Adria coast turizam d.o.o.

Privacy Policy

Personal Data Protection Statement and Privacy Policy

  1. Controller and Legal Framework

The Controller – Adria coast turizam d.o.o. za ugostiteljstvo i turizam, short name: Adria coast turizam d.o.o., having its registered office in Crikvenica, Bana Jelačića 16, Tax No. (OIB): 68449361346 – is a company engaged in the management and development of tourism and hospitality facilities and, as such, operates in accordance with the legislation of the Republic of Croatia and the European Union acquis.

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”), the Act on the Implementation of the General Data Protection Regulation (Official Gazette No. 42/2018) and other regulations governing the relevant field applicable in the Republic of Croatia, Adria coast turizam d.o.o. collects and processes your data.

As Adria coast turizam d.o.o. respects the privacy of every person whose personal data it collects, we would like to inform you about what personal data we collect, how we protect such data, and what rights you have in that regard.

This Privacy Policy also sets out your rights in relation to our processing of your personal data and your access to your personal data which we process. When processing your personal data, we respect the principles of personal data processing set out in Article 5 of the General Data Protection Regulation.

  1. Data Protection Officer

A processor is a person who processes personal data on behalf of the controller.

Adria coast turizam d.o.o. has appointed a Data Protection Officer (“DPO”) whom you can contact via email at: sluzbenik@a-c-t.hr or by post at: Adria coast turizam d.o.o., Bana Jelačića 16, 51260 Crikvenica, indicating Attn. DPO, if you have any questions relating to the protection of personal data and the exercise of your rights guaranteed under the General Data Protection Regulation.

Other requests sent to the address of the Data Protection Officer, which are not related to the same (such as job applications from candidates, inquiries regarding reservations for our facilities, etc.), will be forwarded to the competent departments.

  1. Personal Data – General

Personal Data means any information that can be used to identify you. In the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), personal data is defined as any information relating to a natural person whose identity is identified or can be identified, directly or indirectly, in particular by reference to an identifier.

In simpler terms, personal data means any information about you that allows you to be identified. This includes obvious information, such as your name and contact details, as well as certain less obvious information, such as identification numbers, location data, and online identifiers.

  1. Purposes of Processing Personal Data and Legal Basis for Processing

We process your personal data in accordance with Article 6 of the General Data Protection Regulation, i.e., we process the following data for the following purposes:

  1. a) data provided by the data subject on the basis of consent within the meaning of Article 6, para. 1, point (a) of the General Data Protection Regulation, such as consent to the processing of personal data, consent to post a photo on social networks, etc.; in this case, you can withdraw your consent at any time without adverse consequences, but please note that withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal;
  2. b) data which are necessary for the performance of contracts and obligations defined under contracts within the meaning of Article 6, para. 1, point (b) of the General Data Protection Regulation between Adria coast turizam d.o.o. and an existing counterparty, but also in case of potential future contractual relationships,
  3. c) data which are necessary for the purpose of complying with legal obligations of Adria coast turizam d.o.o. as the controller within the meaning of Article 6, para. 1, point (c) of the General Data Protection Regulation; for this purpose we collect and process data which we need to fulfil the obligations set out in the regulations, such as registering and deregistering employees with the Croatian Health Insurance Fund and the Croatian Pension Insurance Institute, registering guests in the e-Visitor system, with the Tax Administration, and similar;
  4. d) data which are necessary to protect the vital interests of the data subject or some other natural person within the meaning of Article 6, para. 1, point (d) of the General Data Protection Regulation in accordance with the principle of proportionality,
  5. e) data which are necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child within the meaning of Article 6(1)(f) of the General Data Protection Regulation, in which case Adria coast turizam d.o.o. ensures that the processing is appropriate and as nonintrusive as possible, e.g., processing for administrative purposes, sending promotional emails to previous users, maintaining security of computer networks, video surveillance for the purpose of protecting persons and property, etc. In this case, you have the right to object to the processing at any time.

What personal data we process and from which sources we collect it

We only collect the data we need to achieve the above-stated purposes. Depending on the circumstances, this may include the following:

  • your contact details, information regarding your reservation, stay or visit to the hotel, name and surname, date of birth, sex, identification document number, credit card number, country of birth, citizenship, visa number if you are subject to a visa regime, point of entry into the Republic of Croatia, date of arrival at the facility and date of departure, impressions of our services (if you decide to provide personal information in the questionnaires), information about events that you organise in our space, as well as other information that you provide yourself or that we receive for the purposes listed above.

We may collect your personal data directly from you (via email, phone, mobile phone, in person through a conversation with you), but also from other persons, e.g., persons traveling with you, travel agencies, online platforms you used to book services at our hotels, event organizers in our hotels, and other contractual partners. Such partners are also obligated to comply with applicable personal data protection regulations.

Since most of the personal data that Adria coast turizam d.o.o. collects is provided by the data subjects themselves, we kindly ask that you refrain from providing sensitive information (e.g., racial identity or ethnic origin, political opinions, religious or philosophical beliefs, and similar) when it is not necessary. By providing us sensitive information for any reason, you give us your express consent to collect and use such information in the ways described herein or in the manner described at the time of disclosure of such information.

Sharing data with third parties

Adria coast turizam d.o.o. shares personal data with others only when permitted.

In fulfilling its legal obligations, Adria coast turizam d.o.o. is obligated to provide data to third parties. For example, sending guest data via the e-Visitor system, sending employee data to competent institutions: Croatian Pension Insurance Institute, Croatian Health Insurance Fund, Tax Administration, and Central Register of Insured Persons, and pension companies. In certain cases, Adria coast turizam d.o.o. is also obligated to send or make employment-related data available to the Croatian Employment Service, e.g., for the purpose of involving workers in active employment policy measures, to the competent police stations or the ministry responsible for internal affairs, as well as for issuing work permits, to the ministry responsible for tourism when employing scholarship beneficiaries, to the ministry responsible for economy and entrepreneurship when it comes to using investment support, to insurance companies, banks and in other cases as required under the regulations.

In addition, certain employee data are sent to banks or pension funds as part of the payroll process, and some data may be sent to creditors pursuant to enforcement regulations. Sometimes, certain data are also shared in regards to contractual obligations, e.g., in the case of students participating in practical training – the data are exchanged with schools, universities. If you fail to comply with your contractual obligations, in order to protect ourselves as a creditor, we may forward the relevant personal data and use debt collection services provided by different natural or legal persons (e.g., law firms, debt collection agencies, and similar). Before we take such action, we will send you a special notice in that regard using the contact details you have provided to us, in order to give you an opportunity to provide an explanation.

Furthermore, certain personal data are also provided to business entities for the purpose of enabling the provision of specific services, e.g., medical examinations of workers (additional health insurance); institutions providing mandatory training (occupational safety, minimum hygiene standards, toxicology) or auditing companies when conducting legally required audits, notaries public when certifications are requested, the Financial Agency for the purpose of obtaining business certificates, and for the purpose of issuing and using company cards, company mobile devices, or for purchasing fuel.

Your data may also be delivered to business entities who act as processors, i.e., process data on behalf of Adria coast turizam d.o.o. as the controller, mostly including our business associates that provide IT services, keep data in their databases, or have the ability to view personal data until the processing is completed. A detailed contract is concluded with such entities to regulate their powers and obligations with regard to the processing of personal data, pursuant to the requirements set out in the Regulation.

Where the processing of personal data involves a transfer of data to third countries, Adria coast turizam d.o.o. ensures compliance with high standards of protection to ensure the highest possible standard of protection of personal data, in accordance with the strict requirements set out in the Regulation. In this regard, if international transfers of personal data are applicable, Adria coast turizam d.o.o. will inform the data subject of its intention to transfer personal data to a third country or an international organisation as well as of the existence or absence of an adequacy decision issued by the European Commission. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

Personal data retention period

Adria coast turizam d.o.o. is required to keep the data it collects pursuant to the law for such period as determined by the relevant law or other applicable regulation, e.g., respecting the data retention period defined under the Accounting Act, and similar.

The data which Adria coast turizam d.o.o. collects based on a contractual relationship will be kept only for as long as necessary for the purpose of fulfilling the contract or providing the service.

Considering that the period for which Adria coast turizam d.o.o. retains personal data is limited to the strict minimum, the company defines retention periods or periodic reviews of certain personal data in order to ensure that they are not kept longer than is strictly necessary to fulfil the purpose for which they were collected.

After the retention period expires, Adria coast turizam d.o.o. will delete the personal data. If the data is necessary for the purpose of producing statistical indicators, analysis or archiving, or to fulfil some other legitimate interest of Adria coast turizam d.o.o., all measures will be taken to anonymize the necessary personal data.

  1. Data Subject Rights

Your Right to Access

If you request that from us, we undertake to answer you whether we process your personal data and, if so, to provide a copy of the personal data that we process. If you request additional copies, Adria coast turizam d.o.o. reserves the right to charge you a fee.

Your Right to Rectification

The personal data you provide to us should be kept up to date, and you can update it by contacting us directly by post, email or when checking in at the reception. In the event that your data are incorrect or incomplete, you can request that they be rectified. If we have shared your personal data with others, we will inform them of the rectification of data, provided that is possible. If lawful and possible, we will also inform you with whom we have shared your personal data, so that you could contact them.

Your Right to Erasure

In certain circumstances you can request that your personal data be erased – if we no longer need them, or you want to withdraw your consent (where applicable).

If we have shared your personal data with others, we will inform them of the erasure of data, provided that is possible. If lawful and possible, we will also inform you with whom we have shared your personal data, so that you could contact them.

Your Right to Restriction of Processing

In certain circumstances you may request that the processing of your personal data be restricted – if you contest the accuracy of the data, or you object to the processing of the same. If the processing is restricted, we will inform you first. If we have shared your personal data with others, we will inform them of the restriction of processing, provided that is possible. If lawful and possible, we will also inform you with whom we have shared your personal data, so that you could contact them.

Your Right to Data Portability

(In certain circumstances) You have the right to receive from us the personal data we have collected from you and to transfer it to a third party.

Your Right to Object

If we distribute your data for the purpose of performing tasks of public interest or the tasks carried out by public authorities, or if we rely on our legitimate interests when processing your data, you can object to such processing if there is an interest to protect of your data.

If you have any questions regarding this Privacy Policy or you want to submit a request to exercise your right(s) regarding the protection of your personal data, you can contact our Data Protection Officer via email at: sluzbenik@a-c-t.hr or by post at: Adria coast turizam d.o.o., Bana Jelačića 16, 51260 Crikvenica, Attn. Data Protection Officer.

Your Right to Withdraw Consent

Where we rely on your consent as our legal basis for processing your personal data, you have the right to withdraw such consent at any time.

Your Right to Lodge a Complaint with a Supervisory Authority

If you have any objections regarding our privacy practices and the handling of your personal data, you can file a complaint with the supervisory authority – Personal Data Protection Agency (“AZOP”), whose contact details are available on the Agency’s website www.azop.hr, or by phone on +385(0)1 4609-000.

Protection of Children’s Personal Data

Adria coast turizam d.o.o. advises parents and guardians to teach their children about safe and responsible handling of personal data online.

Adria coast turizam d.o.o. has no wish or intention to collect personal data of children, and it will not use such data in any way or disclose them to third parties. A child, who must be 16 or above, can give his/her consent exclusively in relation to possible information society services. Any other processing of data in respect of children below the specified age limit and other type of processing, except such as expressly stated herein, of data that concern children up to 18 years of age by Adria coast turizam d.o.o. is subject to prior consent of the parents.

The personal data of the child and the parent(s) will be deleted from our database if the parents request so from us. As a parent or guardian, you always have the right to request access to all personal data that concern your child which we have received on our site, as well as to request that they be erased (if such data are still in our database) and/or to prohibit us from collecting and using data about your child in the future.

Links to other websites

The website of Adria coast turizam d.o.o. may contain links to other websites operated by JADRAN d.d. or some other organization that has its own privacy policy, so we advise you to read their terms of use and privacy policies before you provide them with any personal data, as Adria coast turizam d.o.o. will not assume responsibility for such websites or the organizations that operate them.

Video surveillance

Within the meaning of the provisions of the Act, video surveillance refers to the collection and further processing of personal data, which includes the production of a recording that forms or is intended to form part of the data storage system (Article 25, para. 1 of the Act).

The controller or processor must indicate, using an appropriate notice sign, that a particular facility, or a particular room within the facility, and the area surrounding the facility are under video surveillance, and such sign must be visible at the latest upon entering the perimeter which is under video surveillance.

The notice must contain all relevant information as well as an image along with the text providing the data subjects the following information:

  • that the space is under video surveillance,
  • the data about the controller,
  • contact details which the data subjects can use to exercise their rights.

If such notice is posted, it is considered that the data subject has been informed about the processing of personal data.

Adria coast turizam d.o.o. has a legitimate interest to implement video surveillance measures for the purpose of:

  • protecting the safety of its guests and other persons who, for any reason, find themselves in the area controlled by the Company, and their property,
  • controlling access to and exit from the work spaces and areas, and reducing workers’ exposure to the risk of robbery, burglary, violence, theft and similar events at work or in connection with work,
  • protecting the Company’s assets,
  • preventing unauthorized access to the Company’s premises.

The processing of personal data through video surveillance may only be carried out for the purposes which are necessary and justified in the sense of protection of persons and property, unless the interests of the data subjects that conflict with the processing of data through video surveillance override such purposes (Article 26, para. 1 of the Act).

Adria coast turizam d.o.o. has implemented strict rules to ensure that video recordings are stored locally on recorders for no longer than 30 days, that they are automatically deleted after a period of 30 days, that access to the video surveillance system is granted exclusively to authorized persons appointed by the Company’s Management Board, who need it to perform their work tasks, and that the recordings are viewed only when we learn that there is a legitimate reason to do so for the purpose of achieving one of the above-mentioned purposes.

Persons authorized to access the video recordings will do so exclusively on the basis of a written request from competent authorities.