Protection of Personal Data


​​ With this Personal Data Protection Policy (Policy), (Controller) informs customers (travelers) and visitors to the website (Website) and other individuals whose personal data it processes (Individuals) regarding all aspects of processing personal data, including the rights of Individuals and the procedure for exercising them.

In addition to this Policy, information and explanations regarding the protection of personal data of Individuals may be contained in other documents, such as e.g. notices or consents.  

Contact information of the Manager and authorized person for data protection

Operator:, Tourist agency, Abdullah Ma Al Mahmood sp  
Headquarters : Novo Polje Cesta XIII 14, 1260 Ljubljana, Republic of Slovenia
Registration number : 8900213000 
Registered authority: AJPES Ljubljana, Republic of Slovenia
Telephone number : +386 40 341 111 
VAT ID: SI61838888 
IBANSI56 2900 0005 3381 285
Bank Name: UniCredit Banka Slovenija d.d.
Bank address: Ameriška ulica 2 SI-1000 Ljubljana, Republic of Slovenia

What personal data is processed, for what purpose and on what legal basis and how long it is kept:

Contractual relationship between the Administrator and the Individual:   

​ The Administrator processes certain personal data because it is necessary to fulfill the contract or order placed by the Individual on the website. The contractual relationship is also the legal basis for the processing of this data. It concerns the following personal data:

:Name and surname, 
:Address of residence (for unique identification of the Individual as a contractual party);
:E-mail address (for communication regarding the contract);
:Purchased (ordered) services (arrangement or travel, date of travel, destination and other features of the arrangement);
:the selling price of the service;
:Method of payment;
:Data on payments received by the Individual;
:Data on actual (non)participation in the trip;
:Data on complaints and other claims of the Individual. The operator keeps the personal data indicated for 5 years from the performance of the service (trip).  

​Fulfillment of the legal obligations of the Controller:  

​ The Controller is obliged by law to issue an invoice to the Individual for each purchased service.

The invoice contains the following personal data:
- name and surname of the Individual;
- address of residence
- tax number;
- number, date and place of issue of the invoice;
-purchased services and their prices;
-total value (amount) of purchase (orders);
-rate and amount of value added tax (VAT).

The manager keeps the personal data (accounts) listed for 10 years from the date of issue.   

Legitimate interest pursued by the Administrator:

​ On this legal basis, the Administrator records the IP addresses of the networks from which the Individual accesses the Website. Logging is necessary to detect and prevent abuse on the website. The operator keeps the above data for 3 years.

Consent (consent) to the processing of personal data: 

The Administrator processes certain personal data only on the basis of the Individual's voluntary personal consent, namely:

-E-mail address and gender, insofar as it is used to receive e-news from the Administrator; The administrator also stores data on sent e-newsletters (date and time of sending) and on the Individual's response to received e-newsletters (whether the Individual received the message, whether he opened it and whether he clicked on the link in the message and which links he clicked on) ;

-E-mail address, gender and data on past purchases for the purposes of targeted notification (by e-mail) based on created segments (profiles); when creating profiles and targeted notifications, the Controller takes into account the Individual's past purchases (travel destinations, date of last trip and total number of trips of the Individual), behavior on the Website, reading e-news (clicks on links pointing to the Website or to certain contents on website).

-E-mail address for the purposes of displaying online advertisements in the Google and Facebook advertising networks; The administrator provides information about the Individual's e-mail address to Google and Facebook, which then check whether the Individual is also a registered Google or Facebook user; Google and Facebook then display customized advertisements to such Individuals (Google and Facebook will in no case reveal to the Controller which Individual whose e-mail address they have provided is also a registered Google or Facebook user at the same time; the Controller processes all personal data based

on personal consent, processes and stores until this consent is revoked, unless it has previously achieved the purpose for which it processed the data.Consent

can be revoked at any time.  

Transfer of data to third parties and transfer of data to third countries (countries that are not members of the European Economic Area)

​​ The controller entrusts certain actions of the processing of the Individual's personal data to third parties, which means that the personal data is either forwarded to these third parties or they are given access to them or insight into them.

Third parties are contractually bound to process personal data only within the framework of the Controller's instructions and may not use it to pursue any of their own interests.

These third parties are:

- providers of sending e-mail messages;
-providers of business information (ERP) systems (for issuing invoices and recording purchases);
-providers of marketing automation systems (for targeted information based on segments (profiles));
-providers of data processing and analytics;
- providers of payment systems;
- providers of online advertising (Google Inc., Facebook Inc.);
-providers of online advertising leasing (online advertising agency)

Some of the listed third parties may transfer personal data outside the European Union (EU) or the European Economic Area (EEA), whereby appropriate protective measures are applied to such transfers, and the Individual also has enforceable rights and effective legal remedies available in case of such transfers.  

Handling of personal data after the retention period has expired

​ When the retention period for individual personal data or a set of data expires (which is defined under point 3. above), the Controller effectively and permanently deletes or anonymizes such personal data so that it can no longer be linked to the Individual.

Individual rights in relation to the processing of personal data

​​ The individual has the following rights regarding personal data:

The right to request from the controller at any time:

-confirmation of whether personal data is being processed in relation to him;

access to personal data and the following information: processing purposes; types of personal data; users or categories of users to whom personal data has been or will be disclosed, in particular users in third countries or international organizations; the intended period of retention of personal data or, if this is not possible, the criteria used to determine this period; the existence of automated decision-making, including the creation of profiles and the reasons for it, as well as the meaning and intended consequences of such processing for the Individual;

one (free of charge) copy of personal data in the form determined by him/herself (if the request is made by electronic means of communication and the Individual does not request otherwise, the copy is provided in electronic form); for additional copies requested by the Individual, the Controller may charge a reasonable fee, taking into account the costs;

-correction of inaccurate personal data;

-deletion of all personal data (right to be forgotten), if the assumptions from Article 17 of the General Data Protection Regulation are met, and especially in the case when the Individual withdraws consent to the processing of personal data;

-printout of personal data in a structured, commonly used and machine-readable format, with the right for the Individual to forward this data to another manager, without the Manager hindering him in doing so;

-stopping the use of personal data for direct marketing purposes, including creating profiles;

-that the Individual is not subject to a decision based solely on automated processing, including the creation of profiles, which has legal effects in relation to the Individual or in a similar way significantly affects him, if the assumptions from Article 22 of the General Data Protection Regulation are met;
- the right to file a complaint against the controller with the information commissioner if he believes that the processing of his personal data violates the General Data Protection Regulation.

Restriction of processing when:

- The individual disputes the accuracy of personal data, namely for a period that allows the Administrator to verify the accuracy of personal data;

- the processing is illegal and I object to the deletion of personal data, and instead the Individual requests the restriction of their use;

- The controller no longer needs the personal data for processing purposes, but the Individual needs them to assert, implement or defend legal claims;  

Revocation of consent to the processing of personal data and consequences for the Individual

​​ The individual can revoke the given consent (consent) to the processing of personal data at any time, namely:

- by clicking on the link to unsubscribe from receiving e-mails (the link is in every e-mail sent); in this way, the Individual achieves the termination of the processing of the e-mail address for the purpose of notification;

with a written statement sent to the Manager at the address tourist agency,, Abdullah Ma Al Mahmood sp

-Revocation of consent for the processing of personal data does not have any negative consequences or sanctions for the Individual. However, it is possible that the Controller will no longer be able to offer one or more of its services to the Individual after the withdrawal of consent, if they are services that cannot be provided without personal data (e.g. club, membership in a benefits club or customized information based on segments ( If there is no other legal basis after the

cancellation of the consent to the processing (storage) of personal data, the Controller will delete or anonymize the personal data of the Individual to which the cancellation refers.  

Procedure for exercising rights regarding personal data

​ The individual can address all requests concerning the exercise of rights in relation to personal data in writing to the Controller, namely to the address: tourist agency, HolidayMaldives, Abdullah Ma Al Mahmood sp, Novo Polje Cesta XIII 14, 1260 Ljubljana.

Due to the need for unique identification and the prevention of abuse, the Controller may request additional information from the Individual, and may refuse to take action only if it proves that it cannot reliably identify the Individual.

The Controller must respond to the request of the Individual, with which he exercises his rights in relation to personal data, without undue delay and at the latest within one month of receiving the request.

This Policy is valid from 03/04/2022.