Information on personal data processing
COMMUNICATION RELATING TO THE PROCESSING OF PERSONAL DATA
This document serves to provide details regarding the collection, processing, and protection of personal data by Aircash d.o.o. (hereinafter referred to as: “Aircash”) in compliance with the General Data Protection Regulation (GDPR) and other relevant legislation.
This communication pertains to data subjects who are users of the “Aircash” application (hereinafter referred to as: the “Application”), visitors to the website www.aircash.eu, visitors to Aircash’s official premises, and all other individuals whose personal data is processed by Aircash.
DATA CONTROLLER
Aircash d.o.o., Ulica grada Vukovara 271, HR-10000 Zagreb
OIB (PIN): 99833713101, Contact Details: 01/4573537, [email protected] , [email protected]
LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
All processing of personal data must be lawful, and the data collected must be for precisely defined purposes of processing.
a) Processing Is Necessary for Compliance with Legal Obligations
Aircash is subject to the application of special regulations (such as the Anti-money Laundering and Counter-Terrorist Financing Act, the Payment System Act, the Electronic Money Act), pursuant to which we are required to collect specific data about the data subject (user of the Application). Aircash may decline to enter into a contractual relationship, provide a service, or terminate an existing business relationship should the data subject fail to provide the data required by law.
b) Processing Is Necessary for the Performance of a Contract or in Order to Take Steps Prior to Entering into a Contract
Should the data subject decline to provide certain data necessary for the conclusion and performance of a contract to which the data subject is party, Aircash may be unable to provide certain services and, therefore, may refuse to establish a contractual (business) relationship.
c) Processing Is Necessary for the Purposes of Legitimate Interests
Aircash has legitimate interests for processing personal data when such processing is necessary for risk management, achieving the highest level of information security and protection of confidential information, individuals, and assets, as well as for administrative and other justified business needs. In determining legitimate interests, Aircash always ensures that these interests do not override the rights and freedoms of the data subjects.
d) Substantial Public Interest
Aircash processes biometric data (specifically processed facial images) when necessary for the purpose of unequivocally identifying a user in the event of a change or loss of a mobile phone. Aircash is required to prevent fraud and provide support to Application users should they fall victim to fraud.
e) Processing Is Based on Consent
Consent is not always necessary for data processing to be lawful. By giving consent, the data subject freely and voluntarily agrees to the processing of their data and may withdraw consent at any time without negative consequences.
CATEGORIES OF PERSONAL DATA PROCESSED BY AIRCASH
For the purpose of easier understanding of this communication, we have grouped the personal data we process into the following categories:
a) Identification Data: Name and surname, date and country of birth, personal identification number (OIB), address of residence/domicile, identification document information, nationality, facial image.
b) Biometric Data: Facial image resulting from specific technical processing, which allows or confirms the unique identification of the data subject.
c) Contact Details: Name and surname, email address, phone number.
d) Transaction Data: Data concerning transactions related to deposits, sending and/or receiving money, payment for services provided by contractual partners, other payments, and cash withdrawals. The data includes the date and time of the transaction, amount, currency, details of the recipient (legal or natural person), information about the merchant, partner/distributor, or ATM linked to the transaction, sender’s and recipient’s names.
e) Data Regarding the Technical Configurations of the System and Application Usage: IP address, operating system used, type of mobile device and/or computer, browser type and version, browser language, and/or mobile device language, etc.
f) Geolocation: Approximate or precise user location.
g) Website Usage Data: Depending on the type of cookies accepted, this encompasses statistical reports on website visits, analytical reports on website interaction, advertising options, etc.
The purposes and legal bases for processing personal data are clarified in the table below:
Category of Personal Data |
Purpose of Processing |
Legal Basis for Processing |
Identification data |
Establishment of a business (customer) relationship |
Taking steps prior to entering into a contract/performance of a contract |
Determining and verifying the user’s identity |
Taking steps prior to entering into a contract/performance of a contract Legal obligation |
|
Due diligence |
Legal obligation |
|
Carrying out payment transactions |
Performance of a contract (providing a service) |
|
Customer service |
Performance of a contract (providing a service) |
|
Handling of complaints |
Performance of a contract (providing a service) Legal obligation |
|
Biometric data (facial image) |
Secure user authentication in case of mobile phone change |
Performance of a contract (providing a service) Substantial Public Interest |
Transaction data |
Service provision (carrying out payment transactions) |
Performance of a contract Legal obligation |
Due diligence |
Legal obligation |
|
Fraud prevention |
Legal obligation Legitimate interest |
|
Customer service |
Performance of a contract (providing a service) |
|
Handling of consumer complaints |
Performance of a contract (providing a service) Legal obligation |
|
Contact details |
Regular communication |
Performance of a contract (providing a service) Legal obligation |
Customer service |
Performance of a contract (providing a service) |
|
Handling of consumer complaints |
Performance of a contract (providing a service) Legal obligation |
|
Direct marketing |
Legitimate interest |
|
User satisfaction survey |
Legitimate interest |
|
Contact details (“Directory”) |
Using the “Invite a friend to Aircash” option Help with money-sending service |
Consent |
Data regarding the technical configurations of the system and the use of the service |
Necessary for service use |
Performance of a contract (providing a service) |
Data on the use of the website |
Analysis of visits and content views, advertising |
Consent |
Geolocation |
Locating the nearest point of sale / partner Help with paying for parking services |
Consent |
Video surveillance footage |
Protection of persons and property on official premises |
Legitimate interest |
PERSONAL DATA STORAGE PERIOD
The storage period for specific categories of personal data primarily depends on Aircash’s legal obligations.
Pursuant to the Anti-money Laundering and Counter-Terrorist Financing Act, Aircash is required to retain data collected for legal compliance purposes (such as verifying the identity of data subjects and customer due diligence) for 10 years following the termination of the business relationship.
Data on transactions carried out in the Application constitute an accounting document and are retained for 11 years in accordance with the Accounting Act.
Other data necessary for the provision of services and uninterrupted use of the Application are retained for the duration of the business relationship between Aircash and the data subject.
Data collected and processed based on Aircash’s legitimate interests are retained for a limited period, solely until the purpose for which they were collected is achieved.
If data is processed based on the data subject’s consent, withdrawing the consent will result in the erasure of the data unless there is another legal basis or justified reason for retaining the data.
In exceptional cases, data may be processed for an extended period when necessary for other legitimate purposes (e.g., for legal proceedings).
RECIPIENTS OF PERSONAL DATA
Personal data will be disclosed to supervisory authorities for the purpose of conducting oversight and other tasks falling within their competence, for example, to the Anti-Money Laundering Office or the Croatian National Bank.
In exceptional circumstances, Aircash will, upon request, provide the requested data to other authorised public authorities for investigations and other official procedures, including the Ministry of the Interior.
For carrying out financial transactions, Aircash collaborates with reputable partners for the processing of payment and card transactions.
Aircash also relies on other essential services for its operational needs, including IT support, consultancy and legal services, postal services, and the like, and in specific scenarios, certain personal data may be shared with providers of these and similar services.
Special contracts on personal data processing have been concluded with all business partners and service providers, defining mandatory safeguards to ensure the confidentiality, integrity, and availability of personal data and other confidential information.
RIGHTS OF DATA SUBJECTS
Data subjects have the following rights regarding the processing of personal data:
· Right to access information on the processing and a copy of the personal data;
· Right to rectification of inaccurate personal data and/or right to have incomplete personal data completed;
· Right to erasure of personal data (if the legal basis for further processing or storage no longer exists).
If applicable, depending on the method of data processing and legal basis, data subjects also have the following rights:
· Right to restriction of processing;
· Right to data portability;
· Right to object to processing based on Aircash’s legitimate interests;
· Right to withdraw previously given consent for data processing;
· Right to object to decisions based solely on automated processing, which produce significant legal effects concerning the data subject.
Within the Application, data subjects have the possibility to change or update their personal data autonomously.
For the exercise of other available rights or for other related queries and information, data subjects can contact the Data Protection Officer at the following email address: [email protected].
Data subjects can also lodge a complaint with the Croatian Personal Data Protection Agency, located at Selska cesta 136, Zagreb, [email protected]
LOCATION OF PERSONAL DATA PROCESSING
Aircash processes and stores personal data within the European Union and the European Economic Area. In the event of a legitimate business need to transfer personal data to third countries, Aircash will provide appropriate mandatory safeguards as defined by the General Data Protection Regulation.
DOCUMENT VERSION
Latest version date: 1 July 2024