Privacy policy
KRIŠTO TURIZAM d.o.o. for hotel management, Prosenička 14, Zagreb, OIB: 74581693165
1. Preliminary provisions
This Policy establishes an accountable and transparent framework for ensuring compliance with the General Data Protection Regulation.
The policy applies to all organizational parts of the company KRIŠTO TURIZAM d.o.o. (hereinafter referred to as the DATA PROCESSOR) and to all employees, including part-time workers and temporary workers, as well as to all external collaborators acting on behalf of the data controller.
2. Policy Statement
The Data Controller is committed to operating in accordance with all laws, regulations, and the highest standards of ethical business practices.
This policy sets out the expected conduct of employees of the controller and its external collaborators who are involved in the collection, use, storage, transfer, disclosure or destruction of any personal data belonging to employees, business partners of the controller and other natural persons. The purpose of the policy is to standardize the protection of the rights and freedoms of data subjects by preserving the privacy of their personal data in all aspects of the controller's business that include personal data. This policy establishes that KRIŠTO TURIZAM d.o.o. will not disclose personal data to a third party without authorization, nor act in a manner that endangers them.
3. Principles of personal data processing
The data controller adopts the following principles that will be adhered to when collecting, using, retaining, transferring and destroying personal data:
Personal data will be processed legitimately, fairly and transparently towards the data subject. This means that the controller will inform the data subject in all relevant situations about how the data will be processed (transparency), and the processing will be carried out exclusively in accordance with what has been said (fairness) and in accordance with the purpose prescribed in the applicable personal data protection law (legitimacy).
PURPOSE LIMITATION
Personal data will be collected for clearly defined and legitimate purposes and will not be processed in any way that is incompatible with those purposes. This means that the controller must clearly state what the collected data will be used for and limit the processing of personal data to only those processes that are necessary to achieve those purposes.
DATA MINIMIZATION
The personal data collected will be relevant and limited to what is necessary to achieve the purpose of their processing. This means that the controller will not collect, process or store more personal data than is strictly necessary.
DATA ACCURACY
The collected personal data will be accurate and up-to-date, which means that the controller will have developed procedures for detecting and resolving outdated, inaccurate and unnecessary personal data.
CAREFUL DATA STORAGE
Personal data will not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes of the processing. This means that the controller will, wherever possible, store personal data in a manner which limits or prevents identification of data subjects.
DATA SECURITY
Personal data will be processed and stored in a manner that ensures adequate protection against violations such as unauthorized and unlawful processing and accidental loss, destruction or damage to data. The controller will implement appropriate technological and organizational measures described in the Personal Data Security Policy to ensure the integrity and confidentiality of personal data at all times.
PRIVACY BUILT INTO SYSTEM DESIGN
When designing new and reviewing and expanding existing systems and processes of the controller, care will be taken to apply all of these principles in order to maximally protect the privacy of data subjects.
4. Personal data collected and legal basis for collection
4.1. Reasons for collecting and processing your personal data
We collect and process your personal data in accordance with legal obligations, providing services you have requested or agreed to. Here are some of the reasons for collecting and processing your data:
- Communication with you: When you contact us with a question, request or comment, we use the information you provide to respond to you and act on your requests.
- Reservations of accommodation and other services: We collect the data necessary to monitor hotel occupancy and organize the services you have requested, including accommodation reservations, organizing events, and providing and billing for hotel services.
- Guest check-in and check-out: We are legally required to collect certain personal information to record your arrival and stay.
- Provision and billing of hotel services: We collect information about your specific requests and consumption to ensure proper billing of the services provided, including the use of the bar, mini bar, a la carte service, transportation, and other services.
- Event organization: We collect personal data from event organizers to fulfill our contractual obligations.
- Monitoring and improving the quality of services: We use questionnaires to evaluate services, where you decide whether you want to fill them out and provide personal information.
- Realizing benefits: Based on contracts with partners, we offer certain benefits, for which we need your card information.
- Security and property protection: Part of the hotel area is monitored by video cameras for your safety and general safety.
4.2. Types of personal data we collect
We collect only the information necessary to achieve the stated purposes, including contact information, information about your reservation, stay or visit, your preferences, personal identification information, card numbers and other information that you provide to us or that we obtain from third parties.
We collect sensitive data, such as health information, only with your voluntary consent.
4.3. Video surveillance
In order to ensure the safety of employees, clients, and the protection of the legitimate interests of the controller, video surveillance may be installed at the entrance and around the perimeter of the hotel. The video recordings are stored on a local independent hard drive, and access is provided exclusively to the controller's management or with the consent of the controller's management.
The right to access personal data collected through video surveillance is held by the responsible person of the controller or processor and/or the person authorized by him/her by a special decision published on the notice board of the Controller's company.
All authorized persons of the Controller who are authorized and responsible for performing tasks related to the processing of personal data through the video surveillance system may not use recordings from the video surveillance system contrary to the purpose that is necessary and justified for the protection of persons and property, and unless the interests of the data subjects that are contrary to the processing of data through video surveillance prevail, and for the purposes and in the manner prescribed by the Occupational Safety and Health Act (Official Gazette 71/14, 118/14, 154/14, 94/18, 96/18) and the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018).
The video surveillance system is protected from access by unauthorized persons, and is guarded by physical barriers (locked doors and other appropriate means), and by controlling access to the video surveillance system control interface, which is only available to authorized workers.
The competent state bodies also have access to the data referred to in this article of the regulations within the framework of performing tasks within their legally defined scope of work.
The controller has established an automated logging system for recording access to video surveillance footage, which will contain the time and place of access, as well as the identification of the persons who accessed the data collected through video surveillance.
Recordings obtained through video surveillance may be kept for a maximum of one month, unless another law prescribes a longer retention period or if they are evidence in a court, administrative, arbitration or other equivalent proceeding.
Video surveillance is regulated in more detail by the Regulation on Video Surveillance.
4.4. Sources of personal data
We collect data directly from you or from other people, including people traveling with you, travel agencies, online platforms, event organizers and other contractual partners.
It is your responsibility to ensure that the people whose data comes from you know and accept how their data will be used.
4.5. Providing personal information
We share data only with recipients necessary to achieve the purposes, adhering to contractual confidentiality obligations. This may include collaborating with external partners to provide certain services, with contractual obligations in accordance with personal data protection standards.
Personal data is usually stored on servers in the European Union, except for data exchanged via the website, which is stored in the USA with signed contractual clauses.
4.6. Data retention period
We only keep data for as long as necessary, depending on the type of data and the purpose of the processing. Exceptionally, we may retain data for longer periods if this is required to satisfy mutual legal requirements. We destroy it securely after the retention periods have expired.
5. Measures for the protection of personal data
Provisions on measures for the protection of personal data are contained in the Internal Act on Technical and Organizational Measures.
6. Cookies
We only use the two cookies listed below on our website:
Targeting cookies
By clicking "Accept All" on the website form, you consent to the use of ALL cookies.
However, you can visit “Cookie Settings” to provide controlled consent to the way your data is stored and used.
7. Business partners
For the purpose of contacting our business partners and suppliers, and in connection with the conclusion and execution of contracts (e.g. agreements regarding the receipt of goods and the performance of services), we collect contact data of business partners who are natural persons and their employees (e.g. name and surname, official telephone/mobile number, email address).
We keep this data until the end of the business relationship and do not provide it to third parties or transfer it to third countries. We do not collect any personal data, but only data related to the fulfillment of work tasks.
8. Job candidates
You can send us an open job application via e-mail at delminivm@hotel-delminivm.hr or by post to our address. Providing data is voluntary. We process the personal data we receive in this way solely for employment purposes and do not transfer it abroad or provide it to persons outside our Company. We will keep the received CVs for a maximum of one year, and we will delete them earlier at your request.
In the event that you have applied for a job advertisement and have not been selected, we will delete your data upon completion of the selection process, unless you have expressly agreed to keep it for a longer period of time for the purposes of future employment.
9. Cross-border data transfers
The data controller does not transfer data outside the EU, i.e. the Republic of Croatia.
10. Data confidentiality
Data about the Data Controller's clients, together with data that the Data Controller has learned while providing services and conducting business with clients, are considered a business secret and may be disclosed by the Data Controller only in cases prescribed by law.
The data controller is obliged to forward personal data collected pursuant to legal obligations to individual state bodies within the scope of their legal powers. These may include: the Ministry of Finance, the Tax Administration, the Office for the Prevention of Money Laundering, as well as other public authorities.
11. Rights of the respondent
All respondents whose data is collected and processed by the data controller have the following rights:
RIGHT TO ACCESS INFORMATION
Each data subject has the right to a copy of the data held by the controller in its archives for the purpose of inspection. In addition to the right to inspect their own data, the data subject also has the right to information about:
- the purpose of the processing and the legal basis for the processing
- legitimate interest, if it is based on it
- types and categories of personal data collected
- third parties to whom the data is forwarded
- data retention period
- the source of personal data, if it was not collected from the respondent
All information should be provided to the respondent in clear and simple language to ensure understanding, and must be clearly marked and visible so that the respondent does not overlook it.
There is a possibility that providing the requested information to the respondent may reveal information about another person. In such cases, it is necessary to anonymize or withhold that information altogether to protect the rights of that person.
RIGHT TO CORRECTION OF DATA
Each data subject has the right to have inaccurate or incomplete data that the controller holds in its archives corrected.
RIGHT TO BE FORGOTTEN
Respondents may request that their data be removed from the archive. The request will be considered and granted if it does not conflict with the legal basis for processing personal data.
RIGHT TO RESTRICTION OF PROCESSING
Data subjects have the right to restrict the scope of processing, where applicable.
RIGHT TO DATA TRANSFER
Data subjects have the right to a copy of their data for transfer to another data controller.
RIGHT TO OBJECT
Data subjects have the right to object, in particular where the processing is based on the legitimate interests of the controller. In such cases, it is necessary to review the purpose of the processing and establish its legal basis and, where applicable, to enable the data subject to withdraw consent to the processing of their data and/or to stop the processing of their data.
RIGHT TO ASSESSMENT
Data subjects have the right to request from the supervisory authority an assessment of the violation of the provisions of the Regulation and the internal policies of the controller.
RIGHT TO OBJECT TO PROFILING
Data subjects have the right to object to automated profiling and other forms of automated decision-making.
In the event that the controller rejects the data subject's request, the response will state the reason for the rejection, which data subjects may appeal to the competent authority for personal data protection (AZOP).
12. Legal basis
The legal bases for collecting and processing personal data of respondents are as follows:
LEGAL OBLIGATION
The laws governing the business of the obliged entities prescribe data sets that are necessary for the performance of legal obligations. For the collection and processing of data prescribed by law, the Data Controller will not seek consent from the data subject, but will only collect data prescribed by law and will not use it for other purposes. This applies in particular to data collected pursuant to the following laws and their associated regulations, among which we highlight:
Act on the Implementation of the General Data Protection Regulation.
Tourist Tax Law
Regulations on the eVisitor system
Accounting Act
Value Added Tax Law
Income Tax Law
Labor Law
Rulebook on the content and method of keeping records of employees.
EXECUTION OF CONTRACTUAL OBLIGATION
The data controller will collect personal data necessary to fulfill the contractual obligation without the consent of the data subject, in the minimum amount necessary to fulfill the obligation.
LEGITIMATE INTEREST
The controller will hereinafter publish a list of its legitimate interests on the basis of which it collects and processes personal data for the purpose of enabling and/or improving its services or products.
PROTECTION OF THE VITAL INTERESTS OF RESPONDENTS
The controller may collect and process personal data without the consent of the data subject if this is for the purpose of protecting his vital interests.
PUBLIC INTEREST OR EXERCISE OF THE DATA CONTROLLER'S OFFICIAL AUTHORITY
In the case where the data controller's activity involves acting on behalf of the public interest or the data processing is based on another type of official authority, it is not always necessary to inform the data subject about the collection of personal data.
CONSENT
In all other cases, the controller will request consent from the data subject for the collection and processing of personal data, in which the purpose of the processing will be clearly stated. The data subject may withdraw consent at any time, and their data must be automatically removed and the processing terminated.
The data controller will keep records of active and withdrawn consents for the purpose of ensuring the correctness of business operations.
Consent
The data controller will use the following consents in certain cases:
RECORD OF DATA FOR WORKER REGISTRATION
Respondents have the right to withdraw consent at any time, and the data controller will keep an up-to-date record of all collected and withdrawn consents.
Terms and definitions
GENERAL DATA PROTECTION REGULATION (GDPR)
This General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify the processes of protecting the personal data of all individuals within the European Union (EU). The Regulation also applies to the transfer of personal data outside the EU.
PROCESSING MANAGER
The entity that determines the purpose, conditions and method of processing personal data.
PROCESSING PERSON
The entity that carries out data processing on behalf of the controller.
PERSONAL DATA PROTECTION AGENCY
A state agency tasked with protecting data and privacy, overseeing the implementation processes of the Regulation, and actively enforcing the Regulation on the Protection of Personal Data within the European Union.
DATA PROTECTION OFFICER
A data protection professional who acts independently to ensure that a business entity operates in accordance with the policies and procedures set out under the Regulation.
EXAMINEE
A natural person whose personal data is processed by a data controller or processor.
PERSONAL DATA
Any information that is linked to a natural person, i.e. the data subject, and that can be used to directly or indirectly identify the person.
PERSONAL DATA PROCESSING
Any activity performed on personal data, whether or not automated, which includes collection, use, creation of records, etc.
PROFILING
Any automated processing of data for the purpose of evaluating, analyzing or predicting the behavior of the data subject.
RESPONDENT'S RIGHT OF ACCESS
Known as the "right of access", it allows the data subject to access personal data concerning him or her held by the controller.
Legal regulations
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act on the Implementation of the General Data Protection Regulation.
KRIŠTO TURIZAM D.O.O.
Director:
__________________________
Pavo Batinić