Privacy policy
INTRODUCTION
This document provides information on data processing that PassSport (as specified below under data controller) performs in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament an of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “GDPR“), as well as in accordance with the Croatian Act of Implementation of the GDPR. Privacy Policy provides information in accordance with Articles 13 and 14 of the GDPR, i.e. information about how we process your personal data, how to exercise your rights regarding personal data processing, as well as other important information in accordance with the positive regulations governing the field of data protection. This Information on the processing of personal data applies to any user who has requested or received a service from PassSport, all users of the PassSport website and mobile application (the “Platform”), as well as to all other individuals who are in any way connected or will be connected with PassSport.Your security matters and we therefore strive to process your personal data as legally, fairly and transparently as possible, while protecting the privacy of your personal data from unauthorized or illegal processing, applying high technical, security and organizational protection measures.This Privacy Policy is based on the terminology used by the European legislature and legislature in the adoption of the GDPR. It should be easy to read and understand, both for the public and for our customers.
DATA CONTROLLER
PassSport LLC with registered seat at Republic of Croatia, 10000 Zagreb, Slavonska avenija 1C, Commercial court of Zagreb registration number (MBS) 081517678, Tax Identification Number (OIB) 48759490829, email: info@passsport.com (the “PassSport”).
PERSONAL DATA, MANNER AND PURPOSE OF PROCESSING
Personal data are any data referring to an individual whose identity has been established or can be established. An identifiable individual is a person who can be identified directly or indirectly, in particular by means of an identifier (e.g. name, surname, identification number, location data, online identifier, bank account details or by one or more factors specific to that individual’s identity). A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.In order to establish a business relationship with you, provide you with PassSport service, and in other cases related to the business and services provided by PassSport, we process the following categories of personal data:
1) The data collected directly from you when you contact us and data from any communication you have with PassSport (orally, in writing, via digital communication channels). For example, when establishing a business relationship with you, handling the application procedure, opening your account, establishing and verifying your identity, we collect your personal data which is necessary for login into your account and the use of the Platform, such as basic identification data: name and surname, email address, mobile number, language and other user profile information. The refusal to provide this information results in the inability to enter into a specific agreement with PassSport and to use the PassSport services.
2) Data arising from the use of the Platform, such as IP address data and geolocation of service users. User may choose to disable geolocation on his/her device which will result in the inability to use the PassSport services.
3) PassSport processes the technical data of the system which is a prerequisite for your ability to use the service via remote communication means, such as the operating system you use, type of mobile device and/or computer, type and version of browser, language of browser and/or mobile device and, if necessary, it can process other data of this type.
4) The category of data arising from the processing of any data during the provision of PassSport services, such as time of entering sports and recreational facilities, number of visits to sports and recreational facilities, time spent on the Platform.
5) Data collected from third parties (employers of data subjects, sports and recreational partner facilities presented on the Platform, etc.) on the basis of a legal obligation or on another legal basis, as well as from publicly available sources, in accordance with applicable regulations.
LEGAL BASIS FOR DATA PROCESSING
Your personal data is processed when one of the following conditions is met:
1) Data processing is necessary for the performance of the contract in which the data subject is a party, i.e. data processing is necessary in order to enable the data subject to use the Platform and other services provided by PassSport at the request of the data subject or to take action at the request of the data subject prior to the conclusion of the contract (Article 6 Paragraph 1(a) of the GDPR). Providing personal data for this purpose is mandatory. If the data subject refuses to provide any of the information necessary for the purpose of concluding and performing a contract to which the data subject is a party, PassSport may not be able to provide certain services and may therefore refuse to enter into a contractual relationship.
2) Data processing is necessary to fulfil the legitimate interest of PassSport or third parties (Article 6 Paragraph 1(f) of the GDPR). Legitimate interest includes processing for purposes such as managing PassSport’s operational, reputational and other risks, taking measures to secure people and/or property, processing personal data for internal administrative purposes, and protecting computer and electronic communications systems. When processing the personal data of data subjects on the basis of a legitimate interest, PassSport always takes into account the interests and fundamental rights and freedoms of the data subject and in particular takes into account that their interests are not stronger than the interests of PassSport on which the processing of personal data is based.
3) Data processing is necessary to meet legal obligations, as well as acting in accordance with individual acts adopted by the relevant institutions of the Republic of Croatia or other bodies whose orders PassSport is obliged to act on by law or other regulations (Article 6 Paragraph 1(c) of the GDPR).
4) The data subject granted consent to the processing of their personal data for one or more special purposes (Article 6 Paragraph 1(a) of the GDPR). PassSport shall seek consent for purposes such as providing information about PassSport’s offers, in which case PassSport may provide the data subject with offers and benefits related to new or already agreed PassSport services and for direct marketing purposes to develop a business relationship with PassSport, participate in market research, as a result of which PassSport may invite the data subject to express their opinion on PassSport, the Platform and other services in occasional surveys. Consent is voluntary and the data subject may at any time withdraw the previously given consent for the purpose of marketing and market research. In that case, the personal data relating to the data subject shall not be processed for that purpose, unless we can prove compelling legitimate grounds for processing. Withdrawal of consent shall not affect the lawfulness of the processing of personal data on the basis of consent prior to its withdrawal.
AUTOMATED DECISION-MAKING, INCLUDING PROFILING
In the case of automated decision-making, including profiling, Article 22 of the GDPR gives you the right not to be subject to a decision based solely on the automated processing of your personal data, including profiling, unless this decision is necessary for the conclusion or performance of an agreement between you and PassSport, permitted by Croatian law. In cases where automated processing of personal data is necessary for the conclusion or performance of an agreement and based on the explicit consent of the data subject, PassSport, as the controller, implements appropriate measures to safeguard the rights and freedoms and legitimate interests of data subjects, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
COOKIES
We use cookies on our Platform. Cookies are small files that are automatically created and stored on your IT system (personal computer, tablet, mobile phone, etc.) when you visit our Platform. Information generated from the specific device used is stored in cookies. The use of cookies helps us make it more convenient for you to use PassSport service. We also use temporary cookies to optimise user-friendliness. These cookies are stored on your device for a specific period of time. If you return to our Platform to use our services, cookies allow us to automatically recognise that you have visited our Platform previously and remember the inputs and settings you have made so that you do not have to enter them again. We also use cookies to statistically record the use of our Platform and analyse it for the purpose of optimising our services. The data processed by cookies, which are required for the proper functioning of the Platform, are to safeguard our legitimate interests pursuant to Article 6 Paragraph 1 Sentence 1(f) GDPR.
PERSONAL DATA STORAGE PERIOD
PassSport stores personal data for as long as necessary to fulfil contractual and legal obligations. In situations where no retention period is prescribed by the law for a particular data processing, PassSport, defines the retention period and the data is always retained for as long as necessary for the purposes for which they are processed, including for the period established by law for filing or defending the appropriate legal actions (e.g. personal civil actions, personal information criminal actions, accounting and tax procedures). The maximum period may therefore vary per use. After a user has deleted their user account personal data may be stored only as long as such processing is required by law or is reasonably necessary for our legal obligations or legitimate interests such as claims handling, bookkeeping, internal reporting and reconciliation purposes.
RECIPIENTS OF YOUR PERSONAL DATA
PassSport may provide information to third parties based on the consent of the data subject or the performance of an agreement to which the data subject is a contracting party or performance of an agreement that is necessary for performance of PassSport service or the provisions of laws and regulations. This applies, for example, to employers of data subjects, sports and recreational partner facilities, IT services, advisory and consultancy services, sales and marketing services and law firms.Please note that all persons who, due to the nature of their work with or for PassSport, have access to personal data, are equally obliged to keep this data in accordance with contracts on data processing concluded with PassSport, in accordance with the GDPR, as well as other applicable and binding laws and bylaws adopted on the basis of these laws. Personal data may be transferred to a third country or international organization on the basis of a decision of the European Commission that the third country, area of work or one or more specific sectors within that third country or international organization ensures an adequate level of personal data protection.
YOUR RIGHTS AS A DATA SUBJECT
Each data subject whose personal data is processed by PassSport has the following rights:
1) The right to information in accordance with the provisions of Article 15 of the GDPR – allows the data subject to find out whether his/her personal data are being processed, i.e., the data subject has the right to receive confirmation from PassSport on whether his/her data are being processed, the purpose of processing, categories of personal data, recipients or categories of recipients, the intended period in which the data will be stored, etc.
2) The right to rectification of data in accordance with the provisions of Article 16 of the GDPR – allows the data subject to request the rectification of inaccurate or incomplete personal data referring to him/her.
3) The right to erasure (”the right to be forgotten“) in accordance with the provisions of Article 17 of the GDPR – allows the data subject to request the erasure of personal data, whereby PassSport may not delete the data subject’s personal data if the processing is necessary (e.g. compliance with the prescribed data retention obligation or in case of setting, enforcing or defending legal claims).
4) The right to restrict processing in accordance with the provisions of Article 18 of the GDPR – allows the data subject to request a restriction on the processing of personal data, for example in case the data subject disputes the accuracy of personal data or considers the processing to be illegal.
5) The right to data transferability in accordance with the provisions of Article 20 of the GDPR – allows the data subject to transfer data to another data controller. It should be noted that the right to transferability applies only to the personal data of the data subjects provided personally to PassSport and when it is technically feasible.
6) The right to object in accordance with the provisions of Article 21 of the GDPR – allows the data subject to object to the processing of personal data if the processing is done in the public interest or is necessary for the legitimate interest of PassSport (including profiling) or if the data subject’s data is processed for direct marketing purposes. PassSport shall refrain from further processing of the personal data of data subjects, unless it proves that there are compelling legitimate reasons for the processing (grounds whose significance goes beyond the interests, rights and freedoms of the data subjects) or if the processing is necessary to set, enforce or defend legal claims.
7) The right to revoke the consent – allows you to revoke any consent to the processing of personal data at any time with future effect.
8) The right to lodge a complaint to the supervisory authority in accordance with the provisions of Article 77 of the GDPR – allows the data subject to contact the Agency for Personal Data Protection, Selska cesta 136, 10000 Zagreb, Croatia.
EXERCISE OF DATA SUBJECT’S RIGHTS
To exercise their rights in relation to the protection of personal data, the data subjects have at their disposal PassSport employees from the customer support department who can be contacted in writing via e-mail: gdpr@passsport.com.
PRIVACY POLICY CHANGES
We regularly update the privacy policy to make it accurate and up-to-date, and we reserve the right to change its content if we deem it necessary. You will be informed about any changes in a timely manner via our Platform in accordance with the principle of transparency.
Enacted 1.12.2023.