Privacy Policy

Based on Article 24 of the Personal Data Protection Law (Official Gazette of Montenegro No. 79/08, 70/09, 44/12 and 22/17))and Statute of the Travel Agency “Gold Travel” d.o.o. Podgorica (hereinafter referred to as “Controller”), Executive Director of the Agency, on May 27, 2022, issued:

GENERAL TERMS AND CONDITIONS OF PERSONAL DATA PROTECTION

I Subject

In accordance with Protection of Personal Data Law (Official Gazette of Montenegro No. 79/08, 70/09, 44/12 and 22/17) and requirements of General Data Protection Regulation (EU) 2016/679, the Controller has adopted the General Terms and Conditions of Personal Data Protection (hereinafter: General Conditions) with the aim of determining the basic principles and rules related to the collection, storage and processing of personal data of persons who are within the Controller’s organization, or in a certain connection with them (primarily, employees, associates, consultants and persons engaged in other ways by the Controller, as well as persons with whom the Controller has established certain type of business cooperation, and whose data the Controller processes, e.g. Users). Travel agency “Gold Travel” d.o.o. Podgorica, Bulevar Veljka Vlahovića No. 3, 81 000 Podgorica, PIB: 03326128, undertakes to guarantee confidentiality of personal data within the scope of providing services of organizing tourist trips, as well as other tourist services in accordance with the Protection of Personal Data Law (hereinafter: Law). Also, the Controller guarantees security and privacy on the internet platform it uses, which is located at the web address: www.goldtravel.me. The Controller collects personal data of natural persons from various sources. In most cases, personal data are provided directly by clients who decide to enter into a contractual relationship with the Controller. Certain personal data are created by the Controller through data processing for the purposes of reporting, analysis, etc. In addition, the Controller uses other data of natural persons that are available or provided from public sources (public registers, databases, internet applications, social networks or other public data sources). All collected data are processed by the employees of the Controller as part of their work activities. The Controller stores and protects personal data in order to prevent their disclosure to unauthorized persons. The Controller undertakes not to transfer, exchange or sell personal data to third parties, except with prior notification and obtaining your consent, with the application of appropriate security measures and to process personal data only with a provided legal basis and for defined purposes.

II Definitions and general terms

In these General Terms and Conditions, the following terms have the following meanings: Data subject / User refers to any natural person who can be identified, directly or indirectly. Data subject (personal data) means any information relating to an identified or identifiable natural person. Processing is any operation, which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, search, consultation, use, transmission, adaptation or combination, erasure or destruction. Profiling means any form of automated processing of personal data consisting of the use of data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, personal preferences, interests, reliability, behaviour. Personal data filing system refers to any structured set of personal data, which are subject of processing and are accessible according to specific criteria. Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In your case, the Controller is Travel Agency “Gold Travel” d.o.o. Podgorica. Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. Consent means any voluntarily, freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her; General Terms and Conditions are integral part of the consent. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Supervisory authority means an independent public authority which is established by a State for conducting supervision over the application of the Law. In Montenegro, the Agency for Personal Data Protection and Free Access to Information performs these tasks (hereinafter: APDP).

III Application field

Controller of personal data is:
Travel Agency „Gold Travel“ d.o.o. Podgorica Bulevar Veljka Vlahovića br. 3, 81000 Podgorica e-mail: info@goldtravel.me
Data Protection Officer (DPO) is available at:

e-mail: info@goldtravel.me

By post:
Travel Agency „Gold Travel“ d.o.o. Podgorica Data Protection Officer, Bulevar Veljka Vlahovića br. 3, 81000 Podgorica

IV Types of data that are collected

Personal data that the Controller processes are:
  1. name and surname, address, date and place of birth, gender, marital status, personal identification number, ID number, citizenship, social security number.
  2. academic and professional qualifications: degree, titles, data on skills, knowledge of foreign languages, training, employment history, biography;
  3. financial data: bank account number, data on earnings and added benefits;
  4. data on the performance of work duties: position, evaluation of the supervisory authority (person), business e-mail address, IP address;
  5. communication data: e-mail, phone number, emergency contact of a relative, as well as other data necessary for the performance of the employer’s obligations prescribed by law and implementation of the employment contract, or other contractual relationship between the employee and the Controller.
Controller does not process more data or other type of personal data than it is necessary to fulfil the stated purpose. If the processing of special types of data is based on the consent of the person, such consent must be given in writing, which includes detailed information on the type of data being processed, purpose of processing and the way data is used. Controller collects and processes the following personal data of employees:
  1. personnel files of employees;
  2. salary list;
  3. records of entries and exits;
  4. sick leaves, annual vacations, business trips, paid and unpaid leave and the like

V Purpose of collection and processing

Controller processes personal data for the purposes specified in the provisions of Chapters VI – IX of these Regulations.

VI Employment and human resources management

The Controller processes personal data for the purpose of establishing and executing an employment relationship, including other contractual relationships on the basis of which the Controller hires associates and consultants, such as data for the purposes of determining the adequacy and qualifications of candidates for certain positions, for managing working hours and absences, for the calculation of wages, travel expenses and daily allowances, for determining benefits based on sick leave and other forms of absence from the workplace, for assessing the progress of employees, for providing additional training and education and for disciplinary procedures.

VII Business activities

Controller is a company that provides travel organization and sales mediation services, as well as tourist travel and stay services, and has a license to carry out these activities. Personal data of clients, i.e. Users, are necessary for the Controller to fulfil contractual obligations, and to fulfil general travel conditions and obligations prescribed by applicable laws. The Controller collects personal data on its official website, via call centre, e-mail or mobile application. The Controller will ask for personal data in order to process the reservation and provide the requested service, communicate with the User (in case of problems with the reservation, delay, flight delay, conducting a survey on the quality of services, etc.), send reminders, newsletters and promotional offers, for market research and execution of administrative and legal obligations. The Controller will request all necessary data such as name and surname, contact data (phone number, e-mail address, residential address), bank/credit card data, as well as other data that will be required for the execution of contractual and legal obligations. In certain cases, if the User has special medical or other requirements, information about your health condition will also be required. In order for the Controller to process this data, he needs your explicit consent, i.e. consent for the processing of such data, otherwise such services will not be possible to be provided. In certain countries, there is a legal obligation to provide the relevant customs and border authorities with access to booking and travel information. For the purpose of fulfilling these legal obligations, personal data and travel data may be disclosed by the Controller to the competent customs and immigration services in the place/country from which you start your journey or the place/country of destination. In addition, based on the applicable laws in certain countries, the Controller has an obligation to collect passport information and related information about all passengers before flying to or from those countries.
Personal data are collected by the Controller in the following ways:
When making a reservation and purchase – The data required for reservation or purchase depends on destination, and for this purpose the Controller may request the following personal data:
  • minimum (usual): first name, last name, phone number and/or e-mail address
  • maximum, when prescribed by applicable laws: full name (first name, last name, father’s name if available), gender, date of birth, nationality, country of residence, type of travel document (usually passport), number of travel document (expiry date and name competent authority of the country that issued the passport)
Through an account – In order for the Controllor to offer a certain type of service, our website may require the registration of an account, for the purposes of:
  • Newsletters – to send promotional offers, campaigns or interesting things related to the company. When opening an account, personal data are entered: first name, last name, e-mail address, home address and phone number.
  • Through the link “Contact us” – In this case, personal data will be used exclusively for the purpose of responding to the submitted request. The copy will not be used for any purpose other than storing the e-mail for the specified period of time.

Log files – The website stores information about the User’s IP address in log files for a certain period. Information in log files include Internet Protocol (IP) address, browser type, Internet Service Provider (ISP), date, time, reference website, and other information that the browser may record. These information are exclusively used for eliminating potential problems in the system functioning. Cookies and tracking technologies – Some pages of the website may use cookies and other tracking technologies. “Cookie” is a small text file that may contain cached data (IP address, e-mail address or password) so that the User does not repeat repetitive actions. Data on the User’s geo location can also be stored, for easier navigation of the User. Most browsers allow the control of cookies, and if the User can disable cookies. In this case, the website may not function properly on the browser. We emphasize the importance of the Privacy Statement that can be found on all other websites. This Privacy Statement applies solely to information collected on these Internet pages. Google Analytics – This website uses Google Analytics services for website analysis, offered by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, United States of America. This service allows assigning data from different devices to the User’s identifier and allows analysing the actions taken by the User from the level of the observed devices. At the request of the website operator, Google will use this information to evaluate the use of the website, so that it can develop reports on the User’s activity on the website and to provide the website operator with other internet and website-related services. Data processing for these purposes is also a legitimate interest of the website operator. Legal basis for using Google Analytics: Article 6.1. paragraph f) of the General Data Protection Regulation (GDPR). User can prevent the storage of cookies by selecting the appropriate setting in their browser. In this case, the User will not be able to fully use all the functions of the website. You can also prevent Google from collecting and processing data generated by cookies and data about your use of the website (including IP address) by downloading and installing an add-on. Google Ads and conversion tracking – In order to propose services that are most adapted to the User’s expectations, this website uses Google’s ad display system (Google Ads) and uses Google’s functionality called conversion tracking to personalize online ads based on interests and location. The IP anonymization option is controlled by Google Tag Manager, by using its internal settings. These settings are configured so that legally required anonymization to protect privacy includes IP addresses. Ads are displayed based on searches on sites that are part of the Google Display Network. The User can also choose the type of Google ads shown to them, or prevent interest-based Google ads on the ad settings page. User can also block third-party cookies with a special program provided by the Network Advertising Initiative. If the User does not want to receive any personalized ads, they can turn off the option of displaying ads through Google’s ad settings page. More information about how Google uses cookies can be found in Google’s privacy policy. Google Maps – The website uses Google Maps in order to present the offer to Users in an attractive way. Google Maps mapping on the website is connected via API. Google Web fonts – In order to ensure uniformity of fonts and to present the offer in an attractive way, Google Web fonts are used on the website of the Controller. In order to display fonts and text correctly, the Internet browser needs to connect to Google’s servers and load the necessary fonts into the cache. If the browser does not support Google Web Fonts, the computer’s default font will be used.

VIII Communications and information security

The Controller processes personal data for the purpose of managing and maintaining the functioning of the communication and information network, as well as maintaining information security.

IX Harmonization of business operations with relevant regulations

The Controller processes personal data for the purpose of fulfilling legal obligations and harmonizing business operations with relevant legal regulations, primarily in the domain of tourism and hospitality, labor, tax legislation, prevention of money laundering and terrorist financing, etc.

X Legal basis for processing and purpose of processing

Processing of personal data for the purpose of fulfilling contractual obligations
Processing of personal data is done for the purpose of providing services for the execution of the contract or to take actions at the request of the User before concluding the contract. Each product or service is accompanied by documentation that provides information on individual purposes of data processing.
Processing of personal data on a legal basis
Processing of personal data is governed by regulations governing the protection of personal data, prevention of money laundering and financing of terrorism, as well as the General Data Protection Regulation of the EU in parts where it does not conflict with positive legal norms in Montenegro.
Processing of personal data based on the client's consent
Processing of personal data can be based on the explicit consent of the data subject.

XI Access to personal data

Employees
Access to User’s personal data is provided to employees who process personal data for the purpose of fulfilling contractual and legal obligations and pursuing the Controller’s legitimate interests.
Contracted processors
For the execution of certain services, the Controller has signed contracts with certain data processors (Processors), who can process personal data only in accordance with a certain law or the User’s consent. In this situation, the Processor is given only the data necessary to achieve the purpose of the contracted processing, and the Processors cannot use them for other purposes. In these cases, the conditions of data processing and responsibility for data protection will be defined by the contract between the Controller and the Processor.
Competent state authorities
In accordance with the laws, the Controller in certain cases has the obligation to forward personal data to competent state authorities and authorities responsible for financial, tax or banking supervision (e.g. CBCG, Police Administration, Ministry of Finance, courts, prosecutor’s office).

XII Personal data storage period

The period in which personal data are stored changes in accordance with the legal basis and purpose of processing a certain category of personal data. Personal data cannot be stored longer than it is necessary to fulfil the purpose for which the related personal data are collected and processed. After fulfilling the processing purpose, unless there is another legal basis or unless it is necessary for the initiation, enforcement or defence of legal claims, personal data are deleted, destroyed, blocked or anonymized.

XIII Method of protection

The Controller continuously develops and improves data collection, processing and archiving system. The Controller implements appropriate legal, technical and organizational measures in order to ensure necessary safety and security of data. Some of the implemented protection measures are:
  • control of employees at all levels;
  • implementation of policies and internal procedures related to data protection;
  • control of physical access to the system and business premises;
  • setting up of technical and procedural measures necessary for the IT infrastructure to be implemented in accordance with the highest security standards.

XIV Clients’ rights

The Controller will ensure that the persons to whom the data are related can exercise their rights, more specifically, right to information, right to access personal data, right to complete the incomplete data and amend or erase inaccurate personal data, right to erase (where it is permitted by law) data about a person, right to withdraw consent to processing, right to limit processing, right to data portability. Persons to whom the data are related can submit a written request in a way that enables their identification for each of the listed rights. Received requests are reviewed by the DPO. The Controller has the obligation to submit response to the request submitted by the person to whom the data are related without undue delay, and within the deadline prescribed by the Law, at the latest. Controller has the obligation to provide a copy of personal data being processed, i.e. to provide the requested information to the natural person free of charge. However, if the claims of the data subject are clearly unfounded or exaggerated, and especially if they are repeated, the Controller may refuse to undertake any activities related to the request.
1. Right to be informed
Person to whom the data are related has the right to be informed about their rights, obligations and about issues related to the processing of personal data in the sense of PDPL even before the processing of such data begins.
2. The right of access by the person to whom the data are related
Data subject has the right to access the collected personal data related to them, as well as to simply exercise this right at reasonable intervals in order to familiarize themselves with processing and confirm its legality. Person to whom the data are related has the right to receive a notification from the Controller on whether their personal data are being processed and, if this is the case, to access the personal data and the following information: purpose and legal basis of processing, categories of relevant personal data that are processed, recipients or categories of recipients to whom personal data have been disclosed, the existence of the right to request from the Controller to change or delete incomplete or inaccurate personal data, or the existence of the right to object to the Controller regarding the respective processing, right to submit an objection to the supervisory authority, if data on persons have not been collected from the persons to whom they are related, all available information regarding their source.
3. The right to supplement incomplete data or change or delete incorrect data
The person to whom the data are related has the right to obtain from the Controller, upon written request, within the prescribed legal period, the amendment or deletion of inaccurate data relating to them. Taking into account the purpose of processing, the person to whom the data are related has the right to supplement incomplete personal data, including the possibility that the supplement be made on the basis of an additional statement.
4. Right to erasure
Person to whom the data are related has the right to demand from the Controller deletion of personal data relating to them, if the processing of personal data is not in accordance with the law.
5. The right to restrict processing
The person to whom the data are related has the right to request from the Controller a restriction of processing if one of the following cases can be applied: (1) the person to whom the data are related disputes the accuracy of their personal data, for a period that allows the Controller to check the accuracy of personal data, (2) the person to whom the data are related submitted a request for deletion of personal data with the explanation that their processing is not in accordance with the law, for a period that allows the Controller to carry out the procedure according to the request. In the case when the processing is limited on the basis of the previous paragraph, the relevant personal data, with the exception of storage, will be processed only with the consent of the person to whom the data are related or for the initiation, implementation or defense of legal claims or for the protection of rights of another natural or legal person.
6. Right to withdraw consent to processing
Consent to data processing for the purposes described in this document is voluntary. Consent is given only for the processing purposes specified in the consent and will be valid until revoked, so you inform the Controller about this, which will not have any impact on any contractual relationship between you and the Controller or on the use of products and services that do not require such consent. The Controller is obliged to process only those personal data even after the withdraw in order to fulfil its legal obligations, due to compliance with the contract with you, as well as due to the monitoring of its legal and legitimate interests.
7. Right to data portability
The person to whom the data are related can request the transfer of personal data to another Controller, when it is technically feasible, i.e. when personal data that are the subject of transfer request are in a structured and machine-readable format.

XV Final Provisions

The Controller reserves the right to change or amend these General Terms and Conditions. Information are available in the office and on the website. For everything that is not specifically dealt with in these General Terms and Conditions, the provisions of the current legislation apply. This Regulation enters into force on the day of its adoption.