Informativa sulla privacy

Last updated: 01st December 2023

Autotrans d.d., Šetalište 20. travnja 18, 51557 Cres i Autopromet d.d,  P. Svačića 7, 47240 Slunj all together as Arriva and hereinafter Arriva recognize the importance of protecting personal information and respect your privacy.

All collected information is used solely in accordance with this policy, the Regulation (EU) 2016/679, the Croatian Personal Data Protection Act, the Croatian Electronic Communications Act and the procedures relating to the protection of personal data of the Arriva group.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.arriva.com.hr or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.

What personal data do we collect?

Information provided by you includes information you provide when you purchase a bus ticket on our web page or in Arriva Croatia app, register to use myArriva account, register to Arriva Loyalty Program, set up various queries, sign up for our newsletter, participate in a competition or survey and when you make a complaint about the service.

The information you give us may include: your name, surname, e-mail address, phone number, address, PIN, date of birth and sex.

Information we collect about you

When you use our mobile app or when you register to use our wi-fi services on the bus we will not automatically collect any personal information.

Information we receive from other sources

We may receive information about you if you use any of the other websites we operate. We are also working closely with third parties such as business partners, agencies for ticket sales, online payment authorization providers, Google and Facebook for the purposes of registering users through their accounts and may receive information about you from them.

Sensitive personal data

We will not intentionally systematically seek to collect, store or otherwise use any special categories of data or sensitive data for any purpose.

Use of this sites by children

Please be aware that all personal data processing can only be used by people who are 16+ years old. The use of the system and the tool is forbidden as well as the processing of data of users under 16 without the appropriate parent / guardian consent. If, however, data is processed, we will terminate as soon as we find out that the user is under 16 and we will delete all data we collected.

Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.

You can disable cookies by changing your web browser settings at any time. If you do not agree with use of cookies, the functionality of our web site might not be complete.

How do we use your personal data and what is the legal basis for such processing?

The collection of the personal data described above is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you and to enable the benefits of the loyalty program. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.

However, we will normally process your personal information only:

  • where we have your consent to do so;
  • where the processing is necessary to perform our contract with you; or
  • where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms; and
  • where we have a legal obligation to process your personal information.

Information provided by you

We use your personal information as follows:

Purpose of processing Legal bassis for processing
Online ticket sales Performance of a contract
myArriva account registration Performance of a contract
Loyalty Program registration Performance of a contract
Respond to inquiries, suggestions and complaints Legal obligation
Participation in competitions or surveys Your consent
Providing additional service information, special offers and loyalty program benefits  Your consent
On-line payment authorization (by third party Corvus d.o.o.) Performance of a contract

Information about our service our special offers we send by email or push notifications in Arriva Croatia app. You can withdraw consent for the processing of your personal data at any time via the unsubscribe link in the newsletter or in your account settings.

User registration in the myArriva user account

At the first registration on myArriva account we collect only your e-mail address to confirm your identity. Within your account, you can add additional information like your name, address and phone number.

The information we collect within the account, we are using for the function of automatic data completion in the process of buying tickets which provides you faster and easier shopping.

The buyer shall take full responsibility for the accuracy and completeness of the information provided during the registration, and undertakes to handle the password accurately. Moreover, the buyer shall take full responsibility for all the activities performed with their account, including the activities of others, regardless of the fact that they were authorised by the buyer or if such persons are using the buyer’s account in an unauthorized manner.

Autotrans is not responsible for situations arising from unauthorized use of the buyer’s account and has the right to deny access and use of all or some services to that user.

Users registration in the loyalty program

Autotrans d.d., Šetalište 20. travnja 18, 51557 Cres and Autopromet d.d. P. Svačića 7, 47240 Slunj, all together as Arriva and hereinafter Arriva is the Controller of your personal data that you provided to us during the first registration to the loyalty program and by signing the application form for membership in the Arriva loyalty program as organizer of the loyalty program.

When registering for the first time in the loyalty program by which you become a member of the Arriva loyalty program, we collect the first name, surname, e-mail address, phone number, address, Personal Identification number (OIB), date of birth, and sex.
All data collected are mandatory, and we use them for the purpose of running the loyalty program.
The member is responsible for data accuracy and completeness entered at the time of registration, and undertakes to take care of their password security. The member is furthermore responsible for all activities carried out through their loyalty account, including those of other persons, regardless of the fact whether the member has authorized them or those persons make unauthorized use of their loyalty account.
Autotrans is not responsible for situations arising from the unauthorized use of a member’s loyalty account, and has the right to deny access to and provision of all or partial services to such a member of the program.

Information we receive from other sources

We use your personal information as follows:

 Purpose of processing Legal bassis for processing
Online ticket sales Performance of a contract
On-line payment authorization Performance of a contract
myArriva account registration Performance of a contract


Sharing Your Information

Information we receive from other sources. We may combine this information with information you give to us and use this information and the combined information for the purposes set out above (depending on the types of information we receive).

We may disclose your personal data to the following categories of recipient for the purposes  of:

  • on-line authorization of payment provider

In the booking process we forward your name, phone number and e-mail address. The number of your credit/debit card is not stored on our website but the payment is done through the online payment service CorvusPay of the company Corvus info d.o.o., Buzinski prilaz 10, 10010 Zagreb.

At the time of purchase, by using the Card Storage (eWallet) service, your data are stored in the CorvusPay system, where you can delete them at any time. 

  • competent law enforcement body, supervisory body

www.arriva.com.hr contains links to other web sites that are not managed by Arriva. These sites contain their own privacy statements and Arriva is not responsible for their privacy policies.

Security of data

Web sites on which confidential data is exchanged, is protected using Secure Socket Layer (SSL) security protocol with 128-bit data encryption. SSL encryption is the technology of data protection that enables secure data exchange between your browser and www.arriva.com.hr.

Arriva Croatia mobile application is storing your data locally on your device in a secure and protected way using encryption. You can delete your personal data at any time in the application.

Security of Online Payments

While conducting payments on our web shop you are using CorvusPay – an advanced system for secure acceptance of credit cards on the Internet.

CorvusPay ensures complete privacy of your credit card data from the moment you type them into the CorvusPay payment form. Data required for billing is forwarded encrypted from your web browser to the bank that issued your payment card. Our store never comes into contact with your sensitive payment card data. Similarly, CorvusPay operators cannot access your complete cardholder data. An isolated system core independently transmits and manages sensitive data while at the same time keeping it completely safe.

The form for entering payment data is secured by an SSL transmission cipher of the greatest reliability. All stored data is additionally protected by hi-grade encryption, using hardware devices certified by FIPS 140 2 Level 3 standard. CorvusPay fulfills all of the requirements for safe online payment prescribed by the leading credit card brands, operating in compliance to the PCI DSS Level 1 standard - the highest security standard of the payment card industry. Payments made by cards enroled with the 3-D Secure program are further authenticated by the issuing bank, confirming your identity through the use of a token or a password.

All information collected by Corvus Info is considered a banking secret and treated accordingly. The information is used exclusively for the purposes for which they were intended. Your sensitive data is fully secure and it’s privacy is guaranteed by the state of the art safeguard mechanisms. We collect only the data necessary for performing the work in accordance with the demanding prescribed procedures for online payment.

Security controls and operating procedures applied within the CorvusPay infrastructure not only ensure current reliability of CorvusPay but permanently maintain and enhance the security levels of protecting your credit card information by maintaining strict access controls, regular security and in-depth system checks for preventing network vulnerabilities.

 

Data retention

We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer. 

The table below explains in more detail how long Autotrans will store different types of information of users of our service at www.arriva.com.hr

 Passenger / Loyalty Members Information 
Passenger and buyer data For the period of 11 years following the end of the year in which the passenger last purchased the bus ticket
Passenger service enquiries 1 year
Correspondence for complaints 1 year after the completion of the complaint procedure
Complaints record 2 years
Prize contest 6 years following the end of the year in which the participant was awarded
Competitions 6 months following the end of the year in which the participant was awarded
Customer satisfaction surveys 2 years
Correspondence and papers including emails Review after 5 years
Personal data about loyalty program members, except loyalty membership number and date of birth 1 year after the end of the year in which the membership has ceased or the loyalty program has been discontinued
Loyalty membership number and date of birth 11 years after the end of the year in which membership in the loyalty program ceased or the program was discontinued

You can expect that within three years we will ask you to confirm your consent that you have given us for the specific purpose of processing. We remind you that you can withdraw your consent at any time in the same way as you gave it.

You may withdraw your consent under the loyalty program at any time in your loyalty account profile or by means of the Request for withdrawal of consent for the use of personal data in the Arriva loyalty program.

Information Security

We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal.  All information you provide to us is stored on secure servers.  We are part of the Arriva Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role.  We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.

Transferring Information Internationally

We are not currently transferring your personal data to third countries outside the EEA.

Personal data collection and processing by video surveillance (CCTV monitoring)

For the purpose of protecting persons and property some business premises as well as some buses are under the video surveillance system 24 hours a day. The legal basis for processing is our legitimate interest in protecting our fleet, you as a user of our services, devices and other vehicle assets, including passenger assets.

As a data subject in relation to this type of processing, you have the right to access your personal information, the right to delete them, the right to limit their processing and the right to complain about their processing.

Data recipients in this type of data processing are the responsible persons of Arriva, as well as authorized persons of the Ministry of Interior of the Republic of Croatia or the Court, in which case the stored recordings will be delivered on their written request.

The stored video recordings of the video surveillance system we stored for up to 6 months retention period, depending on the technical capabilities of the system, in accordance with the video surveillance policy, after which they are deleted and will not be used for other purposes.

You are informed about collecting and processing personal data by CCTV monitoring, entering in the perimeter of a particular camera, in the form of a sign sticker indicating that the CCTV is in operation, including name and contact of data controller. At our sales points and on the buses under video surveillance you can find the document as a notification about collecting and processing personal data by video surveillance.

Updates to this Privacy Policy

We may update this Privacy policy from time to time in response to changing legal, technical or business developments. When we update our Privacy policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make.  We will obtain your consent to any material Privacy policy changes if and where this is required by applicable data protection laws.

You can see when this Privacy policy was last updated by checking the “last updated” date displayed at the top of this Privacy policy. 

Your Data Protection Rights

You have the following data protection rights:

If you wish to access, correct, update or request deletion of your personal information, or to object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information you can do so at any time by contact details on the bottom of this page.

If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time.  Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Questions about this Privacy Policy

If you have any question, concerns or complaints about this Privacy policy or our handling of your personal data, you can reach us via the following contact details:

Request to access personal data

Complaint regarding the processing of personal data

Request for withdrawal of consent for the use of personal data in the Arriva loyalty program

Statement of termination of membership in the Arriva loyalty program

  • by telephone at the phone number +385 (0)72 660 660
  • by post at the address: Autotrans d.d. Šetalište 20 travnja 18, 51557 Cres or Autotrans d.d. p.p. 288 51000 Rijeka
  • at our ticket offices and sales agencies

If you are unsatisfied with the response, you can contact the data protection officer at the e-mail address: szzop@arriva.com.hr

You have the right to complain about our collection and use of your personal information to Croatian Personal Data Protection Agency at the address: Selska cesta 136 HR - 10 000 Zagreb, Tel. 00385 (0)1 4609-000, Fax. 00385 (0)1 4609-099 e-mail: azop@azop.hr.

Solo andata Andata e ritorno A/R aperto