PRIVACY POLICY PRIVACY NOTICE FOR GUESTS AND VISITORS TO WEBSITE



1.INTRODUCTION

We respect your privacy, and we are committed to protecting your personal data. In this document (“Privacy Notice”), we would like to provide you with clear and transparent information about which personal data we collect, as well as the legal basis we rely on when processing your personal data.

Please read this document carefully; it contains our Privacy Policy and information on how we use your personal data when you visit our website, book accommodations, stay in one of our properties or if you communicate with us for other reasons.

This Privacy Notice applies in all cases of processing your personal data, except in certain particular cases, in which case we will inform you about the way your personal data is processed by providing you with a special Privacy Notice on the processing of personal data, which will contain a Privacy Policy relating to these particular cases of personal data processing.

If you have any questions, do not hesitate to contact us, as is described below in paragraph 4 – Contact information.

2.VERSIONS AND AMENDMENTS

We will update this Privacy Notice from time to time to provide you with timely, accurate, and reliable information about how we collect and use your personal data. We will notify you of any changes to the way we process your personal data by updating our Privacy Policy and this Privacy Notice on the processing of personal data.

3.ABOUT US

For the purposes of this Privacy Notice and applicable personal data protection provisions, including the General Data Protection Regulation (EU) 2016/679 (hereinafter: “GDPR”), the data controller and the company responsible for processing your personal data is ZELENA GORICA d.o.o. with a registered seat in Zagreb, Kalinovica 3/V, PIN (OIB): 73197884037 (hereinafter: “ZELENA GORICA” or “we”).

 
4.CONTACT INFORMATION

If you have any questions related to the protection of your personal data, you can contact us by:

-e-mail at info@cascade-dubrovnik.com

-mail at the address ZELENA GORICA d.o.o., Kalinovica 3/V, 10000 Zagreb, attn. DPO.

 
5.REASONS FOR COLLECTING PERSONAL DATA

ZELENA GORICA d.o.o. is a company that, among other things, provides hospitality services.

We collect different types of personal data about you, depending on your relationship with us and the reasons for our communication.

 
6.WAYS OF COLLECTING PERSONAL DATA

We collect your personal data directly from you, indirectly or automatically.

Directly from you

For example, in the following cases, we collect your personal data directly from you:

  • when you book accommodation, send us a request or otherwise provide us with your personal data;
  • at check-in and checkout;
  • when you make a payment; 
  • when you make any additional requests or complaints (communication with our staff, including reception, waiting staff, housekeepers, and concierge services);
  • when you communicate with us on social media or by email; 
  • during your stay in one of our properties or when using our services
  • when you leave comments about your stay;
  • when you leave us contact information; 
  • when you use our app.

Indirectly

We collect your personal data indirectly when it is provided to us by another legal or natural person, for example, in the following cases:

  • if another person makes a booking for you; 
  • if the data about you is provided to us by our business partner, or an agency or intermediary through which you have arranged an accommodation service in our hotels (e.g., travel agency, accommodation booking platform);
  • if we receive data about you from your airline;
  • we may also obtain data about you from your payment service provider;
  • we may also obtain data about you from our advertising service provider.

Automatically

We collect your personal data through automated systems, for the purpose of improving our service or for security, for example, in the following cases:

  • by you using this website, we collect certain information about how you use our site, as well as device data (such as IP address, browser type); 
  • for security reasons and to enable you to use the free internet, we record certain data about your device when you connect to our network;
  • for security reasons, we can record your photo on our surveillance cameras when passing through public areas (reception, hallway).

7.THE TYPES OF PERSONAL DATA WE COLLECT

Personal data includes any data relating to an identified natural person or other data by which a person can be identified. The data we collect and process about you depends on your relationship with us and the reasons for our communication.

Examples of personal data we collect are:

  • Identification data
    First and last name, form of address, gender, date of birth, username, PIN (OIB), and similar identifiers and data indicated on an identity card or passport.
  • Contact information
    Address, e-mail address, telephone number, preferred language information. 
  • Financial data
    Payment details and invoice or credit/debit card number, i.e. data about which of our services you have used, dates and descriptions of services
  • Technical data
    Technical data includes IP addresses, login information, location data, time zone, browser type and version, operating system, and other data about the technology you use to access our website.
  • Usage data
    Includes data on how you use our website, products and services. 
  • Marketing data
    This includes data about your contact preferences. 
  • Data about your preferences
    Data on what kind of apartment you want, type of bedding and similar special requirements.

Special categories of personal data

Special categories of personal data are data on race, ethnicity, religious or philosophical beliefs, sexual orientation, political views, union membership, data about your health, genetic and biometric data.

As a rule, we do not collect these types of data, or data on criminal offences, except in the following exceptional cases:

  • We collect and process your allergy-related health data, if you have advised us to do so, in order to fulfil a contract and on the basis of your express consent;  
  • If you have made any of the above data manifestly public.

8.LEGAL BASES FOR THE USE OF PERSONAL DATA

We process your personal data only if we have a valid legal basis for it. The most common legal bases we rely on will be the following:

Contract

E.g. , when you book accommodation in one of our properties, you enter into a contract with us.

Legal obligation

E.g., we check-in guests in the e-Visitor system in order to act in accordance with our legal obligation.

Legitimate interest

In cases where your rights and freedoms do not prevail over our legitimate interests, we process your data, for example, in order to record via surveillance cameras shared areas in our properties (e.g. outdoor area for which there is a sign that it is the same recording area) for the protection of property and security. We do not use your personal data under this legal basis if we have determined that this would adversely affect your privacy and that our legitimate interest does not prevail over the obligation to protect your rights and freedoms.

Consent

As a rule, we do not rely on this legal basis, except in those situations where it is provided for by law and other legal bases are not applicable. For example, we process your data based on consent in the case of sending personal data via e-mail that are necessary for the purpose of booking accommodation and/or entering it into the E-visitor system.

9.YOUR PERSONAL DATA

We collect different types of personal data about you, depending on your relationship with us and the services you use. In any case, we collect and process your personal data for legitimate purposes and on a valid legal basis.

By booking accommodation, you enter into an agreement on the provision of accommodation services with ZELENA GORICA d.o.o. We collect the information we need about you in order to establish a contractual relationship and to process a booking. Before your arrival, we will collect and process the information we need in order to provide you with the best and highest quality service and prepare for your arrival.

We also collect some data when you check into our facilities in order to fulfill our legal obligations.

In addition to collecting data to fulfil a contract and comply with our legal obligations, we process data because it is in our legitimate interest to do so, but only when our legitimate interest – based on the assessment we have made – does not prevail over the obligation to protect your privacy. Such situations are, for example, direct marketing or video-surveillance over public areas, such as outdoor spaces that are marked as surveillance area.

We rely on consent as a legal basis in exceptional cases, for example, when we ask you to provide your consent to send personal data via e-mail, which are necessary for the purpose of booking accommodation and/or entering it into the E-visitor system.

For some types of data processing, several legal bases for data processing are applicable, depending on the circumstances and context. For example, when we process your personal data for the purpose of issuing invoices and billing accommodation, we do so both on a contractual basis and in order to comply with our obligations arising from accounting regulations.

We have listed some basic ways in which we collect your personal data in the table below.

Processing activity

Data type

Legal basis

Accommodation booking

Booking the date of stay, choice of property and terms of payment, credit card guarantee or advance payment, making a booking, accepting the booking and sending a booking confirmation

Booking management

Preparation of documentation in accordance with accounting regulations

Identification data, contact information, payment information

Entering into a contract and providing a contractual service

Legitimate interest (managing the business and managing products and services)

Compliance with a legal obligation

Check-in/check-out

Registration and check-out of a guest, room allocation Guest registration in internal systems, pairing the guest with requested offers and services, data entry in the e-Visitor system

Entering data on guest preferences and requirements, and further communication options.

Identification data, contact information, preference data, marketing data

Compliance with a legal obligation

Providing a contractual service

Legitimate interest (guest record keeping, communication and business management)

Explicit consent (health and allergy data)

Booking services during the stay

Choosing dates and ordering additional services during the stay – trips and similar

Identification data, contact information, transaction data, marketing data

Providing contractual services

Legitimate interest (guest record keeping, communication and business management)

Explicit consent (health data)

Use of services during the stay

Use of additional services during the stay – restaurants and bars outside our managment

Identification data, contact information, transaction data, marketing data

Providing contractual services.

Legitimate interest (guest record keeping, communication and business management)

Explicit consent (health data)

Complaints/requests

Making additional requests at the reception during the stay (special wishes, deliveries and similar services);
Complaints

Identification data, transaction data, preference data

Providing contractual services

Legitimate interest (managing the business, managing staff and improving the service provided)

Answering queries

Sending answers to guest inquiries

Identification data, contact information

Providing contractual services

Legitimate interest (managing the business, managing staff, improving services, analytics)

Property security

Surveillance cameras

Electronic cards/keys

Identification data (recording, entrance to the room)

Legitimate interest (protection of security of property and persons)

Satisfaction surveys and questionnaires

Contacting a guest at their e-mail address or delivering a flyer to request a guest to complete a guest satisfaction survey or questionnaire

Contact information

Legitimate interest (managing the business, informing about customer satisfaction in order to improve the service)

Payment, billing and refund

Issuing invoices, payments, billing of receivables and refunds to guests

Identification data, contact information, financial data, transaction data

Providing contractual services

Acting in accordance with a legal obligation

Advertising

Preparing and sending ads, monitoring the effectiveness of submitted ads.

Identification data, contact information, usage data, marketing data, technical data, preference data

Consent (for re-targeting)

Legitimate interest (monitoring the effectiveness of ads business planning, developing marketing campaigns and business strategies)

Enabling the use of the internet

Connecting the guest to the internet

Technical data, usage data

Providing contractual services

Legitimate interest (maintaining the security of IT systems)

Incident monitoring

Internal lists of guests who caused incidents and are undesirable guests in our facilities due to inappropriate behaviour (unpaid services, aggressive incidents towards staff or other guests, theft, vandalism)

Identity data, behaviour description

Legitimate interest (protection of security of property and persons)

Establishment and defence of legal claims

Compensation claims

Keeping records of guest compensation claims, incident description, communication with third parties

Identification data, contact information, incident data

Legitimate interest (protection of property and reputation)

Establishment and defence of legal claims

Website security protection

Protection of our business and website security (debugging, data analysis, testing, system maintenance, support, reports)

Technical data, usage data

Legitimate interest (maintaining service continuity, network security and protection)

Analytical website monitoring

Improving website functionality, recognising interests, service optimisation and marketing strategies

Technical data, usage data

Legitimate interest (business development, marketing strategy, strategic planning)

Social networks

Communication through social media profiles

Identification data, contact information

Providing contractual services

Legitimate interest (communication with guests, management of guest expectations, marketing strategy)

Mobile web App Use

Booking accommodation in the property of choice, check-in and checkout, account overview with transactions and food & beverage consumption, feedback on stay at the property, collecting preference data.

Identification data, contact information, form of address, preference data, payment details.Marketing data, technical data, usage data, financial data, transaction data

The consent given when installing or using the mobile app


10.COOKIES

Our website collects cookies that contain certain information about how and in what way you use our website. Cookies are small text files that contain a unique identification and reference code that the web browser saves on your device and with which we can recognise you again when you access our website.

We do not use this data to identify you, nor do we use third party cookies for this purpose. Some cookies we collect last only during your use of our site, and some last a little longer, so that we can recognise you when you access our site again.

11.RECIPIENTS OF PERSONAL DATA

We do not share your personal data with third parties for the purpose of advertising their services. We will not sell your personal data to third parties.

In certain cases, we will share your personal data with other recipients, as follows:

In cases where you have agreed to share your personal data with a third party (e.g. in the case of the use of cookies);
With judicial, tax, auditing and other competent authorities, when we have reason to believe that we are obliged by law and other regulations to share such data (for example, at the request of the tax authority or in connection with expected litigation);
With payment service providers with whom we have concluded agreements on the processing of personal data;
With IT service providers with whom we have concluded appropriate data processing agreements, and whose systems we use in our business (e.g. Rentlio booking system (Rentlio d.o.o);
With the e-Visitor system, in accordance with the regulations on the provision of hospitality services and the manner of keeping a list and registration of tourists;
With other service providers who provide a specific service for us, including external consultants, technical support service providers and IT consultants who conduct certain testing or work on developing technical solutions in our systems;
In case of a merger or takeover of ZELENA GORICA d.o.o. in the future, we may share your personal data with the new owners of the company, and certain personal data may also be transferred during the purchasing process, to potential customers and their advisors, as part of the due diligence process.
With the mobile app service provider, if used.

12.CROSS-BORDER DATA TRANSFERS

We want to ensure that your personal data is stored and transferred securely. Therefore, outside the European Economic Area (hereinafter: EEA), we will only transfer data if this complies with the applicable data protection regulations and if the means of transmission ensure an adequate level of security for your data, for example:

  • Transfer of data to a third country, based on a decision of the European Commission on adequacy, which establishes that the legislation of that country has ensured an adequate level of data protection; or 
  • A Data Transfer Agreement concluded with a third party, which contains standard contractual clauses accepted by the European Commission for data transfer cases within the EEA, to controllers and processors in jurisdictions without an adequate level of data protection; or 
  • if you have expressly consented to the data transfer.

When we transfer your data outside the EEA and in cases where the country or territory to which the data is transferred does not ensure an adequate level of data protection, we will take all reasonable steps to ensure that your data is treated securely and in accordance with the privacy policy contained in this Privacy Notice.

13.SECURITY OF PERSONAL DATA

We apply technical and organisational measures to ensure that your data is secure and to protect it from accidental or intentional unauthorised access, loss or modification. We have ensured that your data can be accessed only by those persons who have a business need for it, solely for the purposes that are permitted and of which you have been notified, and that these persons are obliged to keep your data confidential.

If you suspect any unauthorised use, loss or unauthorised access to your personal data, please notify us.

 
14.DATA STORAGE AND RETENTION PERIODS 

We store your data as long as it may be necessary in accordance with the purpose for which it was collected, including in order to comply with legal obligations. After the expiry of the retention period, we will delete the data, and in cases where this is not technically possible, we will make the data unreadable. In the event that we still need some data for legitimate business purposes after the retention period has expired, we will take appropriate steps to anonymise that data.

According to the law, we keep data on guests for at least two years after the year of stay, and we must keep data in the e-Visitor system for 10 years.

We keep data related to accounting regulations for 11 years. This includes invoices and bills that may contain your personal data.

If using a credit card to guarantee a reservation, we keep a record of credit card data in our system up to 30 days after you check out; if a credit card is charged in the amount of the guarantee, we store the data in accordance with accounting regulations.

If we use your credit card data for the purpose of guaranteeing your reservation, we will keep this information in our systems for a maximum period of 30 days after your check-out. If the guarantee is used and we charge your card, this information will be retained for a longer time period, in line with accounting regulations.

We store data based on our legitimate interest in accordance with justified and reasonable business needs.

We keep data related to surveillance videos for up to six months.

We store the data we collect on the basis of consent, until the consent is withdrawn.

We keep data on reservations made from the official website for up to 5 (five) years.

15.YOUR RIGHTS REGARDING THE PROCESSING OF PERSONAL DATA 

Access. You have the right to access your personal data at any time by sending a request requesting that we provide you with all your personal data that we process.

Restriction of processing. You have the right to object to certain processing activities, for example, if we process your personal data on the basis of a legitimate interest.

Portability. You have the right to request a transfer of personal data to another service provider – in practice, this means that you have the right to request that we provide you with all personal data that we process in a machine-readable format or to request that we provide it directly to another company.

Rectification. You have the right to request an update, rectification or supplementation of your personal data at any time.

Erasure. You have the right to request the deletion of your personal data. We will comply with your request if we do not have a legal obligation or a valid reason of a legal or business nature for which we should continue to keep it.

Withdrawal of consent. In the event that we process your data on the basis of consent, you are entitled to withdraw your consent at any time. We will stop processing personal data collected on this legal basis without delay.

You can make all requests by sending a written request to the business address ZELENA GORICA d.o.o. in Zagreb, Kalinovica 3/V (attn. DPO) or by e-mail to info@cascade-dubrovnik.com.

Complaint. You are also entitled to submit a complaint to the local supervisory authority for data protection – the Croatian Personal Data Protection Agency, at the address:

Agencija za zaštitu osobnih podataka

Selska cesta 136

HR – 10 000 Zagreb

Tel. +385 (01) 4609-000

Fax. + 385 (01) 4609-099

E-mail: azop@azop.hr

Web: www.azop.hr

We inform you that we will keep records of our communication so that we can resolve any issue you contact us about as efficiently as possible. We will keep the same data for 5 (five) years, after which period we will delete the said data.

We process your rights free of charge, and we will only exceptionally charge you the administrative cost of processing the request, in accordance with the provisions of the GDPR. In that case, we will notify you before the cost is incurred.