Privacy policy

Last updated: 24th May 2018

Autotrans recognizes the importance of protecting personal information and respects your privacy.

All collected information is used solely in accordance with this policy, the Regulation (EU) 2016/679, the Croatian Personal Data Protection Act, the Croatian Electronic Communications Act and the procedures relating to the protection of personal data of the Arriva group.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.arriva.com.hr or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.

What personal data do we collect?

Information provided by you includes information you provide when you purchase a bus ticket, register to use myArriva account, set up various queries, sign up for our newsletter, participate in a competition or survey and when you make a complaint about the service.

The information you give us may include: your name, surname, e-mail address, phone number, address, PIN, date of birth.

Information we collect about you

When you visit our sites or when you register to use our wi-fi services on the bus we will not automatically collect any personal information.

Information we receive from other sources

We may receive information about you if you use any of the other websites we operate. We are also working closely with third parties such as business partners, agencies for ticket sales, online payment authorization providers, Google and Facebook for the purposes of registering users through their accounts and may receive information about you from them.

Sensitive personal data

We will not intentionally systematically seek to collect, store or otherwise use any special categories of data or sensitive data for any purpose.

Use of this sites by children

Please be aware that all personal data processing can only be used by people who are 16 years of age. The use of the system and the tool is forbidden as well as the processing of data of users under 16 without the appropriate parent / guardian consent. If, however, data is processed, we will terminate as soon as we find out that the user is under 16 and we will delete all data we collected.

Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.

You can disable cookies by changing your web browser settings at any time. If you do not agree with use of cookies, the functionality of our web site might not be complete.

How do we use your personal data and what is the legal basis for such processing?

The collection of the personal data described above is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you.  Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.

However, we will normally process your personal information only:

  • where we have your consent to do so;
  • where the processing is necessary to perform our contract with you; or
  • where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms; and
  • where we have a legal obligation to process your personal information.

Information provided by you

We use your personal information as follows:

Purpose of processing Legal bassis for processing
Online ticket sales Performance of a contract
myArriva account registration Performance of a contract
Respond to inquiries, suggestions and complaints Legal obligation
Participation in competitions or surveys Your consent
Providing additional service information and special offers Your consent
On-line payment authorization (by third party Corvus d.o.o.) Performance of a contract

User registration

At the first registration on myArriva account we collect only your e-mail address to confirm your identity. Within your account, you can add additional information like your name, address and phone number.

The information we collect within the account, we are using for the function of automatic data completion in the process of buying tickets which provides you faster and easier shopping.

Information we receive from other sources

We use your personal information as follows:

 Purpose of processing Legal bassis for processing
Online ticket sales Performance of a contract
On-line payment authorization Performance of a contract
myArriva account registration Performance of a contract


Sharing Your Information

Information we receive from other sources. We may combine this information with information you give to us and use this information and the combined information for the purposes set out above (depending on the types of information we receive).

We may disclose your personal data to the following categories of recipient for the purposes  of:

  • on-line authorization of payment provider

In the booking process we forward your name, phone number and e-mail address. The number of your credit/debit card is not stored on our website but the payment is done through the online payment service CorvusPay of the company Corvus info d.o.o., Buzinski prilaz 10, 10010 Zagreb.

At the time of purchase, by using the Card Storage (eWallet) service, your data are stored in the CorvusPay system, where you can delete them at any time. 

  • competent law enforcement body, supervisory body

www.arriva.com.hr contains links to other web sites that are not managed by Autotrans. These sites contain their own privacy statements and Autotrans is not responsible for their privacy policies.

Security of data

Autotrans web siteS on which confidential data is exchanged, is protected using Secure Socket Layer (SSL) security protocol with 128-bit data encryption. SSL encryption is the technology of data protection that enables secure data exchange between your browser and www.arriva.com.hr.

Security of Online Payments

While conducting payments on our web shop you are using CorvusPay – an advanced system for secure acceptance of credit cards on the Internet.

CorvusPay ensures complete privacy of your credit card data from the moment you type them into the CorvusPay payment form. Data required for billing is forwarded encrypted from your web browser to the bank that issued your payment card. Our store never comes into contact with your sensitive payment card data. Similarly, CorvusPay operators cannot access your complete cardholder data. An isolated system core independently transmits and manages sensitive data while at the same time keeping it completely safe.

The form for entering payment data is secured by an SSL transmission cipher of the greatest reliability. All stored data is additionally protected by hi-grade encryption, using hardware devices certified by FIPS 140 2 Level 3 standard. CorvusPay fulfills all of the requirements for safe online payment prescribed by the leading credit card brands, operating in compliance to the PCI DSS Level 1 standard - the highest security standard of the payment card industry. Payments made by cards enroled with the 3-D Secure program are further authenticated by the issuing bank, confirming your identity through the use of a token or a password.

All information collected by Corvus Info is considered a banking secret and treated accordingly. The information is used exclusively for the purposes for which they were intended. Your sensitive data is fully secure and it’s privacy is guaranteed by the state of the art safeguard mechanisms. We collect only the data necessary for performing the work in accordance with the demanding prescribed procedures for online payment.

Security controls and operating procedures applied within the CorvusPay infrastructure not only ensure current reliability of CorvusPay but permanently maintain and enhance the security levels of protecting your credit card information by maintaining strict access controls, regular security and in-depth system checks for preventing network vulnerabilities.

 

Data retention

We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer. 

The table below explains in more detail how long Autotrans will store different types of information of users of our service at www.arriva.com.hr

 Passenger Information
Passenger and buyer data For the period of 11 years following the end of the year in which the passenger last purchased the bus ticket
Passenger consents Review after 2 years
Passenger service enquiries 1 year
Correspondence for complaints 1 year after the completion of the complaint procedure
Complaints record 2 years
Prize contest 6 years following the end of the year in which the participant was awarded
Competitions 6 months following the end of the year in which the participant was awarded
Customer satisfaction surveys 2 years
Correspondence and papers including emails Review after 5 years

Information Security

We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal.  All information you provide to us is stored on secure servers.  We are part of the Arriva Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role.  We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.

Transferring Information Internationally

We are not currently transferring your personal data to third countries outside the EEA.

Updates to this Privacy Policy

We may update this Privacy policy from time to time in response to changing legal, technical or business developments. When we update our Privacy policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make.  We will obtain your consent to any material Privacy policy changes if and where this is required by applicable data protection laws.

You can see when this Privacy policy was last updated by checking the “last updated” date displayed at the top of this Privacy policy. 

Your Data Protection Rights

You have the following data protection rights:

If you wish to access, correct, update or request deletion of your personal information, or to object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information you can do so at any time by contact details on the bottom of this page.

If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time.  Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Questions about this Privacy Policy

If you have any question, concerns or complaints about this Privacy policy or our handling of your personal data, you can reach us via the following contact details:

Request to access personal data

Complaint regarding the processing of personal data

  • by telephone at the phone number +385 (0)72 660 660
  • by post at the address: Autotrans d.d. Šetalište 20 travnja 18, 51557 Cres or Autotrans d.d. p.p. 288 51000 Rijeka
  • at our ticket offices and sales agencies

If you are unsatisfied with the response, you can contact Arriva plc's Data Protection Officer at data.protection@arriva.co.uk

You have the right to complain about our collection and use of your personal information to Croatian Personal Data Protection Agency at the address: Martićeva ulica 14 HR - 10 000 Zagreb, Tel. 00385 (0)1 4609-000, Fax. 00385 (0)1 4609-099 e-mail: azop@azop.hr.

Single Return Open return