Privacy Policy

Introduction

This Policy represents an internal act of Adriatic Signature d.o.o., defining the principles, rules, and obligations related to the collection, use, and protection of personal data. It is adopted to ensure compliance with the laws of the Republic of Croatia and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and serves as the foundation for internal control and external transparency in personal data processing.

1. General Provisions

This Policy regulates the rules and procedures regarding the protection of personal data processed by Adriatic Signature d.o.o. (hereinafter: the Agency) in the course of its operations. The Agency is committed to protecting the privacy and personal data of its clients, employees, and other individuals, ensuring their security and lawful processing.

2. Definitions

• Personal data: Any information relating to an identified or identifiable natural person, including but not limited to name, address, contact details, identification documents, travel data, and financial information.
• Data processing: Any operation or set of operations performed on personal data, such as collection, storage, use, transfer, disclosure, deletion, or destruction.
• Data controller: Adriatic Signature d.o.o., which determines the purposes and methods of personal data processing.
• Data subject: Any natural person whose personal data is being processed.
• Processing of sensitive data: Processing of special categories of personal data, such as health data, genetic or biometric data, etc.

3. Purpose and Legal Basis for Data Processing

The Agency processes personal data for the following purposes:

• Organizing and providing travel services and arrangements
• Fulfilling contractual obligations with clients
• Communicating with clients, providing customer support and information
• Complying with legal obligations towards authorities and regulators
• Conducting marketing activities and promotions, based on freely given prior consent
• Maintaining internal records and analyses to improve services

Legal bases for data processing include one or more of the following:

• Explicit consent of the data subject
• Performance of a contract between the Agency and the client
• Compliance with legal obligations
• Legitimate interests of the Agency, provided that such interests are not overridden by the data subject's rights and freedoms

4. Types of Personal Data Processed

The Agency may collect and process the following types of personal data:

• Personal identification data: name, surname, date of birth, OIB (Croatian personal ID number), passport or ID number
• Contact details: address, phone number, email address
• Booking and travel information: travel dates, destinations, accommodation, special requirements
• Financial data: data necessary for payment processing
• Sensitive data: health information and dietary requirements voluntarily provided by the client
• Data collected via the website, newsletter subscriptions, or promotional activities

5. Methods of Data Collection

Personal data is collected in the following ways:

• Directly from clients during bookings, communication, or service provision
• Via the website and digital channels, including newsletter sign-ups or promotional campaigns
• From third parties and business partners in accordance with legal regulations and for purposes related to the Agency's activities

6. Data Processing and Protection Measures

Adriatic Signature is committed to protecting the personal data of its customers by collecting only the essential and necessary information required to fulfill our obligations. Customers are informed about how their data is used and are regularly given the option to decide on the use of their data, including the choice to have their name removed from marketing campaign lists.

All customer data is strictly safeguarded and accessible only to employees who need it to perform their job duties. All Adriatic Signature employees and business partners are responsible for upholding the principles of data privacy protection.

The Agency processes personal data in accordance with the GDPR principles:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy and updating of data
• Storage limitation
• Integrity and confidentiality

The Agency implements appropriate technical and organizational measures to prevent unauthorized access, loss, or alteration of personal data.

7. Rights of Data Subjects

Data subjects have the following rights under the GDPR:

• Right of access – to know what data is being processed
• Right to rectification – to correct inaccurate or incomplete data
• Right to erasure (right to be forgotten) – to request data deletion when there is no legal basis for retention
• Right to restriction of processing – in certain circumstances
• Right to object – particularly regarding direct marketing or legitimate interests
• Right to data portability – to receive data in a structured, commonly used format and transfer it to another controller
• Right to withdraw consent – at any time, without affecting the lawfulness of prior processing
• Right to lodge a complaint – with the Agency and the Croatian Personal Data Protection Agency (AZOP)

8. Data Retention Period

Personal data is retained:

• As long as necessary to fulfill the processing purpose
• In accordance with applicable laws (e.g. accounting and tax regulations)
• After that, data is either securely deleted or anonymized

9. Data Sharing and Transfers

The Agency may share personal data with:

• Partners and service providers (e.g. hotels, transport providers, insurers)
• Data processors, such as IT support, payroll processors, hosting providers, under data protection agreements
• Public authorities, when legally required

If data is transferred outside the EU, the Agency ensures appropriate safeguards in compliance with the GDPR.

10. Security Measures

The Agency implements:

• Technical measures: encryption, password protection, firewalls, regular security audits
• Organizational measures: employee training, privacy policies, access controls
• Incident response procedures in case of personal data breaches

11. Use of Cookies

The Agency's website uses cookies for the following purposes:

• Enhancing user experience
• Traffic analysis
• Delivering personalized content

By using the website, users agree to the use of cookies. Cookie settings can be adjusted in the user's browser at any time.

12. Contact and Exercising Data Subject Rights

For any questions, requests, or complaints regarding personal data protection, data subjects can contact the Data Protection Officer:

13. Amendments and Updates to the Policy

The Agency reserves the right to amend this Policy in accordance with legal changes and operational needs. Data subjects will be notified of all changes via the Agency’s official communication channels.