INTRODUCTION (Ref [1])
The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data. The new data protection package adopted in May 2016 aims at making Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed. Regulation (EU) 2016/679 (Ref [2]) is the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens. The regulation came into force on 24 May 2016 and will apply from 25 May 2018. The GDPR replaces the 1995 Data Protection Directive.
GDPR IN OUR HOUSE – IN PRACTICE
We do not have a Data Protection Officer (DPO) because we are a small business handling a small amount of personal data. The GDPR Controller is Vedran. The Processor is your host; most of the time it will be Ranko, and in other cases Jasminka or Vedran. A Data Protection Impact Assessment (DPIA) is not needed.
When you make a reservation, we will copy your name, your country, your email address and your mobile phone number and paste this data into an Excel file which is saved on Google Drive. This file can also be found on our laptops or mobile phones. In the period from reservation to your arrival, we will collect information about your transportation type, your arrival time (maybe your flight number), the number of people arriving (adults, kids, age of kids) and your preferences and expectations during your holiday. All the data we collect is also stored in the same Excel file under your reservation ID. All personal data collected up to this point is used to prepare everything needed for your holiday and to make it unforgettable. All this data will remain in our Excel file until you formally ask us to delete it. We save it for your future stays in our house. Your personal data (this Excel file) is only accessed by members of our family; we do not share it with anyone else.
Finally, when you arrive at our house you will fill in the “Property handover form”, where you will leave your name and mobile phone number with your host (and he will also give you his name and mobile phone number) so that you can communicate directly during your stay. If you do not give us your GSM number, we will not be able to give you the keys ☹. Completed “Handover forms” are stored physically in the registrar for 5 years.
Additionally, according to local law (Ref [4]) we are obliged to identify all guests and store your personal data in eVisitor (Ref [5]; in summer 2015 eVisitor was not yet in service, so all personal data of guests who stayed in our house in 2015 is stored in the Excel file mentioned above). So that we can identify our guests, they show us an identity document issued by their government (personal ID card or passport). From this document we read (we do not copy, scan or take photos of your documents) your personal data and store it in the eVisitor system. The personal data we read and store according to our local law are name, surname, sex, date, country and city of birth, citizenship, document type and number, country, city and home address. If you give us formal and written permission (we will give you a form which you can sign if you want), we will store your email address and phone number in eVisitor together with the mandatory personal data (mentioned above) that we need to collect from you. Also, if you give us permission, we will use your email address and phone number for sending greeting cards, news and offers. For each of these types of message, you will be able to sign up in formal and written form.
TO SUMMARIZE
WHO IS COLLECTING
- Ines and/or Vedran during the reservation phase
- Ranko, Jasminka or Vedran during the check-in phase
WHO IS USING
- our family members, Jasminka, Ranko, Ines, Šimo, Vedran and Nikolina
WHAT DO WE COLLECT
- reservation phase: name, country, email address, mobile phone number, transportation type, arrival time, number of people arriving, age of kids, your preferences and expectations during your holiday
- check-in phase: name, surname, sex, date, country and city of birth, citizenship, document type and number, country, city and home address, mobile phone number (mandatory) + email address (optional)
WHERE DO WE STORE IT
- reservation phase: Excel file on Google Drive and on our personal laptops and mobile phones
- check-in phase: eVisitor (Ref [5], everything except GSM number) + registrar (name, GSM number)
WHY DO WE COLLECT
- reservation phase: to prepare everything needed for your holiday and to make it unforgettable + to be able to provide “Special offer for old-guests” to you in future years
- check-in phase: according to local law (Ref [4], eVisitor) + to be able to have direct communication between guest and host (registrar)
HOW DO WE COLLECT
- reservation phase: we get it from the booking agency you used to make the reservation and from direct communication with you
- check-in phase: you show us your ID cards and confirm to us your mobile phone number
PERMISSIONS
- reservation phase: if you give us formal and written permission we will use your email address and mobile phone number to send greeting cards, news and offers
- check-in phase: for mandatory personal data (except GSM number) we do not need to ask for your permission because collecting it is required by local law; for all other data (email and GSM number), you will give us formal and written permission
FOR HOW LONG DO WE STORE DATA
- Excel file: until you ask for deletion
- eVisitor: according to law (Ref [4], Article 6) personal data is stored for 10 years, but statistical analysis and data are stored forever
- registrar: 5 years
FORMAL and WRITTEN PERMISSION
- online – https://tinyurl.com/gdpr-kosalec
- offline – form “Permission to Process Personal Data”
YOUR RIGHTS
- to access your personal data
- to update your personal data
- to transfer your personal data
- to delete your personal data
- to withdraw given permission
REQUESTS, QUESTIONS & COMPLAINTS
Vedran Kosalec
GSM: 00385913653263
Email: vedran.kosalec@gmail.com
SUPERVISORY BODY
Croatian Personal Data Protection Agency
Telephone: 0038514609000
E-mail: azop@azop.hr
REFERENCES
- [1] https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
- [2] http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- [3] https://megabooker.hr/wp-content/uploads/2018/04/GDPR-za-Agencije-Hotele-i-Iznajmljivace.pdf (CRO)
- [4] https://narodne-novine.nn.hr/clanci/sluzbeni/2015_11_126_2395.html (CRO)
- [5] https://www.evisitor.hr/info/ (CRO)