Privacy policy

General information

This Privacy Policy of the company Benefit Systems d.o.o. (hereinafter: Benefit Systems) applies to MultiSport Card holders, Clients, business partners and others whose personal data are processed by Benefit Systems (hereinafter: data subjects) and it is applicable from 1^st December, 2025.

Considering that you entrust us with your personal data, this Privacy Policy describes which personal data we collect, how we collect and process them, for what purposes we collect and process them, the data retention period, data transfer, how you can control these processes, as well as your rights related to your data.

We approach the processing of your data in a responsible and serious manner, fully in compliance with the Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Act on the Confirmation of the General Data Protection Regulation and other regulations by the European Union and/or Republic of Croatia which regulate personal data protection.

Who is the Controller of your personal data and what does it mean

The controller is responsible for personal data processing:
Benefit Systems d.o.o., Ulica Vjekoslava Heinzela 44, Zagreb, PIN (OIB): 57845277445.

This means that Benefit Systems makes decisions about the purposes and methods of processing your personal data, i.e. the manner in which they will be used.

How to contact us

You can contact us if you have any questions regarding the processing of your personal data:

by sending an email to the address that is also the address of the data protection officer: dpo@benefitsystems.hr,
by mail to the registered office address of the company Beneﬁt Systems d.o.o., Ulica Vjekoslava Heinzela 44, 10000 Zagreb, with a note “Personal data” on the envelope.

If we use external service providers as the processors of personal data, we refer to it as data processing by order, in which case we are also responsible for the protection of your personal data.

The types of personal data we process depend on your relationship with us (whether you are a Client, website user, MultiSport Card User, or Partner).

The types of personal data we collect and process, purposes and legal bases for processing, data retention period and data transfer

To be able to do our business, we need to process personal data. Personal data are any information relating to an identified or identifiable natural person (e.g. first name and surname, e-mail address, MultiSport Card number, IP address).

The types of personal data we process depend on your relationship with us (whether you are a Client, website user, MultiSport Card User, or Partner).

When you use our websites or applications, we process the data that you have provided in the registration form and in the account, data about your activity on the website or application (e.g. interaction with content, etc.) and data about your device (i.e. IP address, data collected by means of cookies or other similar technologies, browser data, IDs). To find out more about cookies, go to our “Cookies Policy” https://benefitsystems.hr/en/cookie-policy/

When you join the MultiSport Program or the MultiSport Lite Program or the MultiSport Kids Program, we process your data, such as identification data, contact details and data relating to your use of our services (including the services of our affiliated entities and providers of additional services offered in connection with the MultiSport Program). We receive the data directly from you or your Employer, e.g. through the registration form. We may also receive your data from the entity that has enabled you to use the MultiSport Program and from providers of additional services and benefits.

When we have a business relationship with you, we process your data, such as your identification data, contact data, data relating to your function, data on the cooperation, orders and settlements. If you are a party to a contract with us, we have received the data directly from you. If you are a representative or a contact person of an entity that is a party to a contract signed with Benefit Systems, we have received the data from the entity that is a party to the contract. We could also receive data from an intermediary that helped us establish the cooperation with you or an entity for which you are a representative or contact person.

a) MultiSport Card

Plastic MultiSport Card

If you use the Plastic MultiSport card as an Employee, we always collect and process the following personal data:

name and surname, the number of your Plastic MultiSport Card, card type and expiration date (which becomes your personal data after the card is issued in your name), place, time, where you use the card and service type you have used.

Sometimes we collect and process the following personal data:

MultiSport Card User’s ID number within Employer and contact information (email address and mobile phone number), if these data are also required to fulfil the purpose of processing personal data.

If you use the Plastic MultiSport Card as an Accompanying member, we always collect and process only the following personal data:

name and surname, MultiSport Card number, card type and expiration date (which becomes your personal data after the MultiSport Card is issued in your name), place and time of use of the MultiSport Card and type of service you used.

We collect and process the aforementioned data for the purpose of:

issuing your Plastic MultiSport Card that allows you to access the services included in our MultiSport Program;
notifying you of potential inability to use services included in our MultiSport Programme;
performing calculations based on which your Employer or the Employer of an Employee of whom you are an Accompanying member pays a fee for Plastic MultiSport Card use for you or on your behalf;
delivering the Plastic MultiSport Card,
improving the safety and functionality of the server we use to provide electronic services;
checking whether the Plastic MultiSport Card is used in accordance with the Terms of Use and verification for potential misuse of the Plastic MultiSport Card,
responses to inquiries made through contact forms and other communication channels.

The legal basis for collecting and processing the aforementioned personal data is our legitimate interest, to enable you to use the benefits of our MultiSport Program.

b) Virtual MultiSport Card

If you use the Virtual MultiSport Card, we always collect and process the following personal data:

name and surname;
email address;
mobile phone number;
your photograph.

We also process the data related to the device which you use for our MyMultiSport website or application, specifically the following data:

your IP address, data stored as cookies or other similar technologies (see Cookie Policy on the link https://benefitsystems.hr/cookie-policy-hr/), data related to your activities on our website or in the application, such as information about your preferred activities or activity locations, the content of HTTP requests sent to our server from your device (URL address, IP address, browser details, request date and time, HTTP response status code, error information, cookie identifier, viewed website resources). Data collected in this way are stored in the server log.

We process your data for the following purpose:

issuing a Virtual MultiSport Card that allows you to access the services included in our MultiSport Program;
accessing the MyMultiSport website or mobile application;
solving technical and other issues related to Virtual MultiSport Card use, which you report by email, by contacting the helpdesk, etc.
administration and server security, which includes improving the functionality of the services we provide electronically;
providing analysis and statistics for product development, as well as for monitoring activity within the application to improve the Virtual MultiSport Card performance;
conducting analyses and statistics for market research to make decisions about our commercial policy and surveys on satisfaction with Virtual MultiSport Card services via a telephone number as the communication channel you selected, all for the purpose of improving customer service and developing the products and services we offer;
checking whether the Virtual MultiSport card is used in line with the Terms of Use and verification for potential misuse of the Plastic MultiSport Card.

The legal basis for collecting and processing personal data for the aforementioned purposes is our legitimate interest, to enable you to use the benefits of our MultiSport Program.

With your consent, we can also process the data that refer to your geolocation in order to show you the centres and benefits closest to your location. In this case, the legal basis for the processing is your consent. You can find detailed information on the processing of personal data based on consent under section Consent.

c) MultiSport Card for Trial Period

If you use the MultiSport Card for Trial Period, we always collect and process the following personal data:

name and surname, MultiSport Card number, card type and expiration date (which become your personal data after the card is issued in your name), place, time you use the card and service type you have used.

We collect and process the aforementioned data for the purpose of:

issuing the MultiSport Card for Trial Period that allows you to access the services included in our MultiSport Program during the Trial Period;
notifying you of potential inability to use services included in our MultiSport Program;
delivering the MultiSport Card for Trial Period,
improving the safety and functionality of the server we use to provide electronic services;
checking for potential misuse of the Test MultiSport Card,
checking whether the MultiSport Card for Trial Period is used in line with the Terms of Use and verification for potential misuse of the MultiSport Card.
responding to inquiries made using our contact forms and other communication channels;
notifying your Employer of your participation in the Trial Period.

The legal basis for collecting and processing your personal data is our legitimate interest to enable you to use the benefits of our MultiSport Program during the Trial Period.

d) MultiSport Kids Card

With regard to the MultiSport Kids Card, we always collect and process the following personal data:

the name and surname of the child, the month and year of birth of the child, the number of the MultiSport Card, the type of card and the date of validity (which become the personal data of the child after the card is issued in the name of the child), the place and time of use of the card and the type of service used by the child.

We collect and process the above data for the purpose of:

creating a MultiSport Kids Card that allows children to access services that are included in our MultiSport Program,
notifying the child or the holder of parental responsibility about the possible inability to use the services included in our MultiSport Program,
delivery of MultiSport Kids Card,
performing calculations on the basis of which the Employer pays the fee for the use of the MultiSport Card to the holder of parental responsibility for the child or on behalf of the child,
improving the security and functionality of the server we use to provide electronic services,
check whether the MultiSport Card for children is used in accordance with the Terms of Use and check for possible misuse of the MultiSport Card for children. –
Responding to inquiries made through contact forms and other communication channels.

The legal basis for the collection and processing of children’s personal data is the consent of the holder of parental responsibility or guardian. Detailed information on the processing of personal data based on consent can be found under section Consent.

e) Common provisions for all MultiSport Cards

With your consent, we may send the data on service use time and location as well as service type included in the MultiSport Program to your Employer for them to assess the justification of your participation in the MultiSport Program. In this case, the legal basis for your data processing and forwarding is your consent. You can find detailed information on the processing of personal data based on consent under under section Consent.

When identifying you as a MultiSport Card holder, sports centres also have short-term access to MultiSport Card User data, which is available exclusively for identification purposes.

We retain Personal data of MultiSport Card Users for 18 months from the moment your MultiSport Card is deactivated. In case your card is a MultiSport Card for Trial Period, we retain your data for 6 months from the moment the MultiSport Card for Trial Period is deactivated. The aforementioned period is the period during which you can reactivate your MultiSport Card. If you do not reactive your card in the aforementioned period, your card will be archived, and data anonymised, which means they no longer exist in the form that allows for your identification as an individual.

We retain data about children as MultiSport Kids Card Users until the moment of withdrawal of consent by the parent/guardian, and after withdrawal of consent, we immediately delete it.

We retain data about the time and place of use of the MultiSport Card, except for the MultiSport Card for the Trial Period, for the period specified in advance, provided that our bill for the services used has been settled during that period, and if the bill has not been settled, then we store it for a period of 3 years from the date the bill is due, and if we have initiated the procedure for forced collection of the bill, then we store it until the final conclusion of the court proceedings, all for the purpose of defending our possible legal claims.

If you pay the fee for the use of the MultiSport Card via My MultiSport Platform for individual payments, then your data necessary for making the payment is processed by our business partner through whom you make the payment and only provides us with information about the number of the order that has been paid.

We transfer the data of MultiSport Card Users outside the Republic of Croatia to Benefit Systems S.A. (Poland), MultiSport Benefit s.r.o. (Czech Republic), Benefit Systems Slovakia s.r.o. (Slovakia), Benefit Systems Bulgaria OOD (Bulgaria) and Benefit Systems Spor Hi̇zmetleri̇ Li̇mi̇ted Şi̇rketi (Turkey), and to enable you to also use the benefits of the MultiSport Program (International visits) in the aforementioned countries.

f) Business partners

If you are our business partner, we collect and process the following personal data:

name and surname or company name, name and surname of the responsible person of the legal entity, name and surname of the legal entity’s contact person, address, personal identification number and/or company registration number, contact information (email address and phone or mobile phone number), website address, bank account number, credit/debit card number, information on the type and content of your contractual relationship with the company Benefit Systems, username and password if it is the MultiSport Card holder’s employer, sport facility name and location and the types of services it provides if the sport centre is a partner.

We process the aforementioned personal data for the purpose of concluding contracts, i.e. establishing a contractual relationship, execution of contracts, i.e. the fulfilment of rights and obligations arising from a concluded contract, e.g. issuing invoices for services provided if partners are employers or settling invoices for services provided if partners are sports centres, mutual use of logos and similar activities.

In relation to the personal data retention period, we point out that it depends on the type of collected personal data.

We retain name and surname or company name, address and personal identification number and/or company registration number found on the invoice issued for our services and on the invoice received for provided services, for 11 years (counting from the last day of the year in which the invoice was issued) since this is the legally required period for retaining invoices issued an received. The aforementioned data are also in the agreement you concluded with the company Benefit Systems, as well as the data regarding the content of the contractual relationship, the responsible person and contact person, and after the termination of the contractual relationship, they are kept for a period of 3 years from the due date of the last invoice issued before the termination of the contractual relationship, and if we have initiated a procedure for forced collection of the invoice, then we keep the contract until the final conclusion of the court proceedings, all for the purpose of defending our possible legal claims

We erase contact information immediately upon the termination of the contractual relationship, i.e. service performance, unless you give your consent to the aforementioned data being stored in order to send notifications about new services we offer. If you have given the aforementioned consent, detailed information about the processing of personal data based on consent can be found under section Consent.

g) Event organisation

If you participate in events we organise, we process your personal data found in multimedia content created during those events, specifically:

data found in photographs, video and audio recordings and other multimedia content.

We process the aforementioned data for the purpose of posting on our social media profiles (Facebook, Instagram, LinkedIn and all other social media) for marketing purposes and self-promotion.

If we process personal data for the aforementioned purposes, depending on the type of multimedia content, we process them based on your legitimate interest or consent. You can find detailed information on consent under under section Consent.

If we process data based on consent, we use and store the data until the moment of withdrawal of consent, and if we process it based on legitimate interest, then we use and store it for the time for which our legitimate interest exists to process personal data for the above purposes.

h) Organisation of prize contests

If you participate in prize contests we organise, we process the following personal data:

name and surname, MultiSport Card number, identification number with your employer (if applicable), email address, and your photo.

We process the aforementioned personal data for the purpose of conducting the prize contest, publishing your photo on our social media profiles (Facebook, Instagram, LinkedIn and all other social media) and if you win a prize, in order to deliver your data to the prize issuer.

If we process your personal data for the aforementioned purposes, we process them based on your consent. You can find detailed information on consent under under section Consent.

We retain the data we process for the above purposes until the prizes are awarded to the winners, and then delete them.

i) Marketing

For marketing purposes, such as sending offers, newsletters and performing other marketing activities, we process the following personal data:

your name and surname, email address, mobile phone number.

We process the aforementioned personal data for the purpose of sending offers and notifying you of our product and services.

If we process your personal data for the above purposes, and you are our business partner or a MultiSport Card user (except for the Multisport Kids Card), then we process your data based on our legitimate interest, and in other cases based on your consent. You can find detailed information about consent under the section Consent.

If we process data based on consent, we use and store the data until the moment of withdrawal of consent, and if we process it based on legitimate interest, then we use and store it for as long as our legitimate interest exists to process personal data for marketing purposes.

The way in which we process personal data for marketing purposes depends on the type of relationship between us (e.g. whether you have signed up on our website or mobile application, whether you are our client or counterparty) and the consents you have given us.

Our marketing activities may include displaying advertisements to you on websites or applications, presenting offers or advertisements via a communication channel such as e-mail or telephone (if you have authorised us to deliver marketing content to you via the communication channel of your choice, e.g. e-mail, SMS/MMS, telephone, push notifications), traditional marketing mailings, conducting analyses and statistics for marketing purposes and conducting service satisfaction surveys, including by contacting you by means of the communication channel of your choice. We can also perform profiling for marketing purposes.

Tailored marketing

We may process your personal data for marketing purposes, including for profiling, in the following cases:

if you consent to the storage of cookies or similar technologies on your device, we may use the information collected by means of those technologies to provide you with advertisements or offers tailored to your potential interests identified on the basis of the content you view and your activity. For example, if you browse pages related to MultiSport packages, we will be able to display you an advertisement for MultiSport or our other services on other websites and in applications;

if you are a registered user of our website or application and you log in to your account, we will be able to associate information on the content you viewed with you, and use it for profiling purposes to better adjust our marketing communication and offer for you;

If you consent to the delivery of marketing content by us to you through a communication channel of your choice;

If we are bound by contract or are conducting professional cooperation;

if you agree to our use of information about the location of your device (e.g. smartphone) for marketing purposes, we will be able to display to you advertisements or offers relevant to your location. For example, we will be able to show you an invitation to an event held nearby;

to conduct analyses and statistics for our marketing needs and to test your satisfaction with the services we offer by contacting you via the communication channel of your choice.

We can also present you with unprofiled advertisements and offers.

What is profiling for marketing purposes

Our processing of your personal data for direct marketing purposes involves profiling.

Profiling is the use of automatic processing of your data to draw conclusions about your potential interests and preferences. By profiling, we can match products, offers and advertisements to you in the best way possible. As part of profiling, we can also combine information that you leave us when using our different products and services, such as information that you leave when visiting our website or application, using the MultiSport or MultiLife Programme, the Cafeteria, or the services of our Fitness Club.

For profiling, we use tools provided by specialised third parties. See our “Cookies Policy” for more information about our partners and the possibility of adjusting your advertising preferences. We seek to ensure that profiling brings you clear benefits: offers, promotions and advertisements that you may find interesting. In this way, we want to ensure we do not present you with content that might be inappropriate or unattractive for you. Example: if we determine that you are a woman and as part of the MultiSport Programme you regularly attend dance classes in a particular location, this will give us a signal that you may be interested in new dance classes in your favourite location, but you are probably not interested in martial art classes in another, distant city.

Our legitimate interest and your interests, rights and freedoms

We process your personal data for marketing purposes, including profiling, based on our legitimate interest. For this reason, we have assessed whether your interests, rights and freedoms (e.g. the right to privacy) outweigh our interests. This assessment has shown that we can process your personal data in the indicated manner, because:

we process your personal data for marketing purposes only when we find that you can reasonably expect that processing (e.g. you are a user of the MultiSport card, you sign up on our website or in our application, and consent to receiving marketing e-mails from us);
we will send you marketing communications via e-mail, SMS/MMS or phone calls only with your consent;
we will send you marketing communications about products or services of third parties not affiliated with Benefit Systems via e-mail, SMS/MMS or phone calls only if you separately consent to those communications;
we enable you to easily object to the processing of your personal data for direct marketing purposes, and we inform you about this right;
our profiling for marketing purposes does not excessively interfere with your privacy. We focus on what products or services available on our offer you may find interesting. We do not want to provide you with content that you might find unattractive. Based on our profiling, we do not take any decisions against you with adverse legal effects (e.g. refusal to conclude a contract) or that might significantly affect you in a similar way.
we use technical and organisational measures that adequately protect your personal data.

Social media

You can find us on social media such as Facebook, Instagram, LinkedIn, TikTok and YouTube among others. Each social media platform informs you about the way in which it processes your data during registration, under their terms and conditions or privacy policies. We do not have access to all the information about you in the same capacity as the aforementioned platforms. However, if you have an account on a social media platform and observe our profiles or engage with us ( e.g. leaving likes, hearts, comments, or texting us directly via the communicator of a given service), then we can see the information about you that you have provided on a given social media platform when contacting us, or that the platform provides us with, e.g. in relation to displaying advertisements or our profile (depending on your privacy settings on that platform).

Our pages on social media platforms

As mentioned above, the social media platform will be the administrator of your personal data, which it processes in accordance with the information provided to you during registration, for example on:

LinkedIn (Privacy Policy: https://www.linkedin.com/legal/privacy-policy#others; Page Insights Joint Controller Addendum: https://www.linkedin.com/legal/l/page-joint-controller-addendum)
Meta (Facebook; Instagram, Threads) (Privacy Center Facebook: www.facebook.com/about/privacy, Data Policy Instagram: https://help.instagram.com/155833707900388).

Only when you interact with our profile in the given service can we process your data as its administrator, which we inform you about in the information clauses posted on individual social media platforms. Additionally, we may act as so-called joint controllers with certain social media platforms. For example, with regard to data processing for statistics purposes as part of our Facebook and Instagram pages, we and Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland act as joint controllers of your data. The joint controller arrangements can be found at www.facebook.com/legal/controller_addendum. When we make use of Meta products, we do it in compliance with their Terms and Conditions. You can find more information about website statistics at: www.facebook.com/legal/terms/information_about_page_insights_data.

If you would like detailed information about data processing on social media platforms, you can also contact us. You will find our contact details above in the section How to contact us.

Social media plugins and codes

Remember, if you sign up and log in using external authentication services offered by Facebook, Google, Apple or others, we will receive your personal data, notably your name, surname/ username, profile photo, ID, and authorisation details for a given platform. Depending on your privacy settings in the indicated external platform, we can also receive other data. Before using this service, read the terms and conditions for using the data by the external platform.

In addition, we place social media buttons and codes on our websites and in our applications. When you are redirected to a given social media portal by clicking one of those buttons, you can, for example, like or start following our website. Your activity and personal data are then also processed by the entity operating the portal and are used by that entity for its own purposes, e.g. for marketing. Your activity on pages containing codes and your personal data are collected by entities running social media portals, in particular for statistical purposes and to check whether you are a logged user of this portal, and to enable the provision of services (e.g. logging in by means of your social media account). The data are also further processed for other purposes specified by those entities. This applies to all users of our websites, regardless of whether they are registered users of those social media portals.

We process and enable social media portals to access specified data based on our legitimate interest (Article 6(1)(f) of the GDPR). This consists in enabling you to share your content of interest on social media, facilitating your logging in, and promoting our business, services and products. Detailed information on the processing of your personal data and the method of exercising your rights related to data processing by social medial portals are described in the privacy policies of respective portals. Please read them.

j) Body composition analysis

If we process your personal data for the purpose of body composition analysis (e.g. Tanita body composition analysis), we process the following personal data:

name and surname, email, date of birth, sex, height, body fat percentage, visceral fat percentage, weight, BMI, muscle mass, lean body mass, skeletal muscle mass, bone mass, water percentage in your body, metabolic age, basal metabolic rate and daily calorie intake.

We analyse the aforementioned personal data for the purpose of conducting body composition analysis and generating and delivering measurement results.

The legal basis for the processing of the aforementioned personal data is the contractual relationship based on your request for body composition analysis and measurement result generation and delivery.

We retain the aforementioned data only during 24 hours from the time you provide them, and we erase them immediately upon delivering your measurement results via email.

k) Signing up using a contact form

By filling out our contact forms that appear as surveys or questionnaires on the official websites of Benefit Systems, or its social media (Facebook, Instagram, LinkedIn, TikTok, YouTube), or as Microsoft or Google forms, you also entrust us with your personal data.

If you fill out contact forms as an employer, we collect the following personal data: name and surname of the person contacting us on behalf of the employer, company or sole proprietorship name, number of employees, employer’s PIN (OIB), employer’s email address and phone number.

If you fill out contact forms as an employee, we collect the following personal data: your name and surname, your employer’s company or sole proprietorship name, your employer’s email address and phone number.

If you fill out contact forms as an owner of a sports centre or facility, we collect the following personal data: name and surname of the person contacting us on behalf of the sports centre, sports centre’s name and registered office, service type which the sports centre provides, website address, sports centre’s email and phone number.

If you fill out contact forms as a user of a sports centre or facility, we collect the following personal data: your name and surname, the name of the sports centre, sports centre website address, your email and phone number.

We collect and process the aforementioned data for the purpose of contacting you in order to establish cooperation and store your data in our database.

If we process your personal data for the aforementioned purposes, we process them based on your consent. You can find detailed information on consent under section Consent.

We retain the data for 18 months from the moment you granted consent for the processing of your personal data, and in the event of withdrawal of consent, we delete them immediately after withdrawal of consent.

l) Webinars

If you participate in webinars that we have organized, we process the following personal data:

name and surname and e-mail address.

We process the above personal data for the purpose of analysis and statistics on webinar attendance.

We process the above personal data based on our legitimate interest in performing analysis and creating statistics on webinar attendance.

We use and store the above data while performing analysis and statistics on webinar attendance and then delete it.

If during the webinar you request the creation of a MultiSport card for the Test Period, then the data processing rules for that type of card specified in this article under point a) apply.

m) Employment candidates

If you have applied for employment and submitted your job application and CV, we process the following data:

your name and surname;
permanent or temporary residence address;
mobile phone number;
email address;
citizenship;
date of birth;
sex;
work experience;
education and training;
personal skills;
as well as all other data you entered in your CV.

We process the aforementioned data for the purpose of your participation in the employment tender and employment candidate selection.

The legal basis for processing the aforementioned data is undertaking legal actions regarding your request to conclude an employment agreement with the company Benefit Systems.

During the employment candidate selection, we conduct psychological testing which is performed by our business partner as a processor on our behalf, and in such cases, we additionally process the results of the conducted psychological testing. In this case, the legal basis for your personal data processing is our legitimate interest to select the candidate who best meets the requirements of the individual job position and who will best fit into the work environment.

We retain the aforementioned data until we select the candidate whom we want to hire, i.e. conclude an employment contract, and we erase them immediately thereafter.

If you withdraw your application during the candidate selection process, we erase all your data immediately after you notify us of your withdrawal.

We deliver your aforementioned data to our business partner who acts as the processor and provides us with expert consulting services regarding the employment candidate selection.

n) Business premises video surveillance

Certain areas of the Benefit Systems’ business premises are covered by a video surveillance system which processes the following data subject’s data, but only when they enter the surveillance cameras’ recording perimeter:

– recordings of data subjects (excluding sound).

The aforementioned personal data are processed for the purpose of the Benefit Systems’ assets protection.

The aforementioned data, i.e. recordings are delivered to the competent state authorities if unlawful conduct is recorded.

The legal basis for processing is legitimate interest of the Benefit Systems company to protect its assets.

The aforementioned data, i.e. recordings are retained for 1 (one) month after they are generated. In case unlawful conduct is recorded, a longer retention period may be conditioned based on appropriate judicial, administrative, arbitration or other proceeding, of which the data subjects will be informed in a timely manner by Benefit Systems.

Is providing data compulsory

As a rule, providing personal data is not compulsory, but may be necessary for you to use the services provided by Benefit Systems, e.g. to enter into an agreement with us, to participate in our competitions or to have a matter your raise examined. Therefore, your failure to provide your data may in some instances make it impossible for us to provide services or undertake other actions. Our forms used to collect data clearly indicate the data the provision of which is necessary.

Who do we transfer your data to

Your personal data may be transferred to the following entities: entities from Benefit Systems Group companies – here, hosting and maintenance service providers for our websites and applications, ICT and IT support and security service providers, data storage and destruction service providers, providers of services that are in addition to the services we provide you with, our Partners (sports and recreation, entertainment, and cultural facilities, hotels, offices and tourist intermediaries), entities that have enabled you to use the MultiSport Programme, MultiLife, Cafeteria or other services (usually your employer or the employer of the person who reported you to the MultiSport or MultiLife Programme), card printers, social network operators, payment operators, firms supporting us in debt collection, entities providing services related to serving our clients, and to other stakeholders (e.g. couriers) and to those entities which support our marketing activities, as well as to legal advisors and auditors.

If you wish to use your MultiSport virtual card outside Republic of Croatia, your personal data will be transferred to the Benefit Systems group company that provides its services in the country where you use the card. Detailed information on the identity of the company as well as on the processing of your personal data it shall carry out are available here.

Your data may also be transferred to public authorities in cases provided for by law.

We do not forward or make available your personal data to unrelated third parties, and they remain securely stored on our chosen internal or external server and in our business premises, which sufficiently guarantee the implementation of appropriate technical and organisational measures, ensuring that processing complies with the requirements of the General Data Protection Regulation and that your rights are protected.

Considering that we operate within a group, the companies we are affiliated with also have the possibility to access your data, specifically the company Benefit Systems International S.A., Mlynarska 8/12, 01-194 Warsaw, Poland and Benefit System S.A., Pl. Europejski 2, 00-844 Warsaw, Poland for the purpose of maintaining the security of our information system.

If we need your data to exercise our rights and/or defend legal claims before competent state authorities and/or comply with legal obligations, we will deliver your data to our legal representative who represents us in these proceedings (e.g. an attorney) or to a partner who fulfils these legal obligations on our behalf (e.g. an accounting firm or a tax advisor). In that case, depending on the type of the proceeding, your data may be made available to personal data recipients, e.g. courts, notaries public, Financial Agency and other state authorities that are in any way related to the proceeding in question.

In certain cases, we also forward your data to the accounting company that performs bookkeeping and accounting tasks, such as posting invoices and preparing financial statements for tax calculation and payment on behalf of the company Benefit Systems and also fulfils other obligations that we as a company must fulfil based on accounting, bookkeeping and tax regulations. We forward some of your data to the Tax Administration as the recipient of your data for the aforementioned purposes.

We forward your personal data, specifically your name and surname or company name and address, to legal entities performing postal consignment delivery and which require the aforementioned data in order to deliver the consignment. This applies if deliveries are made via regular mail.

The bank where we opened our business account, through which monetary transactions are conducted, also has access to some of your data.

We will limit the data we forward and deliver to the smallest amount possible by forwarding to the aforementioned legal or natural persons we share your data with only the data they require for the processing purpose defined by the company Benefit Systems.

All legal and natural persons we forward your personal data to have to keep their confidentiality as part of the contractual relationship and have also implemented organisational and technical protection measures.

Certain data may be forwarded to the authorities of the Republic of Croatia upon their request in order for us to comply with the obligations prescribed by the law of the Republic of Croatia and/or the European Union.

Are your data transferred outside the European Economic Area

As a rule, your personal data are not transferred outside the European Economic Area (EEA). Some of the data recipients (such es technological solution providers) may process them in third countries. We make every effort for the provision of data to these providers to be lawful and that all relevant safeguards are in place. If the European Commission has not issued a decision confirming that a given third country ensures an adequate level of personal data protection, we ensure that data transfers are carried out on the basis of other legal protection measures, e.g. based on standard contractual clauses or codes of conduct. You can contact us to obtain copies of the implemented security measures. You can find contact details above in section How to contact us.

How long will your personal data be stored

We store your data for a period necessary to achieve the processing purposes outlined above in the section How do we process your personal data [link]. We will delete the data when they are no longer needed for the above purposes. We store your data in particular:

to perform the contract and provide services until the contract has been performed or the service provision has ended, and subsequently for a period necessary for effective investigation or defence against claims, which is usually 3 or 6 years, but may be shorter o longer in certain situations provided for by law, with the note that we only keep the data that was necessary for us to defend our legal claims in the proceedings;
when the law imposes certain obligations on us, in particular tax and accounting obligations, we will process the data necessary for the performance of those obligations for the period required by law;
when we process data on the basis of your consent, we will process them no longer than until you withdraw your consent;
when we process data on the basis of a legitimate interest, we will process them no longer than until the objection is effectively raised and until the completion of the objection process, unless the data are no longer necessary for the performance of our legitimate interests.

Consent management

If we process your personal data based on a consent, we ensure that consent is always given in the form of a written statement (including an opt-in option if consent is given via electronic media) and that the consent is voluntary, specific, informed and unambiguous.

The statement whereby you give consent to the processing of your personal data will be drafted for each specific purpose of processing in an understandable and easily accessible form, using clear and plain language.

You have the right to withdraw your consent to personal data processing at any moment, which you will be additionally notified of prior to giving your consent and you will be notified of the way to withdraw your consent.

Please note that if consent was given for a one-time processing action which has already been completed, the withdrawal of the consent has no legal effect.

In case you withdraw your consent, we will immediately erase all your personal data.

Please also note that personal data processing based on a valid consent before it was withdrawn is entirely lawful.

If you do not consent to data processing based on consent, we are not able to perform the processing based on consent.

WHAT ARE YOUR RIGHTS

Right of access

We can issue a confirmation as to whether your personal data are being processed, and if so, grant you access to that data and the following information: purpose of the processing, personal data categories in question, recipients or recipient categories to whom the personal data were or will be disclosed, estimated period during which the personal data will be stored and the existence of data subjects’ rights regarding personal data processing (which rights are listed below in this Privacy Policy).

Right to rectification

If your personal data that we process are incomplete or inaccurate, you can ask us to rectify or complete them at any moment by providing an additional statement. Please note that you are responsible for providing correct data and you also have to inform us about relevant changes to your personal data. Personal data rectification and update may take up to 5 business days, which is related to our system’s technical conditions.

Right to erasure

You are entitled to request erasure of your personal data if you filed a complaint to processing based on our legitimate interest, or if you believe your data were unlawfully processed, or you believe your data should be erased based on the law of the European Union or the Republic of Croatia. We will erase your data immediately after you file your request for erasure, except for the data we have to retain according to the regulations of the European Union and the Republic of Croatia.

Right to restriction of processing

You can ask us to restrict the processing of your data:

if you dispute the accuracy of the data during the period that allows us to verify the accuracy of those data;
if data processing was not allowed, but you refuse erasure and instead request the restriction of their use;
if we no longer require the data for intended purposes, but they are still necessary in order to fulfil legal requirements.

If data processing is restricted, such personal data may only be processed with your consent, except in case of data storage or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or legal entity or for important public interest. If you obtain a restriction of data processing, we will inform you before the restriction is lifted.

Right to object

Considering that we refer to our legitimate interests when processing your personal data, you can submit an objection to such data processing if there is an interest in protecting your data. If you submitted an objection to such processing, we will no longer process your data unless we demonstrate compelling and legitimate grounds for the processing that override your interests, rights and freedoms or if it is required for the establishment, exercise or defence of our legal claims.

Right to lodge a complaint

If you believe that we acted against the law of the European Union or the Republic of Croatia when processing your personal data, please contact us to resolve any potential issues. You have the right to submit a request for determination of a violation of rights regarding the processing of your personal data at any time to the Personal Data Protection Agency, Ulica Metela Ožegovića 16, 10 000 Zagreb, and you can find the request form on the following link https://azop.hr/zahtjev-za-utvrdivanje-povrede-prava/.

Right to be informed about a personal data breach

In case a breach of your personal data occurs despite all measures taken, we will inform you of such a breach if the breach is likely to result in a high risk to your rights and freedoms. In that case, we will notify you without undue delay and in written form.

The aforementioned notification will contain a description of the nature of the personal data breach, provide the contact information of the data protection officer from whom additional information about the breach can be obtained, describe the likely consequences of the personal data breach and the measures taken by the company Benefit Systems to address the personal data breach, including measures to mitigate harmful effects.

Exercise of the rights

If you wish to exercise any of the aforementioned rights, you can contact us using the following communication channels:

email address which is also the address of the data protection officer: dpo@benefitsystems.hr,
registered office address of the company Beneﬁt Systems d.o.o., Vjekoslava Heinzela 44, 10000 Zagreb with the note “Personal data” on the envelope.

The company Benefit Systems will respond to your requests to exercise your rights in accordance with the deadlines and authorisations prescribed by the General Data Protection Regulation.

In any case, when exercising the aforementioned rights, keep in mind that we must unequivocally verify your identity, which serves to protect your rights and privacy. When we need more time, we will inform you about the prolonged time for considering your request and about the reasons for the prolongation. If your request is manifestly unjustified or excessive, we may refuse to take the requested actions.

If you exercise any of the aforementioned rights too frequently or with an obvious intent of misuse, we may charge you a reasonable fee considering the administrative costs of providing information or notifications or acting on a request or we may refuse to act on your request.

Personal data protection measures

The company Benefit Systems has implemented appropriate technical, organisational and personnel-related measures to enable effective application of data protection principles, such as reducing the amount of data and the integration of safety measures into processing, measures necessary to protect personal data from accidental loss or destruction, unauthorized access or alteration, unauthorized disclosure and any other misuse, in relation to all data regardless of storage or processing location or format, all to meet the requirements of the General Data Protection Regulation and protect data subjects’ rights.

The company Benefit Systems trained its employees who participate in personal data processing and those employees have to keep these data confidential based on a confidentiality statement.

Amendments to the Privacy Policy

This Privacy Policy may be amended at times in accordance with the law or industry and practice development and any new measures we may take to improve the security of your personal data.
You will be notified of any change in a timely manner by highlighting the Privacy Policy amendment on the Benefit Systems’ website.

Benefit Systems d.o.o.