PRIVACY POLICY

What are personal data and how do we collect them?

Personal data means information that can be used to ascertain your identity. Such information includes for example your name, address, post code, date of birth and gender, IP address, telephone number or your e-mail, payment information, etc.

Information that is not directly related to your actual identity (such as favourite websites or the number of website users) does not fall into this category.

We collect personal data upon the booking of tourism services, i.e. either in person at a branch office, via the call centre, on the website or in the application, or when you pay for services and when you participate in prize competitions or register for the newsletter. We also collect personal data when you visit our website.

We specifically collect the following categories of personal data:

• first and last name, home address, e-mail address, telephone number, information on age and gender, data on passports as appropriate (ID No., citizenship, date of expiry and country of issue), data on the means of payment and eventual other payment data as appropriate;
• information on potential special medical or dietary conditions for passenger with special health requirements or dietary needs;
• travel history and information on eventual additional services such as insurance, parking and the like;
• information on the use of our website or application;
• messages you exchange with us or send via SMS, e-mail, chatrooms, telephone calls or social media.

Why we need your personal data and how long do we keep them?

Your data may be used for the following purposes:

• to provide contractual travel services: we use the data you send us to provide tourism services related to your trip;
• for the purposes of communication relating to travel changes or the provision of assistance during the trip; these messages are not intended for marketing and cannot be deactivated;
• verification or authorisation of payments using credit or other payment cards: we use payment data for accounting, charging and auditing purposes as well as for detecting and preventing fraud;
• administrative and legal purposes: we use data for statistical and market analyses, system testing, customer surveys, quality control, maintenance and development or for dispute or claim resolution;
• immigration or customs control: we might be required to transmit your data to border control authorities, consulates for entry permits/visas and the like;
• security, health, administrative measures, crime detection and prevention: we may transmit your data to national or executive authorities in order to comply with legislative requirements;
• communication with customers: we use the data to strengthen customer relations and improve our services or your user experience;
• marketing: we will occasionally inform you about our offer via mail, telephone or e-mail. Each message will offer the option of rejecting the reception of future messages of this type. Rejection is highly straightforward, i.e. by a reply message or telephone call, which is completely free-of-charge for you.

Your personal data are processed exclusively based on the legal basis for the processing. The legal basis depends on the purpose, for which we obtained the data.

In the majority of cases, your personal data are processed for the purpose of fulfilling your travel contract.

Personal data may also be processed for the following purposes:

• compliance with a legislative requirement (e.g. immigration or customs requirements);
• notification about our offer (participation in prize competitions or registration for the newsletter) based on your personal consent;
• to protect your life interests or the interests of another person in emergencies;
• to fulfil the legal interests of the agency (notification about the agency's offer, statistical and market analyses, system testing, customer surveys, quality control, maintenance and development or for dispute or claim resolution).

We shall not store your data longer than required for the fulfilment of the purpose, for which they are processed. In order to determine a suitable retention period, we consider the scope, nature and sensitivity of personal data, the purposes, for which they are processed, and whether we can achieve these purposes by other means.

When determining a suitable retention period, we must consider the legal periods such as those laid down in the Value Added Tax Act, the statute of limitations or the period for the consideration of complaints.

When we no longer require your personal data, we will securely erase or destroy them.

To whom do we transmit your personal data?

We may transmit your personal data for the purposes outlined in these Rules to the following third parties:

• providers of tourism services, such as hotels, travel organisers, rent a car services providers, transport providers, guides and the likes;
• GDS reservation systems (Global Distribution System), through which we reserve tourism services (air transports, hotels, rent a car services, transfers, trips and the like);
• insurance companies - providers of tourist insurance either for travel cancellation, accident insurance or medical insurance with assistance (Coris, Europäische, etc.);
• debit or credit card companies that facilitate payments for us as well as ensure fraud prevention verification and may require information on the payment method and reservation of tourism services for the processing of payments or the assurance of the security of your payment transactions;
• consulates, immigration and customs authorities for the arrangement of entry permits, law enforcement authorities and tax authorities based on their respective written requests, judicial authorities and legal associates for the exercise of your legal rights relating to the contract we have concluded with you;
• confidential providers of services that we use for the management of our operations such as external IT experts, providers of cloud services, e-mail and SMS marketing providers and the providers of printed matter personalisation services for targeted marketing campaigns, whereby we require services providers to ensure the same level of data protection as ensured by the agency;
• for the purposes of using online services, we transmit your data to our online system providers (system hosting companies, online reservation tools, travel agency support systems ("Mid-Office Systems"), web analytics providers, global distribution systems and marketing providers). Our systems providers help us improve the systems and offer;
• as part of prize competitions, we transmit your data to relevant prize competition partners if so indicated in the prize Competition General Terms and Conditions.
• Social media: you may access third party online services via our website or application, or before accessing our website or application. If you are registered in your social media service accounts, we will obtain personal data, which you intend to share with us via the said social media services in accordance with privacy settings, which we do in order to improve and adapt your use of our website or application. We may also use social media plug-ins on our website or application. As a result, your information will be shared with your social media providers and perhaps presented in your profile on social networks that you wish to share with others in your network. If you wish to learn more about these procedures, please, see the privacy rules of these third party social media providers.

The agency offers tourism services practically everywhere in the world meaning that it is sometimes necessary to send personal data to third parties, which are listed in the first indent, outside the European Economic Area (EEA) for the purpose of fulfilling the travel contract. Because personal data protection in other countries is not as high as it is in the EEA, we request all service providers to process data securely and in accordance with the legislation on data protection applying in the Republic of Slovenia and in the EU.

In order to ensure the legality of data transmission outside the EEA, we use standard means for the protection of data outside the EEA.

We hereby explicitly declare that we do not sell personal data to third parties, which especially applies to addresses.

How do we protect your data?

When storing and disclosing your personal data, we adhere to strict security procedures and protect data from accidental loss, destruction or damage. The data you send us are protected with the SSL technology (Secure Socket Layer). SSL is a standard industry method for encoding personal data and credit card data so that they can be safely transmitted over the Internet.

All payment data are transmitted via the SSL through the dedicated network infrastructure (MPLS) and stored in accordance with the payment card industry's data security standards (PCI DSS).

In regards to the protection of data relating to your credit card, we would like to explicitly warn you that – when effecting payments online – these data must be entered exclusively in the reservation form fields which are dedicated for this purpose. We can only ensure secure handling of your data if you yourself observe the correct method of data entry.

We may disclose your personal data to third parties exclusively for the purposes outlined in these Rules. We request all third parties to have suitable technical and operational safeguards in place for the protection of your personal data in accordance with the Personal Data Protection Act and the GDPR.

Your rights arising from personal data protection

Under certain circumstances, you shall have the following rights under the law, i.e. the right to:

• request information on whether we hold personal data concerning you and – if so – which data we hold and why we retain or use them;
• request access to personal data, which enables you to receive a copy of the personal data concerning you and to verify whether we process them legally;
• request corrections to personal data concerning you, which enables you to correct incomplete or incorrect data;
• request the erasure of your personal data when there is no reason for the further processing or when you exercise your right to object to further processing;
• object to further processing of personal data when we rely on the legitimate interest (even in case of a legitimate interest of a thirds party), when there are reasons relating to your particular situation; irrespective of the provision of the preceding sentence, you shall have the right to object at any time if we process your personal data for direct marketing purposes;
• request the limitation of processing of your personal data, which enables you to terminate the processing of your personal data, e.g. if you want to ascertain their correctness or verify the reasons for their further processing;
• request the transmission of personal data in structured electronic format to another controller;
• withdraw consent you provided for the collection, processing and transmission of your personal data for a particular purpose; after receiving a notification of your withdrawal of consent, we will stop processing your personal data for the purposes, to which you have initially consented, unless we have another legitimate legal basis for doing so legally.

If you wish to exercise any of the abovementioned rights, send your request via e-mail to zasebnost@sonchek.com or via regular mail to the address Turistična agencija Sonček, d. o. o., Glavni trg 17, 2000 Maribor.

You do not need to pay a fee for limiting access to personal data or to exercise of any other right. However, we may charge a reasonable fee if your request for access is manifestly unjustified or excessive. Another option that we have is to refuse the request under such circumstances.

In case of the exercise of rights for such reasons, we may have to request certain information from you that will help us confirm your identity, which is only a security measure that ensures that personal data are not disclosed to unauthorised persons.

Cookies and website tracking

When visiting our website, your computer stores information in the browser software in the form of cookies. Cookies store information on your usage of the website that are then used by Turistična agencija Sonček, d.o.o. The use of cookies facilitates your use of functions as your computer is recognised by the website upon your next and subsequent visits which simplifies eventual re-entry of data.

Cookies that we use (small files containing configuration information) help us determine the frequency of use and the number of users of our website, while they allow you to use the entirety of our services. Cookies also enable us to send you personalized information in Sonček via e-mail, e.g. notifications about reservations, certain products or sales campaigns as well as recommendations about products or services that might be of interest to you.

Most of the browsers are set up to accept cookies automatically. Despite this however, you can turn of the acceptance of cookies or set up your browser so that it notifies you about the sending of cookies. There is also the option of deleting the stored cookies from your hard drive yourself at any time.

Cookies are absolutely required for making reservations. Our services can be used to a limited degree even without cookies.

If you require more information on cookies and on how to prevent the installation of cookies on your computer, visit the following website: http://www.allaboutcookies.org.

In order to monitor traffic patterns and website usage, we use tracking software that helps us develop the design and layout of the website. The abovementioned software does not enable recording of the passengers' personal data.

General information is stored (e.g. number of visitors and duration of the visit to individual pages, etc.) upon each access to the content of our online offer. These are not personal data and are therefore processed in anonymised form. We use these types of data exclusively for statistical purposes so they help us optimise our online offer.

Use of the Google Analytics service

This website uses the Google Analytics service, which is a service for web analytics provided by Google Inc. (hereinafter: Google). Google Analytics uses the so-called "cookies", text files that are stored on your computer and enable the analysis of your use of the website. Information on your usage of the website (including your IP address), which is recorded by the cookie, is transferred to the server of the Google company in the USA where the information is stored.

Google will use that information to analyse your usage of the website, produce reports on website activities for website operators and to perform other services associated with the use of the website and the Internet. Google will transmit the information to third parties as appropriate, i.e. within the legally prescribed scope or if said third parties process the information based on the order placed by Google. In no case will Google merge your IP address with other Google data. You can disable cookie installation with the appropriate setup of your browser's software. We should, however, warn you that you will in such an event not be able to use all of the functions of the website in their full scope. By using this website, you declare that you agree to Google processing the data concerning you in a manner previously described and for the abovementioned purpose.

Our website uses the anonymisation function that is provided by the Google Analytics service. Because of this, IP addresses are therefore stored and processed only in abbreviated form so that they cannot be linked to the identity of a particular person.

Integration of plug-ins for Facebook

Our website has plug-ins (hereinafter: Plug-ins) installed for the facebook.com social network which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (hereinafter: Facebook).

You will recognise Facebook Plug-ins by one of the logos of the Facebook application (white "f" in a blue square or raised thumb symbol) or by the "Facebook Social Plugin" designation. You can view the list and appearance of Facebook Plug-ins by clicking the link below: http://developers.facebook.com/plugins.

If you open a page on our website that has such a Plug-in installed, your browser will establish a direct connection to Facebook's servers. The Plug-in content is transmitted via Facebook directly to your browser via which it is installed in the website. For this reason, we have no control over the volume and content of the data collected by Facebook using these Plug-ins and we therefore only provide you with the information at our disposal (http://www.facebook.com/help/?faq=186325668085084):

Through the integration of the Plug-ins, Facebook receives information that you visited a certain page of our website. If you are logged into Facebook, Facebook can link your visit to your Facebook account. If you use Plug-ins, e.g. if you click the "Like" button or submit a comment, the relevant information from your browser is transferred directly to Facebook where it is stored. Even if you are not a member of the Facebook network, there is a way for Facebook to obtain your IP address and store it.

You can read in Facebook's privacy protection statement about the purpose and scope of data collection and further processing and use of the data by Facebook as well as about your rights in this regard and the possible settings for the protection of your privacy: http://www.facebook.com/policy.php.

If you are registered in Facebook and do not wish Facebook to collect data concerning you through our website and link them to your data stored in the Facebook network, you must log out of Facebook and delete the cookies before visiting our website. You can find more information about cookies in this Data Protection Statement.

You can block Facebook Plug-ins, among others by installing an add-on for your browser such as "Facebook Blocker".

Links to other websites

Our online offer contains links to other websites. This Data Protection Statement does not apply to other providers. Because we have no control over whether the operators of such websites observe the provisions on data protection, we assume no responsibility for the correctness, currency and completeness of the information they provide on their web pages.

Personal data controller

Turistična agencija Sonček, d. o. o. is responsible for storing and processing personal data and is at the same time a service provider. You can find detailed information about the company and how to get in touch with us in the impressum.

If you have any questions or wish to submit your wishes or comments relating to data protection, write us at zasebnost@sonchek.com.

Owing to the amendments to the legislation governing personal data protection, we must occasionally adapt the provisions relating to such protection. We will inform you of eventual changes here.

Website operator

Turistična agencija Sonček, d.o.o., Glavni trg 17, 2000 Maribor
VAT ID No.: SI71695532. Registration ID No.: 5680727.
The company is registered with the District Court of Maribor under reg. No. 1/06953/00.

Status: Januar 2020