Based on Article 24 of the Personal Data Protection Law (Official Gazette of Montenegro No. 79/08, 70/09, 44/12 and 22/17))and Statute of the Travel Agency “Gold Travel” d.o.o. Podgorica (hereinafter referred to as “Controller”), Executive Director of the Agency, on May 27, 2022, issued:
In accordance with Protection of Personal Data Law (Official Gazette of Montenegro No. 79/08, 70/09, 44/12 and 22/17) and requirements of General Data Protection Regulation (EU) 2016/679, the Controller has adopted the General Terms and Conditions of Personal Data Protection (hereinafter: General Conditions) with the aim of determining the basic principles and rules related to the collection, storage and processing of personal data of persons who are within the Controller’s organization, or in a certain connection with them (primarily, employees, associates, consultants and persons engaged in other ways by the Controller, as well as persons with whom the Controller has established certain type of business cooperation, and whose data the Controller processes, e.g. Users).
Travel agency “Gold Travel” d.o.o. Podgorica, Bulevar Veljka Vlahovića No. 3, 81 000 Podgorica, PIB: 03326128, undertakes to guarantee confidentiality of personal data within the scope of providing services of organizing tourist trips, as well as other tourist services in accordance with the Protection of Personal Data Law (hereinafter: Law). Also, the Controller guarantees security and privacy on the internet platform it uses, which is located at the web address: www.goldtravel.me.
The Controller collects personal data of natural persons from various sources. In most cases, personal data are provided directly by clients who decide to enter into a contractual relationship with the Controller. Certain personal data are created by the Controller through data processing for the purposes of reporting, analysis, etc. In addition, the Controller uses other data of natural persons that are available or provided from public sources (public registers, databases, internet applications, social networks or other public data sources). All collected data are processed by the employees of the Controller as part of their work activities.
The Controller stores and protects personal data in order to prevent their disclosure to unauthorized persons. The Controller undertakes not to transfer, exchange or sell personal data to third parties, except with prior notification and obtaining your consent, with the application of appropriate security measures and to process personal data only with a provided legal basis and for defined purposes.
In these General Terms and Conditions, the following terms have the following meanings:
Data subject / User refers to any natural person who can be identified, directly or indirectly.
Data subject (personal data) means any information relating to an identified or identifiable natural person.
Processing is any operation, which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, search, consultation, use, transmission, adaptation or combination, erasure or destruction.
Profiling means any form of automated processing of personal data consisting of the use of data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, personal preferences, interests, reliability, behaviour.
Personal data filing system refers to any structured set of personal data, which are subject of processing and are accessible according to specific criteria.
Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In your case, the Controller is Travel Agency “Gold Travel” d.o.o. Podgorica.
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Consent means any voluntarily, freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her; General Terms and Conditions are integral part of the consent.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Supervisory authority means an independent public authority which is established by a State for conducting supervision over the application of the Law. In Montenegro, the Agency for Personal Data Protection and Free Access to Information performs these tasks (hereinafter: APDP).
Travel Agency „Gold Travel“ d.o.o. Podgorica
Bulevar Veljka Vlahovića br. 3, 81000 Podgorica
e-mail: info@goldtravel.me
Travel Agency „Gold Travel“ d.o.o. Podgorica
Data Protection Officer, Bulevar Veljka Vlahovića br. 3, 81000 Podgorica
Controller processes personal data for the purposes specified in the provisions of Chapters VI – IX of these Regulations.
The Controller processes personal data for the purpose of establishing and executing an employment relationship, including other contractual relationships on the basis of which the Controller hires associates and consultants, such as data for the purposes of determining the adequacy and qualifications of candidates for certain positions, for managing working hours and absences, for the calculation of wages, travel expenses and daily allowances, for determining benefits based on sick leave and other forms of absence from the workplace, for assessing the progress of employees, for providing additional training and education and for disciplinary procedures.
Controller is a company that provides travel organization and sales mediation services, as well as tourist travel and stay services, and has a license to carry out these activities.
Personal data of clients, i.e. Users, are necessary for the Controller to fulfil contractual obligations, and to fulfil general travel conditions and obligations prescribed by applicable laws.
The Controller collects personal data on its official website, via call centre, e-mail or mobile application.
The Controller will ask for personal data in order to process the reservation and provide the requested service, communicate with the User (in case of problems with the reservation, delay, flight delay, conducting a survey on the quality of services, etc.), send reminders, newsletters and promotional offers, for market research and execution of administrative and legal obligations.
The Controller will request all necessary data such as name and surname, contact data (phone number, e-mail address, residential address), bank/credit card data, as well as other data that will be required for the execution of contractual and legal obligations.
In certain cases, if the User has special medical or other requirements, information about your health condition will also be required. In order for the Controller to process this data, he needs your explicit consent, i.e. consent for the processing of such data, otherwise such services will not be possible to be provided.
In certain countries, there is a legal obligation to provide the relevant customs and border authorities with access to booking and travel information. For the purpose of fulfilling these legal obligations, personal data and travel data may be disclosed by the Controller to the competent customs and immigration services in the place/country from which you start your journey or the place/country of destination. In addition, based on the applicable laws in certain countries, the Controller has an obligation to collect passport information and related information about all passengers before flying to or from those countries.
The Controller processes personal data for the purpose of managing and maintaining the functioning of the communication and information network, as well as maintaining information security.
The Controller processes personal data for the purpose of fulfilling legal obligations and harmonizing business operations with relevant legal regulations, primarily in the domain of tourism and hospitality, labor, tax legislation, prevention of money laundering and terrorist financing, etc.
Processing of personal data is done for the purpose of providing services for the execution of the contract or to take actions at the request of the User before concluding the contract.
Each product or service is accompanied by documentation that provides information on individual purposes of data processing.
Processing of personal data is governed by regulations governing the protection of personal data, prevention of money laundering and financing of terrorism, as well as the General Data Protection Regulation of the EU in parts where it does not conflict with positive legal norms in Montenegro.
Processing of personal data can be based on the explicit consent of the data subject.
Access to User’s personal data is provided to employees who process personal data for the purpose of fulfilling contractual and legal obligations and pursuing the Controller’s legitimate interests.
For the execution of certain services, the Controller has signed contracts with certain data processors (Processors), who can process personal data only in accordance with a certain law or the User’s consent.
In this situation, the Processor is given only the data necessary to achieve the purpose of the contracted processing, and the Processors cannot use them for other purposes. In these cases, the conditions of data processing and responsibility for data protection will be defined by the contract between the Controller and the Processor.
In accordance with the laws, the Controller in certain cases has the obligation to forward personal data to competent state authorities and authorities responsible for financial, tax or banking supervision (e.g. CBCG, Police Administration, Ministry of Finance, courts, prosecutor’s office).
The period in which personal data are stored changes in accordance with the legal basis and purpose of processing a certain category of personal data. Personal data cannot be stored longer than it is necessary to fulfil the purpose for which the related personal data are collected and processed. After fulfilling the processing purpose, unless there is another legal basis or unless it is necessary for the initiation, enforcement or defence of legal claims, personal data are deleted, destroyed, blocked or anonymized.
The Controller will ensure that the persons to whom the data are related can exercise their rights, more specifically, right to information, right to access personal data, right to complete the incomplete data and amend or erase inaccurate personal data, right to erase (where it is permitted by law) data about a person, right to withdraw consent to processing, right to limit processing, right to data portability.
Persons to whom the data are related can submit a written request in a way that enables their identification for each of the listed rights.
Received requests are reviewed by the DPO. The Controller has the obligation to submit response to the request submitted by the person to whom the data are related without undue delay, and within the deadline prescribed by the Law, at the latest.
Controller has the obligation to provide a copy of personal data being processed, i.e. to provide the requested information to the natural person free of charge. However, if the claims of the data subject are clearly unfounded or exaggerated, and especially if they are repeated, the Controller may refuse to undertake any activities related to the request.
Person to whom the data are related has the right to be informed about their rights, obligations and about issues related to the processing of personal data in the sense of PDPL even before the processing of such data begins.
Data subject has the right to access the collected personal data related to them, as well as to simply exercise this right at reasonable intervals in order to familiarize themselves with processing and confirm its legality.
Person to whom the data are related has the right to receive a notification from the Controller on whether their personal data are being processed and, if this is the case, to access the personal data and the following information: purpose and legal basis of processing, categories of relevant personal data that are processed, recipients or categories of recipients to whom personal data have been disclosed, the existence of the right to request from the Controller to change or delete incomplete or inaccurate personal data, or the existence of the right to object to the Controller regarding the respective processing, right to submit an objection to the supervisory authority, if data on persons have not been collected from the persons to whom they are related, all available information regarding their source.
The person to whom the data are related has the right to obtain from the Controller, upon written request, within the prescribed legal period, the amendment or deletion of inaccurate data relating to them.
Taking into account the purpose of processing, the person to whom the data are related has the right to supplement incomplete personal data, including the possibility that the supplement be made on the basis of an additional statement.
Person to whom the data are related has the right to demand from the Controller deletion of personal data relating to them, if the processing of personal data is not in accordance with the law.
The person to whom the data are related has the right to request from the Controller a restriction of processing if one of the following cases can be applied: (1) the person to whom the data are related disputes the accuracy of their personal data, for a period that allows the Controller to check the accuracy of personal data, (2) the person to whom the data are related submitted a request for deletion of personal data with the explanation that their processing is not in accordance with the law, for a period that allows the Controller to carry out the procedure according to the request.
In the case when the processing is limited on the basis of the previous paragraph, the relevant personal data, with the exception of storage, will be processed only with the consent of the person to whom the data are related or for the initiation, implementation or defense of legal claims or for the protection of rights of another natural or legal person.
Consent to data processing for the purposes described in this document is voluntary. Consent is given only for the processing purposes specified in the consent and will be valid until revoked, so you inform the Controller about this, which will not have any impact on any contractual relationship between you and the Controller or on the use of products and services that do not require such consent. The Controller is obliged to process only those personal data even after the withdraw in order to fulfil its legal obligations, due to compliance with the contract with you, as well as due to the monitoring of its legal and legitimate interests.
The person to whom the data are related can request the transfer of personal data to another Controller, when it is technically feasible, i.e. when personal data that are the subject of transfer request are in a structured and machine-readable format.
The Controller reserves the right to change or amend these General Terms and Conditions. Information are available in the office and on the website.
For everything that is not specifically dealt with in these General Terms and Conditions, the provisions of the current legislation apply.
This Regulation enters into force on the day of its adoption.