Personal Data Controller
The controller of personal data within the meaning of European Union law is FraVeRa Journey, an economic activity registered in the Kingdom of the Netherlands, operating as a disclosed travel agent.
Article 4(7) GDPR - definition of data controller.
"controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Source: Regulation (EU) 2016/679, OJ EU L 119 of 04.05.2016, EUR-Lex.
The controller fulfills the information obligation towards data subjects through this Privacy Policy, made available on the website.
Article 13(1) GDPR - obligation to provide information when collecting data from the data subject.
Source: Regulation (EU) 2016/679, OJ EU L 119 of 04.05.2016, EUR-Lex.
The controller's identification data, including legal form, country of registration, registration number and contact details, are indicated in the Impressum and in the contact section of the website.
Article 13(1)(a) GDPR - obligation to indicate the identity and contact details.
FraVeRa Journey processes personal data independently and does not act as a joint controller of personal data within the meaning of Article 26 GDPR.
FraVeRa Journey is not obliged to appoint a data protection officer, as it does not meet the criteria specified in Article 37(1) GDPR.
The controller is subject to the law of the Kingdom of the Netherlands as a Member State of the European Union where it has its establishment, while simultaneously applying the directly applicable GDPR.
Article 3(1) GDPR - territorial scope.
National law NL: Uitvoeringswet AVG (UAVG), wetten.overheid.nl
Scope of Personal Data Processed
The controller processes only such personal data that are adequate, relevant and limited to what is necessary for the clearly defined purposes of processing.
Article 5(1)(c) GDPR - data minimization principle.
The controller may process identification and contact data, in particular name, surname, email address, telephone number and other data necessary for contacting and identifying the Client.
Article 6(1)(b) GDPR - performance of a contract.
The controller may process data concerning the planned trip, accommodation preferences, dates, scope of services and other organizational information.
The controller may process technical data, including IP address, browser, device and operating system data, and cookie identifiers, to the extent permitted by law and by the consent given.
• Article 6(1)(a) GDPR - consent
• Article 5(3) ePrivacy Directive
Implementation NL: Telecommunicatiewet Article 11.7a
The controller may process health data only when necessary for organizing a health or spa stay and only to the extent voluntarily provided. Such data are not processed for diagnosis or treatment purposes.
• Article 9(2)(a) GDPR - explicit consent
• Article 9(2)(h) GDPR - health care organization
The controller does not process personal data that are not necessary to achieve the purposes indicated in this Privacy Policy.
Sources of Personal Data
3.1. Direct Collection
Data obtained directly from the data subject in the course of contact initiated by that person.
3.2. Online Forms
Data collected through forms on the website, technically handled by BASIN as processor.
3.3. Communication
Data from email correspondence, telephone conversations, and other direct communication.
3.4. Voluntary Documents
Documents or information voluntarily provided, including health data for stay finalization.
The controller does not collect personal data from covert sources, third-party databases or publicly available registers for the purpose of creating customer profiles.
Article 13 GDPR applies in most cases (data collected directly). Article 14 GDPR applies only in exceptional situations.
Purposes of Personal Data Processing
4.2. Offer Preparation
Preparing trip offers and taking steps before entering into an agency services contract.
4.3. Agency Services
Providing agency services including advice, intermediation, coordination and support.
4.4. Communication
Ongoing communication with the Client related to trip organization.
4.5. Partner Transfer
Transferring data to Partners providing main services (hotels, sanatoriums, transport).
4.6. Health Stays
Organizing health or spa stays and transferring information to medical Partners.
4.7. Legal Obligations
Fulfilling accounting, tax and archiving obligations.
Statistical analysis of website traffic using Google Analytics 4, only after obtaining user consent.
Article 6(1)(a) GDPR - consent
Marketing and remarketing purposes (Google Ads, Meta Ads) only after obtaining user consent, without combining with health data.
Legal Bases for Processing
Processing is carried out on the basis of Regulation (EU) 2016/679 (GDPR).
Article 6(1)(b) GDPR - Necessary for performance of a contract or steps before entering into a contract.
Article 6(1)(c) GDPR - Necessary for compliance with legal obligations (accounting, tax).
Article 6(1)(a) GDPR - Processing based on voluntarily, knowingly and unambiguously expressed consent.
• Article 9(1) - General prohibition on processing health data
• Article 9(2)(a) - Explicit consent exception
• Article 9(2)(h) - Health care organization exception
Article 5(3) ePrivacy Directive - Consent required for storing/accessing information in terminal equipment.
Article 7(3) GDPR - Right to withdraw consent at any time, without affecting prior lawful processing.
Special Category Data - Health Data Rules
⚕️ Health Data Protection
Health data is subject to special protection under GDPR Article 9. Processed only when absolutely necessary for organizing health and spa stays, with explicit consent and strict security measures.
Health data means personal data relating to the physical or mental health of a natural person, including information about the use of health care services (Article 4(15) GDPR).
Processing of health data is generally prohibited unless one of the grounds permitting it applies (Article 9(1) GDPR).
• Explicit consent (Article 9(2)(a))
• Health care organization (Article 9(2)(h))
Under Article 9(2)(h), data must be processed by or under the responsibility of a person subject to professional secrecy (Article 9(3) GDPR).
Preliminary stage: Only descriptive health information for matching stays.
Finalization stage: Health data transferred to Partner only to extent necessary for service performance.
Consent must be freely given, specific, informed and unambiguous. Demonstrable under Article 7(1) GDPR. Withdrawal possible at any time under Article 7(3) GDPR.
The controller does not provide medical advice, make diagnoses or therapeutic decisions. Health data processed solely for organizing and coordinating stays.
No automated decision-making or profiling based on health data (Article 22(1) GDPR).
• Storage limitation - Deleted or anonymized after organizational purposes (Article 5(1)(e))
• Security measures - Access restriction and authorization control (Article 32)
• Accountability - Compliance documentation (Article 5(2))
Recipients of Personal Data
The controller discloses personal data only to specified categories of recipients and only to the extent necessary to achieve the purposes of processing.
7.2. Service Partners
Sanatoriums, clinics, spa facilities, hotels, medical entities and transport companies - only to extent necessary for service performance.
7.3. Health Data Transfer
Only if necessary for health/spa services and on appropriate legal basis (explicit consent or health care basis).
7.4. IT Providers
IT service providers, hosting, email, form systems (BASIN) - exclusively as processors under Article 28 GDPR.
7.5. Analytics/Marketing
Google and Meta - only after user consent, to extent resulting from consent configuration and Consent Mode v2.
7.6. Public Authorities
Public authorities or authorized entities if obligation arises from EU or Dutch law.
The controller does not sell, provide for a fee or exchange personal data with other entities for commercial purposes unrelated to service provision.
Access to personal data is restricted to entities and persons for whom such access is necessary to achieve processing purposes.
The controller documents transfers of personal data to recipients and is able to demonstrate compliance with GDPR.
Transfer of Personal Data Outside EU/EEA
Transfer of personal data to third countries or international organizations is permissible only on the terms specified in Chapter V of the GDPR (Article 44).
Transfer is permissible if the European Commission has decided that the country ensures an adequate level of protection (Article 45(1) GDPR).
If there is no adequacy decision, transfer may take place subject to appropriate legal safeguards, in particular standard contractual clauses (Article 46 GDPR).
For tools provided by entities outside EU/EEA (Google, Meta), transfer takes place only in accordance with Chapter V GDPR mechanisms.
For transfers based on standard contractual clauses, the controller conducts a transfer impact assessment to verify whether third country law undermines safeguards (CJEU Judgment C-311/18 - Schrems II).
Health data is transferred outside EU/EEA only in exceptional cases, if conditions of Chapter V GDPR and Article 9 GDPR are jointly met.
In the absence of an adequacy decision and appropriate safeguards, transfer may take place only on the basis of the exceptions in Article 49 GDPR, applied restrictively.
The controller informs data subjects about the intention to transfer data outside the EU/EEA and about the safeguards or exceptions applied (Article 13(1)(f)).
The controller documents all cases of data transfer outside EU/EEA and is able to demonstrate compliance with GDPR.
Cookies and Similar Technologies
Cookies and similar technologies (including localStorage, sessionStorage, pixels, tags and online identifiers) constitute information stored or read in the user's terminal equipment.
Article 5(3) of Directive 2002/58/EC (ePrivacy)
Implementation NL: Telecommunicatiewet Article 11.7a, wetten.overheid.nl
The controller uses necessary, analytical and marketing cookies, where cookies other than necessary are activated only after obtaining user consent.
Necessary cookies are used solely to ensure the proper functioning of the website and its basic features and do not require user consent.
Article 5(3) second sentence of Directive 2002/58/EC - exception for "strictly necessary" cookies.
"...this shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
Analytical cookies are used for statistical analysis of website traffic using Google Analytics 4, only after obtaining user consent.
• Article 6(1)(a) GDPR - consent
• Article 5(3) ePrivacy Directive
Sources: GDPR; Directive 2002/58/EC; GA4 Documentation
Marketing and remarketing cookies (Google Ads, Meta Ads) are used only after obtaining user consent for displaying personalized advertisements and analyzing campaign effectiveness.
The controller uses a consent management platform (CMP) that allows the user to express, refuse or change consent for the use of cookies.
Article 7(1) and (3) GDPR - proof of consent and its withdrawal.
The controller uses Google Consent Mode v2, which transmits consent signals to Google for categories: ad_storage, analytics_storage, ad_user_data, ad_personalization.
Lack of consent for analytical or marketing cookies does not affect the ability to use the website, except for functions directly related to these cookies.
Article 7(4) GDPR - voluntariness of consent.
The cookie storage period depends on their type and is indicated in the detailed Cookie Policy or in the CMP settings.
The controller ensures easy access to information about cookies used and enables changing consent settings at any time via a link in the website footer.
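An added example, not code from FraVeRa Journey's website or from the CMP it uses, showing how the four Consent Mode v2 signals named above can be derived from the CMP's cookie categories and kept denied until the user acts; the category names `analytics` and `marketing`, the local gtag shim and the dataLayer replay are assumptions.

```javascript
// Added example (not the site's own code): map CMP cookie categories to the
// four Google Consent Mode v2 signals, defaulting everything to "denied".
const CONSENT_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Default state that must be sent before any analytics/marketing tag fires.
function defaultConsent() {
  return Object.fromEntries(CONSENT_SIGNALS.map((s) => [s, 'denied']));
}

// Translate the user's CMP choices into consent signals (assumed category names).
// Necessary cookies need no signal; analytics -> analytics_storage;
// marketing -> ad_storage, ad_user_data, ad_personalization.
function consentSignals({ analytics = false, marketing = false } = {}) {
  const g = (on) => (on === true ? 'granted' : 'denied');
  return {
    ad_storage: g(marketing),
    analytics_storage: g(analytics),
    ad_user_data: g(marketing),
    ad_personalization: g(marketing),
  };
}

// Minimal gtag shim: the real gtag() pushes its arguments onto window.dataLayer.
// Kept local here so the example runs outside a browser.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Called once on page load, before any non-necessary tag is loaded.
function initConsentMode() {
  gtag('consent', 'default', defaultConsent());
}

// Called when the user saves choices in the CMP, including a later withdrawal
// (all categories false), which resets the signals to "denied".
function applyUserChoice(choice) {
  const signals = consentSignals(choice);
  gtag('consent', 'update', signals);
  return signals;
}

// Effective state after replaying every consent command in order, so the most
// recent update (e.g. a withdrawal) overrides earlier grants.
function effectiveConsent(layer = dataLayer) {
  return layer
    .filter((cmd) => cmd[0] === 'consent')
    .reduce((state, cmd) => ({ ...state, ...cmd[2] }), defaultConsent());
}
```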
Personal Data Storage Period
Personal data are stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Article 5(1)(e) GDPR - storage limitation principle.
10.3. Offer Preparation Data
Stored for duration of contact and after termination for time necessary to secure any claims.
10.4. Contract Data
Stored for duration of contract and after termination for period required by law or until expiry of limitation periods.
10.5. Legal Obligations
Stored for period resulting from applicable law, in particular tax and accounting law.
10.6. Health Data
Stored only for period necessary to organize and carry out health stay, then promptly deleted or anonymized.
10.7. Consent-based Data
Stored until consent is withdrawn or until they lose usefulness for the purpose consent was given.
10.8. Analytics/Marketing
Stored in accordance with validity period of cookies or until user withdraws consent.
After the storage period expires, personal data are deleted or anonymized in a manner that prevents identification of the data subject.
The controller documents the adopted data storage periods and is able to demonstrate their compliance with GDPR principles.
Rights of the Data Subject
📋 Your Rights Under GDPR
As a data subject, you have comprehensive rights regarding your personal data. These rights are exercised free of charge unless requests are manifestly unfounded or excessive.
Right to Information
Receive information concerning processing in a concise, transparent, intelligible and easily accessible form.
Right of Access
Obtain confirmation whether personal data are being processed and access to the personal data.
Right to Rectification
Obtain without undue delay the rectification of inaccurate personal data and completion of incomplete data.
Right to Erasure ("Right to be Forgotten")
Obtain erasure of personal data when data are no longer necessary for the purposes for which they were processed.
Right to Restriction
Obtain restriction of processing in cases indicated in the GDPR.
Right to Data Portability
Receive personal data in a structured, commonly used, machine-readable format and transmit to another controller.
Right to Object
Object at any time to processing based on legitimate interest of the Controller.
Right to Withdraw Consent
Withdraw consent at any time, without affecting lawfulness of processing based on consent before withdrawal.
Right Not to be Subject to Automated Decisions
Not to be subject to a decision based solely on automated processing, including profiling.
The data subject has the right to lodge a complaint with the competent supervisory authority if he or she considers that processing infringes GDPR provisions.
Competent authority in NL: Autoriteit Persoonsgegevens - autoriteitpersoonsgegevens.nl
Article 77(1) GDPR
The controller implements rights of the data subject without undue delay, no later than within one month of receipt, with possibility of extension in indicated cases.
Article 12(3) GDPR
Right to Lodge a Complaint with Supervisory Authority
The data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data infringes GDPR provisions.
Article 77(1) GDPR
The competent supervisory authority is the Autoriteit Persoonsgegevens in the Kingdom of the Netherlands.
Website: autoriteitpersoonsgegevens.nl
The data subject may lodge a complaint with the supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement.
The right to lodge a complaint is independent of other legal remedies, including the right to lodge a complaint with a court.
The controller cooperates with the competent supervisory authority in the performance of its tasks and provides all required information.
• Article 78 GDPR - Right to effective judicial remedy against decision of supervisory authority
• Article 79 GDPR - Right to effective judicial remedy against the Controller
Lodging a complaint with the supervisory authority is free of administrative charges.
Technical and Organizational Security Measures
The controller implements appropriate technical and organizational measures to ensure a level of security of personal data appropriate to the risk.
Article 32(1) GDPR
13.2. Selection Criteria
State of the art, implementation costs, nature, scope, context and purposes of processing, and risk assessment.
13.3. CIA Triad
Confidentiality, Integrity and Availability of data and resilience of processing systems.
13.4. Access Control
Access granted only to authorized persons and only to extent necessary to perform their tasks.
13.5. Technical Measures
IT system security, access protection, encryption and pseudonymization to extent adequate to risk.
13.6. Health Data Security
Heightened protection standards including access restrictions, transfer control and shortened storage.
13.7. Testing
Regular testing, measuring and evaluating effectiveness of applied measures.
The controller uses only processors providing sufficient guarantees to implement appropriate technical and organizational measures.
The controller has procedures enabling detection, reporting and assessment of personal data breaches.
The controller documents applied security measures and is able to demonstrate compliance with GDPR.
Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Article 4(12) GDPR
The controller implements procedures enabling immediate detection, analysis and assessment of each personal data breach.
After detecting a breach, the controller conducts an assessment of the risk of infringement of rights or freedoms of natural persons.
If a breach may result in risk to rights and freedoms, the controller reports it to the supervisory authority without undue delay, no later than 72 hours from becoming aware.
Article 33(1) GDPR
The report includes: nature of breach, categories of data, possible consequences, and measures taken or proposed.
The controller documents all personal data breaches, regardless of whether they were subject to reporting obligation.
If breach may result in high risk to rights and freedoms, the controller notifies the data subject without undue delay.
Article 34(1) GDPR
Notification is not required if technical measures eliminating the risk have been applied or if other conditions in Article 34(3) GDPR are met.
Breaches involving health data are subject to particularly rigorous risk assessment and as a rule qualify as high-risk breaches.
The controller cooperates with supervisory authority and is able to demonstrate compliance of breach response procedures with GDPR.
Changes to Privacy Policy
The controller is entitled to make changes to the Privacy Policy in the event of changes in law, changes in manner or scope of processing, changes in applied technologies or business development.
The controller ensures that information provided to data subjects is up-to-date, reliable and corresponds to actual manner of data processing.
The current version of the Privacy Policy is published on the website and marked with the date of entry into force.
If changes concern essential aspects of processing, the controller ensures fulfillment of information obligations towards data subjects.
Changes to the Privacy Policy do not have retroactive effect and do not affect lawfulness of processing carried out before entry into force of changes.
Changes introduced to adapt to mandatory provisions of law apply from date of entry into force of those provisions.
The controller documents the Privacy Policy update process and is able to demonstrate compliance with GDPR principles.
This Privacy Policy enters into force on the date of its publication, unless another date is expressly indicated.