Information on personal data processing
We collect and process your data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: “General Data Protection Regulation”), as well as in accordance with the Act on the Implementation of the General Data Protection Regulation.
Your security matters for our security, and we therefore strive to process your personal data as legally, fairly and transparently as possible, while protecting the privacy of your personal data from unauthorized or illegal processing, applying high technical, security and organizational protection measures.
1. DATA CONTROLLER
Aircash d.o.o., PIN: 99833713101, with its registered office at Ulica grada Vukovara 271, 10000 Zagreb, Republic of Croatia, e-mail: [email protected], tel.: +385 1 4573537 and +385 1 4573538 (hereinafter referred to as: “Aircash”).
2. WHAT IS PERSONAL DATA AND HOW DO WE COLLECT AND PROCESS PERSONAL DATA?
Personal data are any data referring to an individual whose identity has been established or can be established. An identifiable individual is a person who can be identified directly or indirectly, in particular by means of an identifier (e.g. name, surname, identification number, IBAN, location data, online identifier or by one or more factors specific to that individual’s identity).
In order to establish a business relationship with you and/or provide you with a financial service, and in other cases related to the business and services provided by Aircash, we collect the following categories of personal data:
a) First, the data directly from you in any communication you have with Aircash (orally, in writing, via digital communication channels). For example, when establishing a business relationship with you and/or providing our services and/or establishing and verifying your identity and/or implementing due diligence measures or Aircash’s legal obligations (e.g. under the Prevention of Money Laundering and Terrorist Financing Act, Electronic Money Act or Payment Operations Act), we collect your personal data, such as basic identification data: name and surname, date and country of birth, personal identification number (PIN), address of permanent / temporary residence, data on the identification document, citizenship. The refusal to provide this information results in the inability to enter into a specific agreement with Aircash or to establish a business relationship.
b) When using the Aircash app, other products, websites and social networks. For example, Aircash collects data such as IP address data and geolocation of service users. Aircash allows you, as a user of the Aircash app, to access and use the fingerprint service, if you have previously stored the physical features that make up the fingerprint on your device and given consent to Aircash to use these features for that purpose. Aircash does not store this physical information in its system or further process it for any purpose other than to confirm your identity once. At the same time, Aircash processes the technical data of the system which is a prerequisite for your ability to use the service via remote communication means, such as the operating system you use, type of mobile device and/or computer, type and version of browser, language of browser and/or mobile device and, if necessary, it can process other data of this type.
c) The category of data arising from the processing of any data during the provision of Aircash services, such as transaction data.
d) From third parties based on a legal obligation or on another legal basis, as well as from publicly available sources, in accordance with applicable regulations.
3. FOR WHAT PURPOSES DOES AIRCASH PROCESS YOUR DATA AND ON WHAT LEGAL BASIS?
Your personal data is processed when one of the following conditions is met:
a) Data processing is necessary to meet legal obligations (e.g. obligations prescribed by the Prevention of Money Laundering and Terrorist Financing Act), as well as acting in accordance with individual acts adopted by the relevant institutions of the Republic of Croatia or other bodies whose orders Aircash is obliged to act on by law or other regulations. The processing of such personal data is a legal obligation and Aircash may refuse to enter into an agreement or provide a service under agreement, or it may terminate the existing business relationship in the event that the respondent does not submit the legally prescribed data.
b) Data processing is necessary for the performance of the contract in which the respondent is a party or to act at the request of the respondent prior to the conclusion of the contract. Providing personal data for this purpose is mandatory. If the respondent refuses to provide any of the information necessary for the purpose of concluding and performing a contract to which the respondent is a party, Aircash may not be able to provide certain services and may therefore refuse to enter into a contractual relationship.
c) Data processing is necessary to fulfil the legitimate interest of Aircash or third parties. Legitimate interest includes processing for purposes such as managing Aircash’s operational, reputational and other risks, taking measures to secure people and/or property, processing personal data within Aircash for internal administrative purposes, and protecting computer and electronic communications systems. When processing the personal data of the respondent based on a legitimate interest, Aircash always considers the interests and fundamental rights and freedoms of the respondent and in particular considers that their interests do not override the interests of Aircash on which the processing of personal data is based.
d) The respondent consented to the processing of their personal data for one or more special purposes. Aircash shall seek consent for purposes such as providing information about Aircash’s offers, in which case Aircash may provide the respondent with offers and benefits related to new or already agreed Aircash products and services and for direct marketing purposes to develop a business relationship with Aircash, participate in market research, as a result of which Aircash may invite the respondent to express their opinion on Aircash, Aircash products and services in occasional surveys, and use of the fingerprint service to access the Aircash mobile wallet.
Consent is voluntary and the respondent may at any time withdraw the previously given consent for the purpose of marketing, market research and identification using a fingerprint service to access the Aircash mobile wallet. In that case, the personal data relating to the respondent shall not be processed for that purpose, which shall not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal. Aircash shall not refuse to enter or enforce an agreement if the respondent denies or withdraws consent. All the above consents may be revoked, and for any inquiries, the Aircash customer support department is at your disposal.
4. AUTOMATED DECISION MAKING, INCLUDING PROFILING
In the case of automated decision-making, including profiling (e.g. when developing a money laundering and terrorist financing risk analysis model) Article 22 of the General Data Protection Regulation gives you the right not to be subject to a decision based solely on the automated processing of your personal data, including profiling, unless this decision is necessary for the conclusion or performance of an agreement between you and Aircash, permitted by Croatian law (e.g. the Prevention of Money Laundering and Terrorist Financing Act) or the law of an EU Member State to which Aircash is subject as a controller and which is based on your consent.
In cases where automated processing of personal data is necessary for the conclusion or performance of an agreement and based on the explicit consent of the respondent, Aircash, as the controller, implements appropriate measures to safeguard the rights and freedoms and legitimate interests of respondents, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
5. PERSONAL DATA STORAGE PERIOD
Aircash stores personal data for as long as necessary to fulfil contractual and legal obligations.
Aircash retains personal data for as long as specified in a particular regulation that Aircash is required to apply in its business (e.g. the Prevention of Money Laundering and Terrorist Financing Act, the Electronic Money Act, etc.), i.e., no longer than is necessary to achieve the purpose for which the data are processed. Aircash as a financial institution is obliged to apply the Prevention of Money Laundering and Terrorist Financing Act, which stipulates that data, information and documentation of respondents collected for the purpose of implementing measures, actions and procedures for the prevention and detection of money laundering and terrorist financing, are kept for at least 10 years after the termination of the business relationship, i.e., relationships or transactions defined by the relevant Prevention of Money Laundering and Terrorist Financing Act. It is exceptionally possible to process data even longer when it is necessary for other legitimate purposes (e.g. for the needs of court and other legal proceedings, etc.), whereby the data retention periods may be extended.
In situations where no retention period is prescribed for particular data processing, Aircash, as the controller, defines the retention period and the data is always retained for as long as necessary for the purposes for which they are processed.
6. CATEGORIES OF THE RECIPIENTS OF YOUR PERSONAL DATA
Aircash may provide information to third parties based on the consent of the respondent or the performance of an agreement to which the respondent is a contracting party or the provisions of laws and regulations.
Personal data shall be provided to certain third parties for whom Aircash is legally obliged to provide data, such as the Croatian National Bank, Ministry of Finance (Office for the Prevention of Money Laundering), Tax Administration, and other institutions in the Republic of Croatia and the EU to which Aircash is authorized or obliged to provide personal data in accordance with applicable laws and other relevant regulations governing financial institutions (e.g. Prevention of Money Laundering and Terrorist Financing Act, Electronic Money Act, Payment System Act, etc.). Aircash will disclose the personal data of respondents and third parties if necessary to perform transactions to those third parties with whom it has a data protection agreement, in order to perform the services that Aircash provides to respondents, facilitate future transactions or supplement data from publicly available sources.
This applies, for example, to providers of postal services, IT services, advisory and consultancy services, sales and marketing services and law firms.
Please note that all persons who, due to the nature of their work with or for Aircash, have access to personal data are equally obliged to keep this data in accordance with the General Data Protection Regulation, as well as other applicable and binding laws and bylaws adopted based on these laws.
In addition, Aircash may take personal data out of the European Economic Area only to the extent necessary to execute the respondent’s orders (for example, payment services) or to the extent required by law or other legally binding basis of Aircash.
Personal data may be transferred to a third country or international organization based on a decision of the European Commission that the third country, area of work or one or more specific sectors within that third country or international organization ensures an adequate level of personal data protection.
7. RESPONDENTS’ RIGHTS
Each respondent whose personal data is processed by Aircash as the controller has the following rights:
a) The right of access to data (in accordance with the provisions of Article 15 of the General Data Protection Regulation) – allows the respondent to find out whether his/her personal data are being processed, i.e., the respondent has the right to receive confirmation from Aircash on whether his/her data are being processed, the purpose of processing, categories of personal data, recipients or categories of recipients, the intended period in which the data will be stored, etc.
b) The right to rectification of data (in accordance with the provisions of Article 16 of the General Data Protection Regulation) – allows the respondent to request the rectification of inaccurate or incomplete personal data referring to him/her.
c) The right to erasure (“the right to be forgotten” in accordance with the provisions of Article 17 of the General Data Protection Regulation) – allows the respondent to request the erasure of personal data, whereby Aircash may not delete the respondent’s personal data if the processing is necessary (e.g. compliance with the prescribed data retention obligation or in case of setting, enforcing or defending legal claims).
d) The right to restrict processing (in accordance with the provisions of Article 18 of the General Data Protection Regulation) – allows the respondent to request a restriction on the processing of personal data, for example in case the respondent disputes the accuracy of personal data or considers the processing to be illegal.
e) The right to data portability (in accordance with the provisions of Article 20 of the General Data Protection Regulation) – allows the respondent to transfer data to another controller. It should be noted that the right to portability applies only to the personal data of the respondents provided personally to Aircash and when it is technically feasible.
f) The right to object (in accordance with the provisions of Article 21 of the General Data Protection Regulation) – allows the respondent to object to the processing of personal data if the processing is done in the public interest or is necessary for the legitimate interest of Aircash (including profiling) or if the respondent’s data is processed for direct marketing purposes. Aircash shall refrain from further processing of the personal data of the respondents, unless it proves that there are compelling legitimate reasons for the processing (grounds whose significance goes beyond the interests, rights and freedoms of the respondents) or if the processing is necessary to set, enforce or defend legal claims.
g) The right to lodge a complaint to the supervisory authority (in accordance with the provisions of Article 77 of the General Data Protection Regulation) – allows the respondent to contact the Agency for Personal Data Protection, Selska cesta 136, 10000 Zagreb, Croatia.
8. EXERCISE OF RESPONDENTS’ RIGHTS
To exercise their rights in relation to the protection of personal data, the respondents have at their disposal Aircash employees from the customer support department and a personal data protection officer who can be contacted in writing at the following address: Ulica grada Vukovara 271, 10000 Zagreb, Republic of Croatia or via e-mail: [email protected].
Aircash shall notify you of any action taken without undue delay and at the latest within one month of receiving the request. Exceptionally, this period may be extended by an additional two months if necessary, considering the complexity and number of requests, of which Aircash is obliged to inform you.