HR EN

PRIVACY POLICY ZAGREB INTERNATIONAL AIRPORT JSC. (''Privacy policy'')

  1. INFORMATION ON DATA CONTROLLER AND DATA PROTECTION OFFICER
 
International Zagreb Airport Jsc. (MZLZ) is a company which manages Franjo Tuđman Airport (ZAG) and which is data controller of your personal data. For all questions in relation to the processing of your personal data, you can contact our data protection officer on the following contacts:
 
e-mail: DPO@zag.aero or
address: Ulica Rudolfa Fizira 1, p.p. 80, 10 410 Velika Gorica
 
  1. PURPOSE AND LEGAL BASIS FOR PROCESSING OF PERSONAL DATA
 
MZLZ processes only those personal data that are necessary and that are obtained within the scope of business activities and for the following purposes:
 
  • performance of the contract - when the processing is necessary for the performance of a contract to which you are a party;
  • satisfaction of legitimate interests - when necessary, personal data will be processed in order to satisfy legitimate interests, which can amongst other, include protection of persons and property, responding to your complaints and inquiries, pursuing legal proceedings, preventing illegal actions;
  • compliance with regulatory requirements - for example, we are obliged to act in accordance with EU regulations in relation to the protection of civil air traffic, tax regulations and similar;
  • processing of personal data based on consent - only after we receive your consent for processing of personal data for specific purpose.
 
In case we process your personal information for purposes not described in this Privacy policy or for the purpose to which you have not given your consent, prior to such processing, we will provide you with information about the purpose and all other relevant information about the processing.
 
  1. PROCESSING OF PERSONAL DATA - BOARDING PASSES CONTROL
 
Personal data contained in valid boarding passes are collected and processed for the purpose of controlling access to airside area of ZAG and directing passengers holding a valid boarding pass to further physical security screening (security body check).
 
The collection and processing of the personal data from valid boarding passes are necessary to be conducted because of civil aviation security and are carried based on legal obligation of MZLZ, arising from the following regulations:
  • Regulation (EC) No. 300/2008 of the European Parliament and of the Council of 11 March 2008 common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002
  • Commission implementing Regulation (EU) 2015/1998 of 05 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security
  • Commission Implementing Decision C(2015) 8005 final of 16 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security containing information
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ.
By scanning valid boarding passes, MZLZ processes personal data of passengers contained in the boarding pass (name and surname, flight number, destination, number of boarding pass, scanning time of such a boarding pass, indication whether the specific passenger was subsequently directed to security screening). The mentioned personal data are used for the following purpose:
  • directing passengers with a valid boarding pass to physical security screening:
  • determining MZLZ’s liability towards third parties and the liability of third parties towards the MZLZ, in cases of performing legal obligations of the MZLZ and in cases when such is necessary in terms of legal interests of MZLZ or third parties to which the content is made available.
For the purpose of performing boarding pass control MZLZ uses an electronic gate system (e-gates) for boarding pass control consisting of physical electronic gates and a dedicated software solution. Personal data are processed and stored within the territory of the European Union. A system maintenance provider based in a third country accesses the system solely for maintenance and technical support purposes, acting in the capacity of a data processor. Such access may involve the transfer of personal data to a third country, which is carried out in accordance with Articles 44-46 of the General Data Protection Regulation (GDPR), on the basis of standard contractual clauses adopted by the European Commission, with the application of appropriate technical and organisational safeguards.
Additionally, in cases where manual checks are required, MZLZ uses the services of a data processor which, acting on behalf of and for the account of MZLZ, performs the scanning of passengers’ boarding passes for the purpose of controlling access to the airside of the airport and directing passengers with a valid boarding pass to further security screening.
The personal data obtained by such processing will be kept for 30 days at longest, from the date of boarding pass scanning, except in case when the capacities of servers are full, in which case the data will be kept/saved shorter than 30 (thirty) days.
  1. PROCESSING OF PERSONAL DATA - VIDEO SURVEILLANCE
MZLZ and company HAVAS - Ground Handling Services Ltd. (hereinafter jointly: MZLZ) collect and process your personal data by using the video surveillance system which records data on appearance and movements of persons and objects. Processing of personal data by using the video surveillance system is based on the legitimate interest of MZLZ and the legal obligation of MZLZ arising from the following regulations:
  • ICAO Annex; Doc, 9859 SARP, Global Aviation Safety Plan;
  • European Aviation Safety Plan;
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ
  • National civil aviation security program
  • Law on Air Traffic (OG 69/09, 84/11, 54/13, 127/13, 92/14);
  • Law on privacy protection (OG 68/03, 31/10, 139/10);
  • Ordinance on conditions and manner of technical security (OG 198/03);
  • Law on critical infrastructures (OG 156/13) and other acts generated from that Law;
  • Directive on selection criteria of security measures and manner of marking of military and other facilities of special importance for defence (OG 63/2011).
The scope of collection and further processing of personal data by using video surveillance system is limited to:
  • effective protection and security of people, property, operating surfaces, devices, facilities, installations, devices and equipment at ZAG,
  • preventing unlawful actions,
  • anti-terrorist, anti-attack and anti-sabotage activities,
  • determining MZLZ’s liability towards third parties and the liability of third parties towards the MZLZ, in cases of performing legal obligations of the MZLZ and in cases when such is necessary in terms of legal interests of MZLZ or third parties to which the content of the video surveillance system is made available.
Personal data obtained by this processing is automatically erased after 30 (thirty) days of storage on external disk space, except in case when the capacities of external servers are full, in which case the videos will be kept/saved shorter than 30 (thirty) days. Keeping of video recordings after 30 days is possible in case of court proceedings being in progress, where the personal data obtained by this processing may be used.
  1. PROCESSING OF PERSONAL DATA - COMPLAINTS AND INQUIRIES OF THE USERS
 
MZLZ and the company HAVAS - Ground Handling Services Ltd. (hereinafter jointly: MZLZ) collect and process your personal data via the official website or by written form, where passengers have the right to make a complaint about certain services provided by MZLZ or through which the passengers / visitors have right to ask a question or give a suggestion to MZLZ.
 
The personal data that MZLZ collects in this way are name and surname, e-mail address and residence address. MZLZ uses the personal data exclusively for the purpose of processing of the complaint and preparation of a reply.
 
This processing of personal data is based on the legal obligation of MZLZ arising from the Consumer Protection Act.
 
The personal data obtained through processing of MZLZ will be kept at most 5 years from the date of their receipt, or longer in case of court proceedings where the personal data here obtained will be used.
 
MZLZ may share personal data received for this purpose with its sub-contractors who process personal data in the name and on behalf of MZLZ. Where such sharing of personal data is made, MZLZ will ensure that such sub-contractors follow the same protection measures for your personal data as well as MZLZ.
 
 
  1. PROCESSING OF PERSONAL DATA IN RELATION TO THE RECORDING OF TELEPHONE CONVERSATIONS WHEN USING THE CONTACT CENTER FOR CUSTOMER INQUIRIES
 
MZLZ collects and processes your personal data when recording telephone conversations upon calling the number of our contact centre. The data processing is based on the legitimate interest of the data controller in responding to customer inquiries. The data controller ensures that no unnecessary data is collected and ensures the continuous deletion of conversations that are no longer required.
 
The personal data being processed includes to the following categories: first name, last name, address, phone number, email address, audio recordings of interactions with agents, and records of customer responses.
 
MZLZ uses a subcontractor who maintains the contact centre’s data storage system.
 
Personal data obtained through this processing is retained by MZLZ for up to 30 days from the date of data storage, unless the storage media capacity is full, in which case it will be stored for less than 30 days. Exceptionally, recordings may be stored for longer than 30 days in the case of ongoing legal proceedings or similar disputes where the personal data obtained through this processing is used.
 
  1. PROCESSING OF PERSONAL DATA - AUTOMATED LICENSE PLATE RECOGNITION SYSTEM (LRP SYSTEM)
 
The personal data of users of car park for passengers and visitors as well as users of Kiss & fly zone at ZAG we are processing through the use of an automated license plate recognition system (herein after ‘’LPR system’’). The LPR system, when entering and leaving the car park, takes a photograph of the vehicle and the registration number of vehicles of passengers/visitors who used the aforementioned car park at ZAG. The following personal data of users are processed through the LPR system: license plate number, time of entry, and time of exit from the parking lot.
 
The aforementioned processing of personal data is based on the contractual relationship, the legitimate interest of MZLZ, and the legal obligation of MZLZ arising from the following regulations:
  • ICAO Annex; Doc, 9859 SARP, Global Aviation Safety Plan;
  • European Aviation Safety Plan;
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ
  • National civil aviation security program
  • Law on Air Traffic (OG 69/09, 84/11, 54/13, 127/13, 92/14);
  • Law on privacy protection (OG 68/03, 31/10, 139/10);
  • Ordinance of conditions and manner of technical security (OG 198/03);
  • Law on critical infrastructures (OG 156/13) and other acts generated from that Law;
  • Directive on selection criteria of security measures and manner of marking of military and other facilities of special importance for defence (OG 63/2011).
The scope of data collection and further processing using the LPR system is limited to:
  • performance of the contract in accordance with the Terms and conditions for car parks and Kiss &Fly zone at Franjo Tuđman Airport (hereinafter: "Car Park Terms"). Car Park Terms are available on MZLZ’s website;
  • effective parking lot management, which includes parking fee collection and control, as well as communication with the users of parking lot for that purpose;
  • prevention of illegal actions and breach of Car Park Terms,
  • solving any complaints and received inquiries.
For those parking lot users who have not paid for parking in accordance with the Car Park Terms, MZLZ submits the license plate number of the vehicle for which payment has not been made to the competent police station or vehicle inspection centre. In such cases, MZLZ acts and requests information based on its legitimate interest, with the aim of effective parking lot management and ensuring payment for parking services.
 
The competent police station or vehicle inspection centre has a legal obligation to provide MZLZ, based on the provided license plate number, with personal data about the owner or user of the vehicle. The personal data provided to MZLZ by the competent police station or vehicle inspection centre includes the following: name of the owner or user of the vehicle under the leasing contract, residence/address/registered office of the owner or user of the vehicle under the leasing contract, personal identification number (OIB) of the vehicle owner or user, and type of person (legal/natural).
The personal data obtained by this processing shall be retained for 5 years or longer in case of a court procedure where this personal data is used.
MZLZ uses the subcontractor for this processing of personal data which maintains the LPR system. Where such sharing of personal data is made, MZLZ will ensure that such sub-contractors follow the same protection measures for your personal data as well as MZLZ.
  1. PROCESSING OF PERSONAL DATA - AIRPORT IDENTIFICATION CARDS, ACCESS CONTROL, AIRSIDE DRIVING PERMITS AND TEMPORARY AIRSIDE DRIVING PERMITS AND PERMITS FOR PHOTOGRAPHING THE AIRCRAFT
Your personal data which, is necessary for the purpose of issuing airport identification cards to unescorted and escorted persons as well as identification cards for unescorted and escorted vehicles, is processed based on the legal obligation arising from the following regulations:
  • Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 on the establishment of detailed measures for the implementation of common basic standards on aviation security,
  • Commission Implementing Decision C (2015) 8005 of 16.11.2015 laying down detailed measures for the implementation of common basic standards on aviation security,
  • Commission Regulation (EU) No 139/2014 of 12 February 2014 on establishing requirements and administrative procedures related to airports in accordance with Regulation (EC) No 216/2008 of the European Parliament and of the Council Text with EEA relevance and its amendments
  • National Civil Aviation Security Program of the Republic of Croatia
  • Airport security program of Franjo Tuđman Airport
The purpose of the processing is to enable lawful and secure access for persons and vehicles to the critical zone of the restricted security area of ZAG for which such access is necessary in order to perform their duties.
Data collected for the purpose of issuing identification cards:
  • for unescorted persons, the data will be kept for ten years from the end of the year in which the eligibility check was conducted.
  • for escorted persons, the data will be kept for five years from the end of the year in which the approval for issuing the identification card for the escorted person was issued.
  • for unescorted vehicles, the data will be kept for five years from the end of the year in which the identification card for the unescorted vehicle was issued.
  • for escorted vehicles, the data will be kept for five years from the end of the year in which the approval for issuing the identification card for the escorted vehicle was issued.
  • for unescorted persons or for approval issued based on the submitted Request for Approval of Temporary Movement in Security Restricted Areas at Airports in the Republic of Croatia, the data will be kept for seven years from the end of the year in which the approval was issued.
Data collected for the purpose of issuing an airside driving permit on the airside and a temporary airside driving permit will be kept for five years from the end of the year in which the airside driving permit was issued.
The data collected for the purpose of issuing a permit for photographing aircraft will be kept for one year after the end of the year in which the permit for photographing aircraft expired.
MZLZ uses the access control system to critical zone of the restricted security area of ZAG for the purposes described below, and in this sense, we process the personal data of users of airport identification cards in such a way that the access control system, when entering and exiting critical zone of the restricted security area of ZAG, records the data on movement of persons who have airport identification cards. The aforementioned processing of personal data is based on the legitimate interest and legal obligation of MZLZ, which derives from the following regulations:
  • ICAO Annex; Doc, 9859 SARP, Global Aviation Safety Plan;
  • European Aviation Safety Plan;
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ
  • National civil aviation security program
  • Law on Air Traffic (OG 69/09, 84/11, 54/13, 127/13, 92/14);
  • Law on privacy protection ( OG16/20, 114/22);
  • Ordinance of conditions and manner of technical security (OG 198/03);
  • Ordinance on the Method of Conduct of Police Officers in the Procedure for Assessing a Person’s Suitability (Official Gazette No. 92/2017)
  • Instruction of the Ministry of the Interior on the Use of the e-AERO Application for the Purposes of Conducting the Procedure for Assessing Persons’ Suitability
  • Law on critical infrastructures (OG 56/13,114/22) and other acts generated from that Law;
  • Directive on selection criteria of security measures and manner of marking of military and other facilities of special importance for defence (OG 63/2011).
The scope of data collection and further processing through the access control system to the critical zone of the restricted area of ZAG airport is limited to:
  • to administer airport identification cards in accordance with regulatory requirements;
  • to manage and record access to security restricted areas and facilities at ZAG;
  • to investigate allegations of misuse of airport identification cards;
  • to prevent illegal actions;
  • determining MZLZ’s liability towards third parties and the liability of third parties towards the MZLZ, in cases of performing legal obligations of the MZLZ and in cases when such is necessary in terms of legal interests of MZLZ or third parties to which the content is made available.
In order to fulfill the previously described purposes, MZLZ may disclose your data collected through the access control system to employers who have requested airport identification cards for you.
Data collected through the ZAG area access control system will be kept for 2 years or longer in the case of a court procedure in which personal data obtained through this processing is used.
MZLZ uses a subcontractor for this processing of personal data which maintains an access control system. Where such sharing of personal data is made, MZLZ will ensure that such sub-contractors follow the same protection measures for your personal data as well as MZLZ.
  1. PROCESSING OF PERSONAL DATA DURING RECRUITMENT
When you apply for a job for a position within MZLZ, we collect candidates’ personal data for the purpose of conducting the recruitment procedure and verifying that the conditions for the relevant position for which you are applying are met. This processing includes, but is not limited to, the following categories of candidates’ personal data: (i) identification and contact details, (ii) data on education and work experience, and (iii) other data provided by candidates in their CVs and accompanying documentation. Generally, MZLZ does not collect special categories of candidates’ personal data; however, it is possible that a candidate may provide information relating to health and/or social status in their job application. The processing of personal data in the case of applying for a published position within MZLZ is based on taking steps at the request of the data subject prior to the entering into the a contract.
Currently, we do not accept open job applications, nor do we process personal data for that purpose. Should this change in the future, and we enable the submission of open applications, the processing of personal data contained therein will be carried out exclusively on the basis of your consent, which you will have the right to withdraw at any time.
If you are selected as the most suitable candidate for the position, we will provide you with an offer. If you accept the offer, we will collect additional information in order to conclude and perform the contract with you. Further collection and processing of your personal data will be carried out for the purpose of concluding a contract with you or taking the necessary steps prior to entering into such a contract.
If you have applied for a published position within MZLZ and have not been selected as the most suitable candidate, your personal data will be deleted upon the closure of the recruitment process, unless you have provided consent for their further retention for the purpose of being considered for future vacancies. In such a case, the data will be retained for a maximum period of six (6) months from the date the consent was given or until its withdrawal, whichever occurs first.
 
  1. RIGHTS OF THE DATA SUBJECT REGARDING PROCESSING OF PERSONAL DATA
To exercise your rights, you can contact us in writing or by email using contact data specified in item 1 of this Privacy Policy. In order to protect your personal data, depending on the legal basis of processing, the rights may include the following:
  • Right of access by the data subject,
  • Right to be informed on the processing of personal data,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to data portability,
  • Right to object.
The realization of the above-mentioned rights will depend on the legal basis for specific processing of data and will be possible if it is applicable in accordance with the regulations and/or technically feasible in relation to the specific processing of personal data. Also, please note that the right to erasure does not apply, for example, in cases where processing is necessary to comply with legal obligations, as well as when it relates to establishing, exercising or defending legal claims and similar.
Please note that you have the right to request the above-mentioned rights as they are applicable in relation to specific processing, but according to the regulations on personal data protection, we are obliged to confirm your identity before providing any information and to provide you with an explanation in case we are unable to comply with your request. In the case of a request from your side, we will inform you whether your request has been approved.
In addition, if you consider that your rights have been violated, you may file a complaint with the Croatian Personal Data Protection Agency, Ulica Metela Ožegovića 16, 10000, Zagreb or via e-mail: azop@azop.hr.
  1. THE RECIPIENTS OF THE PERSONAL DATA
Your  personal data may be used by the system maintenance service providers within which your personal data is processed or to service providers who provide services on behalf of MZLZ (if applicable to specific processing and as specified in relation to specific processing), who act as processors only for the purpose of fulfilling the obligations from the contracts concluded with MZLZ, and MZLZ has obliged them not to process your personal data without our order nor to transfer the data to third parties. Furthermore, we may forward your personal data to the competent authorities for the purpose of performing tasks within their jurisdiction, the court or the competent state attorney's office, i.e. other authorities in legal proceedings as well as the law firms that we engage to represent us in proceedings in order to establish, realize or defend the legal interests of MZLZ and in other cases when we are required by law to provide your personal data.
  1. SECURITY OF PERSONAL DATA
We take all appropriate technical and organizational security measures to prevent accidental or illegal destruction, loss, alteration, unauthorized use, disclosure, insight or access to data. Among other things, the measures include, depending on the specific processing, controlled access - to electronic databases that contain personal data obtained through the specific processing - only through a personally specified username and password, and access to the server equipment system is under video surveillance and under access control, as it is applicable to the specific processing.
  1. TIME PERIOD OF STORAGE OF PERSONAL DATA
We store your personal data as long as necessary to fulfill a contractual or legal obligation or legitimate interest, or until the purpose of personal data processing is fulfilled. Storage periods are prescribed specifically for the specific processing of personal data. In the case of processing personal data based on consent, when your consent is withdrawn, the processing of personal data ceases.
  1. PRIVACY POLICY CHANGES
MZLZ reserves the right to change this Privacy Policy and will publish all changes to the Privacy Policy on its official website.
Need Help?