All companies that, as a data processing manager, act as part of the group "Sub Rosa" (hereinafter referred to as "Sub Rosa"), are concerned with the security and protection of your personal data when collecting, processing, using and possibly delivering to third parties and executives in order to process requested services.
Data protection is conducted in accordance with the provisions of the General Regulation on data protection 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter: the General Regulation), the Implementation of the General Data Protection and Electronic Media Act (hereinafter: Laws) and the Book of Rules on the Collection, Processing, Use and Protection of Personal Data (hereinafter: the Ordinance).
For this purpose, in cooperation with relevant agencies and services, a web site owned by "Sub Rosa d.o.o." Trumbićeva Obala 17, 21000 Split, Croatia with an integrated online car booking system was created.
Data processing is performed in the Republic of Croatia or in the EU member states, and in third countries it is possible only on the basis of the EU Commission decision on adequacy, with the application of Art. 45 of the General Regulation.
By entering our website at www.subrosa.rent, you give your consent to dealing with your information as described in this Statement, therefore you are advised to read the text below.
DATA COLLECTING
Information you voluntarily provide, either personally on paper or online, pursuant to Art. 6, sec. 1, al. (b) of the General Regulation may relate to the execution of a contract at the request of the respondent for the purpose of booking a car rental, submitting various requests, inquiries and privileges or seeking information, as well as submitting a complaint to the service.
For the purpose of realizing any of the above mentioned services, you may be asked for the following information: name and surname, date of birth, personal identification number, address of residence, email address, phone number and/or credit/debit card information (for card payment).
The information we collect about you from other sources may refer to: your visit to one of our web sites; when we work with business partners and agencies for the purpose of selling our/their services exclusively related to transportation; when cooperating with online payment authorization providers.
The data we do not collect and do not process are: data that technical devices can record when using our web pages and wi-fi services in the car; special categories of personal data or sensitive personal data in the sense of Art. 9 of the General Regulation (origin, political or other affiliation, membership in associations, etc.); information about a child under 16 years of age is not collected without the parents' consent, and we pay particular attention to this.
LEGAL BASIS AND PROCESSING PURPOSE
We will process your information in order to achieve the purpose and perform the services you have requested, realize the contract or your request, and if there is a legitimate interest that is not against the interests of protecting your personal information.
All the personal information you provide is necessary for the purpose of executing a rental agreement or online payment, and for the fulfillment of our legal obligation when we, as a processing manager, are obliged to respond to inquiries or complaints.
EXCHANGE OF COLLECTED DATA
Some of your collected personal data will be forwarded for processing for specific purposes to the following categories of recipients:
a) Online Payment Service CorvusPay d.o.o., Buzinski prilaz 10, 10010 Zagreb, Croatia, as processing executor.
In the process of booking a vehicle, we provide this online credit card authorization service with your personal information: name and surname, phone contact details, email address and address of residence. We do not store your payment card number because payments are only made via CorvusPay.
CorvusPay is in compliance with PCI DSS and GDPR standards. The user's personal information is used solely for the execution of the basic contract.
On CorvusPay's webpage you can find their "Privacy Notice".
b) To the competent supervisory body in the performance of its duties aiming to establish the security of processing, in accordance with the General Regulation and the Law.
The processing manager processes the collected data in accordance with Art. 28 of the General Regulation, which specifically regulates the process of data processing on behalf of the processing manager.
SECURITY
"Sub Rosa" shall carry out the appropriate technical and organizational measures to ensure that in an integrated manner only the personal data necessary for each particular purpose of processing are processed.
The entry and transfer of personal data and credit card number data is protected by an SSL protocol (128/256-bit encryption) provided by the SSL certificate issued by RapidSSL.
Authorization and credit card payment are done using the WSPay system for real-time authorization and billing.
In accordance with PCI DSS standards, CorvusPay protects your data transfer and privacy with TLS 1.2 cryptographic protocols.
DATA PRESERVATION
The processing manager keeps the data as necessary to fulfill the purpose for which they were collected and to respect the prescribed deadlines for keeping under the Companies Act, the Accounting Act, the General Tax Code and the Ordinance, as follows:
- all documents and data on passengers and customers such as incoming and outgoing invoices, calculations, contracts and other duplicate acts, decisions and solutions - 11 years;
- all correspondence, memos and papers including emails - 5 years;
- passenger consents and privileges as well as inquiries and requested information - 2 years;
- objections and correspondence with passengers on complaints - 1 year after termination of the procedure;
- records of objections - 2 years.
RIGHT TO ACCESS, COMPLAINTS AND DATA PROTECTION
In order to inform you of all aspects of the processing of the data provided, you have the right to free access to all the information we have about you, the right to delete them, limit the processing, correction and referral on the basis of the General Regulation, the Act and the Ordinance. Also, in accordance with the aforementioned, you have the right at any moment to withdraw the privilege that you have given us, which will in no way have any negative impact on the exercise of your rights and legitimate interests.
We will answer all your inquiries regarding the protection of your rights and the use of our services without unnecessary delays, at the latest within 30 days.
For all questions about your data and processing for the foregoing purposes, please contact us at "Sub Rosa d.o.o." Trumbićeva obala 17, 21000 Split, Croatia or by e-mail: subrosa@subrosa.hr or tel: 00385 21 399 000.
Anyone who finds that a right guaranteed to him/her by the General Regulation or the Law has been violated may submit a request for establishing a violation of the right to the Personal Data Protection Agency, 14 Martićeva street, Zagreb 10000, www.azop.hr, tel: 01/4609 000 or via e-mail: azop@azop.hr.