HOTELI BAŠKA VODA d.d.
Baška Voda, Ulica Stjepana Radića 2
Baška Voda, 13 August 2023
Pursuant to Art. 3, paragraph 1 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Art. 1 of the Articles of Association, on 16 August 2023, Managing Director of the Company adopts the following
Company Website Visitor
Personal Data Protection Policy
(Effective date: 14 August 2023)
Company HOTELI BAŠKA VODA d.d.(“HBV”) respects your privacy and undertakes to protect it during and after your visit to this website (“Website”), during visits to our facilities, business premises, and when you use any of our products or services (Grand Hotel Slavia, Horizont Hotel, restaurants, Beach bar).
As Data Controller, we process your personal data in accordance with the applicable rules on the protection of personal data, in particular in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Law on the Implementation of the General Data Protection Regulation (Official Gazette, 42/2018).
Types of personal data that will be processed
Grand Hotel Slavia and Horizont Hotel collect and process the following personal data:
Your name and surname, address, postal code and city, country, e-mail, telephone number or mobile phone number; place, country and date of birth; citizenship; visa number if you are subject to the visa regime; place of entry into the Republic of Croatia; credit card information (card type, card number, name on the card, expiration date and security code); arrival and departure time information (including preferences about the unit, amenities, or any other services used); people you are traveling with; any special requests related to the provision of our services; information about the services you used; information about your identification document; information about the airline and the vehicle used to get to our hotel; impressions about our services; information about the events you organize in our premises and the names of the participants at such events.
In addition to the above data about you, we can request such data about people traveling with you, including information about any minor children with the prior consent of parents/guardians.
Data on health, religious or philosophical beliefs and other special categories of personal data will be collected only if you personally voluntarily give them to us in order to provide you with a better service or to meet your special requests or needs (e.g. avoiding serving food to which you are allergic, providing access for persons with disabilities and the like). We will not actively request this type of data from you on our own initiative.
We collect your personal data (only such personal data as are necessary for the provision of the service you requested) in cases where:
you use the contact form on the Website;
you contact us via info e-mail indicated on the Website;
you fill out the form for booking accommodation in our facility;
you contact us or connect with us via social networks;
we photograph the events and activities organized by us;
you sign up for our newsletter/news;
you are a visitor to our business premises/hotel;
we cooperate with you as our suppliers/business partners;
we issue an invoice for our products/services.
Grand Hotel Slavia and Horizont Hotel will not collect any personal data unless you provide them to us voluntarily, except for certain personal data collected through IT systems and software used for the Website operation, the transfer of which is inherent in the use of internet communication protocols (e.g. IP addresses when logging into the contact form) and will not require more information than is necessary to participate in certain activities.
IP addresses are numbers that are unique to any computer currently connected to the internet. They are used to identify recipients and senders of data over the internet. Our server records the IP address of your PC during any transaction within the booking system for safe transfer and protection against misuse of your data. User personal data are not available outside the booking system.
Use of Website by minors
Please note that any personal data processing may refer only to persons who have reached the age of 18. It is prohibited to use any data of users below that age limit except with an appropriate consent of a parent/guardian. If, despite this, such data processing occurs, we will stop it as soon as we become aware of it and delete any data of such persons.
Denial of consent
If you are unwilling to provide your personal data (except for personal data related to the use of internet communication protocols that are usually collected when visiting a website), you can still access our Website, but you will not be able to log in to the contact form, or contact us, book accommodation, make purchases, or receive news from us.
The provision of information by a visitor/sender is voluntary and there is no contractual obligation or requirement for the visitor/sender to do so. Data Processor will not create profiles from the collected information, i.e., there is no automated decision-making.
According to the Electronic Communications Law, we can store cookies on your device if they are absolutely necessary for the operation of our Website. We need your consent for any other type of cookies. This Website uses different types of cookies. Some cookies are set by third parties that appear on our pages.
Necessary cookies help make the Website useful, enabling basic functions such as navigating the Website and accessing secure areas of the Website. The Website cannot function properly without these cookies. Necessary cookies can be stored independently of the consent of the Website user in accordance with the law.
Purpose: Necessary for user browsing. It serves for the normal functioning of the Website.
These cookies collect information about how visitors use the Website, for example which pages are visited by visitors most often. We use them to improve the functioning of our Website. However, some of them may be third-party cookies, and the data we collect may be used for purposes unknown to us as the owner of the Website. See the privacy policies of such third-party processors for more information. Cookie name: _ga
Provider: Google Analytics | Google Ireland Ltd. | analytics.google.com | +35314361000
Barrow St, Grand Canal Dock, Dublin, 4, Ireland
Purpose: uses Google Analytics to distinguish users
Duration: Expires after 2 years by default. It is based on the consent of the subject. Cookie name: _gat
Provider: Google Analytics | Google Ireland Ltd. | analytics.google.com | +35314361000 Barrow St, Grand Canal Dock, Dublin, 4, Ireland
Purpose: uses Google Analytics to regulate request rate
Duration: temporary cookie, expires after 1 minute. It is based on the consent of the subject. Cookie name: _gid
Provider: Google Analytics | Google Ireland Ltd. | analytics.google.com | +35314361000 Barrow St, Grand Canal Dock, Dublin, 4, Ireland
Purpose: used for user identification
Duration: temporary cookie, expires after 24 hours. It is based on the consent of the subject.
Marketing cookies are used to track visitors through websites. The intent is to display ads that are relevant to a particular user and encourage them to participate, which is important for third-party advertisers.
Cookie name: Facebook _fbp
Provider: Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States of America. If the person lives outside the United States or Canada, Data Controller is Facebook Ireland Ltd., 4 Square Grand Canal, Grand Canal Harbour, Dublin 2, Ireland. The data protection rules published by Facebook are available at https://facebook.com/about/privacy/
Purpose: This cookie helps deliver ads to people who have already visited our Website when they are on Facebook or a digital platform powered by Facebook advertising. It is used by Facebook to deliver a series of advertisements on Facebook.
Duration: session. It is based on the consent of the subject
It collects personal data about its contacts on social networks (Facebook, Instagram, etc.) but does not contact them except in the case of responding to an inquiry or comment.
Provisions on the protection of data regarding the application and use of: Facebook, Instagram, LinkedIn
On its websites, Data Controller can integrate or has integrated components of Facebook, Instagram, LinkedIn.
Facebook and Instagram are social networks operated by Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States of America. If the person lives outside the United States or Canada, the Data Controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy policies published by Facebook and Instagram are available at https://facebook.com/about/privacy/ i https://help.instagram.com/519522125107875?helpref=page_content and provide information on the collection, processing and use of personal data on these social networks.
LinkedIn is a business social network operated, for users using the service within the EU, EEA and Switzerland, by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Direct marketing – newsletter
Through the Newsletter, HBV sends information related to events organized by HBV independently or in cooperation with its business partners. The Newsletter is sent in a period preceding a specific event or another activity organized by HVB. Each Newsletter recipient is provided with a simple and quick unsubscribe option with a single-click unsubscribe feature included in each Newsletter. Hoteli Baška Voda dd acts as Data Processor for sending the Newsletter and collects statistical data related to the opening of e-mails and clicks on URLs in order to monitor and improve the sending of e-mails, and to analyse interest in specific content. The Newsletter is sent based on legitimate interest when we are already cooperating and communicating with you or on the basis of your consent given by signing up for our Newsletters. Data is stored until the person withdraws consent or objects to our contact based on legitimate interest.
If you have given your consent for marketing purposes, you can always withdraw your consent and stop receiving our Newsletter (e.g. if you no longer want to receive our Newsletter, click on the unsubscribe link).
Purposes, legal basis of processing and possible consequences of not providing personal data
Sources from which your data are collected
We may collect your personal data from the following sources
directly from you (via web contact forms, paper forms, e-mail correspondence, telephone conversations, personally through a conversation with you);
from other persons (e.g. travel agencies and event organizers who provide us with your data related to your stay with us, online platforms where you have booked our services, from persons traveling with you, from persons employed or otherwise engaged by your employer with whom we have a contract for the provision of services). In such cases, we rely on the fact that the persons who provide us with your personal data or give instructions for their processing are authorized to do so and that they have given you all the necessary information and obtained your approval if the same is necessary for providing the data to us;
from publicly available sources (e.g. court register, websites of business entities and other publicly available information);
through the video surveillance system installed in our premises;
in the event that you provide us with personal data of other persons, it is your responsibility to ensure that the person whose data you have provided us with is familiar with it and informed about the way in which we use their personal data.
Video surveillance is used in our premises for the following purposes:
to protect the safety of our employees and other persons who are in our business premises for any reason and to protect their property;
to reduce the exposure of our employees to the risk of robbery, burglary, violence, theft or similar events at work or in connection with work, and to protect our property;
to protect the safety of our guests or other persons who for any reason find themselves in the premises under our control and to protect their property;
to protect the assets of Hoteli Baška Voda.
Preventing unauthorized entry
The processing of personal data obtained through video surveillance is carried out on the basis of a legitimate interest in the protection of persons and property. Recordings are automatically deleted after a maximum of 6 months, overwritten with newer content. Access to the video surveillance system is granted only to persons who need it for the performance of their tasks, and recordings are viewed only in the event that we learn that there is a justified reason to achieve one of the above purposes (with the approval of an authorized person), whereby only recordings relevant for such reasons can be exempted and kept longer, as long as there is a need and a legal basis for this. We do not deliver video surveillance recordings to any third parties, except when there is a relevant request or order from a competent government body (e.g. police, state attorney's office, courts, labour inspectorate). Recordings can be used as evidence in court, administrative, arbitration or other equivalent proceedings, in accordance with the applicable procedural rules applicable in such proceedings. The video surveillance system is not linked with other systems, nor do we use video surveillance for profiling or automatic decision-making.
Recipients of personal data
We are obliged to submit personal data of our visitors to the national visitor registration system - eVisitor. Exceptionally, on the basis of a written request based on applicable regulations, we are obliged to provide or enable access to certain personal data to competent government authorities (e.g. courts, police forces, regulatory bodies, etc.). Only when it is necessary to provide our service, personal data is forwarded to reliable partners (data processors) for the purpose of enabling user support, maintaining the information system or similar needs with mandatory data protection measures.
Data sharing with Booking.com
In this section, we would like to inform you about the way we share data with Booking.com. We are in partnership with Booking.com B.V. headquartered at Herengracht 597, 1017 CE Amsterdam, the Netherlands (www.booking.com ) (“Booking.com”) in order to provide you with an online accommodation reservation service. Although we are responsible for the content on this Website and you make the reservation directly through our site, the booking process itself takes place through Booking.com. The information you enter on that website will also be available to Booking.com and its partners. This may include personal data such as your name, contact information, payment information, names of guests traveling with you, or any other information you provided during the booking process.
Your personal data may be shared with BookingSuite B.V. with headquarters at Herengracht 597, 1017 CE Amsterdam, in the Netherlands, the company that operates this Website and the website suite.booking.com.
Transfer of personal data to third countries
The information we collect is stored within the European Union (EU) and the European Economic Area (EEA) excluding Switzerland, but may also be transferred to and processed in a country outside the EU and EEA, in particular the USA.
Any such transfer of personal data will be carried out in accordance with applicable legal regulations. For such transfers, we use Standard Contractual Clauses and appropriate protective measures, which guarantee adequate protection of personal data.
Personal data are processed only for the time necessary to achieve the purpose of their processing. Personal data that we process on the basis of your consent are processed only until your consent is withdrawn, while you can object to the processing of personal data on the basis of legitimate interest. Your personal data processed based on your inquiries from the contact form are kept for 2 years from the date of receipt, while data of business partners and suppliers are kept until the termination of business cooperation, and are not delivered to third parties, nor exported to third countries. In doing so, we do not collect any data of a private nature, but only data related to the fulfilment of work tasks.
All other personal data that we process on the basis of the performance of the contractual relationship and on the basis of our legal obligations are stored in accordance with the applicable regulations laying down the data storage time (e.g. the Accounting Act). Exceptionally, your personal data will be kept longer than the stated deadlines when it is necessary to fulfil mutual legal requirements.
Upon expiration of the storage term, your stored personal data printed on paper will be safely destroyed, for example by shredding or burning, while data in electronic form will be irreversibly deleted.
Your rights and exercise of your rights
The right to rectification:
If we process your personal data that is incomplete or incorrect, you can ask us to correct or supplement them at any time.
The right of access:
You have the right to receive a confirmation about whether we process your personal data or not, and where this is the case you have the right under the conditions of Art. 15 of GDPR to request access to such data.
The right to erasure:
You can ask us to erase your personal data, if we have processed them unlawfully or if such processing represents a disproportionate encroachment on your protected interests. Please note there are reasons that prevent immediate erasure, for example compliance with a legal obligation that requires processing.
The right to restrict processing:
You can ask us to restrict the processing of your data:
if you dispute the accuracy of the data during the period that allows us to check their accuracy;
if the data processing was unlawful, but you refuse the erasure and instead request the restriction of the use of the data;
if we no longer need the data for the intended purposes, but you still need them to fulfil legal requirements;
if you have filed an objection regarding the distribution of such data.
The right to data portability:
You can ask us to deliver the data you have entrusted to us in a structured form for archiving, in a common machine-readable format:
if we process this data on the basis of your consent, which you can revoke, or for the purpose of executing a contract;
if the processing is done using automated processes.
The right to object:
If your data are distributed for the purpose of performing tasks of public interest or tasks of public bodies, or if when processing them we refer to our legitimate interests, you can object against such data processing if there is an interest in protecting our data.
The right to file a complaint:
If you are of the opinion that we have violated any Croatian or European data protection regulations when processing your data, please contact us in order to clarify any questions. You certainly have the right to file a complaint with the competent supervisory body, which is the Personal Data Protection Agency, Martićeva 14, Zagreb.
Exercise of your rights
When you submit a request in order to exercise your rights, we are obliged to establish your identity first, and for this purpose we will ask for additional information to verify it. This serves to protect your rights and privacy.
If you use any of the above rights too often and with the obvious intent of abuse, we may charge an administrative fee or refuse to process your request.
The security of your personal data is extremely important to us, so we have put in place appropriate physical, electronic and control procedures to protect the data we collect. However, due to the inherent open nature of the internet, we cannot guarantee that communications between you and us or
information stored on the Website or on our servers to be completely secure from unauthorized access by third parties. To the fullest extent permitted by applicable law, we disclaim any responsibility and liability for any damages you may suffer as a result of any loss, unauthorized access, misuse or alteration of any information you submit to the Website.