1. General information

Privacy Policy of BENEFIT SYSTEMS d.o.o. (hereinafter referred to as BENEFIT SYSTEMS) applies to users of MultiSport cards (hereinafter referred to as users) and applies from 1 January 2021.

By applying for a MultiSport card (hereinafter: MS card) or by agreeing to have someone else apply for an MS card on your behalf and entering into a contractual relationship with BENEFIT SYSTEMS, which allows you to access the services covered by our MultiSport program, you entrust us with your personal information.

Responsible for the processing of personal data is Controller:
BENEFIT SYSTEMS Ltd., Heinzelova 44, Zagreb, OIB: 57845277445, MBS: 081141357

You can contact us:

• via the e-mail address which is also the address of the personal data protection officer: dpo@benefitsystems.hr ,
• via the address of the headquarters of Bene Systems t Systems d.o.o., Heinzelova 44, 10000 Zagreb with a note on the envelope “Personal data”,
• via the contact form on the web address www.benefitsystems.hr

2. Types of personal data that we collect and process, the ways in which we process them and the purposes and legal basis of processing

We collect and process the following personal information 

• your name and surname, your identification number with your employer and MS card number, card type and validity date (which becomes your personal data after issuing the MS card in your name), place and time and location of MS card use and type of service, 

all for the purpose of establishing a contractual relationship at your request (submitted in person or through another person), ie creating an MS card and fulfilling mutual rights and obligations under the contractual relationship, such as access to services covered by our MultiSport program and billing based on which your employer pays a fee for using the MS card for you or on your behalf.

If your employer has entered into an agreement with us on the employee’s joining the MultiSport program and you have approved the delivery of your data, then your data has been submitted to us by your employer. If an MS card has been issued to you as an additional member, it means that we received your data, with your consent, from a person who is an employee of the company who is our client and with whom we have a contract.

MultiSport card users receive an additional benefit in the form of the MyMultiSport online platform. In the process of user registering on the MyMultiSport platform, we collect the following personal data: name and surname, Card number and e-mail address. We collect the above personal data for the following purposes:

• Registration and use of the MyMultiSport platform. Use of the platform also includes e-mail notifications related to possible changes in the terms of use, or notifications related to your account. By registering on the platform, you accept these terms
• Promotional purposes, such as notification of sweepstakes and contests, surveys, inquiries about satisfaction with the service provided and the use of the product, information on new benefits or products. By accepting the “Promotional Purposes” option when registering, you accept these terms

On our contact forms we collect (depending on the type of form) some of the following information: name and surname, company name, company tax ID, city, number of employees in the company, phone/mobile number and e-mail address. We collect the above data for the following purposes:

• Providing an offer or answering inquiries from users, companies, partners or interested parties, via e-mail or telephone call. By entering the required data, and by accepting the rules for data processing, you also accept these conditions.
• Promotional purposes, such as notification of sweepstakes and contests, surveys, inquiries about satisfaction with the provided services and the use of products, information about new benefits or products. By selecting the option “I wish to receive news from the MultiSport world” when using the contact form, you accept these terms.

Providing of personal data is voluntary, and if you refuse to provide the requested data, we will not be able to provide you with certain services or inform you about our activities, benefits and promotions.

We periodically collect and process the following personal data:

• number of MS card uses within a certain period, type of service used, time and place of used service,

and all for the purpose of checking for possible misuse of the MS card, for which we have a legitimate interest, since we pay our business partners for the services used based on the MS card.

3. Forwarding of personal data 

We do not pass on or transfer your personal data to unrelated third parties, and they are securely stored on our or an external server of our choice and in our business premises, which sufficiently guarantees the implementation of appropriate technical and organizational measures in such a way that processing complies with the General regulation of data protection and to ensure the protection of your rights.

We provide insight into your data listed under article 2. of this Privacy Policy to sports centers as our business partners, so that you can use their products and services based on your MS card, ie so that they can identify you as an MS card user.

Our business partner who maintains and develops the security of our information system also has the possibility of insight into your data, which also increases the security of your data.

Since we operate within one group, insight into your data have affiliated companies Benefit Systems International d.o.o., Plac Europejski 2, 00-844 Warsaw, Poland and Benefit System A.D, Pl. European 2, 00-844 Warsaw, Poland.

All natural or legal persons to whom we pass on your personal data and who have opportunity to inspect your data have the obligation to maintain confidentiality within the contractual relationship and have also implemented organizational and technical protection measures.

Certain data may be forwarded to the authorities of the Republic of Croatia at their request in order to meet the obligations prescribed by the law of the Republic of Croatia.

In no case shall your personal data be transferred to a third country, international organization or recipient in a third country or international organization.

4. Retention period 

We keep your personal data for six months from the moment of deactivation of the MS card, since the specified period represents the time during which the MS card can be reactivated. If the card is not activated within the specified time, it is archived, and your data is anonymized, which means that it no longer exists in a form that allows you to be identified as an individual.

At the moment of deactivation of the MS card, you can request that the MS card be archived immediately and the data deleted immediately, in which case we will act upon your request, in accordance with the deadlines and authorizations prescribed by the General Data Protection Regulation.

5. Respondent’s rights 

Right of access
You can obtain confirmation from us whether your personal data is being processed and, if so, access to that data and the following information: information on the purpose of the processing, the categories of personal data in question, the recipients or categories of recipients to whom the personal data were or will be disclosed, on the envisaged period in which personal data will be stored and the existence of the rights of the respondents with regard to the processing of personal data (which rights are stated in the further text of this Privacy Policy).

Right to correction
If your personal data that we process is incomplete or inaccurate, you can at any time ask us to correct or supplement it by giving an additional statement. Please note that you are responsible for providing correct information, and in addition you have an obligation to inform us of relevant changes to your personal information. Correction and updating of personal data can take up to 48 hours, which is related to the technical conditions of our systems.

Right to delete
You have the right to request the deletion of your personal data immediately after deactivation of the MS card or if you have filed an objection to the processing based on our legitimate interest. You also have the right to request the deletion of your data if you believe that your data has been processed illegally or if you believe that your data should be deleted under the law of the European Union or the Republic of Croatia. We will delete your data after the request for deletion has been submitted, in accordance with the deadlines and authorizations prescribed by the General Data Protection Regulation.

Right to limit processing
You can ask us to limit the processing of your data:

• if you dispute the accuracy of the data, during a period that allows us to verify the accuracy of that data,
• if the data processing was not allowed, but you refuse to delete it and instead request a restriction on the use of data,
• if we no longer need the data for the intended purposes, but we still need them to meet the legal requirements,
• if you have objected to the processing of personal data for the purpose of carrying out a task in the public interest.

If the processing of data is restricted then such personal data may be processed only with your consent except for the storage of data or the setting, realization or defense of legal claims or protection of the rights of another natural or legal person or for important public interest. If you obtain a data processing restriction, we will notify you before the restriction is lifted.

Right to object
If we process your data for the purpose of performing tasks in the public interest or invoke our legitimate interests in processing them, you may object to such data processing if there is an interest in protecting your data. If we process our legitimate interests when processing data, and you have objected to such processing, then we will not further process your data unless we prove that there are compelling and legitimate reasons for the processing that go beyond your interests, rights and freedoms or if necessary for setting, realizing or defending our legal claims.

Right to appeal
If you are of the opinion that during the processing of your personal data we acted contrary to the law of the European Union or the Republic of Croatia, please contact us to clarify any questions. You also have the right to file a claim for infringement with the Personal Data Protection Agency.

Right to be notified of personal data breaches
In the event that, in spite of all measures taken, your personal data is breached, we will notify you of any such breaches without undue delay by sending a written notice. In this notice we will describe the nature of the personal data breach, provide a contact with the Data Protection Officer from whom additional information on the breach can be obtained, a description of the probable consequences of the personal data breach and a description of the measures BENEFIT SYSTEMS has taken to address personal data breach and to mitigate harmful consequences.

Right to data portability does not apply since the processing of MS card user data does not constitute automated processing.

Achieving rights
If you want to exercise any of these rights, please contact us

• to the e-mail address which is also the address of the data protection officer: dpo@benefitsystems.hr,
• to the address of the headquarters of Benefit Systems d.o.o., Heinzelova 44, 10000 Zagreb with a note on the envelope “Personal data”,
• via the contact form on the web address: www.benefitsystems.hr

We will respond to your request for the exercise of rights in accordance with the deadlines and authorizations prescribed by the General Data Protection Regulation. In any case, when using these rights, take into account that we must unequivocally establish your identity, which serves to protect your rights and the private sphere. Your rights, which are stated in advance, can also be exercised by your attorney, who must identify himself with a power of attorney certified by a notary public, except when the attorney is a lawyer in which case a certified power of attorney is not required. If you exercise any of these rights too often and with the apparent intent to abuse, we may refuse to process your request.

6. Personal data protection measures 

We have implemented appropriate technical, organizational and personnel measures to enable the effective application of data protection principles, such as reducing the amount of data, and including safeguards in processing, then the measures needed to protect personal data from accidental loss or destruction, from unauthorized access or unauthorized changes, unauthorized publication and any other misuse in relation to all data regardless of the place of storage or processing or format, all in order to meet the requirements of the General Data Protection Regulation and protect the rights of respondents. We have educated our employees, who participate in the processing of personal data, and at the same time we have committed them in a special statement to the confidentiality and the obligation to keep confidential data.

7. Changes to the Privacy Policy 

This Privacy Policy may be amended in accordance with legislation or industry and practice. You will be notified of any changes in a timely manner.