LIMITED LIABILITY COMPANY “COSMOPOLITAN DMC” PODGORICA, company with registered seat at the address Cetinjska 11, 5th floor (The Capital Plaza Centar), Podgorica, Montenegro, registration number 03288463, contact email address: [email protected] (“Controller”), intends to, in the capacity of personal data controller, for the purpose of organizing and paying for tourist trips, as well as for the purpose of informing the users of the Controller’s services via the website www.cosmopolitanprivatetransfers.com (hereinafter: the “Website”), collect and process certain personal data. Bearing that in mind, the Controller informs all visitors and users of the Website (individually each of the visitors and users of the Website hereinafter referred to as: “User”) about the following:
1. Data to be collected and processed
1.1. The Controller intends to collect and process personal data from the Users that is necessary for the organization of tourist trips through the Website, including but not limited to:
– travel reservation and associated content
– organization of transfers from/to the airport and point-to-point transfers
1.2. User data that the Controller intends to collect and process in accordance with point 1.1 above are: name, surname, email address and payment card data (“Data”).
2. Controller’s Identity
2.1. Data, identity and contact information of the Controller are disclosed in the introductory provisions above.
3. Legal basis and purpose of Data collection and processing
3.1. The purpose of Data collection and processing is the organization of tourist trips and related services via Website, as defined in Article 1 of this Policy, and receipt of further notifications and promotional offers addressed to Users by the Controller (“Purpose”).
3.2. Legal basis for Data collection and processing is the consent of the User.
4. Information on Data recipients
4.1. User’s Data may be further transferred to the company which manages the e-trade platform used on the Website. In addition, access to the User’s Data may be enabled to the company Contact Service d.o.o. Beograd, a company with its registered seat in Ustanička Street number 170v, Belgrade, Republic of Serbia, who will act as sales agents and respond to inquiries that come through the Website, by phone and by email. If these data transfers occur, the Controller will execute an agreement on data processing with these companies, as well as any other entity that processes the User’s Data, which honors standard contractual clauses envisaged in Article 45 of the Law on the Protection of Personal Data of the Republic of Serbia (“Official Gazette of the RS” No. 87/2018, hereinafter: the “Law”) as well as in Article 28 of the General Data Protection Regulation of EU no. 2016/679 (hereinafter: “GDPR”) and which ensure the required level of personal data protection in accordance with the applicable regulations.
4.2. User’s Data shall be kept on the servers of CloudWays, which are located in Germany, a signatory of the Data Protection Convention of the European Council. As an EU member, Germany is considered a country with an adequate level of personal data protection, in accordance with Article 45 of GDPR.
4.3. User’s Data: name, surname and e-mail address will be sent to the e-mail address [email protected], for the purpose of organizing the requested transfers and/or excursions. Access to this Data shall be granted to the specifically appointed person employed with the Controller, and the email server for this email address is located in the Republic of Serbia. The Republic of Serbia is not considered a country with an adequate level of personal data protection in accordance with the EU regulations, and thus, if Data transfer occurs in this instance, it will be subject to mechanisms ensuring the required level of the User’s Data protection, in accordance with the first paragraph of this Article. The User can become familiar with the applicable protective measures in accordance with Article 5.7. of this Policy.
4.4. Data on User’s payment cards shall be kept in Montenegro, in the registered headquarters of the Controller. When entering payment card data, confidential information is transmitted via a public network in a protected (encrypted) form using the SSL protocol, using the most modern methods of tokenization of sensitive data, and in accordance with PCI-DSS standards. Payment card information is never available to the merchant. 3D Secure protection for all merchants and customers – AllSecure Payment Gateway uses the highest global standards of data protection and privacy. All merchants using the AllSecure Payment Gateway are automatically included in the 3D-Secure protection, guaranteeing customers the security of their purchases. Users’ payment card numbers are not stored on the merchant’s system, and the registration itself is protected by SSL data encryption. PCI DSS Standards – AllSecure Payment Gateway constantly complies with all requirements of card organizations in order to increase the security level of merchants and customers. From 2005 to today, without interruption, the system has been certified as PCI-DSS Level 1, which represents the highest standard in the industry. PCI Data Security Standard (PCI-DSS) is a norm that defines the necessary security measures for processing, storing and transmitting sensitive card data. PCI Standards protect sensitive data about the cardholder during the entire payment process: from the moment of data entry at the merchant’s point of sale, during communications between the merchant and relevant banks and card organizations, as well as later storage of that data.
5. Rights, including right to be notified, that belong to the Users in case of unauthorized processing of personal data
5.1. Right of access: The User has the right to request access to a copy of the Data, together with information about:
– which of the User’s personal data is processed by the Controller
– what is the purpose of processing
– whether the Data is shared with third parties and the identity of those third parties, if any
– what is the data storage period
– what are the rights of the User in relation to the Data, and above all information about the right to correction, deletion, restriction of processing, objection and complaint to the competent authority in country of residence
– whether User Data was used for any automated decision-making.
5.2. Requesting Right of access is free of any charge.
5.3. The right to object: The User can at any time lodge an objection regarding any aspect of Data processing by the Controller by contacting the e-mail address [email protected]
5.4. Right to revoke consent: The Controller processes User Data exclusively on the basis of consent. At any time, the User can withdraw its consent, in which case the Controller stops further processing of the Data. If the User exercises this right, it will not affect the earlier processing that was carried out in accordance with the User’s consent and in accordance with the Law and the GDPR.
5.5. Right to rectification of Data: The User can at any time ask the Controller to change or complete any incorrect or incomplete Data.
5.6. The right to delete Data: The User can at any time ask the Controller to delete the Data if the Controller no longer needs the Data for the purpose for which it was collected.
5.7. The right to information regarding the appropriate protection measures: The User can at any time be informed about all the protection measures applied to the Data, including the measures applied when exporting the Data to countries that do not provide an adequate level of protection of personal data in accordance with positive regulations, via email address [email protected]
5.8. The right to data portability: The User can at any time ask the Controller to transfer all or some of the Data to him or to a third party, in a way and in a form that can be easily transferred.
5.9. The right to limit the processing of Data: The User can at any time ask the Controller to limit the processing of Data. In case of such a request by the User, the Operator will suspend all activities related to the Data, until this request is resolved.
5.10. Automated decision-making and profiling: The Operator informs the User that no automated decision-making or profiling is applied to the Data as a method of decision-making, nor will such actions be carried out in the future.
5.11. Right to file a complaint: The User can file a complaint at any time:
– To the Commissioner for Information of Public Importance and Protection of Personal Data via the email address [email protected], if there is a complaint regarding the collection and processing of Data, for Users residing in the Republic of Serbia.
– To the competent authority for the protection of personal data in the country of their residence or stay, for Users who have a residence or stay in one of the EU member states, the United Kingdom of Great Britain and Northern Ireland, Montenegro, or any other country, if the provision of the services of the Controller through the Website targets them directly.
6. Obligation and legal basis, i.e. voluntary provision of Data and processing
6.1. Giving consent to the processing of Data for the stated Purpose is voluntary.
7. Giving and revoking consent
7.1. Consent can be revoked via the email address [email protected], or in writing via the address of the Controller’s headquarters, with consequences as stated in Article 5.4 of this Policy.
7.2. Revocation of consent does not affect the admissibility of processing based on consent prior to revocation.
7.3. In case of revocation of consent, the User who previously gave consent is obliged to compensate the Controller for reasonable costs and possible damage, in accordance with the regulations governing liability for damage.
8. Other information relevant to Data processing
8.1. The Data will be stored and considered confidential as long as it is necessary for the fulfillment of the Purpose, in accordance with the applicable laws, or until the consent is revoked.