Concerning the collection and processing of personal data
VILLA DUBROVNIK d.d., Branch for Tourism ŠIBENIK(hereinafter: the “Company”) pays great attention to the protection and processing of personal data. In performing its registered activity, the Company processes personal data in compliance with all relevant laws and regulations.
(1) The Head of Processing is responsible for data processing:
VILLA DUBROVNIK d.d., Branch for Tourism Šibenik, HR – 22000 Šibenik, Obala Jerka Šižgorića 1, OIB: 66669628743
T. +385 (0)22 331 452
(2) The Data Protection Officer (DPO) is:
Mr. Marko Rašica and is available for contact: T. +385 (0) 1 8891 027
(3) When we use the services of third-party personal data processing providers (“Processor”), we speak of commissioned processing (of personal data). In these cases, we are responsible for protecting your personal data. We do not use service providers outside the EU to process your personal data. Exceptionally, if necessary, we will only do so, if there is a decision by the European Commission on the suitability of that third country or if we have agreed on appropriate guarantees and on compliance with binding rules for the protection of personal data with that service provider as a Processor.
This Information sheet on the collection and processing of personal data (hereinafter: “Information”) describes what data we collect, how we process it and for which purposes we use it as well as, your rights related to your data. The purpose of this Information is to inform you about all relevant characteristics of the collection, processing and storage of your personal data. This applies to all personal data that you have shared with us electronically or by way of written or verbal communication or that has been shared with us through a travel agency and other groups with whom you are, either in a contractual or other similar relationship to, as well as data collected through other sources.
Personal data we collect
We process the following personal data:
a) Your basic personal data, that you or third parties make available to us whilst making a reservation – Name, surname, country and city and address of residence, e-mail address, telephone number, a child’s age, name and surname of a child and its date of birth, special requirements and habits as well as data about your travel companions; data required for making a reservation – credit card number, emergency contact information – name and surname, telephone number; other necessary data – e-mail address, health related data – in case of special dietary requests or the need for a medical doctor or information about epidemiological measures (COVID-19, etc.), internet related data – IP address, visits to the web pages, data from social media and similar data with regards to the use of Internet browsers.
b) Registration and deregistration of the guest – Name and surname, date of birth, gender, identity document number (identity card, passport, driver’s license), credit card number, country of birth, citizenship, visa number if the guest is subject to a visa regime, border crossing. place of entry into the Republic of Croatia, the guest’ s date of arrival at the facility and the departure date.
c) Use of hotel services – data on the guest’s consumption during their stay in the hotel. Data on the type of service provided and its price, e.g.: room service, list of telephone calls, use of minibar, use of bar, a la carte, list of watched movies, data on internet use – IP address, website visits, data from social media networks and similar data regarding the use of Internet browsers, the use of transport services, excursions and such. Data about a guest’s special requests is also collected in order for the Company to offer the required quality of service.
d) Monitoring and improving the quality of hotel services – name and surname, gender, age, the guest’s country of origin and the period of stay at the hotel, evaluation grades for each type of service, comments. Data collection is voluntary.
Purpose of collecting personal data and legal basis of processing
The Company determines the purpose and means of personal data processing and in that sense is considered the head of personal data processing. The main reason for collecting personal data is a legal obligation and / or to conclude and execute accommodation contracts, provide catering as well as tourism and travel-related services and so action can be taken upon your request before and for the duration of the contract. The scope of personal data we collect depends on the type of contract you intend to enter into or conclude or on the request for the execution of rights (type of service that is provided and price). Actions that are taken upon your request before entering into an agreement include checking your requirements and needs, if necessary, checking the suitability or appropriateness of products and services for your specific circumstances, all with the aim of making an offer and / or informative calculation. If you are not a contracting party but a person entitled to an allotment contract, a contract with a travel agency, etc., the purpose of collecting your personal data is either to fulfil the Company’s obligations arising from the contract or the collection of your data is necessary to enter into an agreement or to identify the users of the service e.g., in the case online booking platforms. In this case, the amount of personal data we collect depends on the type of request made and the information is needed to fulfil this request. The purpose of personal data processing may be part of the Company’s obligation of fulfilling contracted services with such a service provider.
We process your basic personal data and data of guest registration and deregistration on the basis of the legal obligation of entering them into the eVISITOR system, this in accordance with the regulations on the manner of keeping tourists records, in line with the form and content of the Tourist Board’ s tourist registration form and in accordance with the Tourist Tax Act or for use of the Ministry of the Interior in accordance with the Alien Act, providing the above information is also necessary to make a booking (in case of changes in regulations and/or new regulations, these will be directly applicable to this Information). We delete the aforementioned data after the transfer thereof to the eVISITOR system, i.e., after having submitted them to the Ministry of the Interior.
Consequently, the collecting of personal data with regard to a defined purpose is a legal and contractual obligation and a condition necessary for entering into an agreement. If you refuse to provide certain information, we will not be able to fulfil our legal or contractual obligations, which will result in the inability to enter into accommodation agreements and perform catering as well as tourism and travel-related services and the inability to fulfil the contractual obligations.
In order to fulfil our contractual obligation to provide hotel services, our Company’s internal rules require the data for an advanced order confirmation and it is not possible to make a reservation and therefor to enter into the said accommodation contract, without providing the aforementioned data which are kept until the termination of the accommodation contract.
The credit card number is collected because it is needed to enter into and execute the agreement with the guest. It is used as assurance for payment for the accommodation and for other services that may be incurred in the event that the guest does not settle his/her debt to the Company. This information is also used to pay for service.
Data on the use of hotel services are collected and processed for the purpose of fulfilling a contractual obligation. Data on a guest’s consumption during their stay at the hotel is also needed for fulfilment of the agreement and in order to issue an invoice for the provided services.
In case of emergency, we process contact information based on legitimate interests or potential situations when it is necessary and urgent to transmit certain relevant information to people close to you (in case of extraordinary circumstances such as illness, an accident, etc.). We process other needed data i.e., the e-mail address out of legitimate interest for the purpose of maintaining good communication between the contracting parties for the purpose of execution of all parts of the agreement or for easier communication with regard to the organization of your arrival and the reservation of your accommodation, which data we also delete after the agreement with regard to the offering of the accommodation service agreement has terminated.
Special categories of personal data
In principle, the following types of personal data are not processed: data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of unique identification of an individual and data related to health, sexual life and sexual orientation of the individual.
However, the Company does process the above-mentioned categories of personal data in the following situations:
1) the guest has given his explicit consent to the processing of such personal data for one or more specific purposes, unless applicable regulations state that such consent does not produce that effect;
2) processing is necessary to protect the vital interests of the respondent or another individual if the guest is physically or legally unable to give consent;
3) processing refers to personal data that are obviously published by the guest, 4) processing is necessary for the establishment, realization or defense of legal claims or whenever the courts act in a judicial capacity; 5) processing is necessary for the needs of significant public interest on the basis of applicable regulations which is proportional to the desired goal and which respects the essence of the right to data protection and provides appropriate and special measures to protect fundamental rights and interests of respondents; 6) processing is necessary for the purpose of preventive medicine, medical diagnosis, provision of health or social care or treatment or management of health or social systems and services on the basis of applicable regulations.
All your personal data that you or a third party provide to us are processed in accordance with the purpose of their processing (please note that if you travel with children under 16, we process their personal data regardless of the purpose, only with your explicit consent).
There is a possibility of use of an internal network of surveillance cameras and other security measures in our facilities, these can take pictures or record videos of guests and process information related to your location while you are in our facility (via keys-cards and other technologies), all for legitimate security interests.
Links to third party websites and services
The Company will take all reasonable steps to protect your personal information from unauthorized access, disclosure, alteration or destruction and to keep personal information as accurate and up-to-date as possible. We require of our partners and service providers with whom we share personal information to make reasonable efforts to maintain the confidentiality of your personal information. For online transactions, we apply a reasonable level of technological measures to protect the personal information you share with us through our website. In doing so, of course, we must take into account that no security system or Internet data transmission system can guarantee complete security.
Links to third party websites and services
The Company will take all reasonable steps to protect your personal information from unauthorized access, disclosure, alteration or destruction, and to keep personal information as accurate and up-to-date as possible. We require our partners and service providers with whom we share personal information to make reasonable efforts to maintain the confidentiality of your personal information. For online transactions, we apply a reasonable level of technological measures to protect the personal information you share with us through our website. In doing so, of course, we must take into account that no security system or Internet data transmission system can guarantee complete security.
Legitimate interest of the Company for the purpose of personal data processing
We will process your personal data for the purposes of our legitimate interest, except when your interests or your fundamental rights and freedoms that require the protection of personal data, take precedence over that interest. The legitimate interests of the Company in this regard are the processing of personal data in order to fully adapt our service to your needs and desires (e.g., special family packages, etc.). We may also use this data for our internal statistical and analytical purposes.
You can object to this legitimate interest of the Company at any time, in which case we will no longer process your data for this purpose, and this will not affect the legality of processing until the day of withdrawal. In any case, for direct marketing we need your explicit consent.
Consent is the legal basis for collecting personal data about monitoring the hotel’s quality of service. The Company cares about your opinion about the provided service and for this purpose we would like to ask you to fill out the quality questionnaires and evaluate us. This allows us to analyse various aspects of our service so that we can develop and improve it even more.
The questionnaire informs the guest that sharing any personal data is voluntary. The guest decides whether he/she will fill out the questionnaire or not, and if he/she indeed fills it out, he/she decides whether he/she will share personal data and if so, which. If the processing of the above data is based on your consent, we process the data until you withdraw your consent in this regard or request their deletion. Following this, based on your consent, we may also process other personal data beyond those listed in this Information. In this regard, we would like to point out that in accordance with applicable regulations, despite the respondent’s request to do so, the company does not delete this data to the extent necessary for the processing of such personal data: a) to comply with the legal obligation to process this data and to which regulations the company is subject, or to perform a task of public interest, b) for expression and information; c) for the benefit of the public interest in relation to public health d) for purposes of public interest, historical or scientific research or for statistical purposes or to satisfy or defend legal claims.
When processing your personal data based on your consent, we partly use automated processing or profiling processes to establish more individual contact with you and to be able to fully adapt our service to your needs and desires (e.g., special family packages, etc.).
With regard to giving marketing consent for which we ask your explicit consent, your personal data may exceptionally be subject to automated processing on the basis of which your profile is created for the purpose of analyzing services and rights and improving the quality of business relations. We will carry out automated decision-making, which includes profile creation, in cases of creating your client profile for the purpose of analyzing services provided and exercised rights and for the purpose of improving the quality of business relations and data processing based on consent for marketing purposes. In order to inform you about the benefits and novelties from our offer. If such processing of personal data is not necessary for concluding or executing a contract, you have the right to request that the outcome of the processing be decided by an employee of the Company, the right to express one’s views and the right to challenge a decision made by automated processing. We hereby also note that the use of your personal data for marketing purposes is possible only with your explicit consent. If you provide us with this consent, we will promptly inform you of all benefits, discounts, events and related services that we believe would be of interest to you. You can withdraw your consent at any time by notifying us via the contact provided in the introductory part of this Information.
To whom your personal information will be disclosed
The Company ensures that your personal data is processed exclusively for the purposes set out in this document. The purpose of personal data processing will require that your personal data be disclosed and that it be processed by other companies and persons in the capacity of Processor. The categories of Processors to whom your data will be disclosed include state and public authorities in accordance with the legal obligations of the Company, health care institutions, IT and legal service providers, delivery service providers and such. We may share the collected personal data with entrepreneurs who provide services that may be of interest to you, in accordance with your request (e.g., regarding the rental of a personal vehicle (rent-a-car) or boat, tickets for a particular event, cinema, theatre, restaurant, etc.).
Personal data processers, with the exception of state and public authorities, process data exclusively according to the Company’s instructions, while respecting technical and organizational measures to ensure the protection of your rights.
Where your personal data will be processed
The processing of your personal data will be carried out within the European Economic Area (by exception it may also be carried out outside the European Economic Area), but will in any case be carried out by a Processor whose responsibilities and obligations for the protection of personal data and applicable technical and organizational measures of protection are prescribed by the contractual relationship, in accordance with all legal regulations regarding the protection of personal data.
The period in which personal data will be stored
Your personal data will only be stored for as long as necessary to fulfil the purpose for which it is processed. The period of retention of personal data depends on the purpose of its collection. When entering into agreements with regards to accommodation, hotel services as well as catering and tourist services, this period will be determined by the duration of the agreement itself i.e., payment for these services in terms of the legal obligation to keep documents. The extension of this period is prescribed by the Company’s internal rules, which in turn depend on the statutory limitation periods for claims and whether these limitation periods can be extended due to statutory retention periods, as in the case with accounting documents.
Rights in relation to personal data collected
In relation to the data, you have disclosed to us, you have (I) the right to inspect the personal data being processed, (II) the right to correct or delete personal data, (III) the right to restrict processing, (IV) the right to object to processing, (V) the right to transfer data to another Processor, (VI) the right to withdraw consent, (VII) the right to object to the supervisory authority. To exercise all of the rights listed here, simply notify us using the contact details as shown in the introduction to this information.
For more information, our Personal Data Protection Policy is available on our website www.dresortsibenik.com.
The right to file a complaint with the supervisory authority
You can file a complaint against the processing of your personal data with the competent supervisory authority at any time, in accordance with the Act on the Implementation of the General Regulation on Personal Data Protection or other positive legal regulation regarding the protection of personal data and determines the supervisory powers regarding personal data processing.
We may change this Information from time to time. When we make material changes to this Information, we will post a link to the modified Information on the homepage of our website. Any changes to the Information will become effective upon posting the changed Information on the Website.
This Information on the collection and processing of personal data shall apply from 25 May 2018 in accordance with EU Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data from 27 April 2016. Data Protection Regulation (GDPR) and in accordance with the Act Implementing the General Data Protection Regulation (OG 42/2018)1.
1 Note: All terms used in the text that have a gender meaning, regardless of whether they are used in the masculine or feminine gender, are gender neutral.