Fav flights
Favourite flights

Privacy policy

Data Controller: Split Airport Ltd., Cesta dr. Franje Tuđmana 1270, 21217 Kaštel Štafilić
Phone: ++385 (0)21 203 589, e-mail: informacije@split-airport.hr

1. Data Protection Officer Information
e-mail: gdpr@split-airport.hr
Address: Split Airport Ltd., Cesta dr. Franje Tuđmana 1270, 21217 Kaštel Štafilić

2. Purpose and legal basis for processing personal data
Split Airport Ltd. processes personal data of data subjects only when there is a clearly defined legal basis – legal obligation, consent of the data subject, or in the course of performing its activity as a company that provides ground handling services in air transport.

2.1. We process personal data to fulfil our legal obligations under Article 6(1)(c) of the General Data Protection Regulation for the purpose of:

  • Employment at Split Airport Ltd. (the personal data collected and retention periods can be found in the Ordinance on the Content and Manner of Keeping Records of Workers – Articles 3, 7, and 9)

  • Working time records – collected: name, surname, card number, check-in and check-out time, absences (sick leave, vacation, business trip), planned vacation days, number and type of hours worked. These data are retained for a minimum of 6 years (Ordinance on the Content and Manner of Keeping Records of Workers, Official Gazette 73/2017)

  • Payroll processing – collected: name, surname, card number, OIB, IBAN, home address, education, job title, regular hours, absences, salary amount, life insurance policy number, loan amount and installments, reason and amount of garnishment, disability status, union membership, number of children, number of dependents, number of disabled dependents, membership in the second pension pillar. These data are retained permanently in accordance with the Accounting Act

  • Payments under the Collective Agreement – collected: name, surname, OIB, IBAN, home address, amount of payment, cost center. These data are retained for eleven years in accordance with the Accounting Act

  • Security checks of Split Airport Ltd. employees and contractors (detailed in Article 11.1 of Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security)

  • Training and medical exams for employees in positions with special working conditions (Occupational Safety and Health Act, Ordinance on Jobs with Special Working Conditions, Act on Radiological and Nuclear Safety, Act on the Protection of the Population from Infectious Diseases, Road Traffic Safety Act, Ordinance on the Health Examinations of Drivers and Driver Candidates)

  • Responding to access to information requests – collected: name, surname, address, e-mail address

2.2. We process personal data based on legitimate interest under Article 6(1)(f) of the General Data Protection Regulation for the purpose of:

  • Sales and billing of goods and services – collected: name, surname, type and number of credit card, authorization number, flight number, seat number. Data are retained for 5 years (General Tax Act, Act on Fiscalization in Cash Transactions, Value Added Tax Act)

  • Conclusion of other contracts within the scope of business with natural persons – depending on the nature of the contract: name, surname, OIB, home or business address, bank account number. Retention periods vary depending on the contract.

  • GPS tracking of official vehicles for the protection of persons and property – collected: name, ID number, vehicle location. Retained for 3 months.

  • Video surveillance for the protection of persons and property – footage retained for 6 months or longer if used as evidence in court proceedings.

2.3. We process personal data based on consent under Article 6(1)(a) of the General Data Protection Regulation for the purpose of:

  • Fingerprint-based attendance records – collected: name, OIB or ID card number, card number, fingerprint template. These data for Split Airport Ltd. employees and contractors are stored for the duration of employment or until consent is withdrawn.

2.4. We process personal data pursuant to Article 6(1)(b) of the General Data Protection Regulation, as a data processor, for the purpose of:

  • Fulfilling contracts for passenger, baggage, and cargo handling (SGHA) concluded between Split Airport Ltd. and individual air carriers. Duties include:

    • Check-in – collected: name, surname, flight date, flight number, co-share flight number, reservation number (PNR), ticket, gender, frequent flyer number and card type, frequent flyer program, payment information, tour operator, number and weight of bags, seat, meal type and quantity. Passengers with health conditions must have medical clearance (view only).

    • Providing additional passenger information (API) required by national border control authorities – collected: name, surname, date of birth, ID number, ID expiry, nationality, gender, issuing country.

    • Reporting/lost baggage delivery – collected: name, surname, flight date, flight number, phone number, e-mail, accommodation address, destination address.

    • Business lounge use – collected: name, surname, flight date, flight number, co-share flight number, ticket number, frequent flyer card type and number, frequent flyer program, guest name.

After data is no longer needed, it is deleted or securely disposed of.

We apply strict security measures to minimize the risk of breach or misuse of personal data, such as unauthorized access or disclosure. Equipment and premises for personal data storage are located in a secure environment with restricted physical access (e.g. locked rooms). We use firewalls, strong passwords, antivirus software, VPNs, and multi-factor authentication.

Only authorized persons may access personal data, as regulated by our internal policies. Regular employee training is conducted to raise awareness and ensure understanding of data protection responsibilities. All employees and external associates with access to secure areas of Split Airport Ltd. undergo extended Ministry of Interior background checks.

3. Rights of the Data Subject

3.1. Right of Access to Personal Data
You have the right to access your personal data and may request detailed information on the processing purpose, data categories, access to your data, recipients or categories of recipients, and expected retention periods. Access may be restricted only in cases provided by Union law or Croatian national legislation or to protect the fundamental rights and freedoms of others.

3.2. Right to Rectification of Personal Data
You may request the correction or supplementation of personal data if your data are incorrect, incomplete, or outdated. Please specify what is inaccurate, incomplete, or outdated and how it should be corrected.

3.3. Right to Erasure
You may request deletion of your personal data if one of the following conditions is met: your data are no longer necessary for the purpose for which we collected or processed them; you have withdrawn consent under Article 6(1)(a) or Article 9(2)(a) of the General Data Protection Regulation and no other legal basis exists for processing; you object to processing under Article 21(1) and no legitimate overriding reasons exist; the data were unlawfully processed; the data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject; the data were collected in relation to the offer of information society services under Article 8(1).

3.4. Right to Restriction of Processing
You have the right to obtain restriction of processing if you contest accuracy; if processing is unlawful and you object to erasure; if the controller no longer needs the data but you require it for legal claims; or if you objected to processing and verification is pending.

3.5. Right to Object
You may object to processing of your personal data if it is based on legitimate interest or for direct marketing purposes.

3.6. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit that data to another controller without interference, where processing is automated and based on consent or contract.

These rights do not apply where processing is necessary: to exercise the right to freedom of expression and information; to comply with a legal obligation under Union or Member State law; to carry out a task in the public interest or in the exercise of official authority; for archiving in the public interest, scientific or historical research, or statistical purposes under Article 89(1), to the extent that the rights would render impossible or seriously impair the objectives of that processing; or for the establishment, exercise, or defense of legal claims.

If processing is based on consent, you may withdraw that consent at any time by contacting us via e-mail: gdpr@split-airport.hr or by post at Split Airport, Cesta dr. Franje Tuđmana 1270, 21217 Kaštel Štafilić.

You may exercise your rights free of charge. We will respond to your request within one month.

We share personal data with third-party providers acting on our behalf and according to our instructions to deliver our services. This includes:

  • IT services

  • Cloud data storage

  • Payment services

We disclose your personal data to third parties only to fulfill legal obligations.

We have established legal grounds and signed contracts with our processors as required under Article 28 of the General Data Protection Regulation.

We use a service provider (DCS “Airport Software”) and transfer passenger personal data outside the EEA solely to fulfill air transport agreements.

When transferring personal data outside the EEA, we take all necessary steps and safeguards to ensure that the level of data protection matches that of the EEA.

We apply appropriate safeguards to protect your rights and freedoms. You have the right to human intervention, to express your opinion, and to contest automated decisions. For such requests, please contact: gdpr@split-airport.hr.

If you have questions, concerns, or complaints regarding how we use and process your personal data, please contact us at: gdpr@split-airport.hr

You also have the right to submit a complaint to the supervisory authority:
Croatian Personal Data Protection Agency, Selska cesta 136, Zagreb
Email: azop@azop.hr

Last updated: 12 November 2024