Personal Data Protection Policy

I. INTRODUCTION

The Trakošćan Castle museum institution, Trakošćan 4, Lepoglava, OIB: 24929691978, respects your privacy and considers the protection and security of personal data to be extremely important. We believe everyone has the right to know which personal data we collect about them.

Therefore, in accordance with the provisions of the General Data Protection Regulation (hereinafter: GDPR), this Policy informs you about which personal data we may collect when you visit our website (regardless of where you access it from) or do business with us, for what purposes, how we use it, how long we store it, to whom we may disclose it, and what your rights are as a Data Subject.

The entity responsible for processing personal data is Trakošćan Castle, Trakošćan 4, OIB: 24929691978.

Contact details:

Trakošćan Castle
Trakošćan 4, 42 250 Lepoglava
Telephone: +385 42 796 281
Email: dvor@trakoscan.hr

Should you have any queries, complaints, or requests concerning your rights under this Personal Data Protection Policy, please feel free to contact Trakošćan Castle, as the entity responsible for processing personal data, i.e., the data controller.

Trakošćan Castle highlights that all its employees and collaborators are familiar with the Policy and Rules of the protection of personal data and have been trained to handle the personal data of Data Subjects conscientiously and correctly.

II. PERSONAL DATA THAT WE MAY COLLECT

Trakošćan Castle is a museum institution that continuously strives to improve the services it provides to both domestic and international visitors. To this end, in its operations, and with the aim of delivering high-quality and comprehensive services, it may collect certain personal data under the following categories:

Personal data that includes your first name, surname, maiden name, nickname and the like, marital status, title, date of birth, gender, and any other personal data you voluntarily provide to us.

Contact information including residential address, phone number, e-mail address

Transaction data that includes your first name, surname, address, and bank account details

Technical data that includes your computer’s IP address, browser type and version, browser add-ons, operating system, mobile device type and name, time zone and location, and other technology of the device used to access our website.

Website and content visit data, including clickstream arrivals, duration of page visits, download errors, data about the information you viewed

We do not collect personal data that, in accordance with the GDPR, refers to Special Categories of Personal Data, i.e. we do not collect data that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and we do not process genetic data, biometric data for the purpose of uniquely identifying an individual, data relating to health, or data about sex life or sexual orientation.

III. PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

We collect and process your personal data for the following purposes based on the following legal grounds:

1. Informing about events and museum content

Purpose: sending invitations to cultural and museum events, notifications about exhibitions, programmes, news (newsletters), publications and other related content.

Data category: personal data, contact details

2. Responding to inquiries and providing requested information

Purpose: responding to your inquiries and ensuring a quality user experience and availability of requested information about our work.

Data category: personal data, contact details

3. Notification of changes to the Privacy Policy

Purpose: to inform users about changes to the Personal Data Protection Policy.

Data category: personal data, contact details

Legal basis: legitimate interest of the data controller

4. Website management and improvement

Purpose: to ensure the functionality and security of the website, as well as to adapt the content to user needs.

Data category: technical data, data on website usage

Legal basis: legitimate interest of the data controller

5. Keeping records of user interests and participation

Purpose: recording interest in events, compliments, complaints and other forms of user engagement in order to improve our programmes and offerings.

Data category: personal data, contact details

Legal basis: legitimate interest of the data controller

IV. TYPE OF OBLIGATION TO COLLECT PERSONAL DATA AND CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA

In accordance with Article 13, paragraph 2 of the GDPR, we would like to point out that you are not obliged to provide the above-mentioned personal data, but that failure to provide them in certain cases may prevent the provision of services or reduce the quality of the provision of services.

For example, without basic personal data, it is not possible to send invitations to certain events.

V. METHOD OF COLLECTING PERSONAL DATA

We may collect your personal data in various ways:

  • data that you have made available to us: personal and contact data that you provide when communicating with us by phone, e-mail, fax, when visiting our museum in person, by filling out some of the forms on our website, etc.
  • data that we have collected: when visiting our website, we may collect the previously mentioned technical data and data about visiting the website and its content, whereby we may use cookies and similar automated technologies.

VI. THIRD PARTIES AND SHARING PERSONAL DATA

Trakošćan Castle will not distribute, publish, provide, or otherwise make available to third parties (including third parties in other countries and international organisations) the personal data collected from the Data Subject without your prior consent.

Except as stated above, we may disclose and share your personal data to a limited extent and to the extent necessary:

  • based on a legally binding decision or order of a competent authority or based on a statutory obligation
  • to third parties – entities that maintain our IT systems or provide accounting services (and who are subject to a contractual obligation of confidentiality) based on your consent

We ensure that third-party recipients of personal data who process personal data for our purposes process them on the basis of and within the framework of our instructions, whereby they ensure the protection, measures and handling of personal data in accordance with the GDPR.

VII. PERSONAL DATA RETENTION PERIOD

We will retain the personal data we collect and process about you for as long as necessary, taking into account the purpose of the processing for which the data was collected and the type of data, and for at least 12 months. In addition, we may retain your personal data for as long as required or permitted by applicable regulations or until you withdraw your consent for those personal data that are processed on the basis of consent.

VIII. RIGHTS OF DATA SUBJECTS UNDER GDPR

The GDPR stipulates that each Data Subject from whom personal data is collected has certain rights. Below, we will introduce you to the rights you have under GDPR.

  • Right to access and confirmation from the controller regarding personal data relating to the Data Subject in accordance with Art. 15 of the GDPR: The right to request confirmation as to whether and to what extent your personal data are being processed.
  • Right to rectification (Art. 16 of GDPR): The right to request rectification or completion if the personal data we collect about you are inaccurate or incomplete.
  • Right to erasure (“to be forgotten”) (Art. 17 of GDPR): The right to request the erasure of personal data we collect about you if the purpose for which they were collected no longer exists, if their processing disproportionately affects your legitimate protected interests, or if their processing is based on consent. It may not be justified to delete all personal data if this conflicts with statutory retention obligations, ongoing procedures, etc.
  • Right to restriction of processing (Art. 18 of GDPR): The right to request restriction of processing of your data in cases where: you contest the accuracy of your data for a period that allows us to verify the accuracy of the data; if the processing of your data is unlawful, but you have refused erasure and instead request restriction of use of the data; if we no longer need your data for a specific purpose, but you still need them to establish, exercise or defend legal claims; if you have objected to the processing of the data.
  • Right to data portability (Art. 20 of GDPR): In the event that we process your personal data automatically, and these are personal data that you have provided to us on the basis of consent or are necessary for the performance of a contractual obligation, at your request we can provide you or a third party designated by you with your personal data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21 of GDPR): If we process your data for the performance of tasks carried out in the public interest, in the exercise of official authority or based on the needs of our legitimate interests, you can object to the processing of your data if there is an overriding interest in protecting your data. You can object to the sending of marketing materials at any time without giving reasons.
  • Right to withdraw consent at any time (Art. 7 para. 3 of GDPR): The right to withdraw any consent you have given us for the processing of your personal data at any time, after which we will no longer process your personal data for the purpose for which consent was given. The withdrawal does not affect the lawfulness of the previous processing based on the withdrawn consent. The withdrawal of consent may affect the possibility or quality of providing certain services.
  • Right to lodge a complaint with the competent supervisory authority: The right to lodge a complaint with the competent supervisory authority – the Personal Data Protection Agency. Regardless of the above, you can always contact the controller for a joint resolution of your complaint.

You can exercise your rights as a Data Subject by submitting a written request to Trakošćan Castle as the controller indicated in the introduction to this Policy, indicating which right you wish to exercise.

In the event of a request to exercise your rights, we may ask you for certain personal data to confirm your identity and ensure the right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any other person who is not entitled to receive it.

We will inform you of the actions taken in relation to your request or any other inquiries and complaints without undue delay and no later than one month from the date of receipt of the request. Exceptionally, this deadline may be extended by an additional two months if necessary, taking into account the complexity and number of requests, of which we will inform you within one month from the date of receipt of the request, stating the reasons for the delay.

Any communication and actions taken by Trakošćan Castle in connection with the exercise of the aforementioned rights are free of charge. However, if your requests are manifestly unfounded or excessive, in particular, due to their repetitive nature, we may charge you a fee, taking into account the costs incurred, or refuse to act on your requests.

IX. CONSENT

Personal data collected on the basis of consent are collected by giving your consent in written or digital form (via e-mail, website or other electronic channels) in which it is explicitly stated which personal data is collected and for what purposes it will be used.

If you, as the Data Subject, have not given your consent for a specific purpose of collecting personal data, it will not be used for that purpose. Note that this does not apply to the collection and processing of personal data for purposes for which the Trakošćan Castle museum institution has a legitimate interest, or which are necessary for the fulfilment of a contractual obligation or represent a legal obligation.

The Data Subject has the right to withdraw their consent at any time via the link in each marketing message or by contacting us in any form.

When filling out forms or sending inquiries via e-mail or telephone, you give your consent for us to use the data you have provided to respond to your inquiry or for the purposes for which you have provided us with your personal data.

X. SECURITY OF PERSONAL DATA

Trakošćan Castle has taken appropriate technical and organisational measures to protect your data, among other things, against loss, manipulation or unauthorised access. The measures taken are regularly checked and continuously adapted to the current state of technology. If there is a breach of your personal data that may pose a high risk to your rights and freedoms, we will inform you in accordance with applicable regulations.

XI. COOKIES AND WEBSITES

A cookie is information stored on your computer by a website you visit. Cookies usually store your preferences and settings for a website, such as your preferred language or address. Later, when you open the same website again, the browser sends back cookies belonging to that website. This allows the website to display information tailored to your needs.

Trakošćan Castle may publish cookie content on its website for advertising and traffic statistics based on the interests and information of visitors to our websites from social networks.

If you use content on Trakošćan Castle’s social networks or in applications, cookies from the aforementioned networks and applications may be stored on your device from which you access our website.

Visitors have the right and the ability to disable cookies. Internet browsers are usually set to accept cookies by default, but this can easily be adjusted in the browser settings. If you want to limit or block all cookies set by the websites/applications of Trakošćan Castle (which may prevent the use of certain parts of the website) or by other websites/applications, you can easily do this in your browser settings.

Our website may contain links that lead to other websites, applications or extensions. For example, our website may contain links to Facebook, Instagram, X, TikTok, Gmail and other relevant sites. We would like to point out that we are not responsible for the security or privacy of any data collected by these websites, applications or extensions through their use, and therefore, we ask you to carefully read the Privacy Statements applicable to these websites.

XII. ACCURACY AND UP-TO-DATENESS OF PERSONAL DATA

In order for us to be able to provide you with quality service, it is important that the personal data you have made available to us is accurate and up to date. Please inform us of any changes to your personal data for the duration of our cooperation.

XIII. POLICY CHANGES

Trakošćan Castle has the right to update this Policy if necessary to reflect best practices and ensure compliance with and implementation of changes to the rules regarding the protection of personal data.

So that you are aware of changes to the Policy, we may notify you of them.

You can review and update your consent by clicking Cookie Settings.

You can revoke your consent by clicking Reset Cookie Settings.
