Privacy Policy

1. INFORMATION ON DATA CONTROLLER AND DATA PROTECTION OFFICER
 
International Zagreb Airport Jsc. (MZLZ) is the company which manages Franjo Tuđman Airport (ZAG) and which is the data controller of your personal data. For all questions in relation to the processing of your personal data, you can contact our data protection officer using the following contact details:
 
e-mail: DPO@zag.aero or
address: Ulica Rudolfa Fizira 1, p.p. 80, 10 410 Velika Gorica

2. PURPOSE AND LEGAL BASIS FOR PROCESSING OF PERSONAL DATA
 
MZLZ processes only those personal data that are necessary and that are obtained within the scope of business activities and for the following purposes:
 
  • performance of the contract - when the processing is necessary for the performance of a contract to which you are a party;
  • satisfaction of legitimate interests - when necessary, personal data will be processed in order to satisfy legitimate interests, which can, among others, include protection of persons and property, responding to your complaints and inquiries, pursuing legal proceedings, preventing illegal actions;
  • compliance with regulatory requirements - for example, we are obliged to act in accordance with EU regulations in relation to the protection of civil air traffic, tax regulations and similar;
  • processing of personal data based on consent - only after we receive your consent for processing of personal data for specific purpose.
 
In case we process your personal information for purposes not described in this Privacy policy or for the purpose to which you have not given your consent, prior to such processing, we will provide you with information about the purpose and all other relevant information about the processing.


3. PROCESSING OF PERSONAL DATA - BOARDING PASSES CONTROL
 
Your personal data from valid boarding passes is collected and processed for the purpose of controlling airside access and directing passengers who possess a valid boarding pass to further physical security screening (security body check). The collection and processing of personal data from valid boarding passes is necessary for civil aviation security and is based on the legal obligation of MZLZ arising from the following regulations:
  • Regulation (EC) No. 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002
  • Commission implementing Regulation (EU) 2015/1998 of 05 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security
  • Commission Implementing Decision C(2015) 8005 final of 16 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security containing information
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ.
By scanning valid boarding passes, we collect from the passengers all data contained in the boarding pass (name and surname, flight number, destination, number of boarding pass) and the mentioned data are used:
  • in order to direct those passengers with a valid boarding pass to physical security screening;
  • for determining MZLZ’s liability towards third parties and the liability of third parties towards the MZLZ, in cases of performing legal obligations of the MZLZ and in cases when such is necessary in terms of legal interests of MZLZ or third parties to which the content is made available.
For the processing of personal data, MZLZ uses the services of a sub-contractor, the company SECURITAS HRVATSKA d.o.o., which in the name and on behalf of MZLZ scans passenger boarding passes in order to perform access control to the airside and to direct passengers with valid boarding passes to further security screening.
The personal data obtained by such processing will be kept for at most 12 months from the date of its receipt, or longer in case of a court procedure in which the personal data obtained is used.


4. PROCESSING OF PERSONAL DATA - VIDEO SURVEILLANCE
 
MZLZ and the company HAVAS - Ground Handling Services Ltd. (hereinafter jointly: MZLZ) collect and process your personal data by using the video surveillance system, which records data on the appearance and movements of persons and things. Processing of personal data by using the video surveillance system is based on the legitimate interest of MZLZ and the legal obligation of MZLZ arising from the following regulations:
  • ICAO Annex; Doc, 9859 SARP, Global Aviation Safety Plan;
  • European Aviation Safety Plan;
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ
  • National civil aviation security program
  • Law on Air Traffic (OG 69/09, 84/11, 54/13, 127/13, 92/14);
  • Law on privacy protection (OG 68/03, 31/10, 139/10);
  • Ordinance on conditions and manner of technical security (OG 198/03);
  • Law on critical infrastructures (OG 156/13) and other acts generated from that Law;
  • Directive on selection criteria of security measures and manner of marking of military and other facilities of special importance for defence (OG 63/2011).
The scope of collection and further processing of personal data by using video surveillance system is limited to:
  • effective protection and security of people, property, operating surfaces, devices, facilities, installations and equipment at ZAG,
  • preventing unlawful actions,
  • anti-terrorist, anti-attack and anti-sabotage activities,
  • determining MZLZ’s liability towards third parties and the liability of third parties towards the MZLZ, in cases of performing legal obligations of the MZLZ and in cases when such is necessary in terms of legal interests of MZLZ or third parties to which the content of the video surveillance system is made available.
Personal data obtained by this processing is automatically erased after 30 (thirty) days of storage on external disk space, except when the capacity of the external servers is full, in which case the videos will be kept for less than 30 (thirty) days. Video recordings may be kept for longer than 30 days if court proceedings are in progress in which the personal data obtained by this processing may be used.


5. PROCESSING OF PERSONAL DATA - COMPLAINTS AND INQUIRIES OF THE USERS
 
MZLZ and the company HAVAS - Ground Handling Services Ltd. (hereinafter jointly: MZLZ) collect and process your personal data via the official website or in written form, through which passengers have the right to make a complaint about certain services provided by MZLZ, or through which passengers/visitors have the right to ask a question or give a suggestion to MZLZ.
 
The personal data that MZLZ collects in this way are name and surname, e-mail address and residence address. MZLZ uses the personal data exclusively for the purpose of processing of the complaint and preparation of a reply.
 
This processing of personal data is based on the legal obligation of MZLZ arising from the Consumer Protection Act.
 
The personal data obtained through this processing will be kept by MZLZ for at most 5 years from the date of their receipt, or longer in case of court proceedings in which the personal data obtained is used.
 
MZLZ may share personal data received for this purpose with its sub-contractors who process personal data in the name and on behalf of MZLZ. Where such sharing of personal data is made, MZLZ will ensure that such sub-contractors follow the same protection measures for your personal data as MZLZ does.


6. PROCESSING OF PERSONAL DATA IN RELATION TO THE RECORDING OF TELEPHONE CONVERSATIONS WHEN USING THE CONTACT CENTER FOR CUSTOMER INQUIRIES
 
MZLZ collects and processes your personal data when recording telephone conversations upon calling the number of our contact centre. The data processing is based on the legitimate interest of the data controller in responding to customer inquiries. The data controller ensures that no unnecessary data is collected and ensures the continuous deletion of conversations that are no longer required.
 
The personal data being processed includes the following categories: first name, last name, address, phone number, email address, audio recordings of interactions with agents, and records of customer responses.
 
MZLZ uses a subcontractor who maintains the contact centre’s data storage system.
 
Personal data obtained through this processing is retained by MZLZ for up to 30 days from the date of data storage, unless the storage media capacity is full, in which case it will be stored for less than 30 days. Exceptionally, recordings may be stored for longer than 30 days in the case of ongoing legal proceedings or similar disputes where the personal data obtained through this processing is used.


7. PROCESSING OF PERSONAL DATA - AUTOMATED LICENSE PLATE RECOGNITION SYSTEM (LPR SYSTEM)

We process the personal data of users of the car park for passengers and visitors, as well as users of the Kiss & Fly zone at ZAG, through the use of an automated license plate recognition system (hereinafter "LPR system"). When a vehicle enters and leaves the car park, the LPR system takes a photograph of the vehicle and of the registration number of vehicles of passengers/visitors who used the aforementioned car park at ZAG.
 
The aforementioned processing of personal data is based on the contractual relationship, the legitimate interest of MZLZ, and the legal obligation of MZLZ arising from the following regulations:
  • ICAO Annex; Doc, 9859 SARP, Global Aviation Safety Plan;
  • European Aviation Safety Plan;
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ
  • National civil aviation security program
  • Law on Air Traffic (OG 69/09, 84/11, 54/13, 127/13, 92/14);
  • Law on privacy protection (OG 68/03, 31/10, 139/10);
  • Ordinance of conditions and manner of technical security (OG 198/03);
  • Law on critical infrastructures (OG 156/13) and other acts generated from that Law;
  • Directive on selection criteria of security measures and manner of marking of military and other facilities of special importance for defence (OG 63/2011).
The scope of data collection and further processing using the LPR system is limited to:
  • performance of the contract in accordance with the Terms and conditions for car parks and Kiss & Fly zone at Franjo Tuđman Airport (hereinafter: "Car Park Terms"). Car Park Terms are available on MZLZ’s website;
  • prevention of illegal actions,
  • solving any complaints and received inquiries.
The personal data obtained by this processing shall be retained for 5 years or longer in case of a court procedure where this personal data is used.
For this processing of personal data, MZLZ uses a subcontractor which maintains the LPR system. Where such sharing of personal data is made, MZLZ will ensure that such sub-contractors follow the same protection measures for your personal data as MZLZ does.


8. PROCESSING OF PERSONAL DATA - AIRPORT IDENTIFICATION CARDS, ACCESS CONTROL, AIRSIDE DRIVING PERMITS AND TEMPORARY AIRSIDE DRIVING PERMITS AND PERMITS FOR PHOTOGRAPHING AIRCRAFT

Your personal data, which is necessary for the purpose of issuing airport identification cards to unescorted and escorted persons as well as identification cards for unescorted and escorted vehicles, is processed based on the legal obligation arising from the following regulations:

  • Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 on the establishment of detailed measures for the implementation of common basic standards on aviation security,
  • Commission Implementing Decision C (2015) 8005 of 16.11.2015 laying down detailed measures for the implementation of common basic standards on aviation security,
  • Commission Regulation (EU) No 139/2014 of 12 February 2014 on establishing requirements and administrative procedures related to airports in accordance with Regulation (EC) No 216/2008 of the European Parliament and of the Council Text with EEA relevance and its amendments
  • National Civil Aviation Security Program of the Republic of Croatia
  • Airport security program of Franjo Tuđman Airport
Data collected for the purpose of issuing identification cards:
  • for unescorted persons, the data will be kept for ten years from the end of the year in which the eligibility check was conducted.
  • for escorted persons, the data will be kept for five years from the end of the year in which the approval for issuing the identification card for the escorted person was issued.
  • for unescorted vehicles, the data will be kept for five years from the end of the year in which the identification card for the unescorted vehicle was issued.
  • for escorted vehicles, the data will be kept for five years from the end of the year in which the approval for issuing the identification card for the escorted vehicle was issued.
  • for unescorted persons or for approval issued based on the submitted Request for Approval of Temporary Movement in Security Restricted Areas at Airports in the Republic of Croatia, the data will be kept for seven years from the end of the year in which the approval was issued.
Personal data necessary for the issuance of an airside driving permit and a temporary airside driving permit are processed based on the legal obligation arising from Commission Regulation (EU) No 139/2014 of 12 February 2014 on establishing requirements and administrative procedures related to airports in accordance with Regulation (EC) No 216/2008 of the European Parliament and of the Council Text with EEA relevance and its amendments. Data collected for the purpose of issuing an airside driving permit and a temporary airside driving permit will be kept for five years from the end of the year in which the airside driving permit was issued.
The data collected for the purpose of issuing a permit for photographing aircraft will be kept for one year after the end of the year in which the permit for photographing aircraft expired.
MZLZ uses the access control system to the security restricted areas of ZAG for the purposes described below, and in this sense, we process the personal data of users of airport identification cards in such a way that the access control system, when entering and exiting the security restricted areas of ZAG, records the data on movement of airport identification cards. The aforementioned processing of personal data is based on the legitimate interest and legal obligation of MZLZ, which derives from the following regulations:
  • ICAO Annex; Doc, 9859 SARP, Global Aviation Safety Plan;
  • European Aviation Safety Plan;
  • National civil aviation security program of the Republic of Croatia, edition 3
  • Airport program of Civil aviation security of MZLZ
  • National civil aviation security program
  • Law on Air Traffic (OG 69/09, 84/11, 54/13, 127/13, 92/14);
  • Law on privacy protection (OG 16/20, 114/22);
  • Ordinance of conditions and manner of technical security (OG 198/03);
  • Law on critical infrastructures (OG 56/13, 114/22) and other acts generated from that Law;
  • Directive on selection criteria of security measures and manner of marking of military and other facilities of special importance for defence (OG 63/2011).
The scope of data collection and further processing through the access control system to the critical zone of the restricted area of ZAG is limited to:
  • to administer airport identification cards in accordance with regulatory requirements;
  • to manage and record access to security restricted areas and facilities at ZAG;
  • to investigate allegations of misuse of airport identification cards;
  • to prevent illegal actions;
  • determining MZLZ’s liability towards third parties and the liability of third parties towards the MZLZ, in cases of performing legal obligations of the MZLZ and in cases when such is necessary in terms of legal interests of MZLZ or third parties to which the content is made available.

In order to fulfill the previously described purposes, MZLZ may disclose your data collected through the access control system to employers who have requested airport identification cards for you.
Data collected through the ZAG area access control system will be kept for 2 years or longer in the case of a court procedure in which personal data obtained through this processing is used.
For this processing of personal data, MZLZ uses a subcontractor which maintains the access control system. Where such sharing of personal data is made, MZLZ will ensure that such sub-contractors follow the same protection measures for your personal data as MZLZ does.

 
9. RIGHTS OF THE DATA SUBJECT REGARDING PROCESSING OF PERSONAL DATA
 
To exercise your rights, you can contact us in writing or by email using contact data specified in item 1 of this Privacy Policy. In order to protect your personal data, depending on the legal basis of processing, the rights may include the following:

  • Right of access by the data subject,
  • Right to be informed on the processing of personal data,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to data portability,
  • Right to object.

The realization of the above-mentioned rights will depend on the legal basis for specific processing of data and will be possible if it is applicable in accordance with the regulations and/or technically feasible in relation to the specific processing of personal data. Also, please note that the right to erasure does not apply, for example, in cases where processing is necessary to comply with legal obligations, as well as when it relates to establishing, exercising or defending legal claims and similar.
Please note that you have the right to exercise the above-mentioned rights as they are applicable in relation to specific processing, but according to the regulations on personal data protection, we are obliged to confirm your identity before providing any information and to provide you with an explanation in case we are unable to comply with your request. If you submit a request, we will inform you whether your request has been approved.
In addition, if you consider that your rights have been violated, you may file a complaint with the Croatian Personal Data Protection Agency, Selska cesta 136, 10000, Zagreb or via e-mail: azop@azop.hr.


10. THE RECIPIENTS OF THE PERSONAL DATA
 
Your personal data may be used by the maintenance service providers of the systems within which your personal data is processed, or by service providers who provide services on behalf of MZLZ (if applicable to specific processing and as specified in relation to specific processing), who act as processors only for the purpose of fulfilling the obligations from the contracts concluded with MZLZ, and MZLZ has obliged them not to process your personal data without our order and not to transfer the data to third parties. Furthermore, we may forward your personal data to the competent authorities for the purpose of performing tasks within their jurisdiction, the court or the competent state attorney's office, i.e. other authorities in legal proceedings as well as the law firms that we engage to represent us in proceedings in order to establish, realize or defend the legal interests of MZLZ and in other cases when we are required by law to provide your personal data.


11. SECURITY OF PERSONAL DATA
 
We take all appropriate technical and organizational security measures to prevent accidental or illegal destruction, loss, alteration, unauthorized use, disclosure, insight or access to data. Among other things, the measures include, depending on the specific processing, controlled access - to electronic databases that contain personal data obtained through the specific processing - only through a personally specified username and password, and access to the server equipment system is under video surveillance and under access control, as it is applicable to the specific processing.


12. TIME PERIOD OF STORAGE OF PERSONAL DATA

We store your personal data as long as necessary to fulfill a contractual or legal obligation or legitimate interest, or until the purpose of personal data processing is fulfilled. Storage periods are prescribed specifically for the specific processing of personal data. In the case of processing personal data based on consent, when your consent is withdrawn, the processing of personal data ceases.


13. PRIVACY POLICY CHANGES

MZLZ reserves the right to change this Privacy Policy and will publish all changes to the Privacy Policy on its official website.