1. THE DATA CONTROLLER AND THE LEGAL FRAMEWORK
JADRAN D.D., a joint-stock company for the hotel industry and tourism, abbreviated as Jadran d.d., with headquarters in Crikvenica, Bana Jelačića 16, OIB: 56994999963 is a joint-stock company that manages and develops tourist and catering facilities and as such operates in accordance with the legislation of the Republic of Croatia and the acquis communautaire.
In accordance with EU Regulation 2016/679 of the European Parliament and the Council of April 27, 2016, on the protection of individuals in connection with the processing of personal data and the free movement of such data (General Data Protection Regulation), the Law on the Implementation of the General Data Protection Regulation (OG 42 /2018) and other regulations governing that area, which apply in the Republic of Croatia Jadran d.d. collects and processes your data.
Given that Jadran d.d. respects the privacy of every person whose personal data it collects, we would like to inform you about the personal data Jadran d.d. collects, how we protect them, and your rights.
2. DATA PROTECTION OFFICER
Jadran d.d. has appointed a Data Protection Officer whom you can contact by e-mail at email@example.com or by mail at Jadran d.d., Bana Jelačića 16, 51260 Crikvenica, indicating “DPO”, for all matters regarding personal data protection and exercise of your rights guaranteed by the General Data Protection Regulation.
Other requests submitted to the Data Protection Officer’s address that are not associated therewith (such as job applications, queries regarding reservations in our properties, etc.) will be forwarded to our relevant departments.
3. PERSONAL DATA - GENERAL INFORMATION
Personal data are all data which can be used to determine your identity. According to the General Data Protection Regulation (“GDPR”), “personal data” means any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier.
Simply put, the term “personal data” refers to any information which concerns you and can be used to determine your identity, including both obvious data, such as names and contact data, and less obvious data, such as identification numbers, location data, and web identifiers.
4. PURPOSE OF DATA COLLECTION
We process your personal data in accordance with Article 6 of the General Data Protection Regulation for the following purposes:
a) data provided by the data subject based on his/her consent within the meaning of Article 6(1)(a) of the General Data Protection Regulation such as consent to personal data processing via cookies for better functioning of all website features and enabling a better user experience, consent to posting photographs on social networks, etc., in which case you cam withdraw your consent at any time without suffering any adverse consequences, provided, however, that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal;
b) data necessary to perform a contract and contractual obligations within the meaning of Article 6(1)(b) of the General Data Protection Regulation between Jadran d.d. and another party, as well as potential future contractual arrangements;
c) data necessary to comply with legal obligations of Jadran d.d. within the meaning of Article 6(1)(c) of the General Data Protection Regulation – for this purpose, we collect and process data necessary to perform our legal obligations such as registration and deregistration of employees with the Croatian Health Insurance Fund and Croatian Pension Insurance Fund, registration of customers in the e-Visitor system, provision of information to the Tax Administration etc.;
d) data necessary to protect vital interests of data subjects or other natural persons within the meaning of Article 6(1)(d) of the General Data Protection Regulation based on the principle of proportionality; and
e) data processed for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child meaning of Article 6(1)(f) of the General Data Protection Regulation, in which case Jadran d.d. ensures that the processing is appropriate and minimally invasive, e.g. processing for administrative purposes, sending promotional e-mails to former users, security of computer networks, video surveillance to protect persons and property, etc. In this case, you have the right to object to processing at any time.
Types of Personal Data We Collect and Sources of Data
We collect only such data that we need to fulfill the above-mentioned purposes. Therefore, depending on the circumstances, we may collect the following information:
your contact data, information about your reservation, stay or hotel visit, your first and last name, date of birth, sex, identification document number, credit card number, country of birth, citizenship, visa number (if you are subject to the visa regime), place of entry into the Republic of Croatia, date of arrival to and departure from the facility, impressions about our services (if you decide to provide your personal data in the questionnaires), data about the events organized for you in our facilities/on our premises, and any other data that you provide to us voluntarily, or that we receive in connection with the above-mentioned purposes.
We may collect your personal data directly from you (e.g. via e-mail, phone, mobile phone, in person through individual communication), but also from other people, such as your travel companions, travel agencies, online platforms that you used to make reservations for our hotel services, organizers of events in our hotels, and other contractual partners. Such partners are also required to comply with the applicable personal data protection regulations.
When you provide to us the personal data that concern other people, it is your responsibility to ensure that the person whose data you have provided is aware of that fact and that he/she accepts the manner in which we use personal data.
If your personal data is not collected directly from you, but from other persons, we may be held liable only for what we do with your personal data from the moment they are collected. We will and may not be held liable for the activities involving your personal data performed by the persons from which we have received your data. We therefore kindly ask that you read the privacy protection policies of such other persons to which you provide your personal data.
Most of the data collected by Jadran d.d. are provided by data subjects – please do not provide any sensitive information (e.g. your racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.) unless necessary. If you do provide such sensitive personal data for any reason whatsoever, you thereby give your explicit consent to the collection and use of such information as described in this Policy or as described at the time of disclosure of such information.
|Processing||Type of data||Legal basis|
|Booking of accommodation - Creating and accepting reservations and sending reservation confirmations, selection of property and terms of payment, credit card guarantee or advance payment. Reservation management. Preparation of documents in accordance with the applicable accounting regulations.||Identity data; Contact data; Financial data||Contract. Legitimate interest (conduct of business and product and service management). Compliance with a legal obligation of Jadran d.d.|
|Check-in/Check-out - Operations regarding customers checking in and our, including the registration of customers in internal systems and e-Visitor. Registration of data regarding customer preferences and requirements and options for further communication.||Identity data; Contact data; Preference data; Marketing data.||Compliance with a legal obligation. Contract performance.Legitimate interest (maintenance of customer records, communication and business management). Explicit consent (information about health and allergies).|
|Booking and use of optional services - Selecting times and making appointments for optional services during customers’ stay (spa, wellness, restaurants, etc.)||Identity data; Contact data; Transaction data; Marketing data.||Contract performance. Legitimate interest (maintenance of customer records, communication and business management). Explicit consent (health information).|
|Requests/Complaints - Additional requests at the reception (delivery, concierge, etc.)Complaints about our service||Identity data; Transaction data; Preference data.||Contract performance.Legitimate interest (conduct of business, HR management and service improvement).|
|Customer queries - Responding to queries||Identity data; Contact data.||Contract performance. Legitimate interest (conduct of business, service improvement, analytics).|
|Security of persons and property - Surveillance cameras, electronic cards/keys.||Identity data (recording, room entrance)||Legitimate interest (ensuring security of persons and property).|
|Direct marketing - Contacting customers at their e-mail addresses and sending offers of services in accordance with the applicable legislation.||Identity data; Contact data; Preference data; Marketing data.||Legitimate interest (conduct of business, provision of information about our offers and services, personalization of offers and tips for similar services).|
|Satisfaction surveys and questionnaires - Contacting customers at their e-mail or sending them flyers with a request to complete a customer satisfaction survey or questionnaire.||Contact data||Legitimate interest (conduct of business, obtaining information about customer satisfaction for service improvement purposes.|
|Payment, collection and refunds - Issuance of invoices, payment, collection of amounts receivable and making refunds to customers.||Identity data; Contact data; Financial data; Transaction data.||Contract performance. Legal obligation.|
|Advertising - Sending of ads||Identity data; Contact data; Usage data; Marketing data; Technical data; Preference data||Consent. Legitimate interest (tracking ad performance, business planning, designing of marketing campaigns and development of business strategies).|
|Accommodation and service recommendations - Sending personalized tips to customers||Identity data; Contact data; Preference data.||Contract performance. Legitimate interest (service personalization).|
|Use of the internet - Providing customers with internet connections.||Technical data; Usage data.||Contract performance. Legitimate interest (maintaining IT system security).|
|Analytics and business planning - Creating models for planning, analysis and reporting based on customer behaviors.||Transaction data; Contact data; Preference data; Marketing data.||Legitimate interest (service improvement, creating offers, strategic business planning).|
|Incident monitoring - Collecting internal lists of customers to be used in case of an incident caused by a customer (failure to pay the bill, vandalism, aggressive behavior, etc.)||Identity data; Behavior description.||Legitimate interest (ensuring security of persons and property). Establishment and defense of legal claims.|
|Claims - Maintaining records of customer claims, descriptions of incidents and communication with third parties.||Identity data; Contact data; Incident data.||Legitimate interest (protection of property and reputation). Establishment and defense of legal claims.|
|Website security - Protection of our business and ensuring website security (fixing of errors, data analysis, testing, system maintenance, support, reports).||Technical data; Usage data.||Legitimate interest (service continuity, network security and protection).|
|Website analytics - Improving website functionality, identification of interests and service and marketing strategy improvement||Technical data; Usage data.||Legitimate interest (business development, marketing strategy, strategic planning).|
|Social networks - Communication via social network profiles.||Identity data; Contact data.||Contract performance. Legitimate interest (communication with customers, customer expectation management, marketing strategy).|
Sharing data with third-party entities
Jadran d.d. only shares data with others if permitted to do share them.
For the purposes of complying with its legal obligations, Jadran d.d. is required to provide data to third parties. This, for example, includes providing customer data via the e-Visitor system, providing employee data to the relevant institutions: the Croatian Pension Insurance Fund, Croatian Health Insurance Fund, Tax Administration, Central Registry of Insured Persons and pension companies. In certain cases, Jadran d.d. is also required to provide or present employment-related data to the Croatian Employment Service, for example, to include its employees in active employment policy measures, provide data to the relevant police stations and the Ministry of the Interior and data necessary for the issuance of work permits, provide data to the Ministry of Tourism in case it employs scholars, provide data to the Ministry of the Economy and Entrepreneurship in case it uses investment aid, and provide data to insurance companies and banks and when required under the applicable regulations.
In addition, certain data of employees are sent to banks or pension funds as part of salary disbursement and may also be sent to creditors in accordance with the applicable enforcement regulations. Data are sometimes sent for the purposes of contractual obligations, for example in case of students performing their practice where data is shared with schools and faculties. If you fail to perform your contractual obligations, we may, for the purpose of protecting ourselves as the creditor, forward your relevant personal data and retain the services of natural or legal persons for the purpose of collecting debt owed to us (e.g. law firms, debt collection agencies, etc.). Before we take such steps, we will notify you thereof using the contact details provided by you to give you an opportunity to respond.
Certain personal data are also provided to business entities for the purpose of obtaining specific services, such as medical examinations of employees (additional health insurance), to institutions arranging legally prescribed trainings (workplace safety, minimum hygienic requirements, toxicology) or auditors for mandatory audit purposes, to notaries public for notarization purposes, to the Financial Agency for the purpose of obtaining business certificates, and to other entities for the purpose of assigning and use of corporate credit cards, company mobile devices or purchasing of fuel.
Data may be provided to processors that process data on behalf of Jadran d.d. as the controller. These are mostly entities that provide IT services and store such data in their databases or have access to personal data until completion of processing. We enter into contracts with such entities that detail their authorities and obligations with regard to personal data processing, as required by the Regulation.
In certain situations, such contractors and Jadran d.d. may jointly determine the purposes and methods of personal data processing, in which case such contractors and Jadran d.d. act as joint controllers. In such arrangements, the joint controllers transparently define their responsibilities for compliance with the obligations set forth in the Regulation, in particular with respect to the exercise of data subject rights and duties regarding the transparency of processing, unless such responsibilities are legally defined.
Jadran d.d. may in particular provide data to third-party entities with which it has commercial contracts in place, based on which it conducts its tourism-related activities.
If data are exported to third countries as part of processing, Jadran d.d. ensure that the highest standards of personal data protection are applied, as specifically required under the Regulation. In case of international transfer of data, Jadran d.d. will inform the data subject of its intention to export personal data to a third country to transfer them to an international organization and of whether or not the European Commission has rendered its adequacy decision.
We use the third-party cookies Turneo on our website to improve your experience. Turneo products also allow access to other third-party applications such as Stripe. Data collected to provide the Service may include data about the identity of the subject, contact data and financial data.
Personal Data Retention Period
The data that Jadran d.d. collects on the basis of the law must be kept for the period stated in the relevant law or other applicable regulation.
The data that Jadran d.d. collects on the basis of a contractual relationship are kept only for as long as they are needed for the purpose of executing a particular contract or providing a particular service.
The period during which Jadran d.d. keeps personal data is limited to the strictly necessary minimum. In that regard, Jadran d.d. defines retention periods or periodic review deadlines for particular personal data in order to avoid retention of such data for longer than necessary to fulfill the purpose for which they were collected.
After the expiry of such period, Jadran d.d. will erase the personal data. However, if such data are necessary for the purpose of generating statistical indicators, making analyses or archiving, or on the basis of some other legitimate interest of Jadran d.d., all actions will be taken to ensure that the relevant personal data are anonymized.
Through our website, you can register to receive our newsletter, through which we will inform you about the news and benefits in our offer. To register, we need your first and last name and e-mail address. Your consent is the basis for collecting this data.
We will keep the above data for as long as you agree to receive the newsletter and for a maximum of 5 years from the date of consent. You have the right to change data and the right to erasure (to be forgotten) at any time.
We use your information for these marketing purposes:
- To send you regular news about our products and services. You can unsubscribe from receiving notifications by email quickly, easily, and at any time - click on the "Unsubscribe" link in each newsletter.
- Based on your information, you may be shown personalized offers on our websites, in mobile apps, or even on other sites/apps (social media included), and the site content shown to you may be personalized. These may include offers that can be booked directly through our website or other third-party offers and products that we think you might like.
- When participating in other promotional activities (such as contests, loyalty programs, or sweepstakes), the relevant information will be used to administer those promotional activities.
5. RIGHTS OF RESPONDENTS
Your right of access
If you ask us, we undertake to answer whether we are processing your personal data and, if so, to deliver a copy of the personal data we are processing. If you are looking for additional copies, Jadran d.d. retains the possibility of charging a fee.
Your right to rectification
The personal data you provide should be updated, and you update it by contacting us directly by mail, e-mail, or when registering at the front desk. If these data are incorrect or incomplete, you can request their correction. If we have shared your personal data with others, we will notify them of the correction if possible. Also, if it is legal and possible, we will inform you with whom we have shared your personal data so that you can contact them.
Your right to erasure
You can submit a request to erase your personal data in certain circumstances - in the event that we no longer need it or when you want to withdraw your consent (when applicable)
If we have shared your personal data with others, we will notify them of the erasure if possible. Also, if it is legal and possible, we will inform you with whom we have shared your personal data so that you can contact them.
Your right to restriction of processing
You can ask for the restriction of the processing of your personal data in certain circumstances - in case you dispute its accuracy or object to their processing. If processing restrictions occur, we will inform you initially. If we have shared your personal data with others, we will notify them of the restriction of processing if possible. Also, if it is legal and possible, we will inform you with whom we have shared your personal data so that you can contact them.
Your right to data portability
You have the right to receive the personal data we have collected from you (in certain circumstances) and transfer it to a third party.
Your right to object
If we distribute your data for the purpose of performing tasks of public interest or tasks of public bodies, or when processing them, we refer to our legitimate interests, you can file an objection against such data processing if there is an interest in protecting your data.
Your right to withdraw consent
If we rely on your consent as our legal basis for processing your personal data, you have the right to withdraw such consent at any time.
Your right to submit a complaint to the supervisory authority
If you have objections related to our privacy practice and handling of your personal data, you can submit a complaint to the supervisory authority - Personal Data Protection Agency (AZOP), whose information is available on the Agency's website www.azop.hr or by phone at +385(0) 1 4609-000.
Children's Personal Data Protection
Jadran d.d. advises all parents and guardians to teach their children how to safely and responsibly manage their personal data on the internet. Jadran d.d. does not want or intend to collect personal data concerning children, and will not use such data in any manner whatsoever or disclose the same to third parties. A child may, however, give his/her consent exclusively in relation to the potential offer of information society services, in which case the child must be above 16 years of age. All other processing of data concerning children under the above-specified age and any processing of data, other than such as explicitly described herein, concerning children up to the age of 18, will be allowed only with the prior consent of the parent (holder of parental responsibility).
The personal data concerning children and parents will be erased from our database, if the parents so request. As a parent or guardian, you always have the right to inspect all the personal data concerning your child provided via our website, and you can request that such data be erased (if the relevant data are still in our database), and/or forbid us to collect and use the data which concern your child in the future.
Links to other Web Pages
Jadran d.d. has a legitimate interest to use video surveillance for the purpose of:
- protecting the safety of guests and other persons who find themselves located on the premises controlled by the Company for any reason, and their property,
- managing the access and exit from the operating facilities and areas, and for the purpose of reducing the exposure of employees to the risk of robbery, burglary, aggression, theft and similar events at work or in connection with work,
- protecting the property of the Company,
- preventing unauthorized access to the Company’s premises.
Jadran d.d. applies strict rules with the aim of ensuring that all video recordings are automatically erased after the period of 30 days by recording new content over the old, that access to the video surveillance system is restricted to the persons who need it to perform their tasks, and that the video recordings are only viewed/inspected if there is a justified reason for doing so, i.e. if that is necessary to fulfill any of the above-mentioned purposes.
By exception, if they are used as evidence in procedures held before competent state authorities, the video recordings will be kept for a longer period of time.
Jadran d.d. uses so-called “cookies” on its website. Cookies are data files stored in your computer or mobile device when you visit our website to enable basic or additional features of the website.
Cookies are generated when the browser of the user’s device uploads a visited website, which then sends data to the browser and creates a text file (cookie). The browser retrieves and sends the cookie to the website server when the user returns to it.
Our website uses the following cookies:
- technical cookies (required cookies that cannot be disabled) necessary for the functioning of our website;
- functional cookies (these may be disabled) which allow the website to improve functionality and personalization; and
- marketing cookies (these may be disabled) which allow us to record visits and traffic sources and measure and improve the performance of our website.
This website uses Google Analytics and Google Ads, services provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”).
For further information about the use of Google data for advertising purposes, settings and enabling options, please visit: https://www.google.com/intl/en/policies/privacy/partners/ (“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“Use of personal data for promotional purposes”), http://www.google.com/settings/ads (“Management of information used by Google to show you ads”) and http://www.google.com/ads/preferences/ (“Define ads Google shows you”).
All your data collected based on your consent that relate to Google Analytics are automatically deleted after 14 months.
6. EMPLOYMENT / CAREER
We process personal data that we receive through the voluntary provision of personal data that are given for the purpose of employment (open job application) exclusively for employment purposes, and we do not transfer them abroad or to persons outside Jadran d.d. Data received for the purpose of employment are kept until the end of the calendar year, and at your request, we will delete them before that. In the event that you responded to a published job advertisement and were not selected, we will delete your data upon completion of the selection process unless you have expressly agreed for us to keep it longer for the purposes of future employment.
Secondary school and university students – we may engage secondary school and full-time university students to work for us. In such cases, we are required to collect such students’ personal data as required by the law, as well as their data necessary to perform the contract. We may for such purpose exchange data with a secondary school or student center via which the secondary school/university student works. We do not export secondary school and university students’ personal data abroad. We are legally required to retain secondary school and university students’ personal data for 6 years after the end of their work, we delete them on expiry of such period and we delete the data of secondary school and university students not engaged to work for us on completion of the selection process.
This also applies to personal data of secondary school students attending practical classes at our hotels in accordance with the plan and program for the organization and delivery of practical training.
Scholars – we may collect personal data for the purpose of paying scholarships to secondary school and university students trained for occupations relevant to our business. Persons interested in entering into a scholarship contract may apply for scholarship competitions we launch for such purpose by providing the required information, after which contracts are entered into with the selected candidates. Personal data of selected candidates are retained for no more than 5 years after the contract execution date, whereas data of candidates who are not selected are deleted on completion of the selection process. No personal data are exported abroad.
In its capacity as employer, Jadran d.d. collects, processes and stores all employee data in an employee database maintained by software and in employees’ personnel files. The data collected for such purpose are defined in the Ordinance on the Contents and Method of Maintaining Records of Employees laid down by the Ministry of Labor and Pension System.
The data necessary to establish an employment relationship normally include: a copy of the identity card, a copy of the checking account or bank’s payment instruction, a copy of a protected account (if any), OIB (Personal ID No.), evidence of education (a copy of a certificate or diploma), e-book: certificate of service length for pension purposes (it is obtained from the Croatian Pension Insurance Fund or via e-Građani), electronic record of tax card form, so-called PK Form (it is obtained from the Tax Administration or via e-Građani; persons who are being employed for the first time do not hold an electronic record of tax card form and must open it at the Tax Administration), birth certificate for a child below the age of 15 years old. Information concerning remuneration and payroll statements are subject to specific retention regulations. In any event, all employees and other persons in a business relationship comparable to an employment relationship or persons undergoing practical and professional training enjoy all rights granted to data subjects.
7. BUSINESS PARTNERS
For the purpose of contacting our business partners and suppliers in connection with the signing and performance of contracts (e.g. negotiating the handover of goods and provision of services), we collect contact data of our business partners who are natural persons and of their employees (e.g. first and last name, official phone/mobile phone number, e-mail address). Such data are kept until the business cooperation is terminated. We do not provide such data to third parties, or transfer the same to third countries. We also do not collect any data which are private in nature, but only such that are associated with the performance of work-related tasks.
8. ACTIONS TAKEN IN CASE OF A PERSONAL DATA BREACH
In case of a personal data breach, Jadran d.d., as the data controller, will notify the competent supervisory body of the personal data breach that has occurred without undue delay and, where possible, no later than within 72 hours from the moment of becoming aware of the same, unless the relevant breach is unlikely to result in a risk to the rights and freedoms of natural persons. The report which is delivered to the supervisory body in this case contains all information pursuant to the Regulation.
In case of a personal data breach which is likely to result in a high risk to the rights and freedoms of natural persons, Jadran d.d., as the data controller, will notify the data subject of the personal data breach without delay. In cases where the Regulation does not prescribe such a requirement, the data subjects will not be notified of the personal data breach.
Protection of Your Data
To ensure personal data protection, we apply physical, technical and organizational safety measures. The security technology implemented for this purpose is continuously upgraded and tested. Access to your personal data is restricted to employees who need to know such information in order to provide particular benefits or services to you. Furthermore, we make efforts to ensure that our employees are aware of the importance of data confidentiality and privacy and data protection.
The concrete protection measures are regulated in more detail in rulebooks and procedures adopted for this purpose.
Any changes will be posted on our website without delay, and you will be deemed to accept the terms of our Data Protection Policy with your first use of our website after the changes. We advise you to regularly monitor this page so that the latest information is always available to you.
9. GOOGLE SIGNALS
Jadran d.d. uses Google Signals on its website, as part of the Google Analytics system provided by Google Inc.
This updates the existing features of Google Analytics (advertising reports, remarketing, cross-device reports, interest reports and demographic reports) to provide aggregated and pseudonymized data, provided that you have enabled personalized ads in your Google account. We only accept pseudonymized data in the form of reports showing user behavior patterns.
This feature will not be enabled unless:
1) you have a Google account;
2) you are logged into your Google at the time of accessing a website; and
3) you have turned on the “Personalized Ads” feature in your Google account.
If you prefer not to use this feature, you need to disable the “Personalized Ads” feature in your Google account - https://www.google.com/account/about/
What makes this special is that it is intended to track different devices. This means that your data may be analyzed across devices. By enabling Google Signals, data are collected and matched with your Google account. Google can thus identify a situation where, for example, you are viewing a product appearing on our website via a smartphone and later buy a product using your laptop computer. Thanks to enabling Google Signals, we are able to launch cross-device remarketing that would otherwise be impossible to implement in this form. Remarketing means that we may present our offering to you on other websites.
Reports also help us evaluate your behavior, your preferences and your interests more accurately. This allows us to optimize and personalize our services and products based on your preferences. In default settings, these data expire after 14 months. Please note that such data will not be collected unless you have enabled personalized ads in your Google account. Such data are always aggregated and pseudonymized and never identify an individual. You may manage such data or erase them in your Google account.