Privacy Policy


Baška Voda, Ulica Stjepana Radića  2

OIB 38304309304

Management Board

Baška Voda, 13 August 2023

Pursuant to Art. 3, paragraph 1 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Art. 1 of the Articles of Association, on 16 August 2023, Managing Director of the Company adopts the following

Company Website Visitor 

Personal Data Protection Policy

(Effective date: 14 August 2023)

Data Controller

Company HOTELI BAŠKA VODA d.d.(“HBV”) respects your privacy and undertakes to protect it during and after your visit to this website (“Website”), during visits to our facilities, business premises, and when you use any of our products or services (Grand Hotel Slavia, Horizont Hotel, restaurants, Beach bar).

Designated employees of HBV act as data controllers (“Data Controller”), while this privacy policy (“Privacy Policy”) provides insight into our practices regarding the collection and processing of personal data.


As Data Controller, we process your personal data in accordance with the applicable rules on the protection of personal data, in particular in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Law on the Implementation of the General Data Protection Regulation (Official Gazette, 42/2018).

Types of personal data that will be processed

Grand Hotel Slavia and Horizont Hotel collect and process the following personal data:

  • Your name and surname, address, postal code and city, country, e-mail, telephone number or mobile phone number; place, country and date of birth; citizenship; visa number if you are subject to the visa regime; place of entry into the Republic of Croatia; credit card information (card type, card number, name on the card, expiration date and security code); arrival and departure time information (including preferences about the unit, amenities, or any other services used); people you are traveling with; any special requests related to the provision of our services; information about the services you used; information about your identification document; information about the airline and the vehicle used to get to our hotel; impressions about our services; information about the events you organize in our premises and the names of the participants at such events.

In addition to the above data about you, we can request such data about people traveling with you, including information about any minor children with the prior consent of parents/guardians.

  • Data on health, religious or philosophical beliefs and other special categories of personal data will be collected only if you personally voluntarily give them to us in order to provide you with a better service or to meet your special requests or needs (e.g. avoiding serving food to which you are allergic, providing access for persons with disabilities and the like). We will not actively request this type of data from you on our own initiative.

We collect your personal data (only such personal data as are necessary for the provision of the service you requested) in cases where:

  • you use the contact form on the Website;

  • you contact us via info e-mail indicated on the Website;

  • you fill out the form for booking accommodation in our facility;

  • you contact us or connect with us via social networks;

  • we photograph the events and activities organized by us;

  • you sign up for our newsletter/news;

  • you are a visitor to our business premises/hotel;

  • we cooperate with you as our suppliers/business partners;

  • we issue an invoice for our products/services.

Grand Hotel Slavia and Horizont Hotel will not collect any personal data unless you provide them to us voluntarily, except for certain personal data collected through IT systems and software used for the Website operation, the transfer of which is inherent in the use of internet communication protocols (e.g. IP addresses when logging into the contact form) and will not require more information than is necessary to participate in certain activities.

IP addresses are numbers that are unique to any computer currently connected to the internet. They are used to identify recipients and senders of data over the internet. Our server records the IP address of your PC during any transaction within the booking system for safe transfer and protection against misuse of your data. User personal data are not available outside the booking system.

Use of Website by minors

Please note that any personal data processing may refer only to persons who have reached the age of 18. It is prohibited to use any data of users below that age limit except with an appropriate consent of a parent/guardian. If, despite this, such data processing occurs, we will stop it as soon as we become aware of it and delete any data of such persons.

Denial of consent

If you are unwilling to provide your personal data (except for personal data related to the use of internet communication protocols that are usually collected when visiting a website), you can still access our Website, but you will not be able to log in to the contact form, or contact us, book accommodation, make purchases, or receive news from us.

At the entrances to the area of any event organized by us, which will be filmed and photographed, Privacy Policy will be clearly displayed, with a clear notice that you may be filmed and/or photographed, which is also our legitimate interest since the event is organized by us. If you do not want to be recorded/photographed, do not enter the recording/photographing area. We will not publish anywhere any recordings or pictures of children (under 16 years of age) in which they can be recognized without first obtaining the consent of their legal representatives.

The provision of information by a visitor/sender is voluntary and there is no contractual obligation or requirement for the visitor/sender to do so. Data Processor will not create profiles from the collected information, i.e., there is no automated decision-making.


Our Website uses cookies. Cookies are text files that are stored in the computer system via the internet browser.

According to the Electronic Communications Law, we can store cookies on your device if they are absolutely necessary for the operation of our Website. We need your consent for any other type of cookies. This Website uses different types of cookies. Some cookies are set by third parties that appear on our pages.

Necessary cookies

Necessary cookies help make the Website useful, enabling basic functions such as navigating the Website and accessing secure areas of the Website. The Website cannot function properly without these cookies. Necessary cookies can be stored independently of the consent of the Website user in accordance with the law.

Purpose: Necessary for user browsing. It serves for the normal functioning of the Website.

Duration: session

Analytical cookies

These cookies collect information about how visitors use the Website, for example which pages are visited by visitors most often. We use them to improve the functioning of our Website. However, some of them may be third-party cookies, and the data we collect may be used for purposes unknown to us as the owner of the Website. See the privacy policies of such third-party processors for more information. Cookie name: _ga

Provider: Google Analytics | Google Ireland Ltd. | | +35314361000

Barrow St, Grand Canal Dock, Dublin, 4, Ireland

Purpose: uses Google Analytics to distinguish users

Duration: Expires after 2 years by default. It is based on the consent of the subject. Cookie name: _gat

Provider: Google Analytics | Google Ireland Ltd. | | +35314361000 Barrow St, Grand Canal Dock, Dublin, 4, Ireland

Purpose: uses Google Analytics to regulate request rate

Duration: temporary cookie, expires after 1 minute. It is based on the consent of the subject. Cookie name: _gid

Provider: Google Analytics | Google Ireland Ltd. | | +35314361000 Barrow St, Grand Canal Dock, Dublin, 4, Ireland

Purpose: used for user identification

Duration: temporary cookie, expires after 24 hours. It is based on the consent of the subject.

Marketing cookies

Marketing cookies are used to track visitors through websites. The intent is to display ads that are relevant to a particular user and encourage them to participate, which is important for third-party advertisers.

Cookie name: Facebook _fbp

Provider: Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States of America. If the person lives outside the United States or Canada, Data Controller is Facebook Ireland Ltd., 4 Square Grand Canal, Grand Canal Harbour, Dublin 2, Ireland. The data protection rules published by Facebook are available at

Purpose: This cookie helps deliver ads to people who have already visited our Website when they are on Facebook or a digital platform powered by Facebook advertising. It is used by Facebook to deliver a series of advertisements on Facebook.

Duration: session. It is based on the consent of the subject

Social networks

It collects personal data about its contacts on social networks (Facebook, Instagram, etc.) but does not contact them except in the case of responding to an inquiry or comment.

Provisions on the protection of data regarding the application and use of: Facebook, Instagram, LinkedIn

On its websites, Data Controller can integrate or has integrated components of Facebook, Instagram, LinkedIn.

Facebook and Instagram are social networks operated by Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States of America. If the person lives outside the United States or Canada, the Data Controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy policies published by Facebook and Instagram are available at i and provide information on the collection, processing and use of personal data on these social networks.

LinkedIn is a business social network operated, for users using the service within the EU, EEA and Switzerland, by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

Privacy policy published by LinkedIn are available at: and provide information on the collection, processing and use of personal data on that social network.

Direct marketing – newsletter

Through the Newsletter, HBV sends information related to events organized  by HBV independently or in cooperation with its business partners. The Newsletter is sent in a period preceding a specific event or another activity organized by HVB. Each Newsletter recipient is provided with a simple and quick unsubscribe option with a single-click unsubscribe feature included in each Newsletter. Hoteli Baška Voda dd acts as Data Processor for sending the Newsletter and collects statistical data related to the opening of e-mails and clicks on URLs in order to monitor and improve the sending of e-mails, and to analyse interest in specific content. The Newsletter is sent based on legitimate interest when we are already cooperating and communicating with you or on the basis of your consent given by signing up for our Newsletters. Data is stored until the person withdraws consent or objects to our contact based on legitimate interest.

If you have given your consent for marketing purposes, you can always withdraw your consent and stop receiving our Newsletter (e.g. if you no longer want to receive our Newsletter, click on the unsubscribe link).

Purposes, legal basis of processing and possible consequences of not providing personal data

When you provide your personal data, we will limit the use of such personal data to the purpose for which they were collected in accordance with the terms of this Privacy Policy. Personal data is processed on the basis of your consent and our legitimate interest, for the performance of a contractual obligation, and on the basis of our legal duty. The processing of personal data is limited only to the purpose for which they were collected in accordance with the terms of this Privacy Policy. When we process data on the basis of your consent, we process only the personal data that you voluntarily gave us when communicating with us, for the purpose of responding to your questions, when you fill out the application form for booking accommodation, when you sign up for our Newsletters. The purpose of the processing is to take steps according to your request, for example, answering questions and comments, communicating about your activities on the Website, receiving your requests for accommodation booking and the like. On the basis of our legitimate interest, we process your personal data when you access our Website (IP address), when we send you a Newsletter as a customer with whom we already cooperate, when we photograph the events and activities we organize, as well as when we record you with surveillance cameras during your visits to our business locations. If we organize an event or other activities during which we photograph and film our guests, we will do so either on the basis of our legitimate interest, of which you will be informed in advance and before entering the filming/photographing area, or you will be asked for your consent beforehand. The purpose of this processing includes the investigation of suspected fraud, harassment, physical threats or any other violations of the Website's rules or any suspicious behaviour that we consider inappropriate. The recordings/pictures of the participants at our events are processed for the purpose of promoting the event. In order to fulfil contractual obligations and on the basis of laws and regulations, we are obliged to process your personal data when you buy our products, or use our services. On the basis of our legal obligation, we are obliged to process certain information when legally required to do so, such as a special law that prescribes what data we are obliged to collect about the guests to whom we provide accommodation services, the law that orders us to keep received and issued invoices. The data of business partners and suppliers are specially processed (e.g. agreements regarding the provision of services), and in addition we also process the contact data of our business partners who are physical persons as well as of their employees (e.g. first and last name, official telephone/mobile phone number, e-mail address), as well as customers due to issuing invoices.

Sources from which your data are collected

We may collect your personal data from the following sources

  • directly from you (via web contact forms, paper forms, e-mail correspondence, telephone conversations, personally through a conversation with you);

  • from other persons (e.g. travel agencies and event organizers who provide us with your data related to your stay with us, online platforms where you have booked our services, from persons traveling with you, from persons employed or otherwise engaged by your employer with whom we have a contract for the provision of services). In such cases, we rely on the fact that the persons who provide us with your personal data or give instructions for their processing are authorized to do so and that they have given you all the necessary information and obtained your approval if the same is necessary for providing the data to us;

  • from publicly available sources (e.g. court register, websites of business entities and other publicly available information);

  • through the video surveillance system installed in our premises;

  • in the event that you provide us with personal data of other persons, it is your responsibility to ensure that the person whose data you have provided us with is familiar with it and informed about the way in which we use their personal data.

Video surveillance

Video surveillance is used in our premises for the following purposes:

  • to protect the safety of our employees and other persons who are in our business premises for any reason and to protect their property;

  • to reduce the exposure of our employees to the risk of robbery, burglary, violence, theft or similar events at work or in connection with work, and to protect our property;

  • to protect the safety of our guests or other persons who for any reason find themselves in the premises under our control and to protect their property;

  • to protect the assets of Hoteli Baška Voda.

Preventing unauthorized entry

The processing of personal data obtained through video surveillance is carried out on the basis of a legitimate interest in the protection of persons and property. Recordings are automatically deleted after a maximum of 6 months, overwritten with newer content. Access to the video surveillance system is granted only to persons who need it for the performance of their tasks, and recordings are viewed only in the event that we learn that there is a justified reason to achieve one of the above purposes (with the approval of an authorized person), whereby only recordings relevant for such reasons can be exempted and kept longer, as long as there is a need and a legal basis for this. We do not deliver video surveillance recordings to any third parties, except when there is a relevant request or order from a competent government body (e.g. police, state attorney's office, courts, labour inspectorate). Recordings can be used as evidence in court, administrative, arbitration or other equivalent proceedings, in accordance with the applicable procedural rules applicable in such proceedings. The video surveillance system is not linked with other systems, nor do we use video surveillance for profiling or automatic decision-making.

Recipients of personal data

We are obliged to submit personal data of our visitors to the national visitor registration system - eVisitor. Exceptionally, on the basis of a written request based on applicable regulations, we are obliged to provide or enable access to certain personal data to competent government authorities (e.g. courts, police forces, regulatory bodies, etc.). Only when it is necessary to provide our service, personal data is forwarded to reliable partners (data processors) for the purpose of enabling user support, maintaining the information system or similar needs with mandatory data protection measures.

Data sharing with

In this section, we would like to inform you about the way we share data with We are in partnership with B.V. headquartered at Herengracht 597, 1017 CE Amsterdam, the Netherlands ( ) (“”) in order to provide you with an online accommodation reservation service. Although we are responsible for the content on this Website and you make the reservation directly through our site, the booking process itself takes place through The information you enter on that website will also be available to and its partners. This may include personal data such as your name, contact information, payment information, names of guests traveling with you, or any other information you provided during the booking process.

For more information about the group to which belongs, please visit the website About will send you a booking confirmation, an e-mail before your arrival and provide you with information about the facility and its surroundings. will also provide you with Customer Service available 24/7 from its local offices in more than 20 languages. Providing information to Customer Service enables a quick response if you need help. may use your personal data for technical, analytical or marketing purposes, as set out in's Privacy Policy. This may mean that other companies of the Booking Holdings Inc. group will also have access to your personal data for the purpose of analysis and to ensure they are able to prepare offers related to travel customized for you, and offer you a completely personalized service. If required by applicable law, will first ask for your consent. If your data is transferred to a country outside the European Economic Area (EEA), will enter into agreements to ensure that your personal data continues to be protected in accordance with European standards. In case of any questions related to's processing of your personal data, please contact:

Your personal data may be shared with BookingSuite B.V. with headquarters at Herengracht 597, 1017 CE Amsterdam, in the Netherlands, the company that operates this Website and the website

Transfer of personal data to third countries

The information we collect is stored within the European Union (EU) and the European Economic Area (EEA) excluding Switzerland, but may also be transferred to and processed in a country outside the EU and EEA, in particular the USA.

  1. Any such transfer of personal data will be carried out in accordance with applicable legal regulations. For such transfers, we use Standard Contractual Clauses and appropriate protective measures, which guarantee adequate protection of personal data.

Data retention

Personal data are processed only for the time necessary to achieve the purpose of their processing. Personal data that we process on the basis of your consent are processed only until your consent is withdrawn, while you can object to the processing of personal data on the basis of legitimate interest. Your personal data processed based on your inquiries from the contact form are kept for 2 years from the date of receipt, while data of business partners and suppliers are kept until the termination of business cooperation, and are not delivered to third parties, nor exported to third countries. In doing so, we do not collect any data of a private nature, but only data related to the fulfilment of work tasks.

All other personal data that we process on the basis of the performance of the contractual relationship and on the basis of our legal obligations are stored in accordance with the applicable regulations laying down the data storage time (e.g. the Accounting Act). Exceptionally, your personal data will be kept longer than the stated deadlines when it is necessary to fulfil mutual legal requirements.

Upon expiration of the storage term, your stored personal data printed on paper will be safely destroyed, for example by shredding or burning, while data in electronic form will be irreversibly deleted.

Your rights and exercise of your rights

  • The right to rectification:

If we process your personal data that is incomplete or incorrect, you can ask us to correct or supplement them at any time.

  • The right of access:

You have the right to receive a confirmation about whether we process your personal data or not, and where this is the case you have the right under the conditions of Art. 15 of GDPR to request access to such data.

  • The right to erasure:

You can ask us to erase your personal data, if we have processed them unlawfully or if such processing represents a disproportionate encroachment on your protected interests. Please note there are reasons that prevent immediate erasure, for example compliance with a legal obligation that requires processing.

  • The right to restrict processing:

You can ask us to restrict the processing of your data:

  • if you dispute the accuracy of the data during the period that allows us to check their accuracy;

  • if the data processing was unlawful, but you refuse the erasure and instead request the restriction of the use of the data;

  • if we no longer need the data for the intended purposes, but you still need them to fulfil legal requirements;

  • if you have filed an objection regarding the distribution of such data.


  • The right to data portability:

You can ask us to deliver the data you have entrusted to us in a structured form for archiving, in a common machine-readable format:

  • if we process this data on the basis of your consent, which you can revoke, or for the purpose of executing a contract;

  • if the processing is done using automated processes.

  • The right to object:

If your data are distributed for the purpose of performing tasks of public interest or tasks of public bodies, or if when processing them we refer to our legitimate interests, you can object against such data processing if there is an interest in protecting our data.

  • The right to file a complaint:

If you are of the opinion that we have violated any Croatian or European data protection regulations when processing your data, please contact us in order to clarify any questions. You certainly have the right to file a complaint with the competent supervisory body, which is the Personal Data Protection Agency, Martićeva 14, Zagreb.

Exercise of your rights

If you wish to exercise any of the above rights, please contact us using our contact details in this Privacy Policy.

When you submit a request in order to exercise your rights, we are obliged to establish your identity first, and for this purpose we will ask for additional information to verify it. This serves to protect your rights and privacy.

If you use any of the above rights too often and with the obvious intent of abuse, we may charge an administrative fee or refuse to process your request.

Security practices

The security of your personal data is extremely important to us, so we have put in place appropriate physical, electronic and control procedures to protect the data we collect. However, due to the inherent open nature of the internet, we cannot guarantee that communications between you and us or

information stored on the Website or on our servers to be completely secure from unauthorized access by third parties. To the fullest extent permitted by applicable law, we disclaim any responsibility and liability for any damages you may suffer as a result of any loss, unauthorized access, misuse or alteration of any information you submit to the Website.

Changes and updates to our Privacy Policy

HBV reserves the right to change or update this Privacy Policy at any time and without prior notice. Please check from time to time for any changes or updates to our Privacy Policy, which will be posted here and will show the updated effective date on the first page of the Privacy Policy if any changes or updates are made.

Contact information

If you have any questions or comments regarding the Website or the Privacy Policy, you can contact us through our contact available on , by e-mail at  or by phone at: +385 21 604 976.


Managing Director