Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR (hereinafter: the Regulation), the group of undertakings comprising BINA - ISTRA, d.d., with its registered seat in Lupoglav, Zrinščak 57, OIB (tax no.): 13439120211, as the dominant company, and BINA - ISTRA UPRAVLJANJE I ODRŽAVANJE, d.o.o., with its registered seat in Lupoglav, Zrinščak 57, OIB (tax no.): 76757137512, as the dependant company (hereinafter jointly referred to as: BINA - ISTRA), has on 20 September 2022 in Lupoglav adopted the following
PRIVACY POLICY
1. This BINA - ISTRA Privacy Policy shall apply to all data subjects whose personal data are processed by the company, and especially to a data subject who has submitted a request for the establishment of a user relationship with BINA - ISTRA pursuant to the General Terms and Conditions of the ENC package; who is a user of the ENC package pursuant to the General Terms and Conditions of the ENC package; who travels on the Istrian Motorway; who contacts BINA - ISTRA, especially at points of sale or via the customer service, by telephone, by sending an e-mail or by post;
who visits the BINA - ISTRA website (hereinafter: the User).
2. For the purpose of this Privacy Policy, the terms listed below shall have the following meaning:
“Data subject” is a natural person (individual) who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients;
“Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them, which BINA - ISTRA shall usually use as the legal basis for the processing of personal data in the absence of other legal bases.
3. When processing personal data, BINA – ISTRA shall comply with the principles relating to processing of personal data, as follows:
The principle of lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The principle of purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
Principle of data minimisation – personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle of accuracy – personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle of storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject.
Principle of integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. BINA - ISTRA shall collect only the data necessary to achieve a certain legal purpose, whereby the data is processed only as long as it is necessary to fulfil the same legal purpose for which they have been collected, after which the data are permanently deleted or anonymized.
Data shall be collected, inter alia:
directly from the User who delivers the data themselves, which includes:
- submission of a request to establish a service and/or exercise rights and obligations arising from a contract (extending the user’s subscription account) with BINA - ISTRA when the User, if they wish to use/continue using a certain service, provides the data and documents necessary for identification and provision of the service (name and surname, address, OIB (tax number), e-mail address, home and/or mobile phone number, transaction data, billing data, i.e. encrypted bank card number, entry and exit toll
station, time of entry and exit, number of the ENC device, toll amount, group and vehicle registration number, photograph of the vehicle) if that is necessary for the provision of a service of BINA - ISTRA);
- collection of data during the User’s communication with BINA - ISTRA via customer service (via e-mail address, postal address, telephone conversation with customer service, web form on the website), i.e., first and last name, home and mobile phone number and e-mail address. through video surveillance at the toll booths on the Istrian Motorway, the Učka tunnel, junctions on the Istrian Motorway, work areas, sales points and in the administration building; by visiting the BINA – ISTRA website (https://bina-istra.com/) (for the processing of personal data via the use of so-called cookies, see below under 11).
5. The processing of personal data by BINA - ISTRA is carried out only if and to the extent that at least one of the following conditions is fulfilled:
the data subject has given their consent for the processing of their personal data for one or more specific purposes.
Consent is given in writing. The User may at any time, in a simple and free way, give, withdraw or withhold consent in writing (through the online interface or at BINA - ISTRA sales points).
The User’s consent is not necessary for execution nor is it a condition for concluding a contract with BINA - ISTRA
If personal data are processed on the basis of consent, the data subject shall have the right to withdraw their consent at any time; however, this does not affect the legality of the processing that was based on consent before it was withdrawn.
the processing is necessary for the performance of a contract to which the data subject is a party or in order to take actions at the request of the data subject before the conclusion of the contract.
The data collected from the User in order to take actions at the User’s request before concluding a contract for a BINA - ISTRA service in accordance with point 4 are processed for the purpose of concluding and executing a contract for BINA - ISTRA services (“contractual data”), and include name and surname, address, OIB, e-mail address, home and/or mobile phone number, transaction data, billing data, i.e. encrypted bank card number, entry and exit toll station, time of entry and exit, number of the ENC device, toll amount, group and vehicle registration number, photograph of the vehicle if that is necessary for the provision of a BINA - ISTRA service. The requests for a BINA - ISTRA service shall contain the information mandatory for the conclusion of the contract, because a BINA - ISTRA service cannot be contracted without them. Contractual data includes data on BINA - ISTRA services that the User uses or has used, as well as data on the method and history of payment for BINA - ISTRA services.
By using the BINA - ISTRA electronic toll collection service, data necessary for the provision of the service are automatically created and collected, including the date, time of entry and exit from the Istrian Motorway, location of entry and exit points.
The data from this point shall be processed for the purpose of verifying the User’s identity, the provision of the contracted service, calculation and charging for the service, contacting the User if necessary in connection with the provision of the service, resolving complaints, or other actions related to the conclusion and execution of the contract in accordance with the law.
In the event that the User does not wish to provide the necessary information for the purpose of concluding and executing a contract, BINA - ISTRA will not be able to conclude the contract and/or perform certain actions related to the execution of the contract.
These personal data are stored for a maximum period of 11 years from the termination of the contractual relationship, unless another law prescribes a longer retention period or if the data are used as evidence in court, administrative arbitration or other equivalent proceedings.
Further information about the rights and obligations related to the use of the Istrian Motorway and toll collection is provided in the General Terms and Conditions for the use of the ENC package available on the website, at the following link: https://bina-istra.com/pp.
processing is necessary in order to comply with the legal obligations of BINA - ISTRA, i.e., for the performance of a task of public interest or in the exercise of official authority of BINAISTRA;
as stipulated under point 4, BINA - ISTRA automatically collects certain personal data of the User through video surveillance (videos of people using tunnels and parts of the motorway that are under video surveillance, as well as their vehicles, and data on vehicle registration plates and data on the presence of persons and vehicles in the area covered by the recording)), and for the purpose of performing tasks of public interest and performing the legal obligations of BINA - ISTRA. The legal basis for data processing for these purposes is the fulfilment of the obligations of BINA - ISTRA pursuant to the Roads ACT (OG 84/11, 18/13, 22/13, 54/13, 148/13, 92/14, 10/19, 144/21) (hereinafter: the Roads Act) such as, for example, the obligation to organize a toll collection system and establish mutual interoperability with the electronic toll collection systems of other highway operators, the obligation to provide information to the public about the condition and passability of public roads, on extraordinary events occurring on roads and meteorological conditions significant for the safe flow of traffic, monitoring and analysis of traffic safety on public roads and the organization of the toll collection system. Furthermore, the relevant legal obligations of BINA - ISTRA may also arise from other regulations; therefore, processing of personal data is possible for the purpose of acting on requests for exercising the right to access information, in accordance with the Act on the Right of Access to Information (OG 25/2013, 85/2015 ), for the purpose of resolving user complaints, in accordance with the Consumer Protection Act (OG 19/2022), for the purpose of resolving requests related to the protection of personal data based on the Regulation, as well as for the purpose of establishing an employment relationship with BINA - ISTRA
Data are stored for a period of 6 months, unless another law prescribes a longer storage period or if the data are used as evidence in a court, administrative arbitration or other equivalent procedure. Furthermore, on the basis of a written request based on valid regulations, BINA - ISTRA is obliged to deliver or provide access to certain personal data of the User to competent state authorities (e.g., courts, the police, Croatian Personal Data Protection Agency, etc.).
processing is necessary to protect the key interests of the data subject or other natural persons;
processing is necessary for the legitimate interests of BINA - ISTRA or a third party, except when those interests are superseded by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
BINA - ISTRA also processes personal data for the purpose of protecting the legitimate interests of the User and/or BINA - ISTRA. This includes, for example, the processing of personal data for security purposes, which are reflected in the prevention, detection and processing of abuse to the detriment of the User or BINA - ISTRA, ensuring the security of services, creating services and offers that meet the needs and wishes of the User, and market research and analysis.
Telephone conversations between the User and BINA - ISTRA may be recorded and further used for the purposes of improving the quality of work of BINA - ISTRA employees, resolving potential complaints by the User, as well as for security purposes, of which the User shall be informed before the start of the conversation.
Unless the User specifies otherwise, BINA - ISTRA is authorized to process all the User’s contact information for sending promotional information about its services through all advertising channels. The User may declare at any moment that they no longer wish to receive promotional notifications, in which case the User’s data shall no longer be processed for direct marketing purposes. The User may give this statement as follows: (i) by submitting a written statement that they do not wish their data to be processed for direct marketing purposes or (ii) by simply selecting the appropriate option in each notification received electronically or via text message. Data for the purposes of sending promotional messages about BINA - ISTRA services are stored until the termination of the contractual relationship or until the User submits a statement saying they do not wish to receive promotional messages, in accordance with the General Terms and Conditions of the ENC package.
On the basis of legitimate interest, BINA - ISTRA may process personal data by conducting video surveillance of its business premises; generally, the period of storage of the recordings depends on the capacities of the specific video storage system and the purposes of the video surveillance itself, but no longer than 6 months, unless they are used as evidence in court, administrative, arbitration or other procedure.
6. Collected personal data are not transferred to third countries; however, they may be forwarded to third parties in cases where this is stipulated by a compulsory regulation (e.g., a court request) or if BINA - ISTRA has hired third parties as a subcontractor to perform certain work in the capacity of processor (e.g., IT service provider, system maintenance service provider, delivery service provider).
7. BINA - ISTRA does not implement systems for automated decision-making or profiling from Article 22(1) and (4) of the Regulation.
8. BINA - ISTRA protects personal data by implementing appropriate technical and organizational measures against unauthorized access, modification, loss, theft, or any other violation and misuse, which primarily include the following:
obligating all subcontractors to protect the User’s personal data through appropriate contracts or contractual clauses;
carrying out regular controls, reviews and updates of security measures and personal data protection measures;
implementation of measures to prevent unauthorized use of IT systems, with regular updating of programs (software) and antivirus protection solutions;
limiting access to premises where documents containing personal data are stored to authorized personnel only;
limiting access to media for storing personal data in electronic form to authorized personnel only, who can access the data only by entering a username and password;
establishing internal procedures for dealing with personal data;
establishing a backup plan for the entire server and all data on the server;
protection of the server room and administrative building from unauthorized entry through a video surveillance system;
conducting practice audits to ensure the effectiveness of the measures taken.
9. BINA - ISTRA enables data subjects to exercise all rights guaranteed by the Regulation, and especially the following:
Right of access
The data subject shall have the right to obtain from BINA - ISTRA confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from BINA - ISTRA rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to rectification
The data subject shall have the right to obtain from BINA - ISTRA without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
The data subject shall have the right to obtain from BINA - ISTRA the erasure of personal data concerning them without undue delay and BINA - ISTRA shall have the obligation to erase personal data without undue delay if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and in other cases stipulated in the Regulation.
Right to restriction of processing
The data subject shall have the right to obtain from BINA - ISTRA restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data; (iii) BINA - ISTRA no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defence of legal claims; (iv) the data subject has objected to processing of their personal data.
Right to data portability
The data subject shall have the right to receive the personal data concerning them, which they have provided to BINA - ISTRA, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from BINA - ISTRA, if the processing is based on consent or if it is necessary for the execution of a contract to which the data subject is a party or in order to take actions at the request of the data subject before the conclusion of the contract, and the processing is carried out by automated means.
10. The user whose data is processed has the right to request access, rectification, amendment, deletion and restriction of the processing of personal data relating to them and has the right to object to the processing of their personal data to BINA - ISTRA, and to report a suspected violation of their personal data. The User can exercise the aforementioned rights by contacting the joint officer for the protection of personal data at dpo@bina-istra.com or at postal address Bina - Istra d.d. (or Bina – Istra upravljanje i održavanje, d.o.o.), Zrinščak 57, Lupoglav. The User may also object to processing of personal data to the supervisory authority, i.e., the Croatian Personal Data Protection Agency; further details are available at https://azop.hr/zahtjev-za-utvrdivanje-povrede-prava/ .
11. The https://bina-istra.com/ website uses cookies. A cookie is a small text file that is stored on your computer or mobile device when you visit the website.
Technical (mandatory) cookies – cookies without which the website cannot function or its functioning would encounter significant difficulties, and which cannot be turned off.
Analytical cookies - cookies that BINA - ISTRA uses for internal research on possible ways to improve the service it provides to all users. These cookies track your interaction with the website and are not shared with third parties or used for any other purpose. You can refuse (turn off) this type of cookie during your first visit to the website, and later turn it on again by selecting the menu at the bottom of the “Cookie Settings” page.
Name Purpose Duration of cookies
__Secure-3PSIDCC*
__Secure-1PAPISID*
__Secure-1PSID*
__Secure-1PSIDCC*
__Secure-3PAPISID*
_ga*
_gid:GA1.2*
Protection of web forms from spam robots, memorizing data for easier completion of forms
360 days
Google analytics for tracking visit statistics 720 days
Google analytics for tracking statistics 720 days
Please note that third-party cookies are marked with “*” in the tables above. The aforementioned website displays the contents of external service providers, namely the Google.com domain or Alphabet Inc. In order to view this third-party content, you must first accept their specific terms and conditions. This includes their cookie policy, which BINA - ISTRA does not control.
If you delete the browsing history from your browser, you will delete all stored cookies from your device. This way you can remove all cookies from all Internet pages you have ever visited. However, please note that you may also lose some saved data (e.g., saved login data, personal page preferences). For better control over the cookies of individual pages, check the privacy and cookie settings in your main browser. Today, you can set most browsers to block the placement of cookies on your device, but then you may have to manually adjust some personal preferences each time you visit a site. Furthermore, some services and functionalities may not work well (e.g., logging in with a profile).
12. This Privacy Policy may be amended and/or supplemented from time to time and is available at any moment on the BINA - ISTRA website and at BINA - ISTRA sales points. This Privacy Policy shall supersede the General Terms and Conditions of the ENC package in the part related to the protection of personal data, which means that, in the event of a different regulation of an individual issue related to the protection of personal data, this Privacy Policy shall apply.