Autobusni kolodvor Zagreb

Privacy policy


Information on the processing of personal data of natural persons (data subjects) relating to users of the OBEO application for the sale of travel tickets on the Android and iOS platforms
 
Pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: Regulation), with this information, Zagrebački holding d.o.o. provides information on the processing and security of personal data of natural persons, their rights and how these rights are exercised, as well as other necessary information in accordance with the Regulation relating to the use of the OBEO application for the sale of travel tickets.
 
Information about the Controller and contact data of the Data Protection Officer:
 
Controller:
Zagrebački holding d.o.o.
Ulica grada Vukovara 41
10000 Zagreb
Phone: +385 1 6420 000
E-mail: [email protected]

Data Protection Officer:
Zagrebački holding d.o.o.
Ulica grada Vukovara 41
10000 Zagreb
Phone: +385 1 6420 000
E-mail: [email protected]
 
 
With regard to the protection of personal data, the controller is Zagrebački holding d.o.o., and the Zagreb Bus Station branch (hereinafter: Zagreb Bus Station) is the organizational unit of the controller that carries out the station activities, which include the sale of tickets through the OBEO application on the Android and iOS platforms (hereinafter in the text: OBEO application).
 
Contact data of the Zagreb Bus Station:
Avenija Marina Držića 4, 10 000 Zagreb
Phone:  +385 (1) 6008-600, e-mail: [email protected]
 
For questions related to the processing of your personal data, as well as inquiries and requests to exercise the rights of the data subject based on the Regulation, you can contact the data protection officer at the above contact details.
 
Purpose and legal basis for the processing of personal data:
 
1) The purpose of processing your personal data is to allow you to quickly and easily purchase tickets or make reservations through the OBEO application within the network of bus lines for which the controller, i.e., the Bus Station sells tickets.
 
The legal basis for the processing of your personal data is the provision of Article 6(1)(b) of the Regulation – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
 
The use of the OBEO application is voluntary and you decide whether you want to use it. You can use the OBEO application as a registered or non-registered user.
 
As a non-registered user, when you purchase a ticket or reservation, we process your personal data in the form of an e-mail address so that, after you have successfully purchased a ticket, the ticket or reservation and the purchase invoice are sent to your e-mail address.
 
As a registered user of the OBEO application, you can not only purchase a ticket or make a reservation, but also use the full functionality of the application for a better purchase experience. This allows access to advanced features of the application (use of location services, loading of tickets purchased on our website www.akz.hr, at your choice, the ability to store only protected debit card data in the application to speed up and simplify further purchases, sharing tickets through the application, etc.).
 
The personal data we process for the registered user are: first and last name, phone number, e-mail address as confirmation of your identity.
 
When registering, you are obliged to provide correct and complete information. You undertake to ensure the security of your password and are responsible for all activities you perform through your user account. The controller, i.e., the Bus Station, is not responsible for cases arising from the unauthorized use of the registered user’s account.
 
You can also log in to the OBEO application using Google and Facebook if you have an account with these providers.
 
In the OBEO application, you can voluntarily enable/disable the option to allow access to the location of the mobile device. This way you will be able to use the app to see which bus stop/station is near you. We do not process this data about your location.
 
Payment for a ticket or reservation is made through the payment service provider “mcheckout”, the virtual POS system of the company m-Start d.o.o. for the secure processing of payments initiated by you. When paying, you temporarily leave the OBEO application and go to the protected server of the system of m-Start d.o.o. On its interface, in an SSL-protected form with a unique transaction identifier, you enter the authorization data (card number, expiry month, expiry year, CVV, first and last name, address, zip code, city, country, e-mail address, phone number) to pay with a debit card in a secure environment. After a successful (or unsuccessful) payment, you return to the OBEO application and continue your activities. In case of a successful payment, we receive data from “mcheckout”: a unique transaction identifier to confirm the payment of the ticket or reservation and the transaction amount.
 
Tickets or reservations purchased in the OBEO app can be shared with another registered user of the OBEO app if that user’s phone number is in the contact list on your mobile device and you consent to the OBEO app accessing your contact list. If you give your consent, only for this purpose, by clicking the “I agree” button, the OBEO app will send all contacts from your address book to our server, where the phone numbers will be compared with the existing database of registered users of the OBEO app. After matching, only the phone numbers that belong to registered OBEO app users and are in your contact list will be sent to your mobile device. Your selection will transfer the ticket to the specified phone number. Please note that the process of phone number comparison is not recorded, and your consent is required to transfer the ticket.
 
When you purchase a ticket or make a booking through the OBEO application, a contractual relationship is created and the processing of your personal data is necessary for the execution of the contract. If you do not provide the required personal data, you will not be able to make a purchase through the OBEO application.  
 
 
2) To enable communication with users of the OBEO application, the application has a published e-mail address [email protected], to which you can send inquiries regarding assistance in purchasing tickets or reservations and other inquiries, requests, complaints, etc.
 
When processing your request, the data sent in this way will be processed (e.g., first and last name, address, e-mail address and time of sending, telephone/mobile phone number, content of the inquiry, etc.).
 
Data from your contact with us is processed for the purpose of handling that contact and taking the most appropriate action on it. Depending on the basis and subject of your contact, the legal basis for processing your personal data can be: the provision of Article 6(1) point (b) of the Regulation – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, if the contact is related to the contract; or the provision of Article 6(1) point (c) of the Regulation – processing is necessary for compliance with a legal obligation to which the controller is subject, if the contact is connected with the exercise of one of the rights of the data subject under the Regulation or with the rights of consumers; or the provision of Article 6(1) point (f) of the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, if the contact is related to other cases. It is our legitimate interest to process your contact as you expect.
 
The provision of your personal data is necessary for the most appropriate manner of processing by the controller, i.e., the Bus Station. If you do not provide personal data, you may not receive the most appropriate response.
 
Information we receive from other sources
We receive your personal information indirectly when you sign in to the OBEO application through Google and Facebook user accounts.
 
Recipients/categories of recipients of personal data
Your personal data may be provided to legal and natural persons who may process personal data on behalf of and in accordance with the instructions of the controller on the basis of the contract for the provision of services (e.g., IT service providers, etc.), in accordance with the regulations governing the field of personal data protection and other relevant regulations.
 
We process your personal data for the purposes stated in this information. If it is necessary to achieve this purpose due to our legal or contractual obligation and/or our right to initiate legal proceedings in order to establish, realize or defend our legal claims, we may disclose your personal data to lawyers, notaries and competent courts.
 
Disclosure of personal data to third countries or international organizations
The controller, i.e., Bus Station, uses e-mail and web hosting services provided by companies that have servers for these services in the European Union, i.e., the European Economic Area (hereinafter: EU/EEA), and your personal data will not be transferred outside the EU/EEA.
 
Storage period of personal data
The personal data of the data subjects are processed until the purpose of the processing of the personal data is fulfilled. After the end of the purpose for which they were collected, the personal data are no longer used. They remain in the storage system and are kept in accordance with the laws on the protection of archival and record material.
 
The storage period for your personal data is as follows:
 
A. Information about your user account in the OBEO application
   Storage period: When you delete it yourself or request deletion
B. Invoice information about purchased tickets
   Storage period: 11 years from the end of the year in which the invoice for the ticket was issued/calculated
C. Data related to inquiries, requests, remarks, proposals, objections, etc.
   Storage period: 2 years from the end of the year in which the inquiry, request, remark, proposal, objection, etc. was submitted
D. Data related to the request to exercise your rights under the Regulation
   Storage period: 1 year from the end of the year in which the request was submitted
 
If personal data is used as evidence in a judicial, administrative, arbitration or other equivalent proceeding, including the filing of a complaint with the competent supervisory authority, it will be stored for longer than the storage period required by law or another regulation, until the final conclusion of the proceeding.
 
Security of processing
Your personal data will be processed lawfully, confidentially, and only for the purpose for which it was collected, by the authorized staff of the controller, i.e., the Bus Station. The controller, i.e., the Bus Station, takes appropriate technical and organizational measures to ensure an adequate level of security for your personal data. The OBEO application stores your personal data on the mobile device securely and safely, using encryption.
 
Data traffic (internet communication) between the OBEO application on your device and our server is encrypted and secured using the HTTPS protocol. The data is stored on the server in encrypted form, and only authorized employees of the controller, i.e., the Bus Station, have the right to access it. Access to the data is protected against unauthorized access, and backup copies of the data are made in order to restore the availability of personal data and access to them in a timely manner in the event of a physical or technical incident, etc.
 
For secure payment or purchase of tickets or reservations, the virtual POS system “mcheckout” is used, which is an independent service for authorization and billing via the Internet with maximum security of online payment and authorization of credit and debit cards for web sales points. The “mcheckout” system uses the most modern standards for data protection – the protocol Transport Layer Security (TLS 1.2) with 256-bit data encryption and the SHA algorithm.
 
The Internet Protocol Security (IPsec) ensures that data exchange between the “mcheckout” system and the card houses’ authorization centres takes place in a private network protected from unauthorized access by a double firewall layer. The “mcheckout” service is a certified partner according to PCI DSS (Payment Card Industry Data Security Standard) Level 1 security standards of the highest category. PCI DSS is a standard whose aim is to ensure the best possible security measures in card systems and the protection of end users during card payments. All banks, issuers, and acceptors of payment cards, as well as all companies involved in card transactions and receiving, processing, storing, or forwarding payment card data in any way are obliged – regardless of the size of the transaction – to align their business with the PCI DSS security standard.
 
This means that when you pay for a ticket or a reservation through the OBEO application, you leave it briefly and go to the protected server of the “mcheckout” system. On the “mcheckout” interface, you enter the authorization data for the payment in a TLS-protected form in a secure environment, and after a successful (or unsuccessful) payment you return to the OBEO application and continue your activities.
 
Automated decision-making and profiling
None
 
Your rights and exercising these rights
You are free to contact us at any time to exercise your rights:
 
  1. The right to access your personal data: you have the right to obtain confirmation as to whether your personal data are being processed and, if so, to obtain access to the personal data and the following information: about the purpose of the processing, the type/category of personal data processed, including insight into your data, about the recipients or categories of recipients and about the expected storage period. You have the possibility to obtain a copy of your personal data.
  2. Right to rectification: you have the right to request that your personal data be corrected or completed if the data is not accurate, complete, and up to date.
  3. Right to erasure (right to be forgotten): You have the right to request the deletion of your personal data if one of the following conditions is met:
     a. your personal data is no longer necessary for the purpose for which it was collected or processed;
     b. you have withdrawn your consent on which the processing is based and there is no other legal basis for the processing;
     c. you have objected to the processing of your personal data and the controller no longer has valid grounds for the processing;
     d. your personal data have been processed unlawfully;
     e. your personal data must be erased in order to comply with a legal obligation under EU law or the law of the country to which the controller is subject;
     f. your personal data have been collected in connection with the provision of information society services.
 
Your personal data will not be deleted in the following cases:
 
  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  5. for the establishment, exercise, or defence of legal claims.
 
  4. The right to restriction of processing: You have the right to obtain a restriction of the processing of your personal data in the following cases: if you contest the accuracy of the personal data, if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, if we no longer need your personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, if you have objected to the processing of your personal data and are awaiting a response from the controller. If processing is restricted, your data will be stored and will not be processed further. For example, if you dispute the accuracy of your personal data, the processing of that data will be restricted until we make sure that the data is accurate.
  5. The right to data portability: You have the right to receive your personal data previously provided to the controller in a structured form and in a commonly used, machine-readable format, and you have the right to transmit this data to another controller without the need for the controller to whom the personal data was provided to intervene if the processing is carried out by automated means and on the basis of consent or a contract.
  6. The right to object: You have the right to object to the processing of your personal data, taking into account your particular situation, at any time:
     a. where the lawfulness of the processing is based on the performance by the controller of tasks carried out in the public interest or in the exercise of official authority, i.e., where the processing is based on the legitimate interest of the controller or a third party, including profiling based on the aforementioned lawfulness of the processing. The controller may no longer process your personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
     b. if your personal data are processed for direct marketing purposes, which also includes profiling, insofar as it is related to such direct marketing. In this case, your personal data may no longer be processed for these purposes.
  7. Automated decisions: You have the right to object to the making of automated individual decisions, including profiling, i.e., you have the right not to be subject to a decision based solely on automated processing, including profiling without human intervention.
 
We draw your special attention to the fact that, pursuant to the provisions of Article 21(1) and (4) of the Regulation, you have the right to object at any time, on the basis of your particular situation, to the processing of your personal data where the processing is based on Article 6(1) point (e) – performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or pursuant to Article 6(1) point (f) – for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling. The controller, i.e., the Bus Station, shall no longer process personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims.
 
You exercise your rights by submitting a request or objection: in writing or in person to the following address: Zagrebački holding d.o.o., Ulica grada Vukovara 41, 10000 Zagreb, Data Protection Officer, with the reference on the envelope “Personal data” or electronically to the e-mail address: [email protected]
 
Optional request forms for exercising your rights or submitting objections can be downloaded from this website below or from the controller’s website https://www.zgh.hr/o-nama/zastita-osobnih-podataka/8547 (see: Downloads) and at the controller’s registered office. There is no fee for submitting and fulfilling requests or objections.
 
The request or objection should include your correct personal data and complete, clear, and accurate information to enable you to exercise your rights. The controller, i.e., Bus Station may ask you to provide additional information, which may include information to confirm your identity, such as a copy of an official form of identification (ID card, passport, or driver’s license). If you provide a copy of an official identification document, that copy should include the following information: First and last name, personal identification number (Croatian: OIB) or, in the case of foreign nationals, the national ID number, place of residence (street and house number and city) and the validity date of the document. All other data on the copy of the identification document, such as the date of birth, photo, etc., should be adequately protected (redacted). The processing of data from a copy of an official identification document is strictly limited by the controller, i.e., the Bus Station, and will only be used to confirm your identity and protect your data to prevent fraud (e.g., false identity, misuse of personal data, etc.) and that data will not be stored longer than necessary for this purpose.
 
If it is not possible to establish your identity, the controller, i.e., the Bus Station has the right to refuse to process the request or complaint, as well as in the case where requests are clearly unfounded or excessive, especially due to their frequency.
 
The controller, i.e., the Bus Station, will respond to you within one month of receipt of a valid request or complaint, with the indication that this period may be extended by two additional months, if necessary, taking into account the complexity and number of requests or complaints. The controller, i.e., the Bus Station will inform you of such an extension within one month of receipt of a valid request or complaint and will indicate the reasons for the delay in the response.
 
For relevant inquiries about your rights, appeals or information in the area of personal data protection, the data protection officer is at your disposal, whom you can contact at the above-mentioned contact details.
 
The right to file a complaint with the supervisory authority
If, after contacting the controller, i.e., the Bus Station, you have been unable to exercise your rights and you consider that your right to the protection of personal data has been infringed, you may at any time lodge a complaint or a request for a finding of infringement directly with the competent supervisory authority, in particular in the EU country where you have your habitual residence or place of work, if you consider that our processing of your personal data is not lawful.
 
The contact data of the Croatian national supervisory body are:
Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka – AZOP)
Selska cesta 136, 10000 Zagreb,
Phone: +385 1 4609 000
E-mail: [email protected]
www.azop.hr
 
We encourage you to contact the data protection officer prior to filing a complaint or request for a violation determination with the Croatian Data Protection Authority to try to resolve any disputed issues.
 
Updating this Information on the processing of personal data
From time to time, we may update this information about the processing of personal data due to changes in legal acts, technology, or business development, etc. The date of the last update of this information about the processing of personal data is given below.
 
The date of the last modification of this Information for the Data Subject: 31 July 2023  
  
Downloads: 
 
Personal Data Management System Policy of Zagrebački holding d.o.o.
Form – Request to exercise data subjects’ rights
Form – Objection to the controller
 
For more information about personal data protection and the supervisory authority in the Republic of Croatia, see the following links:
 
General Data Protection Regulation – Regulation (EU) 2016/679
Act on the Implementation of the General Data Protection Regulation (Official gazette Narodne novine 42/2018)
Croatian Personal Data Protection Agency – AZOP