Privacy Policy
Introductory Provisions
At Ban Tours, we value your privacy and attach particular importance to the protection of your personal data.
Through this document, we wish to explain which personal data we process and why, as well as how we handle the personal data we process.
We collect and process your data solely for the purpose of providing our services in a high-quality manner, in a lawful, fair, and transparent way. We process only the data necessary for the provision of a particular service, ensuring appropriate protection at all times.
Such personal data primarily relate to natural persons with whom Ban Tours has a business relationship or a legitimate interest in contacting (clients, suppliers, business partners, employees, etc.).
When the need to process your personal data ceases, we delete all personal data or anonymize them using appropriate technical solutions, after which they are used exclusively for statistical purposes.
We collect and process personal data in accordance with our core values and principles, this Privacy Policy, and applicable European and Croatian regulations relating to personal data protection.
This Privacy Policy applies equally to personal data in digital/electronic form and to personal data in printed (paper) form, regardless of whether they are printouts of digital/electronic records.
Terms used in this Privacy Policy that have gender meaning apply equally to all genders.
Principles
When processing personal data, we are guided by the principles and rules established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR).
When processing personal data, we observe the obligation of professional secrecy as regulated by European Union law and the law of the Republic of Croatia.
We process personal data exclusively:
- lawfully, fairly, and transparently;
- for specific, explicit, and legitimate purposes;
- using only accurate, up-to-date, relevant, and limited data necessary for the purpose for which they are processed;
- only for as long as necessary to fulfill the purpose of processing; and
- by protecting them against unauthorized or unlawful processing, accidental loss, destruction, or damage.
We process personal data of individuals under 16 years of age only based on parental or guardian consent and only to the extent and scope for which consent was given.
When engaging data processors, we always do so on the basis of a written contract, ensuring they guarantee the same level of personal data protection as Ban Tours.
Confidentiality and Security
We treat all personal data confidentially, ensuring an appropriate level of security and protection. We do not collect, process, or otherwise use personal data in any unauthorized manner.
Ban Tours employees protect personal data as a business secret, even after termination of employment.
Employees process only the data they are authorized to process, within the limits of their authorization, and exclusively for the purpose for which the data were collected.
We follow the “need-to-know” principle to ensure that only authorized employees have access to specific personal data for a defined period of time.
Before introducing new technologies that may be used for personal data processing, we conduct thorough analysis and adjust technical and organizational measures to ensure the highest standards of data protection.
Employee Guidelines
Employees of Ban Tours act in accordance with this Privacy Policy and applicable data protection regulations in their daily work.
Access to personal data is granted exclusively to employees who require such access to perform their duties. Personal data are not shared informally among employees; each access request must be made to the responsible person.
Ban Tours organizes training at least once a year or otherwise informs employees of their obligations and applicable data protection regulations, following best practices and recommendations of the Croatian Personal Data Protection Agency and other competent EU authorities.
Employees take appropriate organizational and technical measures to minimize risks to personal data, including:
- using strong passwords known only to them;
- regularly reviewing data accuracy and deleting or anonymizing unnecessary or outdated data;
- locking computers when unattended;
- ensuring personal data are not disclosed to unauthorized persons;
- seeking advice from the responsible person in case of uncertainty.
Data Storage
We ensure appropriate storage of personal data, whether in paper or digital form.
Paper records:
- are stored in locked drawers or cabinets accessible only to authorized persons;
- are not left visible or accessible to unauthorized persons;
- are destroyed using shredders or other secure methods when no longer needed.
Digital records are protected against unauthorized access, alteration, or deletion through:
- strong passwords that are changed regularly;
- secure storage of portable media;
- use of official media, servers, or selected cloud services with appropriate safeguards;
- secure server locations;
- regular backups;
- avoidance of storing personal data on mobile devices unless strictly necessary;
- prohibition of storing personal data on personal computers;
- encryption programs, firewalls, and other technical safeguards.
Data Processing
We process personal data lawfully in accordance with GDPR and national legislation. Processing is primarily based on contractual necessity, legal obligations, legitimate interest, or consent.
Special categories of personal data are processed with particular care.
We do not use automated decision-making, including profiling, that produces legal effects or significantly affects individuals.
Personal data are collected directly from data subjects, who are informed about the purpose and legal basis of processing.
Data transfers are carried out using appropriate safeguards, including encryption. Personal data are never sent in plain email text but only as encrypted attachments or secure links.
We do not disclose personal data to third parties without explicit consent unless necessary for providing contracted services or fulfilling legal obligations.
International Transfers
We do not transfer personal data to third countries or international organizations unless necessary for contracted services, legally required, or upon explicit request and consent.
Any such transfer is based on:
- European Commission adequacy decisions;
- appropriate safeguards (binding corporate rules, approved codes of conduct, etc.);
- effective legal protection mechanisms in the third country.
Court or administrative decisions of third countries do not bind us unless based on an international agreement binding the Republic of Croatia.
Accuracy and Updates
We take appropriate measures to ensure personal data are accurate and up to date.
Data are stored in as few locations as necessary, and unnecessary copies are avoided.
If data are found to be inaccurate and cannot reasonably be updated, they are deleted.
Retention and Deletion
Personal data are retained only as long as necessary for the purpose of processing or as required by law, after which they are deleted or anonymized.
We conduct reviews twice a year to ensure unnecessary data are removed.
Data may exceptionally be retained longer if required by law, court order, or to protect vital interests.
Data Subject Rights
Data subject rights are of utmost importance to Ban Tours.
Under GDPR, you have the right to:
- obtain confirmation whether your data are processed;
- access your personal data;
- request rectification, erasure, restriction of processing, or data portability.
You may contact our Data Protection Officer at:
gdpr@bantours.hr
Information is provided electronically and free of charge. In cases of repeated or excessive requests, a fee of HRK 200 may be charged to cover administrative costs.
You may withdraw your consent at any time and request that we stop processing your personal data for marketing purposes.
If you believe your rights have been violated, you may contact the Croatian Personal Data Protection Agency:
www.azop.hr
This Privacy Policy is updated as necessary and at least once per year, in line with best practices and developments in data protection.