior to entering the recording perimeter, warning notices are set up, which contain all important information regarding the processing of personal data via video surveillance.
The recordings may be provided to the competent authorities on request (for example the police) if necessary for proceedings under applicable regulations.
We keep the recordings obtained through video surveillance for 1 (one) month, or at most up to 6 (six) months, unless applicable regulations define a longer retention period or if they are evidence in court, administrative, arbitration or other equivalent proceedings.
SOCIAL NETWORKS
SDA has accounts on the following social networks: https://www.instagram.com/aelia_duty_free_zagreb/ and https://www.facebook.com/Aelia-Duty-Free-374708259781009.
The privacy policies of social networks on which SDA has accounts may differ from our privacy policies. All information that you provide to us through the social network, as well as all communication through the social network is at your own risk. SDA is not responsible for the actions of users of the social network, as well as for the actions of the social network itself. Your interaction with the social network in relation to the processing of your personal data is governed by the privacy policy of that social network.
LEGITIMATE INTEREST AS LEGAL BASIS
SDA uses legitimate interest as a legal basis for certain processing of your personal data. In the previous paragraphs of this Privacy Policy, we specify for which categories of data subjects and personal data, and for which purposes we use legitimate interest as a legal basis.
Prior to the processing of your personal data whose legal basis is our legitimate interest, we consider your interests and fundamental rights and freedoms, as well as your reasonable expectations regarding the processing of personal data in our mutual relationship.
Our legitimate interest may vary, depending on business process, i.e. depending on data processing in question.
OBLIGATION TO PROVIDE PERSONAL DATA
If providing personal data is your legal or contractual obligation or a condition necessary for the conclusion of the contract, when collecting your personal data we will clearly inform you whether the provision of personal data is mandatory or not, and what the possible consequences are if you do not provide personal data.
RECIPIENTS OF PERSONAL DATA
When disclosing your personal data to the recipients, we make sure that we have a valid legal basis, and that the business processes of the recipients are compliant with the General Regulation and other regulations on the protection of personal data.
Also, when applicable, relations with recipients regarding the processing and protection of personal data are regulated in detail by a special contract – data protection agreement (as an addition to the initial business contract).
Recipients of your personal data, among others, can be our processors who provide us with services necessary for our daily business, such as our external associates who provide us with additional operational support like maintenance and upgrades of information systems and software solutions, installation and management of the video surveillance system and the like.
Recipients of your personal data, among others, may also be other independent data controllers who provide us with services important for our lawful business, and other services necessary for our daily business, such as providers of services for bringing our business into compliance with applicable regulations like legal advice, tax consulting, auditing, but also temporary employment agencies (assignment of temporary workers) and the like.
Recipients of your personal data, among others, may be competent authorities acting within their legal authority and may process your personal data on the basis thereof. SDA has a legal obligation to disclose your personal data to competent authorities as recipients of your personal data (conducting surveillance, conducting inspections, filing or defending against legal claims, etc.).
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Currently, in our daily business operations, SDA does not transfer, and avoids transferring, your personal data to third countries or international organizations. All countries that are not members of the European Union are considered third countries.
In the future, if your personal data is transferred to third countries or international organizations, we will inform you in time about all the details of the transfer (including which third countries and international organizations are in question), and the relevant protective measures we use.
In case of transfer of your personal data to third countries or international organizations, we use two steps to authorize the transfer in question. The first step consists of identifying the legal basis of the transfer (including your consent if there is no other relevant legal basis), while in the second step we provide additional protective measures for the transfer, all in accordance with the provisions of Chapter V of the General Regulation.
SECURITY AND PROTECTION OF PERSONAL DATA
When determining the means and methods of processing, and during the processing itself, SDA implements appropriate technical and organizational measures to protect your personal data, while taking into account the latest achievements, the cost of implementation, and the nature, scope, context and purposes of the processing.
Our technical and organizational measures ensure the effective application of personal data protection principles, such as the data minimization principle, the principle of purpose limitation, the principle of integrity and confidentiality, etc.
We are constantly reviewing and improving all our technical and organizational measures to ensure that they are appropriate and up to date.
We divide our technical and organizational measures into 3 (three) groups: measures to ensure confidentiality, measures to ensure integrity and measures to ensure the availability of personal data, and the resilience of our processing systems.
Measures to ensure the confidentiality of your personal data include, but are not limited to, general physical access control, general logical access control, special access control to personal data, separation of personal data, etc.
Measures to ensure the integrity of your personal data include, but are not limited to, control in the case of personal data transfer, control when entering personal data into our processing systems, etc.
Measures to ensure the availability of your personal data and the resilience of our processing systems include, but are not limited to, availability control, resilience of our processing systems, periodic audits, assessments and evaluations of our business in relation to personal data protection, etc.
RETENTION PERIODS
The retention periods of your personal data vary depending on the categories of personal data we process, the purposes and legal bases of the processing of your personal data (criteria we use when determining the retention periods for personal data). We also always keep the retention period for your personal data to a minimum (the "storage limitation" principle).
Below are the general retention periods defined by the legal basis for the processing of your personal data, but please be aware that the retention periods may vary depending on the specific processing situations.
If you would like more detailed information about the retention periods, you can always contact our Data Protection Officer.
When the applicable regulations define the period in which we are obliged to retain your personal data, we retain them in the period defined by the applicable regulations and delete them in an additional period of 1 (one) month.
When we have signed a contract with you and when there is no retention period for your personal data defined by the applicable regulations, we retain them for the entire duration of our contractual relationship, and delete them in an additional period of 1 (one) month from the date of termination of the contractual relationship.
When we process your personal data based on the legal basis of our legitimate interest, we retain your personal data for the entire period of existence of our legitimate interest, and delete them in an additional period of 1 (one) month from the end of the existence of our legitimate interest.
When we process your personal data based on your consent, we retain them until you withdraw your consent. When you withdraw your consent, we delete your personal data in the shortest possible period. If you have given us your consent for a certain period, at the end of the period in question, we delete your personal data in the shortest possible time.
We store certain business documentation that may contain some of your personal data (for example contracts, addendums to the contract, statements, confirmations, etc.) permanently as part of our business documentation or for a longer period as proof of the existence and termination of our relationship, and for filing or defending against legal claims.
YOUR RIGHTS
As a data subject whose personal data we process, you can exercise the rights listed and described below.
You can exercise some rights only under certain conditions in accordance with the provisions of the General Regulation; those are the exceptions to the exercise of rights. For example, you cannot exercise the right to erasure under certain conditions defined in Article 17(3) of the General Regulation.
You can exercise your rights by sending a request to our Data Protection Officer at the address of our registered seat or by e-mail at the address: dpo@sdacroatia.com.
In order to be able to act on your request and provide you with accurate and complete information in the shortest possible time, we ask that your request contains the following: necessary information about your identity (name, surname, OIB - PIN, etc.), the name of the rights you wish to exercise (see the names and rights descriptions below), a detailed description of your request, and information about the contact to which you want us to deliver our response (for example email address, mobile phone number, etc.).
When submitting your request, in case of a doubt regarding your identity, we have the right to ask you to provide additional information necessary to confirm your identity.
We respond to your request within one month from the date of receipt of your request. We can extend the deadline for an additional 2 (two) months if the request is complex or if you have submitted more than one request. We will inform you in time about the extension of the deadline for responding to your request, and about the reasons for the extension.
All information we provide to you in relation to your request, as well as our communication, is provided free of charge. However, if we repeatedly receive your unfounded and excessive requests, we may charge a reasonable fee for our administrative costs incurred when providing the information and acting on the request.
When you exercise your rights by submitting a request, we process your personal data so that we can comply with your request, all in accordance with the provisions of the General Regulation.
Right of access - as a data subject, you have the right to obtain the confirmation as to whether we are processing your personal data and, if we do, access to your personal data and relevant information. We also provide a free copy of your personal data we process if this does not adversely affect the rights and freedoms of others.
Right to rectification - as a data subject whose personal data we process, you have the right to obtain the rectification of your inaccurate personal data. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed including by means of providing a supplementary statement.
Right to erasure ("right to be forgotten") - as a data subject whose personal data we process, you have the right to obtain the erasure of your personal data if one of the conditions from Article 17(1) of the General Regulation is met. Please note that the right to erasure cannot be exercised under certain conditions defined in Article 17(3) of the General Regulation.
Right to restriction of processing - as a data subject whose personal data we process, you have the right to obtain a restriction of the processing of your personal data if one of the conditions from Article 18(1) of the General Regulation is met.
Right to data portability - as a data subject whose personal data we process, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transfer them to another controller if the processing of your personal data is based on consent or a contract and the processing is carried out by automated means.
Right to withdraw consent - as a data subject whose personal data we process on the legal basis of consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing your personal data based on consent before its withdrawal.
Right to object - as a data subject whose personal data we process, you have the right, based on your particular situation, to object to the processing of your personal data, which we process based on our legitimate interest and / or for direct marketing purposes, which includes creating a profile.
Right to object to a supervisory authority - as a data subject whose personal data we process, you have the right at any time to object to an independent public authority for the protection of personal data. The independent public authority in the Republic of Croatia is the Personal Data Protection Agency (AZOP), with its registered seat at Selska cesta 136, 10000 Zagreb, Croatia. You can contact AZOP by e-mail at azop@azop.hr, by calling 00385 (0)1 4609-000 or in writing to the address of its registered seat. You can find more information about AZOP on their website www.azop.hr.