Privacy and Personal Data Protection Policy


General terms
The Touroperator appreciates your trust in providing your personal data and makes every effort to implement the privacy policy and to protect the information provided. The purpose is to provide a comfortable service that ensures complete privacy.

Definition of terms
In accordance with Article 2 of the Law of Ukraine "On the Protection of Personal Data":
personal data base is a named set of ordered personal data in electronic form and/or in the form of personal data files;
owner of personal data is an individual or legal entity that determines the purpose of processing personal data and establishes the composition of these data and the procedures for their processing, unless otherwise provided by law;
consent of the personal data subject is a voluntary expression of will of an individual (provided he/she is informed) to provide permission for the processing of his/her personal data in accordance with the stated purpose of their processing, expressed in writing or in another form that allows the conclusion that consent has been given. In the field of electronic commerce, the consent of the personal data subject can be provided when registering in the information and telecommunication system of the subject of electronic commerce by putting a mark on granting permission to process their personal data in accordance with the stated purpose of their processing, provided that such a system does not create opportunities for processing personal data until the moment of putting a mark;
depersonalization of personal data is the removal of information that allows a person to be identified directly or indirectly;
card index is any structured personal data that is accessible according to certain criteria, regardless of whether such data are centralized, decentralized or divided according to functional or geographical principles;
personal data processing is any action or set of actions, such as collecting, registering, accumulating, storing, adapting, changing, renewing, using and distributing (spreading, performing, transmitting), depersonalizing or destroying personal data, including with the use of information (automated) systems;
beneficiary is an individual or a legal entity who is provided with personal data, including a third party;
personal data is the information or a collection of data about an individual who is identified or can be specifically identified;
personal data manager is an individual or a legal entity that has been given the right to process this data on behalf of the owner or by law;
personal data subject is an individual whose personal data is processed;
third party is any person, with the exception of the personal data subject, owner or manager of personal data and Ukrainian Parliament Commissioner for Human Rights, to whom the owner or manager of personal data transfers personal data.
In order for you to make a conscious choice, to give or not to give consent to the processing of your personal data, we have prepared answers to the following questions:
- Who will process your personal data?
The owner of personal data for all personal data processing operations that are carried out through the website is CORAL TRAVEL LLC, legal address: 01054, Ukraine, Kiev, Bulvarno-Kudriavska St, 24. Tel.: +38 (044) 495 82 80.
- For what purpose is your personal data processed?
The Touroperator is going to use your personal data:
- to provide travel services and other activities in accordance with the Touroperator charter and the legislation of Ukraine;
- to fulfill the terms of the agreements that were/will be concluded by the Touroperator, to implement and protect the rights of the parties to the concluded agreements;
- to provide answers or services according to your request and to send you push messages; to contact you, when necessary, to answer your questions, including electronic messages; to provide any other services for which you sent the relevant requests; to send you information letters, as well as to provide any other services that you may ask;
- for marketing and advertising purposes, including direct marketing, as well as for tourism market research, or email surveys, SMS messages, push messages, pop-up banners, instant messages, telephone calls by the operator, for Touroperator official pages on social networks, Touroperator services and to send you offers, information on advertising activities and other information about our services;
- for future marketing and advertising purposes, by sending you direct marketing notifications by e-mail about the Touroperator’s services that are identical or similar to those you previously requested using the website www.coraltravel.ua. You can opt out of such notifications, and this will not lead to any consequences (except that you will not be able to receive further marketing offers from the Touroperator), by using the unsubscribe link at the bottom of every such notification;
- to ensure compliance with the laws that oblige the Touroperator to collect and/or further process certain types of personal data if the consumer participates in promotion campaigns, contests or draws on our website. In this case, the processing of personal data may include the storage and delivery of your personal data to the official authorities to fulfill tax, customs and other legal obligations. No consent for data processing is required in case of this purpose, since such processing is necessary to comply with the requirements of the legislation of Ukraine;
- to analyze and improve our services, evaluate the effectiveness of marketing activities and services of the Touroperator.
- in order to exercise other powers, functions and duties of the Touroperator that do not contradict the legislation of Ukraine. In particular, the Touroperator carries out personal data processing for the implementation of labor and social relations in the field of hiring, accounting and personnel management, and of administrative and legal relations and requirements in the field of accounting, salary, taxation, employment, etc.
- What personal data will be processed?
We collect only the personal information that the user provides to us voluntarily or that is needed to provide (improve) our services to the customer. You can provide us with your data to receive information regarding the services of the Touroperator, to participate in our promotion campaigns or surveys, or to receive timely news in which you are interested.
We may process your personal data received directly from you or any other source. Such data may include:
• Your full name.
• Information about your employer, the department you work in and your job responsibilities.
• Your address, phone number, email address or other contact information (your personal or work data, depending on the nature of our relations with you or your employer).
• ITN; actual place of residence and state registration; education, profession, specialty, work experience and information about the place of work and position; personal information about age, marital status, relatives; financial position, income, types of charges and deductions;
• Personal information received through phone, e-mail, our website, social networks communication with you or in any other way. Such information also includes data that we receive or you give to us when using the website: registering to receive our news, providing us with goods or services, taking an interest in our services, placing an order, participating in a competition, advertising or survey, contacting us to inform about a problem or by following the steps above on behalf of your employer.
• Information regarding operations from our and your side or from the side of your employer (for example, details about the products that we develop or the services we provide to you or receive from you or your employer).
• Your other personal data that we need to process in order to conclude or execute a contract with you or your employer.
• Information about the events to which you or a person related to you is invited, as well as your personal information and preferences in case such data are necessary for organizing and managing these events.
• Personal information that you provide us, or which we receive in any other way during your visits.
• Personal information that you provide us when using the website, in particular:
- technical information, including the Internet Protocol (IP) address used to connect the computer to the Internet, your registration information, browser type and version, time zone, browser plug-in types and versions, operating system and platform;
- information about your visit, including complete uniform resource locators (URLs), history of visits to and movements through our website, history of transitions from our website (including the date and time), services that you viewed or searched for, page response time, loading errors, the period of time spent on certain pages, information about the activity on the page (for example, scrolling, clicks, and mouse hovering), methods of transition from the page, as well as the phone number or social network icon that you used to contact us.
- other information that became known to the Touroperator in connection with the implementation of legal relations with an individual, that fulfills the requirements of the legislation of Ukraine and internal documents of the Touroperator.
- What actions does personal data processing involve?
Data processing is carried out using the procedures, technical and electronic means, relevant for protection of confidential information and data security, and includes collection, recording, organization, storage, consultation, development, modification, selection, search, formation, use, combination, blocking, exchange, dissemination, erasure and destruction of data, including a combination of two or more of these activities.
All personal data collected and processed through the site, will be stored and processed in such a way as to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use or incompatible use with the original purpose of collecting data.
The Touroperator takes all necessary measures to protect data from unauthorized access, alteration, disclosure or destruction. These measures include, in particular, internal verification of data collection, storage and processing processes and security measures, including appropriate encryption and measures to ensure the physical security of data to prevent unauthorized access to the systems in which we store personal data.
- Whom can your personal data be transferred to? For what purpose? On what bases?
As part of its activities and for the purposes described above, your personal data may be transferred to third parties, including outside Ukraine, to foreign subjects of relations, or they can have access to them, in particular:
- to ensure the performance by third parties of their functions or the provision of services to the Touroperator, in particular, touroperators, transport companies/carriers, insurance companies and other persons, if such functions and services relate to the activities of the Touroperator, or are necessary for the conclusion and execution of agreements (transactions) by the Touroperator, the provision of appropriate services to the Touroperator’s client, as well as to the Touroperator’s partners;
- upon the occurrence of grounds for the personal data transfer to third parties in accordance with the legislation of Ukraine or in accordance with the terms of the concluded agreements;
- to individuals and legal entities - travel agents - to provide the customer with services for booking Touroperator’s tour product; the complete list of such travel agents is available at https://www.coraltravel.ua/register-agencies.
- persons who provide the Touroperator with services to check the service quality, to organize audio recordings, mailings, phone calls, SMS messages and email messages;
- persons who provide the Touroperator with services for documents’ storage, creation and storage of their electronic copies (archives, databases); properly appointed managers for personal data processing who provide special data processing services or additional services (for example, data storage, messaging for us, web hosting, content management, user services, website IT services, e-mail newsletters) on behalf of the Touroperator and according to its instructions, whose degree of development regarding data protection issues has been checked by the Touroperator before concluding an agreement;
- persons who represent the Touroperator’s interests or provide services/other activities of the Touroperator that do not contradict the laws of Ukraine.
- in other cases stipulated by the legislation of Ukraine and the terms of agreements concluded by the Touroperator, and when the distribution/transfer of personal data is necessary considering the functions, powers and obligations of the Touroperator in the relevant legal relations. The transfer of personal data to third parties is carried out by the Touroperator in these cases without obtaining additional written consent and a separate message from the individual - the subject of personal data.
- to individuals authorized by the Touroperator to process personal data necessary for the implementation of activities strictly related to the provision of services via the website (for example, maintenance of network equipment and electronic systems) who have undertaken not to disclose confidential information or must adhere to the relevant legal obligation of non-disclosure of confidential information (for example, the Touroperator’s employees);
- legal entities and individuals, state bodies to whom your personal data may be disclosed, in accordance with current law or the requirements of such legal entities, institutions or bodies. We may also disclose your personal data when we are confident that such disclosure is necessary to ensure your protection or the protection of others, to investigate fraud cases or to provide an official response to a government authority’s request.
- How long will your personal data be stored by the owner?
Your personal data will be stored by the Touroperator as long as necessary so that we respond to requests or solve a problem, provide new services, and in accordance with the legal requirements of the legislation of Ukraine. This means that we can store your personal data for a certain period of time after you stop using the services of the Touroperator or the website www.coraltravel.ua. Personal data processed for the provision of services will be stored by the Touroperator for the period considered necessary to achieve these goals. However, the information will be stored longer if we need to consider any claims for services or protect the interests of the Touroperator related to the potential responsibility for the provision of services. Personal data that is processed for marketing and advertising purposes will be stored from the moment you provide it until you object to their processing. As soon as you object to their processing, personal data will no longer be used for such purposes, though the Touroperator can still save them, in particular, to protect its interests related to the potential responsibility for the processing of such data.
After this period, your personal data will be deleted from all systems of the Touroperator. We have the right to delete your personal data at any time, with the exception of those personal data that we must store for a longer period in accordance with the current law.
Personal data can be transferred to other countries of the world where Touroperator’s servers or suppliers are located, provided that an adequate level of data protection is provided.
- Limitation of liability for the accuracy of the information received.
The Touroperator does not verify the accuracy of the information received about users and does not control the legal personality of users.
- On what conditions can you withdraw the consent to personal data processing and what are the consequences of such an action?
The stored personal data will be deleted by the Touroperator after the expiry of the storage period established by the law, or if the Touroperator itself no longer needs to save these data. You have the right to demand at any time the removal of your personal information from the Touroperator’s database. You also have the right to withdraw your consent to use or process your personal data at any time. In such cases, as well as if you have any other wishes related to your personal data, we ask you to send a letter to the address: LLC CORAL TRAVEL, Ukraine, Kiev, Bulvarno-Kudriavska St, 24, BC "Renaissance" or by email to marketing@coraltravel.ua. We will try to provide the answer to your request as soon as possible.
An individual contacting the Touroperator or using the Touroperator’s services through the Agent indicates the consent of such a person to the processing of his personal data by the Touroperator in connection with such contact or use of the Touroperator’s services. Objections of the person to the personal data processing that is necessary for the Touroperator to fulfill its obligations, incl. revocation by a person of consent to the processing of data, may become the basis for terminating the fulfillment by the Touroperator of the terms of the concluded agreements. In case of withdrawal by an individual of consent to the personal data processing without performing the procedures necessary to terminate contractual or other relations with the Touroperator, the Touroperator will continue to process personal data to the extent and in the volumes stipulated by the implementation of existing legal relations and the legislation of Ukraine, including protection by the Touroperator of its rights and legitimate interests under contracts.
Withdrawal of consent to the personal data processing for marketing and advertising purposes will not lead to any consequences except that you will not be able to receive further information or offers from the Touroperator.
- As a subject of personal data, you can exercise the following rights at any time
According to Article 8 of the Law of Ukraine “On the Protection of Personal Data”, the subject of personal data has the right:
1) to know about the sources of collection, the location of his personal data, the purpose of their processing, the location or place of residence (stay) of the owner or manager of personal data or give an appropriate order to receive this information to authorized persons, except as otherwise provided by law;
2) to receive information on the conditions for providing access to personal data, in particular the information about third parties to whom his personal data is transmitted;
3) to access his personal data;
4) to receive no later than thirty calendar days from the date of request receipt, except as provided by law, an answer about whether his/her personal data are being processed, as well as receive the content of such personal data;
5) to make a reasoned request to the personal data owner with an objection to the processing of his/her personal data;
6) to make a reasoned request to change or destroy his personal data by any owner and manager of personal data if this data is processed illegally or is inaccurate;
7) to protect his personal data from illegal processing and accidental loss, destruction, damage due to intentional concealment, failure to provide them or to provide them on time, as well as to protect against the provision of information that is inaccurate or that discredits the honor, dignity and business reputation of an individual;
8) to file complaints with the Ukrainian Parliament Commissioner for Human Rights or the court about the processing of his personal data;
9) to apply legal remedies in case of violation of the legislation on the personal data protection;
10) to place restrictions on the right to process his personal data when giving consent;
11) to withdraw consent to the personal data processing;
12) to know the mechanism of the personal data automatic processing;
13) to protest against the automated processing that has legal consequences for him.
Personal non-proprietary rights to personal data held by each individual are inalienable and inviolable.
We draw your attention to the fact that the revocation of the data processing consent does not affect the legality of the processing performed before the revocation of your consent.
You have the right provided by the current law to send at any time an appropriate request to the Touroperator’s address mentioned above.
Final terms
This Privacy Policy entered into force on April 02, 2015.
The Touroperator reserves the right to partially or completely change this Privacy Policy, or simply update its content, for example, as a result of changes in the current legislation. Therefore, we ask you to check this Privacy Policy regularly to see its latest updated version so that you always know how the Touroperator collects and uses personal data.
The date of the latest update of the Policy will be indicated in the line «Latest update» at the top of the first page of this Privacy and Personal Data Protection Policy.



Privacy Policy

Definitions:
Website – the online travel portal coraltravel.lt, which is accessible at the internet address www.coraltravel.lt.
Company – UAB „Coral travel Lithuania“, legal entity code 305643868, registered office address Konstitucijos pr. 26, Vilnius. The Company is the personal data controller.
Personal data – any information relating to a natural person who is identified or identifiable (data subject); an identifiable natural person is one whose identity can be determined directly or indirectly, in particular by an identifier such as first name and surname, personal identification number, location data and an online identifier, or by one or more features of that natural person's physical, physiological, genetic, mental, economic, cultural or social identity.
Data processing – any operation performed on personal data: collection, recording, accumulation, storage, classification, grouping, combination, alteration (supplementing or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination, destruction, or any other operation or set of operations.

Privacy Policy – this document, which sets out the main rules for collecting, accumulating, processing and storing personal data and other important information when using the Website.
Personal data is processed for the following purposes:
• For the purposes of concluding and performing a contract, including ensuring appropriate service quality (legal basis: Article 6(1)(b) GDPR).
• For the purposes of fulfilling legal obligations, e.g. for financial settlements and the preparation of accounting reports (including issuing and storing invoices) or for responding to complaints (legal basis: Article 6(1)(c) GDPR).
• For the purposes of asserting claims and demands (legal basis: Article 6(1)(f) GDPR).
• For the purposes of improving service quality, including conducting traveller satisfaction surveys (legal basis: Article 6(1)(f) GDPR).
• For the purposes of sending marketing information (e.g. a newsletter), if consent to process data for that purpose has been given (legal basis: Article 6(1)(a) GDPR, consent).
• For the purposes of direct marketing, including personalisation of marketing content (legal basis: Article 6(1)(f) GDPR). The controller may process personal data in order to prepare and present a personalised offer of travel packages. Such data is also processed by automated means, but the decisions made have no legal effect on the data subject.
For marketing and contact purposes the Company collects the following personal data: the person's first name, email address and telephone number. Consent for Personal data to be used for marketing and contact purposes is expressed by ticking the relevant box.
What personal data is processed:
• first name(s),
• surname,
• date of birth,
• gender,
• email address (for marketing and contact purposes only, and only with the data subject's prior consent),
• telephone number (for marketing and contact purposes, only with the data subject's prior consent),
• residential address,
• specimen signature,
• and identity card or passport data (depending on the destination country or the offer).
Providing the personal data listed above is voluntary but necessary to conclude and perform the contract (except for the email address). If the personal data is not provided, the Tour Organiser will not be able to conclude the contract and prepare it in advance.
To the extent necessary to conclude the contract and prepare it in advance and to ensure appropriate service quality, the controller may also process certain categories of personal data (including health data, e.g. for persons with disabilities or persons with reduced mobility who need special medical care), if the data subject has given explicit consent to the processing of such data for that purpose (legal basis: Article 9(2)(a) GDPR, "consent"). The controller processes Personal data for the purposes of sending commercial communications (to the email address) and for direct marketing purposes (using the telephone number) on the basis of separately given consents.
Data processing period
The controller has the right to process personal data for as long as necessary to achieve the purposes set out above. Depending on the legal basis for the processing, this will be:
• the time needed to perform the contract;
• the time for fulfilling legal obligations and the time during which the data controller must retain the data under legal provisions, e.g. under tax laws,
• a time equal to the limitation period for claims under the contract,
• until the data subject withdraws consent (applies to data processed on the basis of consent).
Data transfer
Information received from the Data subject may not be disclosed to third parties without a lawful basis, except:
While observing all data security guarantees, the controller may transfer the data subject's personal data to other entities, including:
• entities that process data on behalf of the controller, e.g. representatives, technical service providers and consulting service providers;
• other data processors to the extent needed to provide services and comply with legal requirements, e.g. electronic payment service providers, carriers, hotel service providers, insurers, providers of additional services (e.g. car parks, airport services), couriers, and business partners providing services to the controller under concluded contracts.
The Data subject's Personal data is provided to European Union member states or to other foreign states under the same conditions and procedure as to recipients of Personal data located in the Republic of Lithuania, and only for the purposes set out in this Privacy Policy.
Rights of the data subject
The data subject grants the Company the right to collect, manage, process and store the data subject's Personal data to the extent and for the purposes set out in the Privacy Policy and in other documents of the Website.
The data subject has the right to receive information about data processing. Information about the processing of the Data subject's personal data, as specified in Articles 13 and 14 of the General Data Protection Regulation, is provided in writing at the time the Personal data is obtained. This information is provided to the Data subject by the Data controller.
The data subject has the right to access their Personal data that is being processed. To find out what personal data the Company has collected and from what sources, for what purposes it is processed, and to which recipients it is and has been provided, the data subject must contact the Company in advance at the email address given in this Privacy Policy.
The data subject has the right to request erasure of data ("right to be forgotten"). The Data subject's right to have their Personal data erased ("right to be forgotten") is implemented in the cases provided for in Article 17 of the General Data Protection Regulation. The Data subject's right to request erasure of Personal data ("right to be forgotten") may not be implemented in the cases provided for in Article 17(3) of the General Data Protection Regulation. If the Data subject's Personal data (erased at the data subject's request) was transferred to data recipients, the Data controller informs those data recipients of this, unless this would be impossible or would require disproportionate effort. The Data subject has the right to request information about such data recipients.
The data subject has the right to restrict data processing. In the cases provided for in Article 18(1) of the General Data Protection Regulation, the Data controller must implement the Data subject's right to restrict the processing of their personal data. Personal data whose processing is restricted is stored, and the Data subject is informed by email before such a restriction is lifted. If the Data subject's personal data (whose processing was restricted at the Data subject's request) was transferred to data recipients, the Data controller informs those data recipients of this, unless this would be impossible or would require disproportionate effort. The Data subject has the right to request information about such data recipients.
Right to data portability. The Data controller implements the Data subject's right to data portability in the cases provided for in Article 20 of the General Data Protection Regulation. The Data subject does not have the right to data portability in respect of Personal data that is processed non-automatically in structured filing systems, for example paper files. When applying regarding the right to data portability, the Data subject must indicate whether they wish their Personal data to be sent to them or to another data controller. Personal data transferred at the Data subject's request is not automatically erased. If the Data subject wishes this, they must apply to the Data controller to exercise the right to request erasure of data ("right to be forgotten").
Right to object to data processing. In the cases provided for in Article 21 of the General Data Protection Regulation, the Data subject has the right, for reasons relating to their particular situation, to object at any time to the Data controller processing their Personal data. Withdrawal of consent to process personal data is carried out by unticking the relevant checkbox previously ticked by the Data subject, „Sutinku, kad būtų tvarkomi mano kontaktiniai asmens duomenis“ ("I agree to the processing of my contact personal data") (for data processed for marketing and contact purposes), or by submitting the information to info@coraltravel.lt. Once the Data subject has objected to the processing of Personal data, such processing is carried out only if it is decided, with reasons given, that the grounds for processing the Personal data override the Data subject's interests, rights and freedoms, or if the Personal data is needed to establish, exercise or defend legal claims. Right to request not to be subject to a decision based solely on automated data processing, including profiling. In these cases, the data subject has the right to request that a decision based solely on automated data processing not be applied to them and that such a decision be reviewed. When the Data subject applies for review of a decision based on automated data processing, the Data controller must carry out a thorough assessment of all relevant data, including the information provided by the Data subject.
If, after accessing their Personal data, the data subject finds that the Personal data is incorrect, incomplete or inaccurate, they have the right to contact the Company by email and request that the incorrect, incomplete or inaccurate Personal data be corrected and/or that the processing of such Personal data be suspended. Personal data is corrected and destroyed, or its processing is suspended, on the basis of documents confirming the data subject's identity and their Personal data. If the Data subject's Personal data (corrected at the Data subject's request) was transferred to data recipients, the Data controller informs those data recipients of this, unless this would be impossible or would require disproportionate effort. The Data subject has the right to request information about such data recipients.
The data subject has the right to lodge a complaint with the Personal Data Protection Office if they believe that the processing of personal data is unlawful.
Exercise of the data subject's rights
To exercise the above rights, the data subject may contact the Company at info@coraltravel.lt. When a request is submitted by email, it must be signed with a qualified electronic signature or be created by electronic means that ensure the integrity and unalterability of the text. This provision does not apply where the data subject requests information about the processing of personal data under Articles 13 and 14 of the General Data Protection Regulation. A request to exercise the Data Subject's rights must be legible and signed by the person, and must state the Data Subject's first name, surname, address, date of birth and/or other contact details for keeping in touch or at which a reply regarding the exercise of the Data Subject's rights is to be sent.
The Data Subject may exercise their rights personally or through a representative. In the request, the representative must state their first name, surname, address and/or other contact details at which the representative wishes to receive a reply, as well as the first name, surname and date of birth of the person represented, and must provide a document confirming the representation or a copy of it. Where there are doubts about the Data Subject's identity, the Company has the right to request additional information needed to verify it.
On receiving the Data Subject's request, the Company provides the Data Subject, no later than 1 (one) month from receipt of the request, with information on the action taken on the request. If provision of the information will be delayed, the Data Subject is informed of this within the stated period, with the reasons for the delay and the possibility of lodging a complaint with the State Data Protection Inspectorate.
If a request is submitted without following the procedure and requirements set out in this section of the Rules, the Company does not examine it and informs the Data Subject of this, giving the reasons, without delay and no later than within 5 (five) business days. If, during examination of the request, it is established that the Data Subject's rights are restricted on the grounds provided for in Article 23(1) of the General Data Protection Regulation, the Company informs the Data Subject accordingly.
The Company provides information in response to the Data Subject's request regarding the exercise of their rights in the state language.
All actions taken on the Data Subject's requests to exercise the Data Subject's rights are carried out, and information is provided, free of charge, except in the cases provided for in this section of the Rules.
Personal data protection
The Company ensures that the Personal Data submitted by the data subject on the Website are protected against any unlawful actions (unlawful alteration, disclosure or destruction of Personal Data, identity theft, fraud) and that the level of Personal Data protection complies with the requirements of the legal acts of the Republic of Lithuania.
Personal Data are protected against loss, unauthorized use and alteration. The premises where the collected data are kept are physically protected against access by unauthorized persons. The database storing the data of Website users is protected against unauthorized access via computer networks.
The Website user undertakes and is obliged to keep safe their Website login password and login name, as well as other data. The user undertakes and is obliged not to disclose to any third parties Personal Data about themselves or about third parties, if such third parties' Personal Data have become accessible to the user, and to inform the Company immediately of any observed breaches.





Approved by the Order
of the Director of Coral Travel, LLC
No. 12 Dated “12” May 2021.

PRIVACY AND PERSONAL DATA PROTECTION POLICY


Last update “12” May 2021.

1. GENERAL PROVISIONS
1.1. This Privacy and Personal Data Protection Policy of Coral Travel, LLC (hereinafter referred to as the Privacy Policy), registration address 220100, Minsk, Kulman str., 35A, of. 9, applies to all personal data that Coral Travel, LLC (hereinafter referred to as the Information Holder) may receive from the User.
1.2. The Privacy Policy of the Information Holder in the field of personal data processing is determined in accordance with the Civil Code of the Republic of Belarus, the Tax Code of the Republic of Belarus, the Law of the Republic of Belarus "On Information, Informatization and Information Protection" dated November 10, 2008 No. 455-Z, the Law of the Republic of Belarus "On Consumer Rights Protection" dated January 09, 2002 No. 90-Z, the Law of the Republic of Belarus "On Tourism" dated November 25, 1999 No. 326-Z.
1.3. In case of disagreement with the terms of the Privacy Policy, the User must stop using the mobile application "Coral Travel" (hereinafter referred to as the Mobile Application).

2. BASIC TERMS
2.1. The following terms are used in this Privacy Policy:
2.2.1. Information Holder is a subject of information relations who has obtained the rights of the information holder on the grounds established by the acts of the legislation of the Republic of Belarus, or under the contract;
2.2.2. Information User (hereinafter referred to as the User) is a subject of information relations that receives, distributes and (or) provides information, and exercises the right to use it;
2.2.3. User's agreement is a voluntary expression of an individual's will to grant permission for the collection, processing, storage and use of his/her personal data, expressed in writing. Written agreement is also understood as an agreement expressed by means of:
- indication (selection) by the User of certain information (code) after receiving an SMS message, a message to an email address;
- setting a check sign or other mark by the User on the Internet resource;
- other methods that allow to establish the fact of obtaining the User's agreement.
2.2.4. Personal data is basic and additional personal data of an individual subject to registration in the population register in accordance with the legislative acts of the Republic of Belarus, as well as other data that allows identifying such a person.

3. PURPOSES OF COLLECTING, PROCESSING, STORING AND USING PERSONAL DATA
3.1. Information Holder may use the User's personal data for the following purposes:
3.1.1. to provide tourist services and other activities in accordance with the Charter of the Information Holder and the current legislation of the Republic of Belarus;
3.1.2. to fulfill the terms of the contracts that were/will be concluded by the Information Holder, to implement and protect the rights of the parties under the concluded contracts;
3.1.3. to provide responses or services on request and to send notifications via push messages; to communicate, if necessary, and to respond to requests, including electronic messages; to provide any other services for which the relevant requests were sent; to send informational letters, as well as to provide any other services on request;
3.1.4. to be used for marketing and advertising purposes, including direct marketing, as well as for conducting research, studying the tourist market, for surveys via email, SMS messages, push messages, pop-up banners, flash messages, phone calls of the operator, for the official pages of the Information Holder in social networks that present the services of the Information Holder, as well as for sending the User offers, news about advertising activities and other information about our services;
3.1.5. to be used for future marketing and advertising purposes, via sending a direct marketing email notification about services provided by the Information Holder that are identical or similar to those previously requested by the User through the use of the website www.coral.by. The User can refuse such notifications, and this will not lead to any consequences (except that the User will not be able to receive further marketing offers from the Information Holder), by canceling sending notifications via the link that will be indicated at the bottom of all such notifications;
3.1.6. to ensure compliance with the laws that oblige the Information Holder to collect and/or further process certain types of personal data if the User participates in promotions, contests or lotteries on the Information Holder's website. In this case, the processing of personal data may include the storage and communication of personal data to official authorities in order to fulfill tax, customs and other legal obligations. No agreement is required in the case of data processing for this purpose, since such processing is necessary for compliance with the requirements of the legislation of the Republic of Belarus;
3.1.7. to analyze and improve our service, evaluate the effectiveness of marketing activities and services of the Information Holder.
3.1.8. to exercise other powers, functions and duties of the Information Holder that do not contradict the legislation of the Republic of Belarus.

4. SUBJECT OF THE PRIVACY POLICY
4.1. This Privacy Policy sets out the obligations of the Information Holder on non-disclosure and ensuring the protection of the confidentiality of personal data that the User provides.
4.2. The personal data allowed to be processed under this Privacy Policy is provided by the User voluntarily, for obtaining information, participating in promotions or surveys, as well as for the purpose of timely receiving news from the Information Holder, and includes the following information:
4.2.1. full name;
4.2.2. address, phone number, email address or other contact information;
4.2.3. information related to joint operations (for example, details about products that have been developed, or services that have been provided to the User or received from the User);
4.2.4. other personal data that the Information Holder needs to process in order to conclude or execute a contract with the User;
4.2.5. information about events to which the User or persons associated with the User are invited, as well as personal information and preferences, if such data is necessary for the organization and management of these events;
4.2.6. personal information that the User provides when using the website or Mobile Application.

5. METHODS AND TERMS OF PERSONAL INFORMATION PROCESSING
5.1. The processing of the User's personal data is carried out without a time limit, in any legal way, including in personal data information systems with or without the use of automation tools.
5.2. All personal data collected and processed through the Mobile Application is stored and processed in such a way as to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use, or incompatible use with the original purpose of data collection.
5.3. The Information Holder takes all necessary measures, including organizational and technical measures, to protect the data from unauthorized access, modification, disclosure or destruction. These measures include, in particular, internal verification of data collection, storage and processing procedures and security measures, including appropriate encryption and measures to ensure the physical security of data to prevent unauthorized access to the systems in which the Information Holder stores personal data.
5.4. The above mentioned measures are applied until the personal data is destroyed, or depersonalized, or until the written agreement of the individual to whom this data relates is obtained for disclosure, or until the individual's agreement to data processing is revoked.
5.5. The User's personal data may be transferred to the authorized state authorities of the Republic of Belarus only on the grounds and in accordance with the procedure established by the legislation of the Republic of Belarus.
5.6. Personal data may be transferred to third parties, including those outside the Republic of Belarus, foreign subjects of relations, or provided with access to them, in particular:
5.6.1. to ensure that third parties perform their functions or provide services to the Information Holder, in particular, to tour operators, transport companies/carriers, insurance companies and other persons, if such functions and services relate to the activities of the Information Holder or they are necessary for the conclusion and execution of contracts (transactions) by the Information Holder, providing relevant services to the Information Holder's client, as well as to the Information Holder's partners;
5.6.2. if there are grounds for transferring personal data to third parties in accordance with the legislation of the Republic of Belarus or in accordance with the terms of concluded contracts;
5.6.3. to persons who provide the Information Holder with services for checking the quality of service, for organizing audio recordings, mailings, phone calls, SMS messages, and e-mail messages;
5.6.4. to persons who provide the Information Holder with services for storing documents, creating and storing electronic copies of them (archives, databases); to duly appointed personal data processing managers who provide special data processing services or additional services (for example, data storage, sending messages to us, web hosting, content management, user services, IT services for the operation of the website, e-mail newsletters) on behalf of the Information Holder and in accordance with his instructions;
5.6.5. to persons who represent the interests of the Information Holder or offer services/provide other activities of the Information Holder that do not contradict the legislation of the Republic of Belarus;
5.6.6. in other cases provided for by the legislation of the Republic of Belarus and the terms of contracts concluded by the Information Holder, and when the spread/transfer of personal data is necessary, taking into account the functions, powers and obligations of the Information Holder in the relevant legal relations. The transfer of personal data to third parties is carried out by the Information Holder in these cases without obtaining additional written agreement and separate notification of the individual;
5.6.7. to independent individuals authorized by the Information Holder to process personal data necessary for the performance of activities strictly related to the provision of services through the mobile application and website (for example, maintenance of network equipment and electronic systems), who have assumed obligations of non-disclosure of confidential information or must comply with a corresponding legal obligation of non-disclosure of confidential information (for example, employees of the Information Holder);
5.6.8. to legal entities, individuals, and government agencies to whom personal data may be disclosed, in accordance with applicable law or the mandatory requirements of such legal entities, institutions, or authorities. The Information Holder may also disclose personal data if such disclosure is necessary to ensure the protection of the User or the protection of others, to investigate fraud cases, or to provide an official response to a request from public authorities.

6. TERM OF PERSONAL DATA STORAGE
6.1. Personal data is stored by the Information Holder for a certain period of time after the User has stopped using the services of the Information Holder, the Mobile Application or the website www.coral.by. Personal data processed for the provision of services is stored by the Information Holder for the period that is considered necessary to achieve these goals. However, the information is stored longer if the Information Holder needs to address any claims regarding the services or protect the interests of the Information Holder related to potential liability for the provision of the services. Personal data that is processed for marketing and advertising purposes will be stored from the moment it is provided by the User until the User objects to its processing. Once the User objects to its processing, the personal data will no longer be used for such purposes, although the Information Holder may still retain it, in particular to protect his interests related to the potential responsibility for the processing of such data.
6.2. After this period, the personal data will be deleted from all the systems of the Information Holder. The Information Holder reserves the right to delete personal data at any time, except for those personal data that the Information Holder must store for a longer period in accordance with current legislation.
6.3. Personal data may be transferred to other countries of the world where the servers of the Information Holder or any of its suppliers are located, provided that an adequate level of data protection is guaranteed.

7. RESPONSIBILITY FOR THE ACCURACY OF THE INFORMATION RECEIVED
7.1. The Information Holder does not verify the accuracy of the information received about the users and does not control the users' legal capacity and efficiency.
7.2. The stored personal data will be deleted by the Information Holder after the end of the storage period established by law, or if the Information Holder no longer needs to save certain data. The User has the right to request the Information Holder to delete the information about himself/herself at any time. The User also has the right to withdraw agreement to the use or processing of personal data at any time. In such cases, as well as if the User has any other requests related to personal data, please write to: Coral Travel, LLC, 220100, Minsk, Kulman str., 35A, office 9, or send an e-mail to call@coral.by.
7.3. The appeal of an individual to the Information Holder or the use of the Information Holder's services through a Travel Agent indicates the agreement of such a person to the processing by the Information Holder of his/her personal data in connection with such an appeal or use of the Information Holder's services. Objections of a person to the processing of personal data necessary for the Information Holder to fulfill his obligations, including the withdrawal of agreement by the person to the processing of data, may become the basis for the termination of the Information Holder's compliance with the terms of the concluded contracts. If an individual withdraws agreement to the processing of personal data without performing the procedures necessary for the termination of contractual or other relations with the Information Holder, the Information Holder will continue to process personal data within the limits and volumes stipulated by the implementation of existing legal relations and the legislation of the Republic of Belarus, including for the protection of the Information Holder of his rights and legal interests under contracts.
7.4. Withdrawal of agreement to the processing of personal data for marketing and advertising purposes will not lead to any consequences other than that the User will not be able to receive further information and offers from the Information Holder.
7.5. The withdrawal of agreement to the processing of data will not affect the legality of the processing performed before the withdrawal of agreement.

8. FINAL PROVISIONS
8.1. The Privacy Policy entered into force on “12” May 2021.
8.2. The Information Holder reserves the right to partially or completely change this Privacy Policy, or simply update its content, for example, as a result of changes in current legislation.
8.3. The date of the last update of the Privacy Policy will be indicated in the "Last update" line at the beginning of the first page of this Privacy Policy.







Privacy Policy


Definitions:
Website means the online travel portal coraltravel.ee accessible online at www.coraltravel.ee;
Company means Coral Travel Estonia, legal entity reg. No 16194673, registered address Liivalaia 22, 10145 Tallinn, Estonia. The company is the personal data controller.

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data, such as collection, recording, storage, safekeeping, classification, organisation, combination, alteration (addition or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination, or destruction.

Privacy Policy means this document, which contains basic rules for the collection, storage, processing and safekeeping of personal data and other relevant information while using the Website.

Personal data shall be processed for the following purposes:
• For the purposes of conclusion and performance of the contract, including ensuring the quality of the services concerned (legal basis - Article 6.1[b] of the General Data Protection Regulation [hereinafter – GDPR]).
• For the purpose of compliance with legal obligations, such as the preparation of financial statements and accounting reports (including billing and safekeeping) or for the purpose of responding to complaints (legal basis - Article 6.1[c] GDPR).
• For claims and claims purposes (legal basis - Article 6.1[f] GDPR).
• For the purposes of improving the quality of services, including carrying out surveys of traveller satisfaction (legal basis - Article 6.1[f] GDPR).
• For the purposes of sending marketing information (e.g. newsletter), if consent to processing is given for that purpose (legal basis - Article 6.1[a] GDPR – consent).
• Direct marketing, including for the purpose of personalization in marketing content (legal basis - Article 6.1[f] GDPR). The controller may process personal data in order to prepare and submit a personal offer for package travel. Such data shall also be processed by automated means, but the decisions taken do not have a legal effect on the data subject.
For marketing and contact purposes, the Company collects the following personal data: name, email, and telephone number. Consent to the use of personal data for marketing and contact purposes shall be expressed by checking the appropriate box.
The following personal data is processed:
• first name(s),
• surname,
• date of birth,
• sex,
• email address (only for marketing and contact purposes with prior consent of the data subject),
• telephone number (for marketing and contact purposes only with prior consent of the data subject),
• residential address,
• an example of a signature,
• data of personal identity card or passport (depending on the country of a destination or an offer).
Provision of the personal data is voluntary, but is necessary for the conclusion and performance of the contract (except for an email address). In the absence of the personal data, the tour operator will not be able to conclude and perform the contract.

To the extent it is necessary to conclude and prepare a contract and to ensure appropriate quality services, the controller may also process certain categories of personal data (including data on health, e.g. for disabled persons or persons with reduced mobility who require special medical care), provided the data subject has given explicit consent to the processing of such personal data for the said purpose (legal basis - Article 9.2[a] GDPR – consent). The controller shall process personal data for the purposes of sending commercial notifications (to email address) and for direct marketing (using telephone number) on the basis of individual consents.
Time of data processing
The controller shall have the right to process personal data for as long as necessary to achieve the intended purposes. In view of the legal basis for the processing, this will include:
• the time required to perform the contract;
• the time for the fulfilment of legal obligations and the time for which the controller is obliged to store the data in accordance with legal provisions, e.g. under tax law,
• the limitation period for claims under the contract,
• until the data subject withdraws their consent (applicable to data processed on the basis of consent).
Data transfer
Information obtained from the data subject shall not be disclosed to third parties, without a legitimate basis, except:
Subject to all data security guarantees, the controller may transfer personal data of the data subject to other entities, including:
• entities that process the data on behalf of the controller, e.g. to representatives, technical service providers and consultancy services providers;
• other data processors to the extent necessary for the provision of services and for the enforcement of legal requirements, e.g. to electronic payment service providers, carriers, hotel service providers, insurers, ancillary services (e.g. parking facilities, airport services) providers, couriers, business partners providing services to the controller under contracts.
The personal data of the data subject shall be provided to the Member States of the European Union or to other foreign states under the same conditions and procedures as the recipients of personal data in the Republic of Estonia only for the purposes provided for in this Privacy Policy.
Rights of the data subject
The data subject gives the Company the right to collect, manage, process and store personal data of the data subject to the extent and for the purposes specified in the Privacy Policy and other documents on the Website.
The data subject shall have the right to obtain information on the processing of the data. Information on the processing of personal data of the data subject as specified in Articles 13 and 14 of the GDPR shall be provided in writing at the time of receipt of the personal data. This information shall be provided to the data subject by the controller.
The data subject shall have the right to access their personal data that is being processed. In order to ascertain which personal data the Company has collected and from what sources, for what purposes they are processed, to which recipients they are provided and have been provided, the data subject must contact the Company in advance using the email address provided in this Privacy Policy.
The data subject shall have the right to request that their personal data are erased (right to be forgotten). The right of the data subject to the erasure of their personal data (right to be forgotten) shall be exercised in the cases provided for in Article 17 of the GDPR. The right of the data subject to request that their personal data are erased (right to be forgotten) may not be exercised in the cases provided for in Article 17(3) of the GDPR. If the personal data of the data subject (erased at the request of the data subject) have been transferred to the recipients of the data, the controller shall notify those recipients, unless this would be impossible or would require disproportionate effort. The data subject shall have the right to request information on the recipients of such data.
The data subject shall have the right to restrict the processing of the data. In the cases provided for in Article 18(1) of the GDPR, the controller must implement the right of the data subject to restrict the processing of their personal data. The personal data whose processing is restricted shall be stored and the data subject shall be notified by electronic mail before any such restriction is revoked. Where the personal data of the data subject (the processing of which is restricted on the basis of a request from the data subject) have been transferred to the recipients of the data, the controller shall notify those recipients unless this would be impossible or would require disproportionate effort. The data subject shall have the right to request information on such recipients.
The right to data portability. The controller shall implement the data subject's right to data portability in the cases provided for in Article 20 of the GDPR. The data subject shall not have the right to data portability in respect of the personal data processed in a non-automated manner in structured files, such as paper files. The data subject shall indicate whether they wish to have their personal data transferred to them or to another controller when applying for the right to data portability. The personal data transferred on request of the data subject shall not be automatically erased. If the data subject so requests, they must contact the data controller for the implementation of the right to the erasure of their personal data (right to be forgotten).
The right to object to data processing. The data subject shall have the right, in the cases provided for in Article 21 of the GDPR, to object at any time to the processing of their personal data by the controller for reasons relating to them in a particular case. The withdrawal of consent to the processing of personal data shall be implemented by unchecking the box previously marked by the data subject in the field “I agree to the processing of my contact personal data” (data processed for marketing and contact purposes) or by submitting information to info@coraltravel.ee. If the data subject disagrees with the processing of personal data, such processing shall be carried out only where it is decided in a reasoned manner that the reasons for processing personal data take precedence over the interests, rights and freedoms of the data subject or where personal data are necessary for the purposes of bringing, enforcing or defending legal claims.
The right to require that a decision based solely on automated processing, including profiling, not be applied. In such cases, the data subject shall have the right to require that the decision based on automated processing shall not be applied with respect to them and that any decision based on automated processing shall be reviewed. If the data subject requests a review of the decision based on automated processing, the controller must carry out a comprehensive assessment of all relevant data, including information provided by the data subject.
If the data subject, having familiarised themselves with their personal data, finds that the personal data are incorrect, incomplete or inaccurate, they shall have the right to request the Company by email to correct the incorrect, incomplete, inaccurate personal data and/or to suspend the processing of such personal data. Personal data shall be corrected and destroyed or their processing shall be suspended on the basis of the identity of the data subject and the documents supporting their personal data. Where the personal data of the data subject (corrected on request of the data subject) have been transferred to the recipients of the data, the controller shall notify those recipients thereof unless this would be impossible or would require disproportionate effort. The data subject shall have the right to request information on such recipients.
The data subject shall have the right to lodge a complaint with the data protection authority if they consider that the processing of personal data is unlawful.
Exercise of the rights of the data subject
When exercising the above rights, the data subject can contact the Company at info@coraltravel.ee. When submitting an application by email, the application must be signed by a qualified electronic signature or be formed by electronic means which ensure the integrity and irreversibility of the text. This provision shall not apply where the data subject requests information on the processing of personal data pursuant to Articles 13 and 14 of the GDPR. The request for the exercise of the rights of the data subject shall be legible, signed by the person, and shall include the first name, surname, address, date of birth, and/or other contact details of the data subject for communication or for receiving a reply regarding the exercise of the rights of the data subject. The data subject may exercise their rights by themselves or through a representative. The representative of the person must indicate in the application their first name, surname, address and/or other contact details for receiving a reply, and also the first name, surname, and date of birth of the principal, and must provide a document or a copy of the document confirming the basis of representation. In case of doubt as to the identity of the data subject, the Company shall have the right to request additional information necessary for verification.
The Company shall provide the data subject with information on the actions taken in response to the request, no later than within 1 (one) month after receipt of the request. In the event of a delay in the submission of information, the data subject shall be notified within the specified term, indicating the reasons for the delay and the possibility of lodging a complaint with the State Data Protection Inspectorate.
If the application ignores the procedures and requirements laid down in this Section of the policy, the Company shall not examine any such application and shall notify the data subject without delay of the reasons, but no later than within 5 (five) business days. Where, during the examination of the application, it is established that the rights of the data subject are restricted on the grounds provided for in Article 23(1) of the GDPR, the Company shall notify the data subject accordingly.
The Company shall provide the information on the data subject's request regarding the exercise of their rights in the official language.
All actions related to the data subject's requests regarding the exercise of the rights of the data subject shall be carried out and provided free of charge, except in the cases provided for in this Section of the policy.
Personal data protection
The Company shall ensure that the personal data provided by the data subject on the Website are protected against any unlawful actions (unauthorized modification, disclosure or destruction of personal data, identity theft, scam) and that the personal data protection standard complies with the requirements of the legal acts of the Republic of Estonia.
Personal data are protected against loss, unauthorized use and modification. The premises where the collected data are stored are physically protected from unauthorized access. The database protecting the data of the Website users is protected from unauthorized access via computer networks.
The user of the Website undertakes to safekeep the password and login name to the Website and other data. The user undertakes not to disclose personal data about themselves or third parties to any other third party and, if such personal data of third parties have been made available to the user, to notify the Company without delay of any observed breaches.





Privacy Policy


Definitions:
Website means the online travel portal coraltravel.lv accessible online at www.coraltravel.lv;
Company or Personal data controller is CORAL TRAVEL Latvia SIA, Reg.No. 40203293469, legal address Vienibas avenue 109, LV-1058, Riga, Latvia. The company is the personal data controller.

Personal data is any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data is any operation or set of operations which is performed on personal data, such as collection, recording, storage, safekeeping, classification, organisation, combination, alteration (addition or correction), provision, publication, use, logical and/or arithmetic operations, search, dissemination, or destruction.

Privacy Policy is this document, which contains basic rules for the collection, storage, processing and safekeeping of personal data and other relevant information while using the Website.

Consent - any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she consents to the processing of his or her personal data in the form of a statement or explicit consent.

Direct marketing - an activity by which goods or services are offered to persons by mail, phone, e-mail or other means and/or their opinion about the offered goods or services is clarified.

GDPR or General Data Protection Regulation - REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Personal data shall be processed for the following purposes:
• For the purposes of conclusion and performance of the contract, including ensuring the quality of the services concerned (legal basis - Article 6.1[b] of the General Data Protection Regulation [hereinafter – GDPR]).
• For the purpose of compliance with legal obligations, such as the preparation of financial statements and accounting reports (including billing and safekeeping) or for the purpose of responding to complaints (legal basis - Article 6.1[c] GDPR).
• For claims and claims purposes (legal basis - Article 6.1[f] GDPR).
• For the purposes of improving the quality of services, including carrying out surveys of traveller satisfaction (legal basis - Article 6.1[f] GDPR).
• For the purposes of sending marketing information (e.g. newsletter), if consent to processing is given for that purpose (legal basis - Article 6.1[a] GDPR – consent).
• Direct marketing, including for the purpose of personalization in marketing content (legal basis - Article 6.1[f] GDPR). The controller may process personal data in order to prepare and submit a personal offer for package travel. Such data shall also be processed by automated means, but the decisions taken do not have a legal effect on the data subject.
For marketing and contact purposes, the Company collects and processes the following personal data: name, email, and telephone number. Consent to the use of personal data for marketing and contact purposes shall be expressed by checking the appropriate box.
The following personal data is processed:
• first name(s),
• surname,
• date of birth,
• sex,
• email address (only for marketing and contact purposes with prior consent of the data subject),
• telephone number (for marketing and contact purposes only with prior consent of the data subject),
• residential address,
• an example of a signature (for security purposes and only if the Company has established obligations with the person concerned),
• data of personal identity card or passport (depending on the country of a destination or an offer).
Provision of the personal data is voluntary, but is necessary for the conclusion and performance of the contract (except for an email address). In the absence of the personal data, the tour operator will not be able to conclude and perform the contract.

To the extent it is necessary to conclude and prepare a contract and to ensure appropriate quality services, the controller may also process certain categories of personal data (including data on health, e.g. for disabled persons or persons with reduced mobility who require special medical care), provided the data subject has given explicit consent to the processing of such personal data for the said purpose (legal basis - Article 9.2[a] GDPR) – consent. The controller shall process personal data for the purposes of sending commercial notifications (to email address) and for direct marketing (using telephone number) on the basis of individual consents.
Time of data processing
The controller shall have the right to process personal data for the period necessary to achieve the specified purposes, taking into account the terms and conditions specified in the General Data Protection Regulation and other applicable regulatory acts. In view of the legal basis for the processing, this will include:
• the time required to perform the contract;
• the time for the fulfilment of legal obligations and the time for which the controller is obliged to store the data in accordance with legal provisions, e.g. under tax law,
• the limitation period for claims under the contract,
• until the data subject withdraws their consent (applicable to data processed on the basis of consent).
Data transfer
Information obtained from the data subject shall not be disclosed to third parties, without a legitimate basis, except:
Subject to all data security guarantees, the controller may transfer personal data of the data subject to other entities, including:
• entities that process the data on behalf of the controller, e.g. to representatives, technical service providers and consultancy services providers;
• other data processors to the extent necessary for the provision of services and for the enforcement of legal requirements, e.g. to electronic payment service providers, carriers, hotel service providers, insurers, ancillary services (e.g. parking facilities, airport services) providers, couriers, business partners providing services to the controller under contracts.
The personal data of the data subject shall be provided to the Member States of the European Union or to other foreign states under the same conditions and procedures as the recipients of personal data in the Republic of Latvia only for the purposes provided for in this Privacy Policy. The Company involves certain processors in the processing of the Personal Data provided, which may be established outside the European Economic Area (e.g. Turkey, Egypt). The Company's employees, performing their functions and processing personal data, comply with the GDPR and other applicable laws, this Privacy Policy, as well as the Company's internal documents. Personal data is processed only legally, in good faith and in a way that is transparent to the data subject.
Rights of the data subject
The data subject gives the Company the right to collect, manage, process and store personal data of the data subject to the extent and for the purposes specified in the Privacy Policy and other documents on the Website.
The data subject shall have the right to obtain information on the processing of their personal data. Information on the processing of personal data of the data subject as specified in Articles 13 and 14 of the GDPR shall be provided in writing at the time of receipt of the personal data. This information shall be provided to the data subject by the controller.
The data subject shall have the right to access their personal data that is being processed. In order to ascertain which personal data the Company has collected and from what sources, for what purposes they are processed, to which recipients they are provided and have been provided, the data subject must contact the Company in advance using the email address provided in this Privacy Policy.
The data subject shall have the right to request that their personal data are erased (right to be forgotten). The right of the data subject to the erasure of their personal data (right to be forgotten) shall be exercised in the cases provided for in Article 17 of the GDPR. The right of the data subject to request that their personal data are erased (right to be forgotten) may not be exercised in the cases provided for in Article 17(3) of the GDPR. If the personal data of the data subject (erased at the request of the data subject) have been transferred to the recipients of the data, the controller shall notify those recipients, unless this would be impossible or would require disproportionate effort. The data subject shall have the right to request information on the recipients of such data.
The data subject shall have the right to restrict the processing of the data. In the cases provided for in Article 18(1) of the GDPR, the controller must implement the right of the data subject to restrict the processing of their personal data. The personal data whose processing is restricted shall be stored and the data subject shall be notified by electronic mail before any such restriction is revoked. Where the personal data of the data subject (the processing of which is restricted on the basis of a request from the data subject) have been transferred to the recipients of the data, the controller shall notify those recipients unless this would be impossible or would require disproportionate effort. The data subject shall have the right to request information on such recipients.
The right to data portability. The controller shall implement the data subject's right to data portability in the cases provided for in Article 20 of the GDPR. The data subject shall not have the right to data portability in respect of the personal data processed in a non-automated manner in structured files, such as paper files. The data subject shall indicate whether they wish to have their personal data transferred to them or to another controller when applying for the right to data portability. The personal data transferred on request of the data subject shall not be automatically erased. If the data subject so requests, they must contact the data controller for the implementation of the right to the erasure of their personal data (right to be forgotten).
The right to object to data processing. The data subject shall have the right, in the cases provided for in Article 21 of the GDPR, to object at any time to the processing of their personal data by the controller for reasons relating to them in a particular case. The withdrawal of consent to the processing of personal data shall be implemented by unchecking the box previously marked by the data subject in the field “I agree to the processing of my contact personal data” (data processed for marketing and contact purposes) or by submitting information to celojumi@coraltravel.lv. If the data subject disagrees with the processing of personal data, such processing shall be carried out only where it is decided in a reasoned manner that the reasons for processing personal data take precedence over the interests, rights and freedoms of the data subject or where personal data are necessary for the purposes of bringing, enforcing or defending legal claims.
The right to require that the decision is not limited to automated processing, including profiling. In such cases, the data subject shall have the right to require that the decision based on automated processing shall not be applied in respect of them and that any decision based on automated processing shall be reviewed. If the data subject requests a review of the decision based on automated processing, the controller must carry out a comprehensive assessment of all relevant data, including information provided by the data subject.
If the data subject, having familiarised themselves with their personal data, finds that the personal data are incorrect, incomplete or inaccurate, they shall have the right to request the Company by email to correct the incorrect, incomplete, inaccurate personal data and/or to suspend the processing of such personal data. Personal data shall be corrected and destroyed or their processing shall be suspended on the basis of the identity of the data subject and the documents supporting their personal data. Where the personal data of the data subject (corrected on request of the data subject) have been transferred to the recipients of the data, the controller shall notify those recipients thereof unless this would be impossible or would require disproportionate effort. The data subject shall have the right to request information on such recipients.
The data subject shall have the right to lodge a complaint with the data protection authority if they consider that the processing of personal data is unlawful.
Exercise of the rights of the data subject
When exercising the above rights, the data subject can contact the Company at celojumi@coraltravel.lv. When submitting an application by email, the application must be signed by a qualified electronic signature or be formed by electronic means that ensure the integrity and irreversibility of the text. This provision shall not apply where the data subject requests information on the processing of personal data pursuant to Articles 13 and 14 of the GDPR. The request for the exercise of the rights of the data subject shall be legible, signed by the person, shall include the first name, surname, address, date of birth, and/or other contact details of the data subject for communication or for receiving a reply regarding the exercise of the rights of the data subject. The data subject may exercise their rights by themselves or through a representative. The representative of the person must indicate his first name, surname, address and/or other contact details in the application for receiving a reply, and also the first name, surname, and date of birth of the principal, and must provide a document or a copy of the document confirming the basis of representation. In case of doubt as to the identity of the data subject, the Company shall have the right to request additional information necessary for verification.
The Company shall provide the data subject with information on the actions taken in response to the request, no later than within 1 (one) month after receipt of the request. In the event of a delay in the submission of information, the data subject shall be notified within the specified term, indicating the reasons for the delay and the possibility of lodging a complaint with the State Data Protection Inspectorate.
If the application ignores the procedures and requirements laid down in this Section of the Privacy policy, the Company shall not examine any such application and shall notify the data subject without delay of the reasons, but no later than within 5 (five) business days. Where, during the examination of the application, it is established that the rights of the data subject are restricted on the grounds provided for in Article 23(1) of the GDPR, the Company shall notify the data subject accordingly.
The Company shall provide the information on the data subject's request regarding the exercise of their rights in the official language.
All actions related to the data subject's requests regarding the exercise of the rights of the data subject shall be carried out and provided free of charge, except in the cases provided for in this Section of the policy.
Personal data protection
The Company shall ensure that the personal data provided by the data subject on the Website are protected against any unlawful actions (unauthorized modification, disclosure or destruction of personal data, identity theft, scam) and that the personal data protection standard complies with the requirements of the legal acts of the Republic of Latvia.
Personal data are protected against loss, unauthorized use and modification. The premises where the collected data are stored are physically protected from unauthorized access. The database protecting the data of the Website users is protected from unauthorized access via computer networks.
The user of the Website undertakes to safekeep the password and login name to the Website and other data. The user undertakes not to disclose personal data about themselves or third parties to any other third party and, if such personal data of third parties have been made available to the user, to notify the Company without delay of any observed breaches.