Politika zasebnosti

Valamar Riviera d.d. s sedežem v Poreču, Hrvaška, Stancija Kaligari 1, OIB (osebna identifikacijska številka): 36201212847 (v nadaljnjem besedilu: VALAMAR RIVIERA ali mi ali naš) spoštuje zasebnost vsake osebe, katere osebne podatke zbira. V pravilniku o varstvu zasebnosti vas želimo obvestiti o tem, katere osebne podatke VALAMAR RIVIERA kot upravljavec zbira, za kateri namen, kako jih varuje in katere so vaše pravice. VALAMAR RIVIERA v določenih primerih nastopa kot upravljavec tudi za posameznike, na katere se nanašajo osebni podatki in ki so hkrati posamezniki, na katere se nanašajo osebni podatki, družb, s katerimi ima VALAMAR RIVIERA sklenjene podjetniške pogodbe, na podlagi katerih upravlja turistični del poslovanja v okviru svojih pooblastil na podlagi teh pogodb.

V primeru rezervacije nastanitve prek spletnega mesta www.valamar.com je vaš upravljavec VALAMAR RIVIERA, lahko pa je tudi Imperial Riviera d.d. s sedežem na naslovu Rab, Hrvaška, Jurja Barakovića 2, OIB (osebna identifikacijska številka): 90896496260 managed by Valamar, HELIOS FAROS d.d. s sedežem na naslovu Stari Grad (Grad Stari Grad), Hrvaška, Naselje Helios 5, OIB (osebna identifikacijska številka): 48594515409 managed by Valamar, Valamar Obertauern GmbH, s sedežem na naslovu Obertauern, Avstrija, Gamsleitenstraße 6, FN: 195893 d, managed by Valamar, Kesselspitze GmbH & Co KG, s sedežem na naslovu Obertauern, Avstrija, Alpenstraße 1, FN: 581638 a, managed by Valamar, odvisno od tega, v katerem objektu ste nastanjeni. PREBERITE VEČ
Dodatne informacije o obdelavi osebnih podatkov in svojih pravicah najdete v pravilnikih o varstvu zasebnosti v nadaljevanju.

Valamar Riviera d.d. Helios Faros d.d. Imperial Riviera d.d. Valamar Obertauern GMBH Kesselspitze GmbH & Co KG Valamar Marietta GmbH

Valamar Riviera d.d. politika zasebnosti

Januar 2024

Valamar Riviera dioničko društvo za turizam s sedežem v Republiki Hrvaški, v Poreču, na naslovu Stancija Kaligari 1, je vodilna hrvaška turistična družba, ki upravlja hotele, letovišča in letovišča za kampiranje na znanih turističnih destinacijah – v Istri, na otokih Krk, Rab in Hvar, v Makarski in Dubrovniku ter Obertauernu v Avstriji. Valamar Riviera spoštuje zasebnost vsake osebe, katere osebne podatke obdeluje. V okviru tega Pravilnika o varstvu zasebnosti vas obveščamo o tem, katere osebne podatke Valamar Riviera kot upravljavec zbira in obdeluje, za kateri namen, kako jih ščitimo in kakšne so vaše pravice.

Zaradi lažjega sklicevanja in hitrejše najdbe informacij, ki jih iščete, lahko s klikom naslova v kazalu hitro pridete do teme, ki vas zanima. V splošnem delu se nahajajo naša splošna pravila, ki veljajo za vsako obdelavo osebnih podatkov, medtem ko smo v posebnem delu navedli naše najpogostejše primere obdelave osebnih podatkov, ki predstavljajo glavnino vseh naših obdelav.

SPLOŠNI DEL

UPRAVLJAVEC IN ZAKONSKI OKVIR

Valamar Riviera s sedežem v Republiki Hrvaški, v Poreču, Stancija Kaligari 1, OIB (osebna identifikacijska številka): 36201212847 (v nadaljnjem besedilu: Valamar Riviera ali mi ali naš) se kot upravljavec zavezuje k zaščiti vaših osebnih podatkov. Zbiranje in hramba podatkov se izvajata v skladu z določbami Uredbe (EU) 2016/679 Evropskega parlamenta in Sveta z dne 27. aprila 2016 o varstvu posameznikov pri obdelavi osebnih podatkov in o prostem pretoku takih podatkov (v nadaljnjem besedilu: Uredba), Zakona o izvajanju Splošne uredbe o varstvu podatkov (Uradni list, št. 42/2018) in ostalih predpisov, ki urejajo zadevno področje in veljajo v Republiki Hrvaški.

OBSEG UPORABE

Ta Pravilnik o varstvu zasebnosti velja za vsako obdelavo osebnih podatkov, ki jo izvaja Valamar Riviera kot upravljavec, razen če drug pravilnik ali dokument Valamar Riviere določa za posamezno obdelavo drugače. Valamar Riviera v določenih primerih nastopa kot upravljavec tudi za posameznike, na katere se nanašajo osebni podatki, ki so hkrati posamezniki, na katere se nanašajo osebni podatki, družb, s katerimi ima Valamar Riviera sklenjene pogodbe o upravljanju turističnih objektov in vsebin v okviru svojih pooblastil na podlagi teh pogodb.

Ta Pravilnik o varstvu zasebnosti je razdeljen na dva dela: Splošni in Posebni del. Osnovna načela obdelave osebnih podatkov, podatki za stik pooblaščene osebe za varstvo osebnih podatkov in ostale določbe, določene v splošnem delu Pravilnika o varstvu zasebnosti, veljajo brez izjeme za vsako obdelavo osebnih podatkov ne glede na to, ali je takšna obdelava posebej obdelana v Posebnem delu Pravilnika o varstvu zasebnosti ali ne. V Posebnem delu Pravilnika o varstvu zasebnosti so podrobneje obdelani posebni primeri obdelave podatkov, ki predstavljajo glavnino vseh naših obdelav.

POOBLAŠČENA OSEBA ZA VARSTVO PODATKOV

Valamar Riviera je imenovala pooblaščeno osebo za varstvo osebnih podatkov, na katero se lahko z zvezi z vprašanji o varstvu osebnih podatkov in za uveljavitev svojih pravic, zagotovljenih z Uredbo, kadar koli obrnete prek naslova dpo@valamar.com prek navadne pošte na naslov Valamar Riviera d.d., Stancija Kaligari 1, Poreč, Republika Hrvaška – za DPO.

NAČELA VARSTVA OSEBNIH PODATKOV

Valamar Riviera je prepoznala načela obdelave podatkov kot osnovne vrednote, ki se morajo spoštovati skozi celoten cikel obdelave osebnih podatkov – od njihovega zbiranja pa vse do njihovega uničenja ali drugega prenehanja obdelave. Podatke obdelujemo:

  • Zakonito – obdelava bo mogoča, če jo dovoljuje zakonodaja, in bo izvedena v mejah, ki jih zakonodaja omogoča.
  • Pošteno – ob upoštevanju posebnosti vsakega razmerja, z izvajanjem vseh ustreznih ukrepov za varstvo osebnih podatkov in brez preprečevanja posameznikom, na katere se nanašajo osebni podatki, da uveljavijo svoje pravice.
  • Transparentno – z obveščanjem posameznikov, na katere se nanašajo osebni podatki, o obdelavah osebnih podatkov. Od samega zbiranja podatkov, ko so posamezniki, na katere se nanašajo osebni podatki, obveščeni o vseh vidikih obdelave podatkov, pa vse do prenehanja obdelave podatkov se posameznikom, na katere se nanašajo osebni podatki, zagotavlja enostaven in hiter dostop do lastnih podatkov. Določene informacije se lahko omejijo samo, ko to zahteva zakonodaja ali je to nujno za zaščito tretjih oseb.
  • Glede omejitve namena – z obdelavo osebnih podatkov za tiste namene, za katere so zbrani, za druge namene pa, če so za to izpolnjeni pogoji iz Uredbe. Podatki se lahko obdelujejo v usklajene namene samo ob upoštevanju: (a) vsake povezave med namenom zbiranja osebnih podatkov in namenom nameravanega nadaljevanja obdelave; (b) konteksta, v katerem so osebni podatki zbrani, posebej glede razmerja med nami in posamezniki, na katere se nanašajo osebni podatki; (c) narave osebnih podatkov, posebej dejstva, ali se obdelujejo posebne kategorije osebnih podatkov v skladu z 9. členom Uredbe ali osebni podatki, ki se nanašajo na kazenske obsodbe in kazniva dejanja v skladu z 10. členom Uredbe; (d) možnih posledic nameravanega nadaljevanja obdelave za posameznike, na katere se nanašajo osebni podatki; (e) obstoja ustreznih zaščitnih ukrepov.
  • Z omejitvijo hrambe – s hrambo podatkov v obliki, ki omogoča identifikacijo posameznikov, na katere se nanašajo osebni podatki, samo tako dolgo, dokler je to potrebno za namene, zaradi katerih se osebni podatki obdelujejo, dlje pa samo, če to dovoljujejo predpisi.
  • Z zmanjšanjem količine podatkov – z obdelavo podatkov, če so primerni, relevantni in omejeni na to, kar je nujno. Posebna pozornost se namenja temu, da se ne zbirajo podatki, za katere ne obstaja upravičena potreba po obdelavi.
  • Z upoštevanjem točnosti – z upoštevanjem točnosti in posodobitve podatkov in brisanjem netočnih podatkov v okviru zmožnosti.
  • Z upoštevanjem celovitosti in zaupnosti – z zagotavljanjem tehničnih in organizacijskih ukrepov za omogočanje ustrezne varnosti osebnih podatkov, vključno z zaščito pred nepooblaščeno ali nezakonito obdelavo ter slučajno izgubo, uničenjem ali poškodovanjem z uporabo ustreznih tehničnih ali organizacijskih ukrepov. Relevantni ukrepi se izvajajo ob upoštevanju tveganosti vsake vrste obdelave podatkov.

ZAKONITOST OBDELAVE OSEBNIH PODATKOV

Za spoštovanje zakonitosti obdelave osebnih podatkov obdelujemo osebne podatke samo in v tistem obsegu, v katerem je izpolnjena najmanj ena od naslednjih pravnih podlag:

  • Obdelava je nujna za izpolnitev pogodbe, v kateri je posameznik, na katerega se nanašajo osebni podatki, stranka ali da bi se izvedla dejanja na zahtevo posameznika, na katerega se nanašajo osebni podatki, pred sklenitvijo pogodbe; to je najpogostejši namen obdelave podatkov posameznikov, na katere se nanašajo osebni podatki, kjer je temelj obstoječe pogodbeno razmerje ali pogodbeno razmerje, ki se poskuša skleniti.
  • Obdelava je nujna zaradi spoštovanja pravnih obveznosti upravljavca. Valamar Riviera ima kot pravni subjekt številne obveznosti, ki jih določajo razni predpisi. Ta obveznost obsega zbiranje, pogosto pa tudi posredovanje podatkov državnim organom. Nekaj takšnih primerov: obdelava osebnih podatkov delničarjev, ki se prijavljajo za glavno skupščino, obdelava osebnih podatkov gostov in posredovanje prek sistema eVisitor.
  • Obdelava je nujna za potrebe zakonitih interesov upravljavca ali tretje strani, razen če nad temi interesi prevladajo interesi ali temeljne pravice in svoboščine posameznikov, na katere se nanašajo osebni podatki, ki zahtevajo varstvo osebnih podatkov, ob upoštevanju razumnih pričakovanj posameznikov, na katere se nanašajo osebni podatki, ki temeljijo na njihovem razmerju z upravljavcem, razen če je posameznik, na katerega se nanašajo osebni podatki, otrok. Pri uporabi te pravne podlage ocenjujemo, da je obdelava primerna glede na poslovne potrebe, da je kar najmanj invazivna in da interesi posameznika, na katerega se nanašajo osebni podatki, ne prevladajo nad našimi zakonitimi interesi ali zakonitimi interesi tretje strani. Primer takšne obdelave podatkov so obdelava za administrativne namene, namen ohranitve varnosti računalniških omrežij, namen neposrednega marketinga in izboljšanja našega poslovanja. Posameznik, na katerega se nanašajo osebni podatki, lahko v takšnih situacijah vedno ugovarja takšni obdelavi.
  • Obdelava je nujna za zaščito ključnih interesov posameznika, na katerega se nanašajo osebni podatki, ali druge fizične osebe. Pravica do zaščite osebnih pravic ni absolutna pravica in jo izenačujemo z drugimi temeljnimi pravicami v skladu z načelom sorazmernosti. Valamar Riviera upošteva možnost, da je treba v določenih situacijah obdelovati osebne podatke, da bi se zaščitili ključni interesi posameznika, na katere se nanašajo osebni podatki, ali druge fizične osebe. Primer za takšno obdelavo podatkov so izjemni primeri bolezni, poškodbe gosta ali druge fizične osebe, zaradi česar je včasih treba zaprositi za osebni dokument gosta in zaprositi za zdravstvene podatke, ki spadajo v posebno kategorijo osebnih podatkov. Prav tako lahko v nekaterih izrednih situacijah, na primer v primeru epidemije, obdelujemo podatke na podlagi priporočil Hrvaškega zavoda za javno zdravstvo.
  • Posameznik, na katerega se nanašajo osebni podatki, je podal privolitev za obdelavo svojih podatkov za enega ali več posebnih namenov. Pri obdelavi osebnih podatkov na podlagi privolitve posebej upoštevamo, da so to situacije, v katerih ne obstajajo nobene, formalne ali neformalne, posledice za dajanje, zavrnitev dajanja ali odrekanje privolitve. Ko obdelava temelji na privolitvi, lahko posameznik, na katerega se nanašajo osebni podatki, prekliče privolitev kadar koli brez negativnih posledic. Preklic privolitve ne vpliva na zakonitost obdelave na podlagi privolitve, preden je bila ta preklicana.

VRSTE OSEBNIH PODATKOV, KI SE OBDELUJEJO

Posebne kategorije osebnih podatkov: posebne kategorije osebnih podatkov se obdelujejo samo, če so izpolnjeni pogoji iz 9. člena Uredbe. Na primer: obdelujemo podatke delavcev, ki spadajo v posebne kategorije osebnih podatkov, kot so podatki o članstvu v sindikatu (na primer pri uveljavljanju posebnih pravic glede na relevantne predpise), verskih ali filozofskih prepričanjih (na primer pri uveljavljanju pravic do dodatnih dela prostih dni za verske praznike, če je posameznik prostovoljno razkril takšne podatke za naveden namen) ali podatkov, ki se nanašajo na zdravje (na primer glede na posebne predpise o zaščiti pri delu ali vodenju evidence o delavcih ali ko se za določene naloge zahtevajo posebna potrdila o zdravstvenem stanju).

Podatki o kazenskih obsodbah in kaznivih dejanjih: ko za to obstaja zakonsko dovoljenje, obdelujemo tudi osebne podatke, ki se nanašajo na kazenske obsodbe in kazniva dejanja, kot so na primer potrdila o nekaznovanosti za delavce pri prijavah na javne razpise, če je to zahteva takšnega razpisa.

Osebni podatki, ki se ne uvrščajo v prejšnji dve skupini: takšni osebni podatki tvorijo največji del obdelanih podatkov, pri tem pa gre najpogosteje za identifikacijske in kontaktne podatke, kot so ime in priimek, OIB, podatki, ki nastanejo na podlagi gibanja v prostorih, ki so pod videonadzorom.

Osebni podatki, ki ne spadajo v prejšnji dve skupini: takšni osebni podatki predstavljajo največji del obdelanih podatkov; najpogosteje so to identifikacijski podatki in podatki za stik, kot so ime in priimek, osebna identifikacijska številka, podatki, ki nastanejo na podlagi gibanja v prostorih pod video nadzorom.

Večino osebnih podatkov, ki jih zbiramo, zagotovijo posamezniki, na katere se nanašajo osebni podatki, sami, prosimo pa vas, da ne navajate občutljivih informacij (na primer rase ali etničnega porekla, političnega mnenja, verskega ali filozofskega prepričanja in podobnega), razen ko je to nujno. Če boste vseeno navedli občutljive informacije iz katerega koli razloga, s tem dejanjem dajete svojo izrecno privolitev za zbiranje in uporabo teh informacij na načine, opisane v tem Pravilniku o varstvu zasebnosti, ali na način, opisan v trenutku razkritja teh informacij.

DOSTAVA PODATKOV TRETJIM OSEBAM

Valamar Riviera osebne podatke deli z drugimi samo, ko za to obstaja zakonska podlaga.

Možno je, da v določenih primerih pride do prenosa osebnih podatkov zunaj Evropske unije (EU) in Evropskega gospodarskega prostora (EGP), in to v države, za katere ne obstaja sklep o ustreznosti Evropske komisije. V teh primerih zagotavljamo spoštovanje visokih standardov zaščite osebnih podatkov, v skladu s strogimi zahtevami Uredbe pa bo vsak prenos osebnih podatkov v tretje države izveden v skladu s poglavjem V. Uredbe. Najpogostejši modeli prenosa v teh primerih so uporaba standardnih pogodbenih določil, ki jih je odobrila Evropska komisija, ter izrecna privolitev posameznika, na katerega se nanašajo osebni podatki.

Pravne obveznosti
V okviru izpolnjevanja zakonskih obveznosti smo dolžni dostavljati podatke tretjim osebam. Na primer: dostava podatkov gostov prek sistema eVisitor, dostava podatkov delavcev pristojnim zavodom: Hrvaškemu zavodu za pokojninsko zavarovanje, Hrvaškemu zavodu za zdravstveno zavarovanje, Davčni upravi in Osrednjemu registru zavarovancev in pokojninskim zavodom. Prav tako moramo v določenih primerih dostaviti ali omogočiti vpogled v podatke glede zaposlitve Hrvaškemu zavodu za zaposlovanje, na primer zaradi vključitve delavcev v ukrepe aktivne politike zaposlovanja, pristojnim policijskim postajam oziroma ministrstvu, pristojnemu za notranje zadeve, na primer v primeru zadrževanja višjih državnih uslužbencev v objektih ter za izdajo dovoljenj za delo, ministrstvu, pristojnemu za zadeve turizma, v primeru zaposlovanja štipendistov, ministrstvu, pristojnemu za zadeve gospodarstva in podjetništva, ko gre za uporabo podpor za naložbe, zavarovalnim družbam, bankam in v ostalih primerih, ko to določajo predpisi. Prav tako se določeni podatki delavcev pošiljajo bankam ali pokojninskim skladom v okviru izplačila plač, podatki pa se lahko pošiljajo tudi upnikom v okviru izvršilnih predpisov. Včasih se podatki pošiljajo na podlagi pogodbene obveznosti; na primer pri dijakih, ki so vključeni v učenje na podlagi dela (praksa), se podatki izmenjujejo s šolami in/ali fakultetami.
Določeni osebni podatki se dostavljajo tudi poslovnim subjektom za namen zagotavljanja specifičnih storitev, kot so na primer storitve zdravstvenih pregledov delavcev (izbrana medicina dela), ustanovam, ki organizirajo zakonsko obvezno izobraževanje (zaščita pri delu, higienski minimum, toksikologija) ali revizijskim družbam pri izvajanju obvezne revizije, notarjem, ko se zahtevajo overitve, finančni agenciji za potrebe pridobivanja poslovnih certifikatov, zavezancem v okviru javnih naročil, ko se prijavljamo na razpise za javna naročila, za namen dodelitve in uporabe službenih kartic, službenih mobilnih naprav ali nakup goriva.

Valamar Riviera kot družba za upravljanje
Poseben primer dostave podatkov tretjim subjektom se nanaša na dejstvo, da ima Valamar Riviera sklenjene dolgoročne pogodbe o upravljanju turističnih vsebin in objektov z nekaj turističnimi družbami. To pomeni, da upravljamo Valamarjeve objekte, ki jih predstavljajo naši nastanitveni objekti (v naši lasti ali ki jih uporabljamo na drugi podlagi) ter nastanitveni objekti družb, ki jih upravljamo. Storitve upravljanja vključujejo predvsem storitve, povezane z gosti Valamarjevih objektov, in tudi kader. Glede na navedeno včasih delimo osebne podatke gostov, kandidatov za zaposlitev oziroma delavcev Valamarjevih objektov z družbami, ki jih upravljamo, oziroma so posamezniki, na katere se nanašajo osebni podatki, teh družb tudi naši posamezniki, na katere se nanašajo osebni podatki, vse za namen razvoja poslovanja in storitev Valamarjevih objektov, obveščanja o ponudbah Valamarjevih objektov, identifikacije posameznikov, na katere se nanašajo osebni podatki, s podobnimi potrebami in analitike, povezane s tržnimi gibanji. Vsa načela iz tega Pravilnika se nanašajo tudi na posameznike, na katere se nanašajo osebni podatki, teh družb v segmentih, v katerih smo vključeni kot upravljavec, medtem ko so te družbe prav tako odgovorne kot upravljavci za svoje obdelave podatkov posameznikov, na katere se nanašajo osebni podatki. Pravilniki o varstvu zasebnosti vseh družb, ki jih upravljamo, se nahajajo na strani https://www.valamar.com/si/izjava-o-zasebnosti.

Valamar Riviera kot turistična agencija
Ker smo tudi turistična agencija, posredujemo podatke tretjim osebam, ko je to nujno za izvedbo dogovorjenih storitev. Podatke gosta, ki je rezerviral nastanitev, na primer posredujemo družbi, ki zagotavlja storitve konkretne nastanitve, ali podatke kupca določenega doživetja posredujemo organizatorju tega doživetja.

Valamarjevi partnerji – obdelovalci
Podatki se lahko posredujejo poslovnim subjektom, obdelovalcem, ki obdelujejo podatke v imenu nas kot upravljavca. Najpogosteje so to naši poslovni sodelavci, ki nam zagotavljajo določene storitve, na primer informacijske ali marketinške, za obdelavo plačil, storitve zaščite. Z vsemi partnerji sklenemo podrobno pogodbo glede njihovih pooblastil in obveznosti pri obdelavi osebnih podatkov v skladu z zahtevami Uredbe. Ti so prav tako dolžni uporabljati podatke, ki so jim zaupani, izključno v skladu z našimi pogodbami in strogo za namen, ki smo ga navedli. Prav tako morajo ustrezno zaščititi vaše podatke in jih ohranjati tajne.

ČAS HRAMBE PODATKOV

Podatki posameznikov, na katere se nanašajo osebni podatki, se obdelujejo in hranijo v skladu z veljavnimi zakonskimi predpisi, ko je obveznost hrambe predpisana.

Ko sme Valamar Riviera sama določiti roke hrambe podatkov, se podatki hranijo samo tako dolgo, kot je to potrebno za izpolnitev namena, zaradi katerega se osebni podatki obdelujejo, ob upoštevanju namena obdelave, zakonitih interesov Valamar Riviere in interesov posameznikov, na katere se nanašajo osebni podatki. Ko za določeno obdelavo v tem Pravilniku o varstvu zasebnosti ali drugje nismo navedli roka hrambe podatkov, vas obveščamo, da je rok hrambe pet let.

Po poteku predvidenega roka hrambe podatkov bomo podatke izbrisali, če pa to ne bo mogoče, bomo poskrbeli, da bodo neberljivi.

OBDELAVA OSEBNIH PODATKOV OTROK

Osebne podatke otrok obdelujemo, ko je to povezano z našimi storitvami, na primer takrat, ko so otroci gostje naših objektov, obiskovalci igralnic Maro, pa tudi v drugih primerih, na primer takrat, ko so mladoletni dijaki pri nas vključeni v učenje, zasnovano na delu (praksa). Včasih ne moremo vplivati na uporabo naših storitev, na primer takrat, ko se otroci pojavijo kot sledilci naših profilov na družbenih omrežjih. Staršem in skrbnikom svetujemo, da otroke poučijo o varnem in odgovornem ravnanju z osebnimi podatki, posebej na spletu.

VIRI OSEBNIH PODATKOV

Osebne podatke najpogosteje prejmemo od vas. Pri posredovanju osebnih podatkov na kateri koli način (rezervacija nastanitve, prijava za zaposlitev, uporaba mobilne aplikacije, uporaba storitev restavracije, wellnessa ipd.) zagotavljate, da so informacije, ki ste jih zagotovili, točne, da ste poslovno sposobni in pooblaščeni za razpolaganje z zadevnimi informacijami in da se v celoti strinjate, da lahko vaše podatke uporabljamo in zbiramo v skladu s pozitivnimi predpisi in pogoji tega Pravilnika o varstvu zasebnosti.

Prav tako vaše osebne podatke prejmemo posredno, od drugih fizičnih in pravnih oseb, na primer od turističnih agencij, ki posredujejo podatke gostov za potrebe nastanitve, gostov, ki rezervirajo nastanitev za osebe, s katerimi bodo bivali v objektih, agencij za posredovanje pri zaposlovanju in napotitvi delavcev, poslovnih partnerjev o njihovih delavcih, ki bodo sodelovali pri izpolnjevanju določenih pogodb, in drugih. Pri posredovanju osebnih podatkov drugih oseb nam zagotavljate, da so informacije, ki ste jih priložili, točne, da ste poslovno sposobni in pooblaščeni za razpolaganje z danimi informacijami, da se posamezniki, na katere se nanašajo osebni podatki, katerih osebne podatke nam posredujete, strinjajo s tem, da lahko njihove podatke obdelujemo. Če posredujete podatke drugih oseb, jih morate seznaniti z našim Pravilnikom o varstvu zasebnosti.

V določenih primerih osebne podatke prejmemo tudi iz javnih virov, na primer sodnega registra, vaših spletnih mest, oglasov in podobnega.

TEHNIČNA IN INTEGRIRANA ZAŠČITA PODATKOV

Spoštujemo najvišje organizacijske in tehnične standarde zaščite podatkov. Ob upoštevanju najnovejših dosežkov, stroška izvedbe in narave, obsega, konteksta in namena obdelave ter tveganj različnih ravni verjetnosti in resnosti za pravice in svoboščine posameznikov, ki izhajajo iz obdelave podatkov, med določitvijo sredstev obdelave in tudi v času same obdelave izvajamo ustrezne tehnične in organizacijske ukrepe za omogočanje učinkovite uporabe načel zaščite podatkov.

Prav tako izvajamo ustrezne tehnične in organizacijske ukrepe, s katerimi se zagotavlja, da so integrirano obdelani samo osebni podatki, ki so nujni za vsak poseben namen obdelave. Ta ukrep uporabljamo za količino zbranih osebnih podatkov, obseg njihove obdelave, obdobje hrambe in njihovo dostopnost. Točneje: takšni ukrepi zagotavljajo, da osebni podatki niso samodejno, brez poseganja posameznika dostopni neomejenemu število posameznikov.

Za zagotovitev visoke ravni varnosti pri obdelavi osebnih podatkov in njihovo zaščite pred nenamernim ali namernim nepooblaščenim dostopom, izgubo ali spreminjanjem, zagotavljamo dostop do sistemov, kjer hranimo največ osebnih podatkov posameznikov, samo pooblaščenim osebam, in to v obsegu, ki je potreben za opravljanje njihovih delovnih nalog, kar počnemo prek sistema večkratnega preverjanja pristnosti, ki je zaščiten pred nepooblaščenim dostopom in uporabo ter redno posodobljen.

KRŠITVE ZASEBNOSTI OSEBNIH PODATKOV

Uvedli smo ustrezne tehnično-organizacijske ukrepe, da bi tveganje za kršitve kar najbolj zmanjšali. Če kljub temu opazite, da je prišlo do kršitve zasebnosti osebnih podatkov, nam to vedno brez odlašanja sporočite na e-poštni naslov: dpo@valamar.com. Da bi se v takšnih primerih ustrezno pravočasno odzvali, smo vzpostavili interne mehanizme.

V skladu z Uredbo in tudi internimi pravilniki v primeru kršitve zasebnosti osebnih podatkov brez nepotrebnega odlašanja in če je izvedljivo, najpozneje v 72 urah po tem, ko izvemo za kršitev, pristojnemu nadzornemu organu sporočimo kršitev zasebnosti osebnih podatkov, razen če ni verjetno, da bo kršitev zasebnosti osebnih podatkov povzročila tveganje za pravice in svoboščine posameznika.

Poročilo, ki se dostavi nadzornemu organu, vsebuje vse informacije v skladu z Uredbo.

V primeru kršitve zasebnosti osebnih podatkov, pri kateri bo kršitev verjetno povzročila visoko tveganje za pravice in svoboščine posameznika, brez nepotrebnega odlašanja obvestimo posameznika, na katerega se nanašajo osebni podatki, o kršitvi zasebnosti osebnih podatkov. Ko Uredba to določa, obveščanje posameznika, na katerega se nanašajo osebni podatki, včasih ni obvezno.

PRAVICE POSAMEZNIKOV, NA KATERE SE NANAŠAJO OSEBNI PODATKI

Ne glede na podlago za zbiranje podatkov lahko posamezniki, na katere se nanašajo osebni podatki, brezplačno uveljavljajo naslednje pravice v okviru omejitev, ki jih določa Uredba:

Pravico do obveščanja: pravico imate biti obveščani o obdelavi in njenih namenih. Posamezniku, na katerega se nanašajo osebni podatki, zagotavljamo vse informacije, ki so nujne za zagotovitev poštene in pregledne obdelave, ob upoštevanju konteksta obdelave.

Pravica do brisanja (»pravica do pozabe«): zahtevate lahko izbris osebnih podatkov, ki se nanašajo na vas, brez nepotrebnega odlašanja, v skladu s pogoji iz Uredbe. V ta namen pošljite zahtevo nam kot upravljavcu pisno, vključno z elektronsko obliko komunikacije. Opozarjamo, da je v zahtevi treba specificirati, kaj konkretno želite izbrisati, saj lahko vaše podatke hranimo na podlagi različnih pravnih podlag, na primer posameznik, na katerega se nanašajo osebni podatki, je lahko tako naš gost kot kandidat za zaposlitev. Izbris osebnih podatkov, ki se nanašajo na vas, lahko zahtevate, če je izpolnjen eden od naslednjih pogojev: p>

  • Vaši osebni podatki niso več nujni glede na namen, za katerega smo jih zbrali ali obdelali.
  • Privolitev, na kateri obdelava temelji, ste preklicali, druga pravna podlaga za obdelavo pa ne obstaja.
  • Vložili ste pritožbo zoper obdelavo svojih osebnih podatkov, pri čemer ne obstajajo zakoniti razlogi za obdelavo, ki bi prevladali nad vašimi.
  • Osebni podatki so se obdelovali nezakonito.
  • Osebni podatki se morajo izbrisati zaradi spoštovanja pravne obveznosti.

V nekaterih primerih ne bo mogoče v celoti izpolniti zahteve po izbrisu, na primer ko obstaja zakonska obveznost hrambe, ko zakoniti interes upravljavca prevlada nad interesom posameznika, na katerega se nanašajo osebni podatki, ko obstaja interes upravljavca zaradi uveljavljanja, izvajanja ali obrambe pravnih zahtevkov.

Pravica do dostopa do podatkov: pravico imate do dostopa do svojih osebnih podatkov, ki jih obdelujemo o vas, prav tako pa lahko zahtevate podrobne informacije posebej o njihovem namenu obdelave, vrsti/kategorijah osebnih podatkov, ki se obdelujejo, vključno z vpogledom v svoje osebne podatke, prejemnikih ali kategorijah prejemnikov ter predvidenem obdobju hrambe osebnih podatkov. Dostop do osebnih podatkov je lahko omejen samo v zakonsko predpisanih primerih oziroma ko se s takšno omejitvijo spoštuje bistvo temeljnih pravic in svoboščin drugih.

Pravica do popravka: pravico imate do popravka ali dopolnitve osebnih podatkov, če vaši podatki niso točni, popolni in posodobljeni. V ta namen pošljite zahtevo nam kot upravljavcu pisno, vključno z elektronsko obliko komunikacije. Opozarjamo, da je treba v zahtevi specificirati, kaj konkretno ni točno, popolno ali posodobljeno in v katerem smislu bi bilo treba navedeno popraviti, in dostaviti potrebno dokumentacijo v podkrepitev svojih navedb.

Pravica do prenosa podatkov: Posameznik ima pravico prejeti osebne podatke, ki se nanašajo nanj, v strukturirani, splošno uporabljani in strojno berljivi obliki v skladu z zahtevami Uredbe.

Pravica do ugovora: pravico imate prejeti osebne podatke, ki se nanašajo na vas, v strukturirani, običajno uporabljeni in strojno berljivi obliki, ter te podatke prenesti drugemu upravljavcu brez oviranja s strani upravljavca, ki so mu bili osebni podatki posredovani, vse v skladu z zahtevami Uredbe.

Pravica do omejitve obdelave:uveljavitev pravice do omejitve obdelave lahko zahtevate v naslednjih primerih:

  • če ugovarjate njihovi točnosti;
  • če je obdelava nezakonita, vi pa nasprotujete njihovemu izbrisu;
  • če upravljavec osebnih podatkov ne potrebuje več ali pa ste jih vi zahtevati zaradi uveljavljanja, izvajanja ali obrambe pravnih zahtevkov;
  • če ste vložili pritožbo zoper obdelavo svojih osebnih podatkov in pričakujete potrditev, ali zakoniti razlogi upravljavca nadvladajo nad razlogi posameznika, na katerega se nanašajo osebni podatki.

Pravica do pritožbe zoper obdelavo osebnih podatkov: ko obdelujemo podatke na podlagi svojih zakonitih interesov, ki prevladajo nad interesi posameznika, na katerega se nanašajo osebni podatki, lahko posameznik, na katerega se nanašajo osebni podatki, na podlagi svoje posebne situacija kadar koli vloži pritožbo zoper obdelavo osebnih podatkov, ki se nanj nanašajo.

V vsakem primeru imajo posamezniki, na katere se nanašajo osebni podatki, prav tako pravico:

  • vložiti pritožbo pri pooblaščeni osebi za varstvo osebnih podatkov
    Valamar Riviera d.d.,
    za DPO
    Stancija Kaligari 1, Poreč
    e-mail: dpo@valamar.com
  • vložiti pritožbo pri nadzornem organu, če menijo, da so bile kršene njihove pravice do varstva podatkov
    Agencija za zaštitu osobnih podataka
    Selska cesta 136, HR – 10 000 Zagreb
    e-mail: azop@azop.hr

Mi kot upravljavci imamo pravico zaščititi naše interese in zaščititi posameznike, na katere se nanašajo osebni podatki, ter imamo v skladu s tem pravico izvesti aktivnosti za ugotovitev identitete vlagatelja zahteve.

Prav tako lahko objavimo obrazec, ki se bo uporabljal za vložitev zahteve, da bi bilo njeno reševanje kar najučinkovitejše.

V primeru vložitve zahteve vam bomo zagotovili informacije o izvedenih ukrepih glede uveljavitve vaših pravic brez nepotrebnega odlašanja in vedno v roku enega meseca od dneva prejema zahteve. Ta rok se lahko po potrebi podaljša za dodatna dva meseca ob upoštevanju kompleksnosti in števila zahtev. V tem primeru vas bomo v roku enega meseca od dneva prejema zahteve o tem obvestili skupaj z razlogi za podaljšanje.

Če vložite zahtevo elektronsko, vam bomo informacije zagotovili elektronsko, če je to mogoče, razen če boste navedli drugače.

Opozarjamo, da bomo v primeru zahteve vse zahteve in spremljevalno korespondenco hranili za namen dokazovanja ravnanja.

Reševanje zahtev posameznika, na katerega se nanašajo osebni podatki, je praviloma brezplačno, če pa so zahteve posameznika, na katerega se nanašajo osebni podatki, očitno neutemeljene ali pretirane, posebej pa se pogosto ponavljajo, lahko zaračunamo razumno nadomestilo na podlagi administrativnih stroškov ali zavrnemo reševanje zahteve.

Vse zahteve, ki niso povezane z zaščito osebnih podatkov in so dostavljene na naslov pooblaščene osebe za varstvo podatkov, npr. ponudbe kandidatov za zaposlitev, povpraševanja za rezervacije v Valamarjevih objektih, bodo posredovane neposredno pristojnim oddelkom v Valamar Rivieri brez posebnega odgovora pošiljatelju s strani pooblaščene osebe za varstvo podatkov. Prav tako se lahko po potrebi vse zahteve, povezane z varstvom osebnih podatkov, ki jih prejmejo naši drugi oddelki na naše druge e-poštne naslove, posredujejo naši pooblaščeni osebi za varstvo osebnih podatkov.

POSEBNI DEL

BIVANJE V VALAMARJEVIH OBJEKTIH (hoteli, apartmaji, kampi)

Osnovni predmet našega poslovanja je zagotavljanje storitev nastanitve v Valamarjevih objektih. V ta namen z vami sklenemo pogodbe o gostinskih storitvah (o hotelskih storitvah, nastanitvi v turističnih apartmajih in storitvah kampiranja). V skladu s tem zbiramo in obdelujemo vaše osebne podatke za različne namene s končnim ciljem kakovostnega zagotavljanja storitev nastanitve in spremljevalnih storitev – vse v skladu z najvišjimi standardi turističnih družb.

Valamarjevi objekti so naši nastanitveni objekti (v naši lasti ali ki jih uporabljamo na drugi podlagi) ter nastanitveni objekti družb, ki jih Valamar upravlja.

Valamarjevi objekti so:

  • Hoteli in apartmaji (vile, apartmaji, suitevi, case, sobe)
  • Parcele v kampih
  • Mobilne hiške v kampih (vile, suite in camping home, glamping šotori)

V primeru rezervacije nastanitve prek naših prodajnih kanalov (rezervacije prek spletnega mesta, mobilne aplikacije ali rezervacije s pomočjo telefonskega klica v Valamarjev klicni center (na podlagi zakonitega interesa vodimo evidenco klicev) ali rezervacije s sprejetjem ponudbe po e-pošti) je vaš upravljavec Valamar Riviera in tudi druge družbe, odvisno od tega, v katerem objektu bivate.

Vaše osebne podatke, ki jih morate dostaviti, da bi se vam zagotovila storitev nastanitve, hranimo v svoji bazi podatkov za namen izpolnitve pogodbe o gostinskih storitvah ter izpolnitve zakonskih obveznosti v zvezi z gostinsko dejavnostjo. Če nam ne posredujete minimalnih podatkov, potrebnih za rezervacijo nastanitve, in pri bivanju za prijavo vsem pristojnim registrom, vam ne bomo mogli zagotoviti storitve rezervacije nastanitve oziroma storitve nastanitve v skladu s pogodbo in zakonodajo.

Določeni podatki so nujni za izvedbo dejanj na zahtevo posameznika, na katerega se nanašajo osebni podatki, pred sklenitvijo pogodbe o nastanitvi. Pred samo rezervacijo nastanitve se na podlagi poizvedbe potencialnih gostov na primer pošljejo ponudbe za nastanitev, za katerih izdelavo in pošiljanje potrebujemo osebne podatke, najmanj ime, priimek in e-poštni naslov, ter informacije o želenem bivanju.

Osebni podatki, ki jih zbiramo zaradi izpolnitve obveznosti rezervacije, so:

  • Ime in priimek nosilca rezervacije
  • Naslov stalnega bivališča (hrvaški državljani)
  • Datum rojstva
  • Številka, vrsta identifikacijska dokumenta in kraj izdaje
  • Državljanstvo
  • Naziv objekta
  • Številka namestitvene enote, vrsta namestitvene enote (tip sobe)
  • Datum prihoda in odhoda
  • Število oseb, za katere se rezervira namestitev in namestitev po sobah
  • Katere osebe so mladoletne
  • Morebiti druge posebnosti, odvisno od zahtev osebe, ki rezervira namestitev
  • E-pošta, če ga oseba ima
  • Jezik
  • Telefon
  • Članstvo v Programu zvestobe, če vpliva na ceno namestitve ali zbiranje točk
  • Način plačila in morebiti dodatni podatki, potrebni za potrebe izvedbe transakcij ali zagotovitve plačila

Glede na to, da je predpisano, da se podatki za prijavo gostov vpišejo na podlagi podatkov z osebne izkaznice oziroma potnega lista ali drugega identifikacijskega dokumenta, nam je gost dolžan omogočiti vpogled v takšen dokument in zagotoviti vse druge informacije, ki so potrebne za vpis podatkov, a jih takšen dokument na vsebuje. Prav tako je treba za uveljavitev določenih pravic in ugodnosti priložiti (kopije) ustreznega dokumenta, potrdila in dokumente, s katerimi se takšne pravice in ugodnosti dokazujejo in uveljavljajo. Pri prihodu v Valamarjev objekt se gosti praviloma prijavijo na recepciji objekta prek registracijske kartice, ki jo gost izpolni oziroma pregleda in potrdi točnost podatkov.

Gostom omogočamo tudi samostojno prijavo prihoda prek aplikacije za prijavo, prek katere gost sam vnese svoje osebne podatke, tako da naloži fotografijo svojega osebnega dokumenta, katerega fotografija se ne shrani, saj aplikacija z njega prebere samo nujno potrebne osebne podatke.

Podatki se v vsakem primeru vnesejo v bazo gostov, iz katere se nato samodejno pošljejo v sistem eVisitor (enotni spletni informacijski sistem za prijavo gostov in njihovo odjavo) zaradi spoštovanja naših zakonskih obveznosti. Podatki, ki se zbirajo, so naslednji (podatki se lahko spremenijo glede na spremembe pozitivnih predpisov):

  • Ime in priimek
  • Kraj, država in datum rojstva
  • Državljanstvo
  • Številka in vrsta identifikacijskega dokumenta
  • Stalno (začasno) prebivališče in naslov
  • Datum in čas prihoda oziroma odhoda iz objekta
  • Spol
  • Podlaga za oprostitev plačila turistične takse oziroma zmanjšanje njene višine
  • spremljanje izvajanja obveznosti prijave in odjave turistov s strani zavezancev za prijavo in odjavo (ponudnikov storitev nastanitve);
  • evidenca, obračun in plačilo turistične takse;
  • vodenje knjig ali seznamov gostov s strani ponudnikov storitev nastanitve ter spremljanje izpolnitve navedene obveznosti s strani inšpekcijskih organov;
  • prijava tujcev pri ministrstvu, pristojnemu za notranje zadeve, ter spremljanje izpolnjevanja navedene obveznosti s strani inšpekcijskih organov;
  • vodenje seznama turistov s strani turističnih skupnosti in statistična obdelava ter poročanje;
  • nadzor nad poslovanjem ponudnika storitev nastanitve v delu, ki se nanaša na zakonitost opravljanja dejavnosti oziroma zagotavljanja registriranih storitev ter spoštovanja davčnih in drugih predpisov o javnih dajatvah.

Podatki o gostih v knjigi gostov, ki se vodi elektronsko, se v skladu s predpisi hranijo dve leti. Hranili bomo določene podatke oseb, ki so zahtevale ponudbo, rezervirale nastanitev, odpovedale nastanitev, podatke gostov za namen dokazovanja vsebine razmerja s posameznikom, na katerega se nanašajo osebni podatki, oziroma za namen uveljavljanja, izvajanja ali obrambe pravnih zahtevkov v obdobju pet let od zadnjega bivanja v Valamarjevih objektih. V navedene namene bomo hranili podatke, ki so potrebni za samo rezervacijo, ter tudi ostale podatke, odvisno od posameznega primera, na primer: datum prejema pritožbe gosta in vsebino pritožbe, korespondenco in drugo. Prav tako moramo v skladu z zakonskimi predpisi hraniti vse račune in podlage za izdajo računov, izdane gostom, z osebnimi podatki gosta.

Ostali podatki, povezani z okoliščinami vašega bivanja, kot na primer zahteve za otroško posteljico, bodo prav tako zbrani in se obdelovali samo med vašim bivanjem, ko so neposredno povezani zagotavljanjem konkretne storitve nastanitve.

IGRALNIE MARO

V določenih Valamarjevih objektih omogočamo uporabo igralnic otrokom naših gostov. Da bi lahko vaš otrok uporabljal igralnico MARO, je treba izpolniti obrazec/izkaznico za registracijo, t. i. otroški potni list, kjer boste navedli: ime in starost otroka, obdobje bivanja v Valamarjevem objektu, ime, priimek in mobilno številko starša/skrbnika, ime Valamarjevega objekta, v katerem bivate, in številko nastanitvene enote ter ali ima otrok alergije. Prosili vas bomo tudi za podpis na seznamu prihodov/odhodov.

Namen je zaščita in evidenca bivanja otroka, pravna podlaga pa vaša privolitev. Valamarjev potni list s podatki se hrani za čas trajanja konkretnega bivanja v Valamarjevem objektu.

MENJALNICA

V svojih menjalnicah, praviloma na recepcijah Valamarjevih objektov, ponujamo tudi storitev menjave denarja. Valamar Riviera mora v skladu z veljavnimi predpisi o preprečevanju pranja denarja in financiranja terorizma v določenih primerih ugotoviti in preveriti identiteto oseb, ki uporabljajo storitve menjalnice, z vpogledom v uradni osebni dokument stranke v njeni prisotnosti in izvesti globinsko analizo. Če ne moremo izvesti ukrepa globinske analize, ko smo to dolžni, ne smemo vzpostaviti poslovnega razmerja ali izvesti transakcije oziroma moramo prekiniti že vzpostavljeno poslovno razmerje in ugotoviti, ali moramo pristojnemu državnemu organu posredovati obvestilo o sumljivi transakciji, sredstvih in osebah.

Prav tako je v skladu s predpisi obvezen video nadzor menjalnic. Podatki se hranijo v skladu s predpisi na podlagi naše zakonske obveznosti.

ČLANSTVO V PROGRAMU ZVESTOBE

Valamar Riviera je nosilec Programa zvestobe Valamar Plus Club (v nadaljnjem besedilu: Program zvestobe). Pogoji članstva so navedeni v Pravilniku Programa zvestobe, ki se nahaja na naslovu www.valamar.com/hr/program-vjernosti/valamar-plus-club/pravilnik-programa. Včlanitev v Program zvestobe se izvede izključno na podlagi zahteve posameznika, na katerega se nanašajo osebni podatki, in to predvsem gostov Valamarjevih objektov. Vsak član Programa zvestobe (v nadaljnjem besedilu: član zvestobe) ima svoj uporabniški račun, za katerega so potrebni določeni podatki.

S sprejetjem članstva potrjujete, da ste seznanjeni z obdelavo osebnih podatkov in ustvarjanjem svojega profila kot člana Programa zvestobe s strani Valamarja kot upravljavca

V postopku ustvarjanja profila bo Valamar obdeloval osebne podatke:

  • zbrane pri izpolnitvi pristopne izjave za članstvo oziroma odprtju uporabniškega računa (ime, priimek, spol, rojstni datum, e-poštni naslov, mobilna številka, naslov (ulica, hišna številka, poštna številka, kraj in država));
  • o vseh rezervacijah in bivanjih (datumi prihoda in odhoda, objekti, tip nastanitvene enote);
  • zbrane med bivanjem (npr. objekt, število otrok, zakonski status, jezik, hišni ljubljenčki, interesi in aktivnosti med bivanjem, način potovanja, preferenca glede nastanitve, preferenca glede destinacije, poraba in podobno);
  • zbrane med izpolnjevanjem ankete o zadovoljstvu;
  • povezane s samim članstvom (identifikacijska številka članske kartice, število točk, število unovčenih točk, raven članstva, način uporabe točk, uporaba ugodnosti, jezik sporazumevanja, način naslavljanja, vsi podatki, ki jih izpolnite s posodobitvijo svojega profila v uporabniškem računu, kot so: interesi, način potovanja, hišni ljubljenčki, želen nastanitveni objekt, želena kategorija nastanitvenega objekta, želena destinacija, povezanost z družbenimi omrežji).

Vse te kategorije osebnih podatkov veljajo za pomembne in pričakovane, ker jih uporabljamo, da bi vam lahko izpolnili svoje naloge, prevzete s Programom zvestobe (na primer: rojstni datum je pomemben za morebitno pošiljanje informacij o določeni ugodnosti v času vašega rojstnega dneva v obliki popusta in podobno), predlagali druge izdelke in vas obveščali o dogodkih, za katere predvidevamo, da bi vas lahko zanimali.

Član ni dolžan posredovati vseh navedenih podatkov, brez vsakršnih posledic na članstvo, so pa nekateri osebni podatki nujni za članstvo in uveljavljanje pravic do ugodnosti, na primer: ime, priimek, podatki o bivanjih, na podlagi katerih se zbirajo točke, ipd. Če ne bomo imeli določenih podatkov, se prav tako lahko zgodi, da bodo naše e-novice, ki jih boste prejemali, manj prilagojene vašim interesom. Če recimo nimamo podatkov, da vas zanima kolesarstvo, to ne bo vplivalo na članstvo, morda pa ne boste prejeli e-novic z obvestili o ugodnostih za ljubitelje kolesarstva.

Navedeni podatki se hranijo v bazi gostov Valamarja deset let od včlanitve ali zadnjega bivanja v Valamarjevih objektih.

Valamar bo vsakemu članu Programa zvestobe občasno pošiljal sporočila z obvestili o novostih v Programu zvestobe, posebnih ugodnostih, posebnih ponudbah, stanju točk in ravni članstva.

Valamar prav tako na podlagi legitimnega interesa obdeluje osebne podatke članov Programa zvestobe za potrebe neposrednega trženja, in sicer v namen profiliranja za pošiljanje personaliziranih e-novic, ki ustrezajo izkazanim interesom članov, prek elektronske pošte, SMS-sporočil in/ali prek platforme za takojšnje sporočanje (Viber, WhatsApp ipd.).

Član ni dolžan posredovati vseh navedenih podatkov brez kakršnih koli posledic za članstvo, vendar so nekateri osebni podatki nujni za članstvo in uveljavljanje pravic do ugodnosti, na primer: ime, priimek, podatki o bivanju, na podlagi katerih se zbirajo točke ipd. Če nimamo nekaterih podatkov, se lahko zgodi, da naše e-novice, ki jih boste prejemali, ne bodo ustrezale vašim interesom; na primer če nimamo podatkov, da ste zainteresirani za kolesarstvo, to nima sicer nobenih posledic za članstvo, vendar morda ne boste prejeli e-novic z obvestili o ugodnostih za ljubitelje kolesarstva.

Namen obdelave navedenih podatkov je:

  • uveljavljanje pravic, ki jih pridobite s članstvom v Programu zvestobe;
  • pošiljanje storitvenih sporočil zaradi obveščanja o pomembnih pogojih članstva (stanju točk in ravni članstva, nujnosti spremembe gesla, novostih v Programu zvestobe, spremembah pravil in podobnem);)
  • boljše razumevanje vaših potreb in želja, da bi vam lahko pošiljali po meri prilagojena marketinška sporočila z obvestili o posebnih ugodnosti, posebnih ponudbah o naših izdelkih in storitvah, ki bi vas morda zanimale; več o tem najdete v poglavju MARKETINŠKA SPOROČILA.

Posebej izpostavljamo, da se lahko član pritoži zoper takšno obdelavo osebnih podatkov, in to glede začetne ali nadaljnje obdelave, kadar koli, brezplačno.

Član lahko kadar koli in brez navedbe razloga prekine svoje članstvo v Programu zvestobe s pisnim obvestilom na e-poštni naslov info-loyalty@valamar.com ali s klicem na številko +385 52 408 222.

VALAMAR EXPERIENCE CONCIERGE (VEC)

Valamar Riviera je tudi turistična agencija, ki gostom Valamarjevih objektov in drugih osebam promovira, priporoča in tudi rezervira in/ali prodaja blago, storitve in doživetja, na primer storitve wellnessa, izposojo športne opreme in športnih igrišč, mesta v restavracijah, izlete, vstopnice za koncerte, storitve prevoza, smučarske storitve (skupaj v nadaljnjem besedilu: VEC-storitve).

VEC-storitve se lahko kupijo ali rezervirajo prek:

  • spletnega mesta www.valamar-experience.com/sl/ (v nadaljnjem besedilu: VEC-spletno mesto);
  • prodajnih mest (točke za odnose z gosti in informacijske točke ter pulti za dobrodošlico) v Valamarjevih objektih;
  • telefona;
  • e-pošte;
  • aplikacij My Valamar in Places [PLACESAPP].

Glede na tip VEC-storitve, ki jo želite kupiti ali rezervirati, vas bomo prosili za različne podatke, na primer:

  • pri nakupu blaga, storitev in doživetij vas bomo prosili za ime, priimek, e-poštni naslov, naslov, kraj, poštno številko, državo, številko mobilnega telefona;
  • če boste zaprosili za storitev prevoza od letališča do Valamarjevega objekta ali obratno ali storitev prevoza znotraj RH, vas bomo prosili za ime, priimek, številko mobilnega telefona, podatek o številki rezervacije nastanitve, številko in datum leta, v primeru čezmejnega prevoza pa tudi za državljanstvo;
  • če boste želeli kupiti izlet v tujino, vas bomo prosili tudi za rojstni datum, vrsto in številko identifikacijskega dokumenta;
  • če boste želeli rezervirati smučarske storitve in/ali opremo, vas bomo prosili za vaše ime, priimek, spol, rojstni datum, e-poštni naslov, telefonsko številko, višino, težo, obseg glave in velikost noge.

Nekatere podatke bomo navedli tudi na vavčerjih in potrdilih rezervacij, ko bo to primerno.

Namen obdelave podatkov je uspešno odgovarjanje na vašo zahtevo, identifikacija vas kot kupca in sklenitev ter izpolnitev pogodbe ter po potrebi vzpostavljanje stika zaradi dostave na želen naslov. Pravna podlaga sta predvsem izpolnitev pravnih obveznosti ter izpolnitev pogodbe oziroma obdelava je nujna zaradi izvajanja ukrepov na zahtevo posameznika, na katerega se nanašajo osebni podatki, pred sklenitvijo pogodbe.

Če že uporabljate VEC-spletno mesto, lahko odprete svoj VEC-uporabniški račun, pri čemer vas bomo prosili za ime, priimek, e-poštni naslov in geslo. O registraciji boste prejeli potrdilo po e-pošti. Namen ustvarjanja profila je omogočanje vpogleda v rezervacije, zgodovino nakupov, seznam želja in veljavne ali potekle vavčerje. Pravna podlaga za ustvarjanje VEC-profila je vaša privolitev. Ustvarjanje uporabniškega profila ni pogoj za nakup/rezervacijo storitev na VEC-spletnem mestu.

V primeru klica na podlagi zakonitega interesa vodimo evidenco klicev.

Nekatere vaše osebne podatke bomo po potrebi zaradi izpolnitve pogodbe dostavili tistim našim družbam in partnerjem, ki ponujajo posamezne storitve in blago oziroma organizirajo doživetja, ki ste jih kupili oziroma rezervirali, v primeru dostave blaga pa tudi dostavnim službam. V tem primeru bodo oni nadaljnji upravljavci, zato vam priporočamo, da se seznanite z njihovimi pravilniki o varstvu zasebnosti.

Podatke, ki jih zbiramo med zagotavljanjem VEC-storitev, bomo hranili največ pet let zaradi morebitnih reklamacij za zagotovljene storitve, dlje pa samo, če bodo tako zahtevali posebni predpisi (računovodski ipd.).

V primeru izpolnjevanja vprašalnika o kakovosti doživetja in objave komentarja na spletnem mestu se bodo izključno z vašo privolitvijo navedeni podatki hranili eno leto.

Na podlagi zakonitega interesa lahko zbiramo določene podatke kupcev in jih uporabljamo za namen neposrednega marketinga, kot je opisano v poglavju MARKETINŠKA SPOROČILA.

VALFRESCO

Valfresco Direkt je naše spletno mesto www.valfresco.com (v nadaljnjem besedilu: spletno mesto Valfresco), ki je namenjeno zagotavljanju storitev spletne trgovine prehranskih in drugih izdelkov ter naročanja hrane in pijače iz Valamarjevih objektov. Pri nakupu prek spletnega mesta Valfresco obdelujemo osebne podatke, ki ste jih vpisali v spletni obrazec svojega uporabniškega računa (ime, priimek, e-poštni naslov, telefonska številka, naslov, naslov za dostavo) za namen identifikacije posameznika, na katerega se nanašajo osebni podatki, kot kupca, sklenitve in izpolnitve enkratne kupoprodajne pogodbe na daljavo in vzpostavljanja stika zaradi dostave. Pravna podlaga je pogodba oziroma izpolnitev kupoprodajne pogodbe, v kateri je kupec pogodbena stranka. Prav tako je obdelava nujna zaradi spoštovanja naših zakonskih obveznosti.

Zaradi izpolnitve pogodbe in tudi zakonske obveznosti lahko kupcu po e-pošti, SMS-sporočilu in/ali platformi za neposredno sporočanje pošiljamo t. i. storitvena sporočila – potrdila o sklenjeni pogodbi, račune, potrdila naročil in ostala obvestila, tesno povezana s konkretnim nakupom.

Prav tako lahko po nakupu na podlagi zakonitega interesa kupcem po e-pošti, SMS-sporočilih in/ali platformi za neposredno sporočanje pošiljamo vprašalnike o zadovoljstvu in jih prosimo, da ocenijo našo storitev in izdelke, če to želijo. Glavni namen vprašalnika o zadovoljstvu je zbiranje podatkov o storitvah zaradi zakonitega interesa izboljšanja naših storitev. Te podatke iz vprašalnika lahko depersonaliziramo in obdelujemo za statistične namene za lastne potrebe analiziranja poslovanja in izboljšanja storitev.

S klicem na telefonsko številko spletne trgovine lahko zbiramo podatke, povezane z namenom klica, na primer: če gre za opravljen nakup, bomo zbrali ime, priimek, številko naročila, da bi lahko odgovorili na zahtevo. Prav tako na podlagi zakonitega interesa vodimo evidenco klicev.

Na podlagi zakonitega interesa lahko zbiramo določene podatke kupcev in jih uporabljamo za namen neposrednega marketinga, kot je opisano v poglavju MARKETINŠKA SPOROČILA.

NAGRADNE IGRE IN NAGRADNI NATEČAJI

Valamar Riviera lahko občasno organizira tudi nagradne igre in natečaje, pri katerih bo zbirala vaše osebne podatke samo, če se odločite sodelovati v nagradni igri oziroma natečaju. Podatki, ki se bodo tako zbirali in so nujni za sodelovanje v nagradni igri/natečaju, bodo določeni v pravilnikih nagradne igre/natečaja in se lahko razlikujejo. Podatki nagrajencev oziroma zmagovalcev bodo morda tudi javno objavljeni.

Tako zbrani podatki se bodo na podlagi svojevrstne pogodbene obveznosti uporabljali za namen izvedbe nagradne igre/natečaja v skladu z objavljenimi pravilniki nagradne igre in se bodo v petih letih od njenega zaključka izbrisali.

Gosti, ki bodo izpolnili anketni obrazec za oceno kakovosti storitev v Valamarjevih objektih, bodo lahko pogosto sodelovali tudi v nagradni igri, kar bo jasno navedeno v samem obrazcu. Na podlagi zakonitega interesa lahko zbiramo določene podatke udeležencev v naših nagradnih igrah in natečajih in jih uporabljamo za namen neposrednega marketinga, kot je opisano v poglavju MARKETINŠKA SPOROČILA.

JAVNE OBJAVE

Valamar Riviera prek svojih spletnih mest, medijev, profilov na družbenih omrežjih, internega časopisa VIV (v tiskani ali elektronski različici), video sten in oglasnih tabel v objektih objavlja informacije, ki zanimajo obstoječe in tudi potencialne delavce, goste, poslovne partnerje, torej javnost. Takšne objave lahko vsebujejo omejen nabor osebnih podatkov, kot so ime in priimek, funkcija, profesionalni podatki, videi, izjave in fotografije.

Pravna podlaga za obdelavo je zakoniti interes obveščanja javnosti in tudi marketing. Pri takšni obdelavi se vedno namenja posebna pozornost interesu posameznikov, na katere se nanašajo osebni podatki, zato se osebni podatki ne objavljajo, če se ugotovi, da interes posameznikov, na katere se nanašajo osebni podatki, za to, da se določeni podatki ne objavijo, prevlada nad interesom Valamar Riviera za njihovo objavo. V nekaterih situacijah lahko objava informacij temelji na privolitvi v skladu z najvišjimi standardi.

Objave so trajne, kar zagotavlja obveščanje o aktualnih dogodkih in vpogled v predhodne aktivnosti.

Obdelava se bo ustavila, če se na podlagi pritožbe posameznika, na katerega se nanašajo osebni podatki, ugotovi, da je takšna pritožba upravičena, ali pa je posameznik, na katerega se nanašajo osebni podatki, preklical privolitev v situacijah, ko se privolitev uporablja, in to na način, ki ga je mogoče izvesti.

MARKETINŠKA SPOROČILA

Osebne podatke želimo obdelovati za namen neposrednega marketinga za pošiljanje marketinških sporočil, za kar Valamar uporablja različne načine:

  • e-poštni marketing (vključno s SMS-sporočili in/ali platformami za neposredno sporočanje (Viber, WhatsApp ipd.)), kar predpostavlja pošiljanje marketinških sporočil (e-novice);
  • t. i. potisna sporočila/obvestila, poslana prek spletnih in mobilnih aplikacij (kratka in enostavna sporočila, ki se pošljejo iz brskalnika ali aplikacije v vašo napravo);
  • remarketing, ki omogoča prikaz oglasov uporabnikom, ki so že kdaj obiskali katero od Valamarjevih spletnih mest ali mobilnih aplikacij; več o tem najdete v Pravilnikih o uporabi piškotkov, ki se nahajajo na vsakem spletnem mestu.

Pravne podlage za obdelavo osebnih podatkov za neposredni marketing so:

ZAKONITI INTERES v primeru relevantnega in ustreznega razmerja med posameznikom, na katerega se nanašajo osebni podatki, in Valamarjem v skladu s 70. točko uvodnih določb Uredbe, in sicer:

za osnovne e-novice (sporočila), ki se pošiljajo določenim kategorijam posameznikov, na katere se nanašajo osebni podatki, ki so npr.

  • gosti Valamarjevih objektov;
  • zaprosili za ponudbo in/ali rezervirali nastanitev;
  • sodelovali v nagradni igri;
  • izpolnili vprašalnik o zadovoljstvu;
  • izpolnili prijavo v objektih za brezplačen Wi-Fi;
  • opravili nakup v spletni trgovini;

za e-novice (sporočila), prilagojene posebej vam, ki se pošiljajo samo našim članom zvestobe.

PRIVOLITEV za:

  • osnovne e-novice (sporočila);
  • e-novice (sporočila), prilagojene posebej vam, ki se pošiljajo samo posameznikom, na katere se nanašajo osebni podatki, ki so podali izrecno privolitev za takšne ponudbe (niso pa hkrati člani zvestobe);
  • potisna sporočila/obvestila;
  • dodatne podatke, če posamezniki, na katere se nanašajo osebni podatki, sami pri posodobitvi profila na spletnih mestih posredujejo dodatne podatke;
  • remarketing, ki se omogoči s podajanjem privolitve za piškotke. Posebej izpostavljamo, da se lahko v nekaterih primerih poleg podatkov, pridobljenih iz piškotkov in pikslov, za katere se podeli posebna privolitev, lahko uporabljajo tudi podatki posameznikov, na katere se nanašajo osebni podatki, iz obstoječe Valamarjeve baze podatkov (npr. podatki o osebah, ki so uporabljale določeno nastanitev). V določenih primerih remarketinga se podatki z vašo privolitvijo po potrebi prenesejo v tretjo državo zunaj EU, kjer je morda potrebna drugačna raven varstva podatkov.

Osnovne e-novice (sporočila), ki se pošiljajo na podlagi zakonitega interesa, se pošiljajo samo posameznikom, na katere se nanašajo osebni podatki, ki so v določenem razmerju z Valamarjem oziroma Valamarjevimi objekti. Podatki, ki se obdelujejo, so ime in priimek, e-poštni naslov, mobilna številka, naslov, spol, država/jezik sporazumevanja in osnovni podatki, povezani s konkretnim razmerjem z Valamar Riviero (na primer objekt, destinacija, kjer bivate, podatki o izvedenem nakupu, kupljenem doživetju ipd.). Vse te kategorije osebnih podatkov se štejejo za pomembne, ker omogočajo smiselno sestavljanje e-novic, ki je v skladu z interesi posameznika, na katerega se nanašajo osebni podatki.

Osnovne e-novice (sporočila), ki se pošiljajo na podlagi privolitve, ki se poda z naročanjem na e-novice. Naročanje na e-novice je možno prek spletnih obrazcev na nekaterih naših spletnih mestih. Da bi zagotovili, da pri vnosu e-poštnega naslova ni prišlo do napake ali zlorabe, uporabljamo t. i. postopek Double-Opt in (dvojna potrditev); ko je naslov vnesen v polje za prijavo, Valamar Riviera pošlje povezavo po e-pošti za potrditev. Šele ko kliknete povezavo za potrditev, se vaš e-poštni naslov doda v bazo podatkov za pošiljanje določenih e-novic. Takšne e-novice se pošiljajo na podlagi vaše privolitve, ki nam jo podate z izpolnitvijo in potrditvijo obrazca na spletnem mestu. Vsebina e-novic in namen bosta navedena med vašim naročanjem (na primer: obvestila o aktualnih posebnih ponudbah v naših objektih, ponudbe za delovna mesta ipd.). Če ste posodobili svoj profil in posredovali dodatne podatke, se bodo obdelovali tudi ti.

Sporočila (e-novice), prilagojeni posebej vam, so sporočila, ki se pošiljajo vsem članom zvestobe in osebam, ki so podale posebno privolitev za to vrsto sporočil. Za pošiljanje sporočil, prilagojenih posebej vam, Valamar uporablja oblikovanje profilov posameznikov, na katere se nanašajo osebni podatki, za namen vzpostavljanja stika in obveščanja o ponudbah, ki so prilagojene posebej vam. Za te e-novice se obdeluje širok spekter osebnih podatkov, kar lahko vključuje tudi naslednje: ime in priimek, e-poštni naslov, mobilna številka, naslov, kraj, država, poštna številka, spol, jezik sporazumevanja, naslavljanje, rojstni datum, obletnica poroke, zakonski status, število in starost otrok, interesi (npr. potapljanje, kolesarstvo ipd.), podatki o zahtevah za ponudbo, rezervacijah in bivanjih (destinacija, objekt, tip nastanitvene enote, datumi prihoda in odhoda, število nočitev, število odraslih, število otrok), hišni ljubljenčki, interesi, način potovanja, preferenca glede nastanitve in destinacije, povezanost z družbenimi omrežji, podatki o izvedenem nakupu na Valamarjevih spletnih mestih, kupljenem doživetju, podatki, zbrani z izpolnitvijo ankete o zadovoljstvu, za člane zvestobe pa tudi podatki, zbrani v zvezi s članstvom zvestobe, kar vključuje podatke, ki so zbrani med izpolnjevanjem pristopne izjave za članstvo zvestobe in povezani s statusom člana (identifikacijska številka članske kartice, število točk, število unovčenih točk, raven članstva, način uporabe točk, uporaba ugodnosti, podatki, povezani z aktivnostmi v programu Ambasador).

Posledica oblikovanja profilov je izključno čim boljše oblikovanje sporočil in ponudb, ki ustrezajo vašim interesom. Če določenih podatkov nimamo, bodo morda naše e-novice, ki jih boste prejemali, manj ustrezale vašim interesom; če na primer nimamo podatka, da vas zanima kolesarstvo, morda ne boste prejeli e-novic z obvestilom o ugodnostih za ljubitelje kolesarstva.

Rok obdelave osebnih podatkov za namen pošiljanja e-novic je 10 let, pri čemer ta začne teči:

  • od dneva zadnjega bivanja oziroma drugega poslovnega razmerja z nami, ko se e-novice pošiljajo na podlagi zakonitega interesa;
  • od dneva vaše privolitve, ko se e-novice pošiljajo na podlagi vaše privolitve.

V določenih primerih bomo morda uporabljali tudi storitve platform za upravljanje kampanj (npr. Oracle Responsys) za večkanalno upravljanje kampanj, ki omogoča ustvarjanje po meri prilagojenih sporočil na podlagi posameznih interesov in preferenc gostov ter potencialnih strank. V teh primerih gre za avtomatizirano obdelavo podatkov, zato s temi partnerji sklenemo tudi ustrezne pogodbe.

Rok obdelave za podatke, ki se zbirajo prek piškotkov, je odvisen od vrste piškotkov in je opisan na vsakem spletnem mestu, kjer se uporabljajo.

Ko je posameznik, na katerega se nanašajo osebni podatki, podal privolitev, ima ta vedno pravico kadar koli, brezplačno in brez pojasnila podano privolitev preklicati. Preklic privolitve ne vpliva na zakonitost obdelave, ki se je izvajala na podlagi privolitve, preden je bila ta preklicana.

Vedno, ko obdelava poteka na podlagi zakonitega interesa, se lahko posamezniki, na katere se nanašajo osebni podatki, kadar koli, brezplačno in brez pojasnila zoper njo pritožijo.

Preklic privolitve in pritožba se lahko pošljeta po e-pošti na naslov newsletter@valamar.com .

Kadar koli, brez pojasnila in brez nadomestila in ne glede na pravno podlago prejemanja marketinških sporočil (e-novic) se lahko odjavite od prejemanja katerih koli e-novic s klikom povezave, ki se nahaja na dnu vsakih e-novic, oziroma blokiranjem pošiljatelja v skladu s pravili spletnega kanala, ki ga uporabljate; v tem primeru e-novic ne boste več prejemali, bodo pa podatki ostali arhivirani.

Odjava od e-novic ni povezana z zakonitim interesom Valamar Riviere, da posameznikom, na katere se nanašajo osebni podatki, za katere obstaja tudi kakšna druga pravna podlaga (na primer gosti objektov, kandidati za zaposlitev), pošilja storitvena sporočila in vprašalnike o zadovoljstvu glede konkretnega bivanja, kupljenega doživetja ipd. ter druga storitvena sporočila.

Podana privolitev za piškotke se lahko prav tako kadar koli prekliče brez pojasnila in nadomestila; več o tem najdete v Pravilniku o uporabi piškotkov.

STORITVENA SPOROČILA IN VPRAŠALNIKI O ZADOVOLJSTVU

Storitvena sporočila so sporočila, ki jih lahko pošiljamo po e-pošti, SMS-sporočilih, potisnih sporočilih mobilnih aplikacij in/ali platforme za neposredno sporočanje (Viber, WhatsApp ipd.) in ki so povezana z določenim razmerjem, ki ga imamo z vami, in ki jih pošiljamo na podlagi zakonitega interesa oziroma privolitve, ko zanjo zaprosimo, na primer:

  • pred, med in po bivanju v Valamarjevih objektih lahko pošiljamo sporočila glede potrditve rezervacije, opomnike za bivanje in ostala obvestila, tesno povezana s konkretnim bivanjem, ki ste ga rezervirali;
  • pri nakupu/rezervaciji blaga, storitev ali doživetij na katerem od naših prodajnih spletnih mest lahko pošiljamo potrdila o sklenjeni pogodbi, račune, potrditve naročila, vavčerje in ostala obvestila, tesno povezana s konkretnim nakupom oziroma rezervacijo.

Vprašalnike o zadovoljstvu, ki so tesno povezani z določenim razmerjem, ki ga imamo z vami, pošiljamo na podlagi zakonitega interesa, na primer:

  • med in po bivanju v Valamarjevih objektih lahko pošiljamo vprašalnike o zadovoljstvu z zagotovljenimi storitvami v Valamarjevih objektih;
  • po nakupu/rezervaciji blaga, storitev ali doživetij, ki ste jih kupili prek naših prodajnih kanalov, lahko pošiljamo vprašalnike o zadovoljstvu z zagotovljenimi storitvami oziroma kupljenim blagom.

Glavni namen vprašalnika o zadovoljstvu je zbiranje podatkov zaradi zakonitega interesa izboljšanja storitev. Rezultate lahko obdelujemo sami ali s pomočjo sodelavcev.

Storitvena sporočila in sporočila z vprašalniki o zadovoljstvu se ne štejejo za marketinška sporočila, zato opozarjamo glede naslednjega: če ste nas prosili, da vam ne pošiljamo marketinških sporočil, nato pa rezervirate nastanitev, boste morda prejeli storitvena sporočila in vprašalnike o zadovoljstvu.

Vedno, ko vam pošljemo sporočila na podlagi zakonitega interesa, se lahko pritožite.

SPLETNA MESTA

Kako bi vam pružili što bolju uslugu i omogućili Vam jednostavniji i brži pristup sadržajima koji Vas zanimaju imamo više internetskih stranica od kojih izdvajamo: www.valamar-riviera.com, www.valamar.com/si/, www.valamarcamping.com/sl/, www.places-hotels.com/en/, www.valamarlovesbike.com/hr/, www.blog.valamar.com, www.maroworld.valamar.com, www.valamar-experience.com/sl/, www.dobarposaouvalamaru.com, www.valfresco.com. Ova Politika privatnosti odnosi se na sve naše stranice sa svim poddomenama.

Od obiskovalcev naših spletnih mest lahko zbiramo osebne podatke, ki se uporabljajo za namene, za katere so posredovani, vse v skladu z informacijami, navedenimi v trenutku zbiranja (ali očitnim namenom, ki se lahko izpelje iz konteksta zbiranja). Uporabniki imajo nadzor nad osebnimi podatki, ki jih vnesejo v spletne obrazce. Na nekaterih naših spletnih mestih imate na primer možnost, da se naročite na naše e-novice zaradi prejemanja informacij ali ponudb. Prav tako lahko na nekaterih spletnih mestih rezervirate nastanitev, kupite izlet in blago, se prijavite za delo, na razne dogodke ipd. V vsakem primeru vi posredujete podatke, ki jih potrebujemo za izpolnitev namena vsakega posameznega primera. Informacije o obdelavi osebnih podatkov se nahajajo tudi na vsakem spletnem mestu na vsakem mestu, kjer se podatki zbirajo.

Na svojih spletnih mestih lahko uporabljamo tudi širok spekter novih orodij za namen izboljšanja uporabniške izkušnje, pri čemer uporabljamo piškotke in razne druge načine spremljanja obiskovalcev, na primer Google ads, META ads, Dynamic Yield, Google Analytics, Hotjar in druge. Uporabljamo tudi platformo za upravljanje privolitev za piškotke Usercentrics Consent Management Platform. Več o piškotkih in drugih tehnologijah preberite v našem Pravilniku o uporabi piškotkov, ki se nahaja na vsakem našem spletnem mestu.

Na svojim internetskim stranicama možemo koristiti i širok spektar novih alata u svrhu poboljšanja korisničkog iskustva i pritom upotrebljavamo kolačiće i različite druge načine praćenja posjetitelja, primjerice Google ads, META ads, Dynamic Yield, Google Analytics, Hotjar i druge. Koristimo i platformu za upravljanje privolama za kolačiće Usercentrics Consent Management Plattform. Više o kolačićima i drugim tehnologijama molimo da pročitate u našoj Politici kolačića koja se nalazi na svakoj našoj internetskoj stranici.

Pravna podlaga za obdelavo osebnih podatkov obiskovalcev naših spletnih mest je zakoniti interes, izpolnitev pogodbe ali privolitev, če se od posameznikov, na katere se nanašajo osebni podatki, zahteva podajanje privolitve.

Obiskovalci imajo vse pravice, ki so opisane v poglavju PRAVICE POSAMEZNIKOV, NA KATERE SE NANAŠAJO OSEBNI PODATKI.

Ta Pravilnik o varstvu zasebnosti ne zajema načinov ravnanja z informacijami drugih družb in organizacij, ki so v določenih primerih povezane z našimi spletnimi mesti in lahko uporabljajo piškotke in tudi druge tehnologije, zato vam priporočamo, da se seznanite z njihovimi pravilniki o varstvu zasebnosti in pogoji poslovanja. Prav tako zbiranje podatkov na spletnih mestih, odprtih za dogodek, kjer smo mi navedeni samo kot sponzor, partner in podobno, ni naša odgovornost.

MOBILNE APLIKACIJE

Mobilni aplikaciji MyValamar in PLACES uporabljamo, da bi bili uporabnikom s svojimi storitvami dostopnejši.

Glede na to, da lahko mobilno aplikacijo uporabljate samo z uporabo trgovine Google play oziroma App store (odvisno od vrste vaše naprave), vas opozarjamo, da v tem primeru Google in Apple samodejno beležita določene podatke, kot so država, jezik, starost uporabnika, vrsta naprave, trajanje uporabe aplikacij, mi pa lahko prek svojih vmesnikov, ki jih imamo vzpostavljene z Googlom in Applom, pridobimo analizo teh podatkov, pri čemer pa slednjih ne moremo povezati s konkretno osebo. Ti Pravilniki o varstvu zasebnosti ne veljajo za Google in Apple, ki imata svoje pravilnike o varstvu zasebnosti. Več informacij o Google play najdete na povezavi https://policies.google.com/privacy, a o Apple store pa na https://www.apple.com/legal/privacy/data/en/app-store/ .

Pri uporabi aplikacij lahko delite podatek, torej samo s privolitvijo:

  • imam rezervacijo
  • že bivam v objektu;
  • članstvo Valamar+club.

V tem primeru vas bomo povezali kot uporabnika aplikacije s podatki, ki jih imamo o tej rezervaciji, in takrat vas lahko identificiramo.

Za uporabo aplikacije vam sicer ni treba vnesti tega podatka in lahko ta korak preskočite ter si ogledate naše objave.

Prav tako se lahko prijavite v Valamarjev program zvestobe; v tem primeru vas usmerimo v poglavje ČLANSTVO V PROGRAMU ZVESTOBE.

Če želite rezervirati bivanje, vas bomo preusmerili na naše ustrezno spletno mesto.

Če nam boste dovolili pošiljanje obvestil, t. i. potisnih sporočil, torej samo s privolitvijo, vam bomo lahko pošiljali tudi storitvena in promocijska sporočila.

DRUŽBENA OMREŽJA

Da bi lahko boljše komunicirali z uporabniki družbenih omrežij in platform za pretakanja ter jih obveščali o svojih ponudbah, imamo profile/strani na družbenih omrežjih Facebook, Instagram, YouTube, Pinterest, Tik tok in Spotify (v nadaljnjem besedilu skupaj: družbena omrežja).

Z uporabo družbenih omrežij sprejemate njihova pravila, med drugim tudi pravila, povezana z obdelavo osebnih podatkov, zato vam priporočamo, da se z njimi seznanite. Družbena omrežja in njihove funkcije uporabljate na lastno odgovornost. Opozarjamo, da pri vsaki interakciji na naših profilih na družbenih omrežjih in na drugih profilih družbena omrežja beležijo vaše vedenje prek piškotkov in drugih tehnologij oziroma vrsto, obseg in namene obdelave podatkov na družbenih omrežjih določajo predvsem upravljavci družbenih omrežij.

Na podlagi navedenega nekatere podatke (npr. skupno število obiskovalcev ali obiskov strani, aktivnosti na strani in podatke, ki jih posredujejo obiskovalci, interakcije (npr. komentiranje, deljenje, ocenjevanje)) obdelujejo in nam dostavljajo družbena omrežja. Na ustvarjanje in prikaz teh podatkov ne moremo vplivati.

Osebne podatke, povezane z vašimi uporabniškimi aktivnostmi na družbenih omrežjih, lahko obdelujemo za marketinške namene, in to izključno na podlagi vaše privolitve za uporabo piškotkov, ki jo podate na naših spletnih mestih. Za katere piškotke točno gre in za kateri namen, najdete v nastavitvah piškotkov za vsako spletno mesto. Več o piškotkih lahko preberete v Pravilniku o uporabi piškotkov.

Poleg tega zbiramo podatke tudi za statistične namene, nadaljnji razvoj in optimizacijo vsebin in atraktivnejše oblikovanje svoje ponudbe. To se posebej nanaša na uporabo interaktivnih funkcij.

Zaradi boljšega upravljanja družbenih omrežij uporabljamo tudi storitve partnerjev, s katerimi imamo sklenjene ustrezne pogodbe.

Če želimo uporabite kakšen vaš komentar ali sliko, ki ste jo objavili na našem profilu, vas bomo prosili za dovoljenje.

Če ste član kakšnega družbenega omrežja, ne želite pa, da to omrežje prek naših strani na tem omrežju zbira podatke o vas in jih povezuje z vašimi članskimi podatki, shranjenimi na zadevnem omrežju,

  • se pred obiskom naše strani na zadevnem omrežju odjavite iz tega omrežja,
  • izbrišite piškotke iz svojega računalnika,
  • zaprite brskalnik in stran znova odprite.

Po ponovni prijavi vas omrežje znova prepozna kot določenega uporabnika.

Ker nimamo popolnega dostopa do vaših osebnih podatkov na družbenih omrežjih, se v primeru želje po uveljavitvi svojih pravic obrnite neposredno na ponudnike storitev družbenega omrežja, saj ima vsak od njih dostop do osebnih podatkov svojih uporabnikov in lahko izvede ustrezne ukrepe ter posreduje informacije.

Ker uporabljamo storitve družbenih omrežij, ki ne poslujejo na območju Evropske unije, smo vas dolžni obvestiti, da lahko te tretje strani, ki upravljajo družbena omrežja, prenesejo vaše podatke v ZDA.

V nadaljevanju navajamo povezavo do pravilnikov o varstvu zasebnosti družb, ki vodijo družbena omrežja
Facebook in (Meta Platforms Inc.) https://www.facebook.com/privacy/policy/
Instagram (Meta Platforms Inc.) https://privacycenter.instagram.com/policy/
Youtube (Google LLC) https://policies.google.com/privacy?hl=si
TikTok (TikTok Ireland, TikTok UK) https://www.tiktok.com/legal/page/eea/privacy-policy/en
Pinterest (Pinterest Europe Ltd. in Pinterest, Inc.) https://policy.pinterest.com/en/privacy-policy
Spotify (Spotify AB) https://www.spotify.com/at/legal/privacy-policy/

KANDIDATI ZA ZAPOSLITEV IN ZAPOSLENI

Ta del Pravilnika o varstvu zasebnosti ureja varstvo osebnih podatkov predvsem v postopkih v zvezi z zaposlitvijo, razvojem in izobraževanjem. V tem smislu so posamezniki, na katere se nanašajo osebni podatki, predvsem nekdanji in sedanji delavci, iskalci zaposlitve, osebe, ki so vključene v učenje, zasnovano na delu (dijaki), osebe na strokovnem usposabljanju, študenti, ki delajo na podlagi t. i. študentske pogodbe, štipendisti dijaki, ki delajo na podlagi t. i. dijaške pogodbe, agencijski delavci in napoteni delavci ter druge osebe, katerih podatki se obdelujejo v okviru delovnopravnih in sorodnih razmerij.

V okviru obdelav podatkov, ki se izvajajo v zvezi z zaposlitvijo, smo identificirali naslednje namene obdelave:

  • Izbor kadrov: vključuje zbiranje in nadaljnjo obdelavo relevantne razpisne dokumentacije prijavljenih kandidatov za delo, testiranje (vključno z možnostjo spletnega psihološkega testiranja) in ocenjevanje, zbiranje in analizo informacij o kandidatih iz javno dostopnih virov, vključno z informacijami, ki jih je kandidat samo o sebi javno objavil, samo če je to pomembno zaradi tveganja, ki ga določeno delovno mesto predpostavlja. Pravna podlaga je izvajanje predhodnih dejanj za sklenitev pogodbe in privolitev.
  • Zmanjševanje tveganja glede ugleda: zbiranje in analiza informacij o zaposlenih in osebah v primerljivem odnosu iz javno dostopnih virov, vključno z informacijami, ki jih je posameznik, na katerega se nanašajo osebni podatki, sam o sebi javno objavil, samo če je to pomembno zaradi tveganj, ki jih določeno delovno mesto predpostavlja. Pravna podlaga je zakoniti interes.
  • Sklenitev in izpolnitev pogodbe: obdelava za namene sklenitve pogodbe o zaposlitvi, študentske pogodbe, učenja, zasnovanega na delu (praksa), ali strokovnega usposabljanja, pogodbe o štipendiranju z osebami, ki niso v delovnem razmerju, ali katerega koli drugega primerljivega razmerja. Pravna podlaga sta tudi spoštovanje pravnih obveznosti in izvajanje dejanj na zahtevo posameznika, na katerega se nanašajo osebni podatki, pred sklenitvijo pogodbe in izpolnitev pogodbe.
  • Vodenje evidence zaposlenih, oseb v primerljivem razmerju: ali drugih oseb (npr. otroci, zakonski partnerji ali zavarovalni upravičenci). Pravna podlaga je spoštovanje pravnih obveznosti.
  • Obračun in izplačilo plač ter uveljavljanje materialnih in drugih pravicIzpolnitev pogodbe: obdelava je nujna za uveljavitev materialnih in drugih pravic, na primer za uveljavitev pravice za vključitev v ukrepe aktivne politike zaposlovanja (stalni sezonski delavci in ostali), uveljavitev dodatnih pravic delavcev po kolektivni pogodbi (na primer rojstvo otroka) in drugo. Pravna podlaga je spoštovanje pravnih obveznosti.
  • Prijava bivanja: obdelava podatkov je nujna, če posamezniki, na katere se nanašajo osebni podatki, bivajo v objektih za osebno nastanitev delavcev, zaradi prijave bivanja pristojnim organom. Pravna podlaga je izpolnitev pravnih obveznosti.
  • Upravljanje z delovnim učinkom: ta namen vključuje tudi informacije o doseganju predhodno določenih ciljev, pravočasni izpolnitvi ciljev in nadaljnje analize zaradi določitve prihodnjih ciljev, upravljanja kadrov, določanja zneskov nagrad in drugih relevantnih ukrepov. Pravna podlaga je zakoniti interes.
  • Nagrajevanje: obdelava vključuje nagrajevanje oziroma izplačila nadomestil, pri čemer lahko takšna obdelava zajema tudi podatke o kršitvah etičnih in drugih internih pravil, podatke iz sistema upravljanja delovnega učinka, izvedenih izobraževanjih in vse druge relevantne podatke. Pravna podlaga je zakoniti interes.
  • Izobraževanje: obdelava za namen izobraževanja zaposlenih in oseb v primerljivem razmerju, vključno z vabili na obvezno in neobvezno izobraževanje, preverjanje znanja, kar vključuje tudi vsa potrebna dejanja za analizo pridobljenega znanja in vse druge relevantne informacije za organiziranje, izvedbo in nadaljnje ravnanje po izvedbi izobraževanj. Pravna podlaga sta zakoniti interes in privolitev, ko se zahteva.
  • Izdelava različnih poročil o delavcih: Pravna podlaga sta lahko izpolnitev pravnih obveznosti in zakoniti interes (na primer pri izdelavi načrtov za prihodnja obdobja in podobno).
  • Navodila, povezana z delom in obveščanjem: zbiranje in obdelava podatkov za namen kakovostnega in pravočasnega obveščanja kandidatov o odprtih delovnih mestih in razpisih oziroma možnostih zaposlitve. Zbiranje in obdelava podatkov vseh zaposlenih, oseb v primerljivem razmerju za namen kakovostnega in pravočasnega obveščanja o: navodilih, povezanih z izpolnitvijo delovnih obveznosti (na primer urnik dela, opozorila o hekerskih napadih ipd.); informacije, povezane z obveznim in neobveznim izobraževanjem; informacije o uveljavljanju pravic iz delovnega razmerja; informacije o ugodnostih za zaposlene; informacije o našem poslovanju, zaposlenih, nagradah, ključnih aktivnostih in pobudah; ostale informacije, povezane z delovnim razmerjem. Za te namene lahko zaradi hitrosti in boljše obveščenosti informacije pošiljamo prek SMS-obvestil, e-pošte ali platforme za neposredno sporočanje (Viber, WhatsApp ipd.) in prek posebnih aplikacij (ki jih delavci namestijo na svoje mobilne naprave). Pravna podlaga so izpolnitev pogodbe, zakoniti interes in privolitev, ko zanjo zaprosimo.
  • Ugodnosti za zaposlene: Odločimo se lahko za uvedbo uporabe raznih orodij s cilje doseganja raznih ugodnosti, na primer izdajo ID-kartice delavcem, s katero lahko uveljavljajo popuste v Valamarjevih objektih in pri naših partnerjih. Pravna podlaga je zakoniti interes.
  • Zaščita premoženja in oseb: vključuje evidentiranje vstopa/izstopa iz poslovnih prostor, možnost evidentiranja in preverjanja uporabe službenih mobilnih naprav, računalniške opreme, internetnega in telefonskega prometa, službenih vozil, prostorov in drugega našega premoženja. Pravna podlaga je zakoniti interes.
  • Prenehanje delovnega razmerja: obdelava podatkov zaradi prenehanja pogodbe o zaposlitvi ali druge primerljive pogodbe. Pravna podlaga sta izpolnitev zakonskih in pogodbenih obveznosti.
  • Sremljanje etičnega vedenja: obdelava vključuje vse postopke, v katerih se preverja spoštovanje predpisov o etičnem vedenju ali predpisov glede zaščite dostojanstva oziroma v okviru katerega koli drugega disciplinskega postopka ne glede na to, ali je posameznik, na katerega se nanašajo osebni podatki, prijavljena oseba ali prijavitelj. Pravna podlaga je zakoniti interes, v nekaterih primerih pa tudi naša pravna obveznost.
  • Zaščita pri delu: obdelava podatkov je lahko potrebna tudi takrat, ko je nujna za izpolnitev namena posebnih predpisov o zaščiti pri delu, vključno s testiranjem na alkohol, v skladu s predpisi. Pravna podlaga je zakoniti interes, v nekaterih primerih pa tudi naša pravna obveznost.

Poleg navedenih namenov je možna obdelava osebnih podatkov tudi za druge specifične namene, vedno pa v okviru zakonodaje ali če je obdelava potrebna za uveljavitev pravic in obveznosti iz delovnega razmerja oziroma v povezavi z delovnim razmerjem in vsakim primerljivim razmerjem.

Izbor kadrov

Podatke kandidatov za zaposlitev zbiramo, obdelujemo in hranimo v bazi podatkov na podlagi njihove prostovoljne prijave:

  • prijava kandidata prek spletnega prijavnega obrazca na strani www.dobarposaouvalamaru.com, ki se uporablja kot svojevrsten življenjepis (CV);
  • prijava prek e-sporočila;
  • s prihodom na organizirane razgovore in izpolnitvijo prijavnih obrazcev;
  • na drugi način.

Podatki, ki se praviloma zbirajo: ime, priimek, rojstni datum, naslov, državljanstvo, OIB (osebna identifikacijska številka; za hrvaške državljane, saj je OIB najzanesljivejši podatke, s katerim razlikujemo kandidate med sabo), telefonska številka, e-poštni naslov (za namen vzpostavljanja stika), spol, strokovna izobrazba, jezik, želen način komunikacije.

Podatke o kandidatih praviloma prejmemo neposredno od njih, lahko pa jih prejmemo tudi posredno, od domačih in tujih agencij za zaposlovanje; v tem primeru so slednje dolžne obvestiti kandidate o naši obdelavi njihovih osebnih podatkov.

Kandidati svoje prijave za zaposlitev pošljejo:

  • kot odprte prošnje; v tem primeru obdelujemo podatke zaradi vzpostavljanja stika s kandidatom v zvezi z zaposlitvijo tri leta (če se oseba pri nas ne zaposli);
  • pri prijavi na konkretne razpise, ki imajo naveden rok zaključka; v tem primeru obdelujemo podatke za čas trajanja razpisa in pet mesecev po njegovem zaključku zaradi vzpostavljanja stika s kandidatom v zvezi z zaposlitvijo, nato pa se prijave arhivirajo za tri leta. Če kandidati, ki se javijo na konkreten razpis, ki ima naveden rok zaključka, podajo posebno privolitev, obdelujemo podatke zaradi vzpostavljanja stika s kandidatom v zvezi z zaposlitvijo tri leta, enako kot velja za odprte prošnje (če se oseba pri nas ne zaposli).

V skladu z zakonitim interesom lahko prejete zasebne e-poštne naslove in tudi ostale dostavljene podatke za stik uporabljamo za vzpostavljanje stika s kandidati glede zaposlitve. Na primer: po prijavi lahko kandidati prejmejo samodejni odgovor, da je njihova prijava prejeta in da bomo stopili v stik s kandidati, katerih kvalifikacije in izkušnje so v skladu z iskanimi za posamezna delovna mesta. Prav tako lahko kandidati po prijavi prejmejo sporočilo na telefonsko število s predlaganim terminom razgovora, kjer je navedena dokumentacija, potrebna za zaposlitev, in podobno. Prav tako lahko z osebami, ki so delale določen čas, pretežno sezonska dela, stopimo v stik v skladu z zakonitim interesom za namen sporočanja obvestil, pomembnih za zaposlovanje, in ključnih aktivnostih pri nas in v naših družbah, ki jih upravljamo, zaradi ohranjanja stika za namen morebitnega nadaljnjega sodelovanja.

Kadar koli se lahko brezplačno odjavite s seznama prejemnikov naših novic o zaposlovanju z e-poštnim sporočilom, poslanim na naslov ljudski.potencijali@valamar.com.

Podatke, ki se hranijo, posredujejo sami kandidati, vendar tudi mi na podlagi zakonitega interesa zagotavljanja najboljših kandidatov tudi sami ustvarjamo osebne podatke v zvezi z aktivnostmi zaposlovanja, kot so rezultati razgovorov za delo, testiranja (vključno s spletnim psihološkim testiranjem) in ocenjevanja, ter zbiramo osebne podatke tudi od tretjih oseb, predvsem s preverjanjem podatkov, pridobljenih med postopkom zaposlovanja, z vzpostavljanjem stika z relevantnimi tretjimi osebami (na primer agencijami za zaposlovanje, ponudniki storitev izobraževanja in usposabljanja) ali uporabo javno dostopnih virov.

Delovno razmerje in ostala primerljiva razmerja

Kot delodajalec zbiramo, obdelujemo in hranimo vse podatke delavcev v bazi delavcev, ki se vodi v informacijskem programu in fizičnih mapah delavcev. Podatki, ki se zbirajo, so navedeni v Pravilniku o vsebini in načinu vodenja evidence o delavcih, ki ga je objavilo ministrstvo, pristojno za delo in pokojninski sistem.

Potrebni podatki za sklenitev delovnega razmerja so praviloma: kopija osebne izkaznice, kopija tekočega računa ali navodilo za plačilo banke, kopija zaščitenega računa (če ga delavec poseduje), OIB (osebna identifikacijska številka), dokazilo o strokovni izobrazbi (kopija spričevala ali diplome), e-knjižica: potrdilo o pokojninski dobi (pridobiti na Hrvaškem zavodu za pokojninsko zavarovanje ali prek storitve e-Građani), elektronski zapis obrazca davčne kartice, t. i. PK-obrazca (pridobiti ga na davčni upravi ali prek storitve e-Građani; osebe, ki se prvič zaposlijo, nimajo elektronskega zapisa obrazca davčne kartice in jo morajo odpreti na davčni upravi), rojstni list otroka, če je mlajši od 15 let. Po Zakonu o delu morajo delavci dostaviti potrdilo o nekaznovanosti in podati soglasje, da za njih pridobimo potrdilo o obsojenosti, v primeru zaposlitve na delovnih mestih, kjer so v rednem stiku z mladoletnimi osebami.

Potrebni podatki za sklenitev študentskih pogodb so praviloma: potrdilo fakultete za tekoče leto kot dokazilo študentskega statusa ali kopija indeksa o vpisu v tekočem letu, kopija osebne izkaznice, potrdilo o vpisnini za študentski center (ne velja za vse študentske centre), ena fotografija ali X-ica, OIB (osebna identifikacijska številka).

Poleg teh podatkov lahko v mapi delavca hranimo tudi ostale podatke, ki so zbrani v postopku zaposlovanja, ter ostale podatke, ki so zbrani med delovnim razmerjem, določeni z našimi pravilniki (na primer nagrade, opomini, certifikati ipd.).

Vsi podatki delavcev se hranijo v bazi delavcev z datumom sklenitve delovnega razmerja in se posodabljajo ter vodijo do prenehanja delovnega razmerja, hranijo pa se kot dokumentacija trajne vrednosti v skladu z relevantnimi predpisi.

V svoji bazi hranimo tudi podatke ostalih oseb v poslovnem razmerju, primerljivem z delovnim razmerjem, in na strokovnem usposabljanju, in to z začetkom dela, ter jih posodabljamo in vodimo do prenehanja dela, hranijo pa se v skladu z relevantnimi predpisi. Poseben primer so podatki dijakov, ki so lahko mladoletni, ki se jim namenja posebna pozornost in katerih podatki se zbirajo in hranijo v skladu s posebnimi predpisi z odobritvijo šole in staršev.

Podatki o plači in plačilne liste so predmet posebnih predpisov o hrambi. V vsakem primeru imajo vsi delavci in ostale osebe v poslovnem razmerju, primerljivem z delovnim razmerjem, in na strokovnem usposabljanju vse pravice posameznikov, na katere se nanašajo osebni podatki.

POSLOVNI PARTNERJI

Valamar Riviera v svojem poslovanju obdeluje tudi podatke poslovnih partnerjev ali potencialnih poslovnih partnerjev, in to so:

  • fizične osebe, ki so, lahko postanejo ali so bile poslovni partnerji Valamar Riviere, npr. obrtniki, osebe, ki spadajo v režim samostojnih poklicev (npr. odvetniki, zdravniki in drugo), osebe, s katerimi se sklepajo pogodbe o delu (npr. pevci, slikarji, fotografi in drugo) in ostale fizične osebe, ki imajo položaj podjetnika;
  • fizične osebe, ki v nekem delu poslovanja predstavljajo pravne osebe, s katerimi Valamar Riviera ima, lahko ima ali je imela poslovno razmerje (npr. osebe, ki izvajajo dostavo za svojega delodajalca, ki je podjetje, osebe, ki se jim pošiljajo računi za njihovega delodajalca, ki je pravna oseba, podpisniki pogodbe za podjetje, ki predstavljajo osebe, ki za podjetje opravljajo primopredajo, osebe, ki za svojo pravno osebo organizirajo kongrese in podobno).

V okviru obdelave podatkov posameznikov, na katere se nanašajo osebni podatki, je Valamar Riviera identificirala naslednje namene obdelave:

  • Sklenitev pogodbe: obdelava za namen sklenitve pogodbe s katerega koli področja našega delovanja (na primer: pošiljanje povpraševanj, pošiljanje posebnih ponudb, zahtevanje podatkov o podpisnikih pogodbe, pošiljanje razpisa za pravne osebe, ki jih posamezniki, na katere se nanašajo osebni podatki, predstavljajo, ipd.). Uporabljamo lahko aplikacije, ustvarjene za ponudnike, ki želijo sodelovati v Valamarjevih razpisih; v tem primeru vas bomo prosili za registracijo.
  • Izpolnitev pogodbe: obdelava podatkov je nujna za namen izpolnitve pogodbe, kar vključuje izpolnitev obveznosti, spremljanje njihovega izpolnjevanja in zagotavljanja vseh relevantnih ukrepov za njihovo izpolnitev (na primer: za dogovor o času in kraju dostave opreme na podlagi pogodbe, pošiljanje računa ipd.; v tem primeru bomo izmenjali podatke za stik delavcev (e-poštni naslov, mobilna številka), izključno za namen izpolnitve pogodbe).
  • Obveščanje: zbiranje in obdelava podatkov sta nujna za namen kakovostnega in pravočasnega obveščanja, zato ima Valamar Riviera pravico na podlagi zakonitega interesa zbirati določene podatke in jih uporabljati za namen neposrednega marketinga, kot je opisano v poglavju MARKETINŠKA SPOROČILA.

Poleg navedenih namenov je možna obdelava osebnih podatkov tudi za druge specifične namene, vedno pa v okviru zakonodaje ali če je obdelava potrebna za uveljavitev pravic in obveznosti iz poslovnega razmerja.

Vrste osebnih podatkov posameznikov, na katere se nanašajo osebni podatki, ki se zbirajo:

  • ime in priimek;
  • e-naslov;
  • telefonska št.;
  • podatki o funkciji v pravni osebi, ki jo predstavlja (npr. prodajni referent, tajnica uprave ipd.);
  • poklic, če je posameznik fizična oseba, s katero se sklepa pogodbeno razmerje (pevec, slikar, fotograf, odvetnik, zdravnik ...);
  • včasih reference in kratki življenjepisi (posebej za svetovalce);
  • podatki, ki so navedeni na obrazcih bianco bianco zadolžnice, zadolžnice, menice;
  • številka računa v banki (IBAN), ko je poslovni partner fizična oseba, s katero se vstopa v pogodbeno razmerje, in
  • drugi podatki glede na naravo poslovnega razmerja.

Mesta zbiranja poslovnih podatkov posameznikov, na katere se nanašajo osebni podatki:

  • prejete ponudbe posameznikov, na katere se nanašajo osebni podatki, za izpolnitev poslovnega sodelovanja;
  • prejeti podatki od posameznikov, na katere se nanašajo osebni podatki, v kontekstu prodaje izdelkov/storitev ali nakupa izdelkov/storitev od poslovnega partnerja (na primer: sejmi, kongresi ipd.);
  • poslovna korespondenca, povezana z določenim predhodnim in sedanjim poslovnim sodelovanjem (na primer korespondenca, ki se izvaja v sklopu izpolnjevanja pogodbe);
  • javno objavljeni podatki (na primer sodni register, spletna mesta poslovnih partnerjev, časopisi, bilteni ipd.).

Poleg navedenih vrst podatkov in mest zbiranja je možna obdelava osebnih podatkov tudi za druge specifične namene, vedno pa v okviru zakonodaje ali če je obdelava potrebna za uveljavitev pravic in obveznosti iz poslovnega razmerja.

VIDEONADZOR

Valamar Riviera ima kot upravljavec zakoniti interes izvajati ukrepe video nadzora zaradi zaščite premoženja in oseb, v določenih primerih (na primer: menjalnice na recepcijah objektov) pa ima tudi zakonsko obveznost namestitve nadzornih kamer, ki snemajo vse osebe, ki se gibljejo na območju nadzorne kamere (gostje, zaposleni, poslovni partnerji in drugi).

Obdelava osebnih podatkov zaposlenih prek sistema video nadzora se izvaja tudi ob pogojih, ki jih določajo predpisi, ki urejajo zaščito pri delu.

Na predpisan način označimo vsa mesta, kjer je video nadzor nameščen.

Zavedamo se, da video posnetki vsebujejo osebne podatke vseh oseb, ki se gibljejo na območju kamere, zato jih hranimo posebej pozorno, prav tako pa imamo urejen sistem varnosti ter dostopa in politiko brisanja, ki jo urejajo naši interni predpisi o varnosti.

Video posnetki se samodejno izbrišejo po največ 15 dnevih od dneva snemanja. V primeru potrebe po izločanju (presnemavanju) se video posnetki hranijo največ šest mesecev, razen če zakonodaja določa daljši rok hrambe ali so dokaz v sodnem, upravnem, arbitražnem ali drugem enakovrednem postopku. Izločeni video posnetki bodo shranjeni v osrednjem sistemu obveščanja z izjemno omejenim dostopom.

V primeru sodnih in/ali kazenskih postopkov lahko navedene video posnetke uporabimo. Vpogled v osebne podatke na video posnetkih imajo lahko tudi tretje osebe, upravljavci, naši pogodbeni partnerji, registrirani in strokovni za zagotavljanje storitev zaščite premoženja in oseb, ki na noben način ne uporabljajo navedenih podatkov samostojno, temveč skrbijo za varnost centralnih nadzornih sistemov in sistemov obveščanja. Za vse ostale podrobnosti, povezane z video nadzorom, veljajo posebni predpisi, ki urejajo to področje.

KONČNE DOLOČBE

Ta Pravilnik o varstvu zasebnosti je na voljo na straneh https://valamar-riviera.com/en/gdpr-privacy-policies/, https://www.valamar.com/si/izjava-o-zasebnosti in drugih Valamarjevih spletnih mestih ter v pisarnah kadrovskih služb in na recepcijah Valamarjevih objektov.

Glede na zahteve preglednosti bomo ta Pravilnik o varstvu zasebnosti redno pregledovali.

Ta Pravilnik o varstvu zasebnosti je bil objavljen 1. januarja 2024.

Helios Faros d.d. privacy policy

GENERAL PART

DATA CONTROLLER AND LEGAL FRAMEWORK

HELIOS FAROS, as the data controller, undertakes to protect your personal data. The collection and storage of data is carried out pursuant to provisions of EU Regulation 2016/679 of the European Parliament and of the Council as of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: Regulation), the Act on implementation of the General Data Processing Regulation (OG 42/2018) and other regulations governing the subject area, which are applicable in the Republic of Croatia.

SCOPE OF APPLICATION

This Policy applies to any processing of personal data by HELIOS FAROS as the controller, unless another HELIOS FAROS policy or other document provides otherwise for a particular processing. In some cases, HELIOS FAROS also acts as a data controller for respondents who are also respondents to companies with which HELIOS FAROS has concluded business contracts on the basis of which it manages the tourism part of its business within its powers under these contracts.

This Privacy Policy is divided into two parts: the General Part and the Special Part. The basic principles of personal data processing, contact details of personal data protection officers and other provisions set out in the General Part of the Policy apply without exception to any processing of personal data regardless of whether such processing is specifically processed in the Special Part of the Policy. The Special Part of the Policy deals in more detail with special cases of data processing, which represent the majority of all HELIOS FAROS processing.

HELIOS FAROS concluded on 16.08.2019 the Agreement with VALAMAR RIVIERA d.d. Contract in relation to the management of hotel and tourist facilities and contents on the basis of which VALAMAR RIVIERA d.d. manages certain business segments, i.e., performs certain tasks based on general powers on behalf and for HELIOS FAROS as a management company. In this sense, HELIOS FAROS and VALAMAR RIVIERA d.d. can act as joint managers of personal data of employees, guests and business partners for the purpose of managing the operational part of business, business process management and providing contracted services, providing appropriate information to employees, guests and business partners (hereinafter: access to personal data from management services).

DATA PROTECTION OFFICER

HELIOS FAROS has appointed a personal data protection officer who you can contact at any time via the following e-mail address: gdpr@heliosfaros.hr or by mail to the postal address Helios Faros d.d., Naselje Helios 21460 Stari Grad, Republic of Croatia - for DPO, for issues related to personal data protection and exercising the rights guaranteed by the Regulation.

All non-personal data protection requests submitted to the Data Protection Officer, such as offers of job candidates, inquiries for reservations at HELIOS FAROS facilities, etc., will be forwarded directly to the relevant HELIOS FAROS departments, without special replies to the sender from the data protection officer.

PRINCIPLES OF PERSONAL DATA PROTECTION

HELIOS FAROS has recognized the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. HELIOS FAROS processes data:

  • Legally - processing will be possible if it is allowed by law, within the limits set by law.
  • Fair enough - respecting the specifics of each relationship, applying all adequate measures for protection of personal data and not preventing the respondent from exercising his rights.
  • Transparently - informing the respondents about the processing of personal data. From data collection when respondents are informed about all aspects of data processing until the end of data processing, respondents are provided with easy and fast access to their own data, which includes the ability to view and obtain a copy in accordance with the Regulation. Certain information may be restricted only when required by law or when necessary to protect third parties.
  • With purpose limitation - processing personal data for the purposes for which they were collected, and for others purposes if the conditions set out in the Regulation are met. Data may be processed for concurrent purposes only taking into account: (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which personal data were collected, in particular as regards the relationship between the respondents and HELIOS FAROS; (c) the nature of personal data, in particular whether specific categories of personal data are processed in accordance with Article 9 of the Regulation or personal data relating to criminal convictions and criminal offenses in accordance with Article 10. Regulations; (d) the possible consequences of the intended continuation of processing for the respondents; and (e) the existence of appropriate safeguards.
  • With storage restriction - storing data in a form that allows the identification of respondents only for as long as necessary for the purposes for which personal data are processed, and longer only if permitted by regulations.
  • With a reduction in the amount of data - processing data if they are appropriate, relevant and limited to what is necessary. Particular care is taken not to collect data for which there is no justified need for processing.
  • Taking care of accuracy - taking into account the accuracy and timeliness of the data and deleting inaccurate data as far as possible.
  • Taking care of integrity and confidentiality- providing technical and organizational measures for adequate security of personal data, including protection against unauthorized use or illegal processing and from accidental loss, destruction or damage by the application of appropriate technical or organizational measures. Relevant measures are applied taking into account the risk of each type of data processing.

LEGALITY OF PERSONAL DATA PROCESSING

In order to respect the lawfulness of the processing of personal data, HELIOS FAROS processes personal data only if and to the extent that at least one of the following is met:

  • Processing is necessary for the execution of the contract in which the respondent is a party or to take action at the request of the respondent prior to the conclusion of the contract; this is the most common purpose of data processing of respondents where the backbone is an existing contractual relationship or a contractual relationship that is sought to be achieved. Processing is necessary to comply with the legal obligations of the data controller. HELIOS FAROS as a legal entity has a number of obligations prescribed by various regulations. This obligation includes the collection and often the provision of data to public authorities. For example, the processing of personal data of shareholders who apply for the General Assembly, the processing of personal data of participants in meetings held at the premises of HELIOS FAROS in accordance with anti-epidemic measures and the like.
  • Processing is necessary for the legitimate interests of the controller or a third party, except where those interests outweigh the interests or fundamental rights and freedoms of respondents requiring the protection of personal data, taking into account reasonable expectations of respondents based on their relationship with the controller, in particular if the respondent is a child. In applying this legal basis, HELIOS FAROS estimates that the processing is appropriate to business needs, that it is as invasive as possible and that the interests of the respondents do not outweigh the legitimate interests of HELIOS FAROS or a third party. Examples of such processing are processing for administrative purposes, the purpose of maintaining the security of computer networks, the purposes of direct marketing and improving our business. The respondent in these situations always has the right to object to such processing.
  • Processing is necessary to protect the key interests of the respondent or other natural person. The right to the protection of personal data is not an absolute right and HELIOS FAROS equates it with other fundamental rights in accordance with the principle of proportionality. HELIOS FAROS acknowledges the possibility that in some situations it is necessary to process personal data in order to protect the key interests of respondents or other natural persons.
  • The respondent consented to the processing of his personal data for one or more special purposes. When processing personal data on the basis of consent, HELIOS FAROS takes special care that these are situations in which there are no, formal or informal, consequences for granting, refusing to give or denying consent. When processing is based on consent, the respondent may withdraw consent at any time without negative consequences. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

In some emergencies, HELIOS FAROS may process data that would not be processed in regular situations, such as collecting data based on the recommendations of the Croatian Institute of Public Health in the event of epidemics and the like.

TYPES OF PERSONAL DATA PROCESSED

Special categories of personal data: special categories of personal data are processed only if the conditions of Article 9 of the Regulation are met. For example, HELIOS FAROS processes employee data that fall into special categories of personal data, such as data on trade union membership (for example, when exercising special rights under relevant regulations), religious or philosophical beliefs (for example, when exercising the right to additional non-working days for religious holidays), if the individual has voluntarily disclosed such data for the stated purpose)or data related to health (for example according to special regulations on occupational safety or keeping records of workers or when special health certificates are required for certain jobs), etc.

Data on criminal convictions and criminal offenses: where there is legal authority to do so, HELIOS FAROS also processes personal data relating to criminal convictions and criminal offenses, such as certificates of impunity for workers.

Personal data that do not belong to the previous two groups: such personal data make up the largest part of the processed data, and these are most often identification and contact data such as name and surname, PIN, data generated on the basis of movement in the premises under video surveillance.

Most personal information that HELIOS FAROS is collected, provided by the respondents themselves, and please do not provide sensitive information (e.g., race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when not necessary. If you nevertheless provide sensitive information for any reason, you hereby give your express consent to the collection and use of this information in the ways described in this Policy or in the manner described at the time of disclosure of this information.

DELIVERY OF DATA TO THIRD ENTITIES

HELIOS FAROS shares personal information with others only when permitted.

As part of its legal obligations, HELIOS FAROS is obliged to provide data to third parties. For example, delivery of guest data via the eVisitor system, delivery of employee data to the competent institutions: the Croatian Pension Insurance Institute, the Croatian Health Insurance Institute, the Tax Administration and the Central Register of Insured Persons and pension companies. Also, in certain cases, HELIOS FAROS is obliged to submit or make available data related to employment to the Croatian Employment Service, for example to include workers in active employment policy measures, competent police stations or the ministry responsible for internal affairs, for example in the case of senior government officials. in HELIOS FAROS facilities, as well as for issuing work permits, to the ministry in charge of tourism in the case of employment of scholarship holders, the ministry in charge of economy and entrepreneurship when it comes to the use of investment aid, insurance companies, banks and in other cases when required by regulations.

Also, certain employee data is sent to banks or pension funds as part of payments, and data can also be sent to creditors in accordance with enforcement regulations. Sometimes data are sent with regard to contractual obligations, for example with students in practice, data are exchanged with schools, colleges.

Certain personal data are also provided to business entities for the purpose of providing specific services such as health examinations of workers (contracted occupational medicine), further, institutions that organize legally mandatory training (occupational safety, hygiene, toxicology) or audit firms in conducting statutory audit, public notaries when certifying, the Financial Agency for the purpose of obtaining business certificates, public procurement officers when HELIOS FAROS applies for public procurement tenders, further for the purposes of awarding and using official cards, official mobile devices or for the purchase of fuel.

It is possible to deliver data to business entities, executors of processing, who process data on behalf of HELIOS FAROS acting as data controller. Most often, these are HELIOS FAROS business associates who provide IT services, who keep them in their databases or have the possibility of accessing personal data until the end of processing. A detailed agreement is concluded with such entities regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities together with HELIOS FAROS to jointly determine the purposes and methods of personal data processing, then these external partners and HELIOS FAROS are joint controllers. In these relations, the joint controllers shall determine in a transparent manner their responsibilities for compliance with the obligations under the Regulation, in particular with regard to the exercise of respondents' rights and their duties for compliance with processing transparency, unless responsibilities are established by law.

A special case of data delivery to third parties is the fact that HELIOS FAROS has concluded business contracts with companies on the basis of which it manages the tourism part of the business. This means that in certain cases, guests of HELIOS FAROSA can also receive from HELIOS FAROSA offers that contain information about other hotels and facilities managed by HELIOS FAROS. Also, based on entrepreneurial contracts, HELIOS FAROS has certain rights and obligations related to human resources. In these cases, HELIOS FAROS has the right to process the personal data of the respondents of these companies. All the principles from this Policy also apply to the respondents of those companies in the segments in which HELIOS FAROS was included as the data controller, however, these companies are also responsible as the controllers of their data processing of respondents.

If data is transferred to third countries as part of data processing, HELIOS FAROS ensures compliance with high standards of protection in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. In this sense, when international transfers of personal data are in use, HELIOS FAROS will inform the respondent about the intention to disclose personal data to a third country or international organization and about the existence or non-existence of a European Commission decision on adequacy. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

DATA STORAGE TIME

Respondents' data are processed and stored in accordance with applicable legal regulations when the retention obligation is prescribed (e.g. payrolls, analytical records on salaries for which mandatory contributions are paid are kept permanently, and accounting documents based on which data are entered in the diary, the main book and auxiliary books are kept for at least eleven years), and in situations where HELIOS FAROS is authorized to determine the retention periods, the data are kept as long as necessary for the purposes for which personal data are processed taking into account the purpose of processing, legitimate interests of HELIOS FAROS and the interests of the respondents to have the data deleted.

RIGHTS OF RESPONDENTS

Regardless of the basis of data collection, respondents can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: the respondent has the right to be informed about the processing and its purposes. HELIOS FAROS takes care to provide all information to the respondent that is necessary to ensure fair and transparent processing taking into account the context of processing.

Right to delete („Right to oblivion“): the respondent has the right to ask HELIOS FAROS to delete personal data concerning him / her, without undue delay in accordance with the conditions set out in the Regulation. To do so, send us your request as a data controller in writing, including an electronic form of communication. Please note that the application needs to specify what exactly you want to be deleted because we may store your data on different legal grounds, for example the respondent may be both our guest and a candidate for employment. You have the right to request the deletion of personal data relating to you if one of the following conditions is met:

  • Your personal information is no longer necessary in the relationship for the purpose for which we collected or processed them
  • you have withdrawn the consent on which the processing is based even if there is no other legal basis for the processing
  • you have objected to the processing of your personal data and if there are no stronger legitimate reasons for our processing
  • personal data has been processed illegally
  • personal data must be deleted in order to comply with a legal obligation.

In some cases, it may not be possible to fully fulfil the deletion request, such as when there is a legal obligation to keep, when the legitimate interest of the data controller is stronger than the interest of the respondent, when there is an interest of the data controller to set, realize or defend legal claims.

Right of access to data: Upon the request of the respondent, HELIOS FAROS will issue him with a certificate as to whether his personal data are being processed and, if such personal data are being processed, access to personal data and purpose of processing, categories of data, potential recipients to whom personal data will be disclosed and other data in accordance with the requirements of the Regulation. The respondent is also entitled to receive a copy of the personal data being processed. Access to personal data may be restricted only in cases prescribed by law, i.e., when such restriction respects the essence of the fundamental rights and freedoms of others.

Right to correction: the respondent has the right to obtain from HELIOS FAROS, without undue delay, the correction of inaccurate personal data relating to him. Taking into account the purposes of processing, the respondent has the right to supplement incomplete personal data. To do so, send us your request as a data controller in writing, including an electronic form of communication. We note that in the request it is necessary to specify what is not accurate, complete or up-to-date and in what sense the above should be corrected and submit the necessary documentation in support of their allegations.

Right to data portability: The respondent has the right to receive personal data relating to him in a structured, commonly used and machine-readable format in accordance with the requirements of the Regulation.

Right to object: when HELIOS FAROS processes data on the basis of its legitimate interests which are stronger than the interests of the respondent, then the respondent has the right, based on his special situation, to object at any time to the processing of personal data relating to him.

Right to limit processing: the respondent has the possibility to ask HELIOS FAROSA to exercise the right to limit the processing in case he disputes the accuracy of personal data, considers the processing illegal and opposes the deletion of personal data and instead requests restriction of their use and the respondent objected to legitimate reasons of the leader processing the reasons of the respondents.

In any case, respondents also have the right to:

  • file a complaint with the Personal Data Protection Officer
  • file a complaint with the supervisory body (Personal Data Protection Agency) if they consider that their data protection rights have been violated.

Send your written request to the contact address of the Personal Data Protection Officer: katija.damijanic@heliosfaros.hr or by mail to Helios Faros d.d., Settlement Helios 21460 Stari Grad, Republic of Croatia - for DPO

HELIOS FAROS has the right to publish a form that will be used to submit the request in order to process the request as efficiently as possible.

Upon request, HELIOS FAROS shall provide information on the actions taken in relation to the exercise of the rights of the respondents without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, as appropriate, taking into account the complexity and number of applications. HELIOS FAROS shall inform the respondent of any such extension within one month from the date of receipt of the request, together with the reasons for the postponement.

If the respondent submits the request electronically, HELIOS FAROS shall provide the information electronically, if possible, unless the respondent requests otherwise.

Respondents' requests are generally free of charge, but if respondents' requests are clearly unfounded or excessive, especially due to their frequent recurrence, HELIOS FAROS is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.

PROTECTION OF PERSONAL DATA OF CHILDREN

HELIOS FAROS advises parents and guardians to teach children (up to 18 years of age) about safe and responsible handling of personal data, especially on the Internet. HELIOS FAROS processes personal data of children only with the prior consent of parents / guardians (for example: scholarship holders, when children are guests of our facilities, visitors to Maro playrooms, etc.).

SOURCES OF PERSONAL DATA

HELIOS FAROS receives personal information most often from respondents. When providing personal information to HELIOS FAROS, in any way (booking accommodation, job application…), you guarantee that the information you provide is correct, that you are legally capable and authorized to dispose of the information and that you fully agree that HELIOS FAROS your information uses and collects in accordance with the positive regulations and terms of this Privacy Policy.

HELIOS FAROS also receives personal data from other natural and legal persons, for example: from travel agencies that forward guest data for accommodation purposes, guests who book accommodation for people with whom they will stay in facilities, employment agencies and employees . When giving personal data of other persons to HELIOS FAROS, you guarantee that the information you have provided is accurate, that you are legally capable and authorized to dispose of the given information, that respondents whose personal data you forward to HELIOS FAROS agree that HELIOS FAROS uses and collects their data in accordance with positive regulations. and the terms of this Privacy Policy.

TECHNICAL AND INTEGRATED DATA PROTECTION

As the data controller, HELIOS FAROS takes care of the highest organizational and technical standards of data protection. Therefore, taking into account the latest developments, cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, appropriate technical and organizational measures to enable the effective application of data protection principles.

Also, HELIOS FAROS implements appropriate technical and organizational measures to ensure that only personal data necessary for each specific processing purpose are processed in an integrated manner. HELIOS FAROS applies this measure to the amount of personal data collected, the scope of their processing, the storage period and their availability. Specifically, such measures ensure that personal data are not automatically, without the intervention of an individual, available to an unlimited number of individuals.

TREATMENT OF PERSONAL DATA BREACHES

HELIOS FAROS, as the controller, ensures that in the event of a personal data breach without undue delay and, if possible, no later than 72 hours after learning of the breach, reports to the competent supervisory authority on the personal data breach, unless the personal data breach is likely to pose a risk. for the rights and freedoms of individuals.

The report submitted to the supervisory authority shall contain all information in accordance with the Regulation.

In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, HELIOS FAROS, as the controller, informs the respondent about the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing respondents is not mandatory.

SPECIAL PART


STAY IN FACILITIES (hotels, apartments, camps)

The main business of HELIOS FAROS is the provision of accommodation services in hotels, apartments and camps. Therefore, HELIOS FAROS collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourist companies.

Your personal data, which you must provide in order to be provided with the service of HELIOS FAROS, as the data controller, keeps in its database for the purpose of fulfilling the accommodation contract and fulfilling the legal obligations related to the catering business. In case you do not provide HELIOS FAROS with the minimum data required for booking accommodation and during the registration stay with all competent registries, HELIOS FAROS will not be able to provide you with accommodation booking services or accommodation services in accordance with the contract and law.

Certain information is necessary in order to take action at the request of the respondent before concluding the accommodation contract. For example, before booking accommodation, at the request of potential guests, offers for accommodation are sent, for the creation of which HELIOS FAROS needs personal data, at least the name, surname and e-mail address in order to send an offer.

Personal information that HELIOS FAROS collects when booking accommodation (reservations via the web or reservations by phone by calling the call centre or reservations by accepting the offer by e-mail) in order to fulfil the reservation obligation are:

  • name and surname of the reservation holder
  • residence address (Croatian citizens)
  • date of birth
  • number, type of identification document and place of issue
  • citizenship
  • object name
  • number of accommodation units, type of accommodation unit (room type)
  • date of arrival and departure
  • number of persons for whom accommodation and accommodation by rooms are reserved
  • which persons are minors
  • eventually other specifics depending on the request of the person booking the accommodation
  • email address if the person has it
  • language
  • phone
  • membership in the Loyalty Program if it affects the price of accommodation or the collection of points
  • method of payment and possibly additional information necessary for the purpose of executing transactions or securing payments.

In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.

Upon arrival at the facility, guests usually check in at the reception of the facility via a registration card that the guest fills out or reviews and confirms the accuracy of the data or check in using self-check-in applications. In any case, the data is entered into the guest database from which the data is automatically sent to the eVisitor system (unique online information system for check-in and check-out of guests) in order to comply with legal obligations.HELIOS FAROS Data to be collected (data subject to change due to changes in positive regulations):

  • name and surname
  • place, country and date of birth
  • citizenship
  • number and type of identification document
  • residence and address
  • date and time of arrival or departure from the facility
  • sex
  • basis for exemption from payment of tourist tax or reduction of tourist taxes.

These data are processed by tourist boards and public authorities of the Republic of Croatia for the following legal purposes:

  • monitoring the fulfilment of the obligation to register and deregister tourists by the person obliged to register and deregister (accommodation service provider)
  • records, calculation and collection of tourist tax
  • keeping a book or guest list by the accommodation service provider and monitoring the execution of stated obligations by inspection bodies
  • reports of aliens to the ministry responsible for the interior and monitoring the implementation of this obligation by inspection bodies
  • keeping a list of tourists by tourist boards and statistical processing and reporting
  • supervision over the operations of the accommodation service provider in the part related to the legality of performing activities or the provision of registered services and compliance with tax and other regulations on public benefits.

Considering that it is prescribed that guest registration data be entered on the basis of data from the identity card, i.e., travel or other identity document, the guest is obliged to provide HELIOS FAROS with such a document and provide all other information necessary for registration data and are not contained in such a document. Also, in order to exercise some rights and benefits, it is necessary to attach (copies) of appropriate documents, certificates and documents proving and exercising such rights and benefits.

Also, HELIOS FAROS is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with personal data of the guest in accordance with legal regulations.

Other data related to the circumstances of your stay, such as: mode of travel, who you are traveling with, marital status, number of children, pets, other interests, will also be collected and processed during your stay when directly related to the accommodation service.

Before, during and after your stay, HELIOS FAROS, as the data controller, has the right to send you, as a guest, a so-called service messages - booking confirmations, reminders of the stay and other information closely related to the specific stay you have booked.

Also, during and after the stay, HELIOS FAROS as the data controller has the right based on the legitimate interest of you as a guest by email, SMS and / or instant messaging platform (Viber, WhatsApp, etc.) to send satisfaction questionnaires that will process alone or through collaborators. The primary purpose of the satisfaction questionnaire is to collect data on the service for the legitimate interest of improving the service by HELIOS FAROS, and HELIOS FAROS can depersonalize and process the data from the questionnaire for statistical purposes.

HELIOS FAROS has the right, on the basis of a legitimate interest, to collect certain data and use it for direct marketing purposes as described in the Newsletters section.

Service messages and messages with satisfaction questionnaires related to the specific stay of the guest are not considered newsletters for the purpose of sending offers and news HELIOS FAROS.

In relation to the above information, VALAMAR RIVIERA d.d. provides access to personal data from management services.

CANDIDATES FOR EMPLOYMENT AND WORKERS

HELIOS FAROS is the employer of a large number of individuals and this part of the Policy regulates the protection of personal data primarily in the processes related to employment, development and education within HELIOS FAROS. In this sense, the respondents are primarily former and current workers, job seekers, interns (students), professional development, students who work on the basis of the so-called. student contract, scholarship holders and other persons whose data are processed within the framework of employment law and related relations.

As part of the processing of employment data, HELIOS FAROS identified the following processing purposes:

  • Personnel selection: includes the collection and further processing of relevant competition documents, testing and evaluation, the collection and analysis of information on candidates from publicly available sources, including information publicly disclosed by the candidate if relevant to the risks of the job.
  • Reputation risk reduction: collecting and analysing information on employees and persons in a comparable relationship from publicly available sources, including information publicly disclosed by the respondent if relevant because of the risk involved in the job.
  • Conclusion of the contract: processing for the purpose of concluding an employment contract, student contract, professional practice or professional training, scholarship contract with persons not employed in the IMPERIAL RIVIERA or any other comparable relationship.
  • Exercise of material and other rights: processing is necessary in order to exercise the material and other rights of workers, persons in a comparable relationship or other persons (e.g., children, spouses or insurance beneficiaries), for example to exercise the right to enter into active employment policy measures (permanent seasonal and others), for realization of additional rights of workers under the collective agreement HELIOS FAROS (for example: birth of a child) and others.
  • Fulfilment of the contract: data processing is necessary for the purpose of fulfilment of the contract by the respondents, which includes fulfilment of work obligations, monitoring of their execution and ensuring all relevant measures for their execution.
  • Accommodation registration: data processing is necessary in case the respondents stay in the facilities for personal accommodation of workers in order to register their stay with the competent authorities.
  • Performance management: this purpose includes information on the achievement of previously set goals, timely fulfilment of goals and further analysis to determine future goals, human resources management, determining the number of awards and other relevant measures.
  • Rewarding: processing includes rewarding or payment of fixed and variable part of the fee, where such processing may include data on violations of ethical and other internal rules, data from the performance management system, on attended training, as well as all other relevant data.
  • Education: processing for the purpose of educating persons acting under the guidance of HELIOS FAROS, including knowledge tests, which includes all necessary actions for candidacy and registration of respondents, analysis of acquired knowledge and all other relevant information for organizing, implementing and further action.
  • Preparation of various reports on workers: some reports are prepared for the legal obligation of HELIOS FAROS, some for the exercise of certain rights, fulfilment of obligations of HELIOS FAROS in case of contracting and realization of additional benefits for workers, budgeting, etc.
  • Informing: collection and processing of data for the purpose of quality and timely informing of candidates about open positions and competitions, i.e., employment opportunities within HELIOS FAROS. Collection and processing of data for the purpose of quality and timely informing all HELIOS FAROS employees about new changes or special notices important for the exercise of employment rights or important information in the field of general knowledge of events and activities in HELIOS FAROS related to employment rights or of every comparable relationship. For this purpose, for the sake of speed and better information, information is sent by phone and / or to official e-mail addresses, or private if the employee has given consent to use the e-mail address for this purpose. Furthermore,
  • Protection of property and persons: includes monitoring of entry / exit from business premises, use of official mobile devices, computer equipment, internet and telephone traffic, cars, premises, and other HELIOS FAROS property as well as access to guest property in accordance with internal acts.
  • Termination of employment: data processing due to termination of employment contract or other comparable contract, in order to fulfil legal and contractual obligations.
  • Monitoring ethical behaviour: processing includes all procedures in which compliance with ethical conduct or regulations related to the protection of dignity is investigated, or in the framework of any other disciplinary action, regardless of whether the respondent is a registered person or an applicant.
  • Safety at Work: data processing may also be required in cases where it is necessary to fulfil the purpose of special regulations on occupational safety, including alcohol testing in accordance with regulations.

HELIOS FAROS has a legitimate interest in realizing various benefits for its employees, as well as facilitating some business processes. In this sense, HELIOS FAROS can, based on a special decision, decide on various tools to achieve these purposes (for example, issuing employees ID cards that receive discounts, giving certain instructions via SMS, taking photos in certain cases, etc.) in which case inform all workers in a timely manner.

In addition to the stated purposes, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations arising from employment, or in relation to employment and any comparable relationship.

HELIOS FAROS database on former and current employees, candidates, interns (students), professional development, students working on the basis of the so-called. student contract, scholarship holders and other persons whose data are processed in the framework of labour law and related relations is kept in a special application. An appropriate contract has been concluded with the holder of maintenance and support of the application as the executor of personal data processing.

Personnel selection

HELIOS FAROS as a potential employer collects, processes and stores data of candidates for employment in HELIOS FAROS in the database of candidates on the basis of their voluntary application, in the following ways:

  • Candidate application via a web application form that serves as a CV
  • login via email
  • by attending organized auditions and filling out application forms
  • on the other way.

Data collected as a rule: name, surname, date of birth, address, citizenship, OIB (for Croatian citizens, given that OIB is the most reliable information that distinguishes candidates), mobile phone, e-mail address (for contact purposes), gender, education, language, preferred mode of communication.

Candidates may obtain information from HELIOS FAROS indirectly, from domestic and foreign employment agencies, in which case those agencies are obliged to inform candidates about the processing of their personal data by HELIOS FAROS.

Candidates send their job applications to:

  • as open applications in which case we process data to contact the candidate in connection with employment for five years
  • as applications for specific tenders that have a specified deadline in which case, we process the data during the competition and five months from the end of the competition in order to contact the candidate in connection with employment, and these applications are archived for five years.

In the event that candidates who apply for a specific competition that has a specified deadline give special consent, we process data to contact candidates in connection with employment for five years, as well as open applications.

HELIOS FAROS has a legitimate interest in using the obtained e-mail addresses, as well as other submitted contact information for contacting candidates related to employment. For example, after applying, candidates may receive an automatic reply that their application has been received and that candidates whose qualifications and experience are in line with those required for individual jobs will be contacted. Also, after applying, candidates can receive a message on the phone number with the proposed date of the interview, a message stating the documentation required for employment and the like. In addition, HELIOS FAROS has a legitimate interest in contacting temporary workers, mainly seasonal jobs, for information on information relevant to business and key activities in HELIOS FAROS, and to maintain contact for possible further cooperation.

The data is kept by the candidates themselves, but HELIOS FAROS creates personal data related to employment activities, such as the results of job interviews, tests and assessments, based on the legitimate interest of ensuring the best candidates, and collects personal data from third parties, primarily by verification data obtained during the recruitment process by contacting relevant third parties (for example: employment agencies, education and training providers) or using publicly available sources.

Employment relationship and other comparable relationships

HELIOS FAROS as an employer collects, processes and stores all employee data in the employee database kept in the IT program and in the physical files of employees. The data collected are listed in the Ordinance on the content and manner of keeping records of workers published by the ministry responsible for labour and the pension system.

Needed data for employment are usually: copy of ID card, copy of current account or instructions for payment from the bank, copy of protected account (if the employee has one), OIB, proof of education (copy of certificate or diploma), e-book: certificate of retirement, (obtain it from the HZMO or through the e-Citizens service), Electronic record of the tax card form, the so-called PK form (obtained from the Tax Administration or through the e-Citizens service, first-time employees do not have an electronic record of the tax card form and must open it at the Tax Administration), birth certificate of a child under 15 years of age.

Necessary data for concluding student contracts are usually: confirmation of the faculty for the current year as proof of student status or a copy of the index of enrolled current year, copy of ID card, certificate of enrolment for the Student Center (not all student centres), one photo or student card, PIN.

In addition to this information, HELIOS FAROS may keep in the employee's file other data collected during the employment process, as well as other data collected during the employment, determined by the regulations of HELIOS FAROS (for example: awards, warnings, certificates, etc.).

All employees' data are kept in the database of employees on the date of employment and are kept up to date until the termination of employment and they are kept as documentation of permanent value in accordance with relevant regulations.

In its database, HELIOS FAROS also stores data of other persons in a business relationship comparable to an employment relationship or persons in practice and professional development, starting from work and promptly leading them to termination of employment and kept in accordance with relevant regulations. A special case is the data of students in practice who may be minors, about whom special attention is paid and whose data are collected and stored in accordance with special regulations with the approval of the school and parents.

Salary data, payroll - subject to special storage regulations. Anyway, all employees and other persons in a business relationship comparable to an employment relationship or a person in practice and professional development have all the rights of the respondents.

In relation to the above information, VALAMAR RIVIERA d.d. provides access to personal data from management services.

BUSINESS PARTNERS

In its business operations, HELIOS FAROS also processes data from business partners or potential business partners, which are:

  • natural persons who are, may become or have been business partners of HELIOS FAROS, e.g., craftsmen, persons in the regime of independent professions (e.g., lawyers, doctors, etc.), persons with whom employment contracts are concluded (e.g., singers, painters , photographers, etc.) and other natural persons who have the status of entrepreneurs
  • natural persons who in some part of the business represent legal entities with which HELIOS FAROS has, may have or has had a business relationship (e.g., persons delivering for their employer company, persons to whom invoices are sent for their employer legal entity, signatories of contracts for companies representing persons who hand over the company, persons who organize congresses for their legal entity, etc.).

As part of the processing of respondents' data, HELIOS FAROS identified the following purposes of processing:

  • Conclusion of the contract: processing for the purpose of concluding contracts from any area of activity of HELIOS FAROS (for example: sending inquiries, sending special offers, requesting data on signatories of contracts, sending tenders for legal entities represented by respondents, etc.)
  • Fulfilment of the contract: data processing is necessary for the purpose of fulfilling the contract, which includes fulfilling obligations, monitoring their execution and ensuring all relevant measures for their execution (for example: to agree on the time and place of delivery of equipment under the contract, to send invoices, etc.).
  • Informing: data gathering and processing for the purpose of quality and timely information; HELIOS FAROS has the right, on the basis of a legitimate interest, to collect certain data and use it for direct marketing purposes as described in the Newsletters section.

In addition to the stated purposes, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations arising from the business relationship.

Type of personal data of the respondents that are collected are:

  • name and surname
  • email address
  • telephone number
  • data on the function within the legal entity he represents (e.g., sales officer, secretary of the administration, etc.)
  • occupation when the respondent is a natural person with whom he enters into a contractual relationship (for example: singer, painter, photographer, lawyer, doctor ...)
  • sometimes references and short CVs (especially for consultants)
  • data listed on the forms of blank promissory notes, debentures, bills of exchange
  • bank account number (IBAN) when the business partner is a natural person with whom a contract is entered into
  • other information depending on the nature of the business relationship.

Places of collecting personal data of respondents:

  • respondents' offers for business cooperation received
  • data received from respondents in the context of selling HELIOS FAROS products / services or buying products / services from a business partner (e.g., fairs, congresses, etc.)
  • business correspondence related to certain previous or current business cooperation (for example, correspondence performed as part of the execution of a contract)
  • publicly published data (for example: court register, websites of business partners, magazines, newsletters, etc.).

In addition to the above types of data and places of collection, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary to exercise the rights and obligations of the business relationship.

Storage time

Data of respondents who are natural persons in a business relationship with HELIOS FAROSOM are kept in accordance with the applicable legal regulations (for example, HELIOS FAROS is obliged to keep all invoices, as well as the basis for issuing invoices in accordance with legal regulations).

In situations when HELIOS FAROS is authorized to set deadlines for data retention, they are determined taking into account the purpose of processing and the interests of respondents to destroy data, and this is set at a maximum of five years from the termination of the contractual relationship (if any).

In relation to the above information, VALAMAR RIVIERA d.d. provides access to personal data from management services.

PUBLIC ANNOUNCEMENTS

HELIOS FAROS publishes information of interest to existing, but also potential employees, guests, business partners, i.e., the public, through its website, social media profiles, video walls and bulletin boards in the facilities. Such disclosures may contain a limited set of personal information, such as first and last names, functions, professional information, videos, statements and photographs.

The legal basis for processing is the legitimate interest of informing the public, but also marketing, during which processing always takes into account the interest of respondents, so personal data are not published if it is determined that the interest of respondents not to publish certain personal data is stronger than HELIOS FAROS publication of the same. In some situations, disclosure of information may be based on consent to the highest standards.

The announcements have a permanent character, which provides information on current events, as well as insight in previous activities.

Processing will stop on the basis of the respondent's objection; it is determined that such objection is justified or if the respondent has withdrawn the consent in situations where the consent is applicable and in a manner that can be enforced.

WEB-SITE, COOKIES AND INTERNET TECHNOLOGIES

Web site of HELIOS FAROS apply cookies, and the cookie policy is available at the link: www.heliosfaros.hr/cookie-policy/.

VALAMAR RIVIERA d.d., which acts as a management company in the name and on behalf of HELIOS FAROS (see introduction), has several websites (for example: www.valamar.com, https://www.valamar.com/en/hotels-hvar/hvar-places-hotel, www.camping-adriatic.com, www.valamar-experience.com, www.dobarposaouvalamaru.com, www.valfresco.com…) and it is possible that they will create them and more, all in order to provide the best possible service and provide users with easier and faster access to content that interests them.

The privacy policies of VALAMAR RIVIERA d.d. are available via the link: https://www.valamar.com/hr/izjava-o-privatnosti

VIDEO SURVEILLANCE

HELIOS FAROS as the data controller has a legitimate interest in implementing video surveillance measures to protect property and persons, and in some cases has a legal obligation to install surveillance cameras that record all persons moving around the perimeter of the surveillance camera (guests, employees, business partners, etc.).

The processing of personal data of employees through the video surveillance system is also carried out under the conditions determined by the regulations governing safety at work.

HELIOS FAROS in the prescribed manner indicates all places where video surveillance is installed.

HELIOS FAROS is aware that the videos contain personal data of all persons moving around the perimeter of the camera and therefore keeps them with special care, has a security system, availability and deletion policy, which is governed by internal security rules HELIOS FAROS.

Videos are automatically deleted after a maximum of 15 days from the date of recording. In case of the need for exemption (dubbing), videos are kept for a maximum of six months, unless another law prescribes a longer retention period or if the evidence is in court, administrative, arbitration or other equivalent proceedings. Excluded videos will be stored in an extremely restricted central alert system.

HELIOS FAROS may use the videos in court and / or criminal proceedings. Insight into personal data on videos may also have third parties, executors, contractors HELIOS FAROS registered and professional for the provision of services for the protection of persons and property, and who in no way use the data independently but take care of the security of central surveillance and reporting system. Special regulations governing this area apply to all other details related to video surveillance.

FINAL PROVISIONS

This Privacy Policy is available athttps://www.valamar.com/en/hotels-hvar/hvar-places-hotel and www.heliosfaros.hr and also in human resources offices and at the receptions of HELIOS FAROS facilities.

HELIOS FAROS reserves the right to change and / or amend these Privacy Policies at any time, and will update the updated Privacy Policy on the above media.

Imperial Riviera d.d. privacy policy

GENERAL SECTION

PROCESSING MANAGER AND LEGAL FRAMEWORK

As the processing manager, IMPERIAL RIVIERA, is committed to protecting your personal data. The collection and storage of data is carried out in accordance with the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: Regulation), of the Law on the application of the General regulation of data protection (NN 42/2018) and other regulations governing the subject area, which are applied in the Republic of Croatia.

SCOPE OF APPLICATION

This Policy applies to any processing of personal data performed by IMPERIAL RIVIERA as the processing manager, unless another policy or other IMPERIAL RIVIERA document prescribes otherwise for a particular processing.

This Policy is divided into two parts: the General Section and the Specific section. The basic principles of personal data processing, contact details of personal data protection officials and other provisions specified in the General Section of this Policy are applied without exception to any personal data processing regardless of whether such processing is specifically processed in the Specific Section of this Policy or not. The Specific Section of the Policy deals, in more detail, with specific cases of data processing which represent the majority of all processing by IMPERIAL RIVIERA.

DATA PROTECTION OFFICIAL

IMPERIAL RIVIERA has appointed a personal data protection official who you can contact at any time via e-mail: gdpr@imperial.hr or by mail to the address Imperial Riviera d.d., Jurja Barakovića 2, 51280 Rab, Republic of Croatia - for DPO, issues related to personal data protection and for exercising their rights guaranteed by the General Data Protection Regulation.

All requests not related to personal data protection, which are delivered to the address of the data protection official, e.g. offers of job candidates, booking inquiries in IMPERIAL RIVIERA properties, etc. will be provided directly to the relevant departments within IMPERIAL RIVIERA, without special response to the sender by the data protection official.

PERSONAL DATA PROTECTION PRINCIPLES

IMPERIAL RIVIERA has recognized the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. IMPERIAL RIVIERA processes data:

  • Lawfully - by processing data only if allowed by law and within the limits prescribed by law.
  • Fairly - by taking into account the specifics of each relationship, applying all appropriate measures to protect personal information and privacy in general and not impeding data subjects in exercising their rights.
  • Transparently - by informing data subjects about the processing of personal data. From the start of the data collection process, when data subjects are informed about all aspects of data processing, until its termination, data subjects are provided easy and fast access to their own data, which includes the possibility of accessing and obtaining a copy in accordance with the provisions of the Regulation. Certain information may be restricted only when required by law or when necessary for the protection of third parties.
  • Purpose limitation - by processing personal data for the purposes they were collected for and for other purposes only if the conditions of the Regulation are met. Data may be processed for matching purposes only taking into account (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which the personal data was collected, in particular concerning the relationship between the data subjects and IMPERIAL RIVIERA; (c) the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9. Regulations or personal data relating to criminal convictions and criminal offenses in accordance with Article 10. Regulations; (d) the possible consequences of the intended continuation of processing for the data subjects; and (e) the existence of appropriate protection measures.
  • Storage limitation - by storing data in a form which permits identification of data subjects for no longer than is necessary for the initial purposes, and longer only if permitted by the Regulation.
  • Data minimization - by processing data if it is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Particular attention is given to not collecting data for which there is no justifiable reason for processing.
  • Accuracy - by keeping data accurate and up-to-date, and erasing inaccurate data in the scope of possibility.
  • Integrity and Confidentiality - by using appropriate technical and organisational measures to ensure appropriate personal data protection, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Relevant measures are applied taking into account the risk of each type of data processing.

LEGALITY OF PERSONAL DATA PROCESSING

In order to respect the lawfulness of processing personal data, IMPERIAL RIVIERA processes personal data only if and to the extent that at least one of the following is met:

  • Processing is necessary for the performance of the contract to which the data subject is a party or in order to take action at the request of the data subject prior to the conclusion of the contract; this is the most common purpose of data processing with an existing contractual relationship or a contractual relationship in negotiations as its basis.
  • Processing is necessary to comply with the legal obligations of the processing manager. As a legal entity, IMPERIAL RIVIERA has a number of obligations prescribed by various regulations. This obligation includes the collection and often the submission of data to public authorities. For example, the processing of personal data of shareholders who apply for the General Assembly, the processing of personal data of participants at meetings held at the premises of IMPERIAL RIVIERA in accordance with anti-pandemic measures and the like.
  • Processing is necessary for the legitimate interests of the processing manager or a third party, except where those interests are stronger than the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data, taking into account reasonable expectations of data subjects based on their relationship with the processing manager, especially if the data subject is a child. In applying this legal basis, IMPERIAL RIVIERA assesses that the processing is appropriate to business needs, that it is the least invasive as possible and that the interests of the data subjects do not exceed the legitimate interests of IMPERIAL RIVIERA or a third party. Examples of such processing are processing for administrative purposes, the purposes of maintaining computer network security, direct marketing, and improving our business.The data subject always has the right to object to such processing in these situations.
  • Processing is necessary to protect key interests of the data subject or other natural person. The right to personal data protection is not an absolute right and IMPERIAL RIVIERA equates it with other fundamental rights in accordance with the principle of proportionality. IMPERIAL RIVIERA acknowledges the possibility that in some situations it is necessary to process personal data in order to protect the key interests of the data subjects or other natural persons.
  • The data subject has consented to the processing of his or her personal data for one or more specific purposes. When processing personal data on the basis of consent, IMPERIAL RIVIERA provides that these are situations in which there are no, formal or informal, consequences for giving, refusing or denying consent. When processing is based on consent, the data subject may withdraw consent at any time without negative consequences. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

In certain exceptional situations, IMPERIAL RIVIERA may process data that would not be processed in regular situations, for example data collection based on the recommendations of the Croatian Institute of Public Health in case of epidemics, etc.

TYPES OF PERSONAL DATA PROCESSED

Special categories of personal data: specific categories of personal data shall be processed only if the conditions set out in Article 9 of the Regulation are met. For example, IMPERIAL RIVIERA processes employee data that fall into specific categories of personal data, such as union membership data (for example, when exercising special rights under relevant regulations), religious or philosophical beliefs (for example, when exercising the right to additional non-working days for religious holidays, if the individual has voluntarily disclosed such data for the stated purpose), or health related data (for example according to special regulations on occupational safety or keeping records of workers or when special health certificates are required for certain jobs), etc.

Data on criminal convictions and criminal offenses: when there is a legal authority to do so, IMPERIAL RIVIERA also processes personal data relating to criminal convictions and offenses, such as certificates of impunity for workers.

Personal data that do not belong to the previous two groups: such personal data make up the largest part of the processed data, and these are most often identification and contact data such as name and surname, OIB, data generated by movement in rooms under video surveillance.

Most of the personal data that IMPERIAL RIVIERA collects is provided by the data subjects themselves and we ask that you do not provide sensitive information (such as race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when this is not necessary. If you nevertheless provide sensitive information for any reason, you hereby give your express consent to the collection and use of such information in the ways described in these Policy or in the manner described at the time of disclosure of that information.

THE ROLE OF VALAMAR RIVIERA d.d.

IMPERIAL RIVIERA concluded with the company Valamar Riviera d.d. with its registered office in Poreč, Stancija Kaligari 1 OIB: 36201212847 (hereinafter: Valamar) Contract in relation to the management of hotel and tourist facilities and contents (hereinafter: Management contract) based to which Valamar manages certain business segments of IMPERIAL RIVIERA. In this sense, IMPERIAL RIVIERA and Valamar may act as separate managers or as joint managers of personal data processing, or Valamar may act as the executor of personal data processing of respondents.

Due to such enterpreneur agreement, when managing hotel and and tourist facilities and contents, Valamar sometimes directly manages certain activities, including the management of some of the activities described in the Special Part of this Privacy Policy, and in addition Valamar sometimes receives data from IMPERIAL RIVIERA and has a rights to view the data in certain activities where it subsequently comes to personal data processing. For example, Valamar manages the reservation function through the Valamar reservation center (call center) and via the websites www.valamar.com and www.camping-adriatic.com, and in these cases Valamar is an independent processing manager, however, all this information related to IMPERIAL RIVIERA facilities are also processed by IMPERIAL RIVIERA as an independent processing manager. Furthermore, Valamar has a legitimate interest in processing of personal data carried out for the purposes of direct marketing, primarily for the purpose of sending marketing messages (newsletters) by e-mail, SMS and / or instant messaging platform (Viber, Whatsapp, etc.). Based on a legitimate interest, Valamar may send different newsletters depending on the relationship that respondents have with Valamar or the facilities under Valamar's management. For this purpose, personal data is collected from guests and persons who have asked for an offer or booked accommodation, persons who have participated in the prize game, joined the loyalty program, filled out a satisfaction questionnaire, persons who have filled in the application at free Wi-Fi, a person who made a purchase in a web store or otherwise had a relationship with Valamar. Following the above, in certain cases IMPERIAL RIVIERE guests can receive from Valamar newsletters containing information about other hotels and facilities managed by Valamar, as well as accommodation quality questionnaires and other service e-mails. For IMPERIAL RIVIERA´s guests, prize games can be organized from time to time, which can be organized by Valamar, in which case your personal data will be collected only if you decide to participate in the prize game. Valamar's Plus Club Loyalty Program is applied in the IMPERIAL RIVIERA. The conditions of membership are contained in Valamar's Rules of Loyalty Program, which can be found at www.valamar.com/hr/program-vjernosti/valamar-plus-club/pravilnik-programa. Also, based on the Management Agreement, Valamar has certain rights and obligations related to human resources, so in these cases Valamar has the right to process personal data of employees and candidates applying for employment in IMPERIAL RIVIERA, for example when sending applications through the website www.dobarposaouvalamaru.com.

When Valamar acts as the processing manager, the Valamar Privacy Policy applies, which can be found at: https://www.valamar.com/hr/izjava-o-privatnosti.

DATA DELIVERY TO THIRD ENTITIES

IMPERIAL RIVIERA shares personal information with others only when permitted.

IMPERIAL RIVIERA is obliged by law to provide data to third parties. For example, delivering guest data via the eVisitor system, delivering employee data to the competent institutions to the Croatian Pension Insurance Institute, to the Croatian Health Insurance Institute, the Tax Administration and the Central Register of Insured Persons and pension companies. Furthermore, in certain cases, IMPERIAL RIVIERA is obliged to submit or make available employment data to the Croatian Employment Service, for example to include workers in active employment policy measures, the competent police stations or the ministry responsible for internal affairs, for example in the case of senior government officials staying in IMPERIAL RIVIERA's properties, as well as for the issuance of work and residence permits, the ministry responsible for tourism in the case of employing scholarship holders, the ministry responsible for the economy and entrepreneurship when it comes to the use of investment subventions, insurance companies, banks and other cases required by law.

Also, certain employee data is sent to banks or pension funds as part of salary payments, and data can also be sent to creditors in accordance with enforcement regulations. Sometimes data is sent according to contractual obligations, for example with students in practice, data is exchanged with schools, colleges.

Certain personal data is also provided to business entities for the purpose of providing specific services such as the workers' health examinations (contracted ocupational medicine), further, to institutions that organize legally mandatory training (occupational safety, hygiene, toxicology) or audit companies when conducting mandatory audits, public notaries when certifying, the Financial Agency for the purpose of obtaining business certificates, public procurement payers when IMPERIAL RIVIERA applies for public procurement tenders, further for the purposes of awarding and using official cards, official mobile devices or for the purchase of fuel.

It is possible to deliver data to business entities, processors, who process the data on behalf of IMPERIAL RIVIERA, which acts as the processing manager. Most often, these are IMPERIAL RIVIERA's business associates who provide IT services, who store them in their databases or have the possibility of accessing personal data until the end of processing. A detailed contract is concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities and IMPERIAL RIVIERA to jointly determine the purposes and methods of personal data processing, in which case these external partners and IMPERIAL RIVIERA are joint processing managers. In these relations, the joint processing managers shall transparently determine their responsibilities for complying with the obligations under the Regulation, in particular with regard to the exercise of data subjects' rights and their duties to respect the transparency of processing, unless responsibilities are established by law.

A special case of data delivery to third parties is the fact that IMPERIAL RIVIERA has an entrepreneurial contract with Valamar and the data is submitted to Valamar, i.e. Valamar has access to personal data of IMPERIAL RIVIERA respondents in accordance with Management and other agreements (see chapter: ROLE OF VALAMAR RIVIERA d.d.).

If data are transferred to third countries as part of data processing, IMPERIAL RIVIERA ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. Hence, when international transfers of personal data are in use, IMPERIAL RIVIERA will inform the data subjects about the intention to disclose personal data to a third country or international organization and about the existence or non-existence of a European Commission's decision on adequacy. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

DATA STORAGE RETENTION

Data subjects' data are processed and stored, in accordance with applicable legal regulations when the retention obligation is prescribed (for example, payrolls, analytical records of salaries for which mandatory contributions are paid are kept permanently, and accounting documents on the basis of which data is entered in the journal, general ledger and auxiliary books are kept for at least eleven years), and in situations where IMPERIAL RIVIERA is authorized to set retention periods, data is stored as long as necessary for the purposes for which personal data is processed taking into account the purpose of processing, the legitimate interests of IMPERIAL RIVIERA and the interests of the data subjects to delete the data.

RIGHTS OF THE DATA SUBJECTS

Regardless of the basis for data collection, all users of our website can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: The data subject has the right to be informed about the processing and its purposes. IMPERIAL RIVIERA provides the data subjects with all the information necessary to ensure fair and transparent processing, taking into account the context of processing.

Right to deletion („right to forget“): The data subject has the right to request IMPERIAL RIVIERA to delete personal data relating to him/her, without undue delay in accordance with the terms of the Regulation. To do so, send your request to us (the processing manager) in writing, including an electronic form of communication. Please note that the request needs to specify what you wish to be deleted, since we can store your data on different legal bases, for example, the respondent can be both our guest and a candidate for employment. You have the right to request the deletion of personal data relating to you if one of the following conditions is met:

  • Your personal information is no longer necessary for the purpose for which we collected or processed it;
  • you have withdrawn the consent on which the processing is based and if there is no other legal basis for processing;
  • you have objected to the processing of your personal data and if there are no stronger legitimate reasons for our processing;
  • personal data has been processed illegally;
  • personal data must be deleted in order to comply with a legal obligation.

In some cases, it will not be possible to fully comply with the deletion request, for example when there is a legal obligation for retention, when the legitimate interest of the processing manager are stronger than the interest of the data subjects, when there is an interest of the processing manager to set, enforce or defend legal claims.

The right to access data: At the request of the data subject, IMPERIAL RIVIERA will provide him with confirmation whether his personal data is processed and if such personal data is processed, he will be granted access to personal data and the purpose of processing, data categories, potential recipients of the data to whom those data shall be disclosed, and other data in accordance with Regulation. The data subject is also entitled to receive a copy of the personal data being processed. Access to personal data may be restricted only in cases prescribed by law, i.e. when such restriction respects the fundamental rights and freedoms of others.

Right to rectification: The data subject has the right to obtain, without undue delay, the correction of incorrect personal data relating to him from IMPERIAL RIVIERA. Taking into account the purposes of processing, the data subject has the right to supplement incomplete personal data. To do so, send your request to us (the processing manager) in writing, including an electronic form of communication. We note that it is necessary to specify what is incomplete or not up-to-date in the request, and in what sense the above should be corrected and submit the necessary documentation in support of the allegations.

Right to data portability: The data subject has the right to receive personal data relating to him in a structured, commonly used and machine-readable format in accordance with the requirements of the Regulation.

Right to object: When IMPERIAL RIVIERA processes data on the basis of its legitimate interests which are stronger than the interests of the data subjects, then the data subject has the right to object to the processing of personal data related to him at any time.

Right to restricted processing: The data subject has the opportunity to ask IMPERIAL RIVIERA to exercise the right to restrict processing in case he disputes the accuracy of personal data, considers the processing to be illegal and opposes the deletion of personal data and instead requests restriction of their use, and has submitted a complaint and awaits confirmation as to whether the legitimate reasons of the processing manager go beyond the reasons of the data subject.

In any case, data subjects also have the right to:

  • submit a complaint to the Personal Data Protection Official,
  • file a complaint to the supervisory body (Personal Data Protection Agency) if they believe that their rights to data protection have been violated.

Send your written request to the contact address of the Personal Data Protection Official:gdpr@imperial.hr or by mail to the address Imperial Riviera d.d., Jurja Barakovića 2, 51280 Rab, Republic of Croatia - for DPO.

IMPERIAL RIVIERA as the Processing Manager has the right to protect the interests of the Processing Manager as well as the protection of the data subjects and accordingly has the right to carry out the activities of establishing the identity of the applicant.

IMPERIAL RIVIERA has the right to publish a form that will be used to submit a request in order to process the request as efficiently as possible.

On request, IMPERIAL RIVIERA provides information on the actions taken in relation to the exercise of data subject's rights without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, taking into account the complexity and number of applications. IMPERIAL RIVIERA shall notify the data subject of any such extension within one month from the date of receipt of the request, together with the reasons for the postponement.

If the data subject submits the request electronically, IMPERIAL RIVIERA provides the information electronically if possible, unless the data subject requests otherwise.

The data subject's request is generally free of charge, but if the data subject's request is manifestly unfounded or excessive, and in particular because of their frequent repetition, IMPERIAL RIVIERA is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.

PROTECTION OF PERSONAL DATA OF CHILDREN

IMPERIAL RIVIERA advises parents and guardians to teach children (up to 18 years of age) about safe and responsible handling of personal data, especially on the Internet. IMPERIAL RIVIERA processes personal data of children only with the prior consent of parents/guardians (for example: scholarship holders, when children are guests at our properties, visitors to Maro playrooms, etc.).

PERSONAL DATA SOURCES

IMPERIAL RIVIERA receives personal data most often from data subjects. When providing personal data to IMPERIAL RIVIERA, in any way (booking accommodation, job application…) you guarantee that the information you have provided is correct, that you are legally capable and authorized to dispose of the given information and that you fully agree that IMPERIAL RIVIERA collects and uses your data in accordance with the positive regulations and terms of this Privacy Policy.

Also, IMPERIAL RIVIERA receives personal data from other natural and legal persons, for example: from Valamar as a company that manages certain business aspects of business, from travel agencies that forward guest data for accommodation, guests who book accommodation for people with whom they will stay in facilities, agency for employment mediation and assignment of workers, from the holder of accommodation reservations for others guests for whom the reservation is made. When providing personal data of other persons to IMPERIAL RIVIERA, you guarantee that the information you provide is accurate, that you are legally capable and authorized to dispose of the information, that respondents whose personal data you forward IMPERIAL RIVIERI agree that IMPERIAL RIVIERA uses and collects their data in accordance with positive regulations and the terms of this Privacy Policy.

TECHNICAL AND INTEGRATED DATA PROTECTION

IMPERIAL RIVIERA, as the processing manager, provides the highest organizational and technical standards of data protection. Therefore, considering the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, at the time of processing, appropriate technical and organizational measures to enable the effective application of the principles of data protection are applied.

Also, IMPERIAL RIVIERA implements appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose of processing are processed in an integrated manner. IMPERIAL RIVIERA applies this measure to the amount of personal data collected, the scope of their processing, the retention period and their availability. Specifically, such measures ensure that personal data is not automatically, without the intervention of an individual, available to an unlimited number of individuals.

TREATMENT OF PERSONAL DATA INFRINGEMENTS

As the data processing manager, IMPERIAL RIVIERA shall without undue delay and, where feasible, no later than 72 hours after discovering, notify the competent supervisory authority about the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The report submitted to the supervisory authority shall contain all information prescribed by the Regulation.

In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, IMPERIAL RIVIERA, as the processing manager, shall inform the data subjects of the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing data subjects is not mandatory.

SPECIFIC SECTION


STAY IN PROPERTIES (hotels, apartments, campings)

IMPERIAL RIVIERA'S main business activity is the provision of accommodation services in its hotels, apartments and campings. Therefore, IMPERIAL RIVERA collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourism companies.

IMPERIAL RIVIERA, as the processing manager, stores your personal data that you must provide for accommodation services in its database for the purpose of fulfilling accommodation contracts and fulfilling legal obligations related to the hospitality business. In case you do not provide IMPERIAL RIVIERA with the minimum data required for booking accommodation and for the registration to all competent registers, IMPERIAL RIVIERA will not be able to provide you with booking services or accommodation services in accordance with the contract and law.

Certain information is necessary in order to take action at the request of the data subject before concluding the accommodation contract. For example, before booking accommodation at the request of potential guests, we send accommodation offers, for which composition IMPERIAL RIVIERA needs personal data, at least name, surname and e-mail address in order to be able to send an offer.

The personal data that IMPERIAL RIVIERA collects when booking accommodation (reservations via the web or reservations by phone by via the call center or reservations by accepting the offer via e-mail) in order to fulfill the reservation obligation are:

  • name and surname of the reservation holder
  • residence address (Croatian citizens)
  • date of birth
  • number, type of identification document and place of issue
  • citizenship
  • property name
  • number of accommodation units, type of accommodation unit (room type)
  • date of arrival and departure
  • number of persons per accommodation unit
  • minors
  • possibly other specifics depending on the request of the person booking the accommodation
  • e-mail if the person has one
  • language
  • phone number
  • membership in the Loyalty program, if it affects the price of accommodation or collecting points
  • payment method and possible additional information needed to execute the transaction or secure payment

In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.

Upon arrival at the property, guests usually check in at the reception via a registration card that the guest fills out or reviews and confirms the accuracy of the data or checks in using the self-check-in applications. In any case, the data is entered into the guest database from which the data is automatically sent to the eVisitor system (a unique online information system for registration and deregistration of guests) in order to comply with the legal obligations of IMPERIAL RIVIERA. The data collected are (data is subject to change due to changes in positive regulations):

  • name and surname
  • place, country and date of birth
  • citizenship
  • number and type of identification document
  • residence and address
  • date and time of arrival or departure from the property
  • sex
  • basis for exemption from tourist tax payment or for reduction of tourist tax payment

This data are processed by tourist boards and public authorities of the Republic of Croatia for the following legal purposes:

  • monitoring the fulfillment of obligation to register and deregister tourists (accommodation service provider);
  • records, calculation and collection of tourist tax;
  • keeping a book or a list of guests by the service provider and monitoring the execution of the said obligation by the inspection bodies;
  • reporting foreigners to the ministry in charge of internal affairs and monitoring the execution of the stated obligation by inspection bodies;
  • keeping a list of tourists by tourist boards and statistical processing and reporting;
  • supervising the operations of the service provider in the part related to the legality of business conduct, i.e. the provision of registered services, and compliance with tax and other regulations concerning public liabilities.

Since it is prescribed that the data for guest registration is entered on the basis of data from the identity card, or travel or other identity document, the guest is obliged to provide IMPERIAL RIVIERA with such a document and provide all other information necessary for data entry, but are not contained in such a document. Also, in order to exercise certain rights and benefits, it is necessary to enclose (copies) of appropriate documents or certificates by which such rights and benefits are proven and exercised.

In addition, IMPERIAL RIVIERA is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with personal data of the guest in accordance with legal regulations.

Other data related to the circumstances of your stay such as: mode of travel, who you are traveling with, marital status, number of children, pets, other interests, will also be collected and processed during your stay when they have a direct connection with the accommodation service.

Before, during and after the stay IMPERIAL RIVIERA as the processing manager has the right based on the legitimate interest to send you so-called service messages - booking confirmations, reminders and other information closely related to the specific stay you have booked.

Also, during and after the stay, IMPERIAL RIVIERA as the processing manager has the right based on the legitimate interest to send to you as guest questionnaires about service satisfaction via e-mail, sms and/or instant messaging platforms (viber, whatsapp, etc.) which will be processed by us or through associates. The primary purpose of the service satisfaction questionnaire is to collect service data for the legitimate interest of service improvement by IMPERIAL RIVIERA, and IMPERIAL RIVIERA may depersonalize and process this data from the questionnaire for statistical purposes.

IMPERIAL RIVIERA has the right, based on a legitimate interest, to collect certain data and use it for direct marketing.

Service messages and messages with service satisfaction questionnaires related to a specific stay of the guest are not considered newsletters for the purpose of sending IMPERIAL RIVIERA offers and news.

EXCHANGE OFFICE

IMPERIAL RIVIERA also provides exchange services at its exchange offices, usually at the receptions of properties. IMPERIAL RIVIERA is obliged in accordance with applicable regulations on the prevention of money laundering and terrorist financing, in some cases to establish and verify the identity of the person using the exchange services by inspecting the official identity document of the party in his presence and perform in-depth analysis. In the event that we are unable to carry out in-depth analysis measures when required to do so, IMPERIAL RIVIERA must not establish a business relationship or perform a transaction, or must terminate an already established business relationship and consider whether to notify the competent authority of a suspicious transaction, funds and persons.

Also, in accordance with the regulations, video surveillance of exchange offices is mandatory. The data is stored in accordance with the regulations based on the legal obligation of IMPERIAL RIVIERA.

EXCURSIONS, CONCERTS, TRANSFERS AND OTHER EXPERIENCES

IMPERIAL RIVIERA is also a travel agency and provides or mediates additional services to its guests and other persons, being preciselly: sales of various excursions, concerts, other experiences, transport services, car rental services and, if necessary, other services.

If you wish to use these services, IMPERIAL RIVIERA may collect the following information if necessary:

  • Name and Surname
  • contact information (phone and/or e-mail address)
  • other information closely related to the services provided (for example: flight number if you are requesting a transfer from the airport to IMPERIAL RIVIERA; gender, citizenship, date of birth, type and number of identification document due to legal provisions related to border crossing if you want a cross-border trip).

The stated data, but also other depending on the specific service you are looking for, will be collected solely for the purpose of providing the service you want to use.

In the case of services organized by other associates, this information will be forwarded to the associate in charge of providing a particular selected service and they become the processing managers of the personal data and we kindly ask you to get yourselves familiar with their privacy policies.

In the case of sending personalized offers, at the request of the customer, the specified data is stored for two months.

Data collected by IMPERIAL RIVIERA during the provision of other services to guests or third parties (excursions, concerts, experiences, transport) requesting the services in question by phone, at receptions or via the web, will be kept for a maximum of 5 years for possible complaints about services provided, and longer only if it is so required by special regulations (accounting, etc.). For certain services (for example: rental of deck chairs, etc.) the data will be kept until the services are performed.

CANDIDATES FOR EMPLOYMENT AND EMPLOYEES

IMPERIAL RIVIERA is the employer of a large number of individuals and this part of the Policy regulates the protection of personal data primarily in the processes related to employment, development and education within IMPERIAL RIVIERA. In this sense, the data subjects are primarily former and current employees, job seekers, interns (students), professional development, students who work on the basis of the so-called student contract, scholarship holders and other persons whose data is processed within the framework of employment and related relations.

As part of the data processing carried out in connection with employment, IMPERIAL RIVIERA identified the following purposes of processing:

  • Personnel selection: includes the collection and further processing of relevant competition documents, testing and evaluation, collection and analysis of information on candidates from publicly available sources including information publicly disclosed about the candidate if relevant to the risks of the job.
  • Reputation risk reduction: collection and analysis of information about employees and persons in a comparable relationship from publicly available sources including information that the respondent has publicly disclosed about himself if this is important because of the risk that a particular job entails.
  • Conclusion of the contract: processing for the purpose of concluding an employment contract, student contract, professional internship or professional training, scholarship contract with persons not employed in IMPERIAL RIVIERA or any other comparable relationship.
  • Exercise of material and other rights: processing is necessary in order to exercise the material and other rights of workers, persons in a comparable relationship or other persons (e.g. children, spouses or insurance beneficiaries), for example to exercise the right to enter active employment policy measures (permanent seasonal and others), for the realization of additional rights of workers under the collective agreement IMPERIAL RIVIERA (for example: the birth of a child) and others.
  • Fulfilment of the contract: data processing is necessary for the purpose of fulfillment of the contract by the respondents, which includes fulfillment of work obligations, monitoring of their execution and ensuring all relevant measures for their execution.
  • Registration of accommodation: data processing is necessary in case the data subjects stay in the facilities for personal accommodation of workers in order to register their stay with the competent authorities.
  • Performance Management: this purpose includes information on the achievement of previously set goals, timely fulfillment of goals, and further analysis to determine future goals, human resources management, determining the amount of rewards and other relevant measures.
  • Rewarding: processing includes rewarding or payment of a fixed and variable part of the remuneration, where such processing may include data on violations of ethical and other internal rules, data from the performance management system, on attended trainings, as well as all other relevant data.
  • Education: processing for the purpose of educating persons acting under the guidance of IMPERIAL RIVIERA including knowledge tests, which includes all necessary actions for candidacy and registration of respondents, analysis of acquired knowledge and all other relevant information for organizing, implementing and further action in education process.
  • Preparation of various reports on employees: some reports are made for the legal obligation of IMPERIAL RIVIERA, some for the realization of certain rights, fulfillment of IMPERIAL RIVIERA's obligations in case of contracting and realizing additional benefits for workers, budgeting, etc.
  • Information: data collection and processing for the purpose of quality and timely informing candidates about open positions and competitions, i.e. employment opportunities within IMPERIAL RIVIERA. Collection and processing of data for the purpose of quality and timely informing all IMPERIAL RIVIERA employees about new changes or special notices important for the exercise of employment rights or important information in the field of general knowledge of events and activities in IMPERIAL RIVIERA regarding the exercise of employment rights or any comparable relationship. For this purpose, information is sent by phone and/or to official e-mail addresses, or private if the employee has given consent to use the e-mail address for this purpose. Furthermore, IMPERIAL RIVIERA may offer employees the use of applications that employees voluntarily install on their mobile devices through which they can find out various news related to IMPERIAL RIVIERA or its partners.
  • Protection of property and persons: includes monitoring of entry/ exit from business premises, use of official mobile devices, computer equipment, internet and telephone traffic, cars, premises, and other property of IMPERIAL RIVIERA as well as access to guest property in accordance with internal acts.
  • Termination of employment: data processing due to termination of employment contract or other comparable contract, in order to fulfill legal and contractual obligations.
  • Ethical Behavior Monitoring: processing includes all proceedings that investigate compliance with ethical conduct or dignity regulations, or in any other disciplinary action, whether the respondent is a reported person or a notifier.
  • Work Safety: data processing may be required in cases where it is necessary to fulfill the purpose of special work safety regulations, including alcohol testing in accordance with regulations.

IMPERIAL RIVIERA has a legitimate interest in realizing various benefits for its employees, as well as facilitating some business processes. In this sense, IMPERIAL RIVIERA can, based on a special decision, decide on various tools that achieve these purposes (for example, issuing ID cards to employees who receive discounts, giving certain instructions via SMS, taking photos in certain cases, etc.) in which case employees will be timely informed.

In addition to the stated purposes, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations arising from employment, or in relation to employment and any comparable relationship.

IMPERIAL RIVIERA's database on former and current employees, candidates, interns (students), professional training, students working on the basis of the so-called student contract, scholarship holders and other persons whose data is processed in the framework of employment and related relations is kept in a special application. An appropriate contract has been concluded with the application maintenance and support holder as the enforcer of personal data processing.

Personnel Selection

IMPERIAL RIVIERA as a potential employer collects, processes and stores the data of candidates for employment in IMPERIAL RIVIERA in the candidate database based on their voluntary application in the following ways:

  • application of candidates via a web application form that serves as a kind of CV,
  • Sign in via Email,
  • by coming to organized auditions and filling out application forms,
  • or otherwise.

Data which is usually collected is: name, surname, date of birth, address, nationality, personal identification number (OIB for Croatian citizens, as is it the most reliable data to differentiate candidates), mobile phone number, e-mail (for contacting), sex, qualifications, language, preferred manner of communication.

IMPERIAL RIVIERA may obtain information on candidates indirectly, from domestic and foreign employment agencies, in which case these agencies are obliged to inform candidates about the processing of their personal data by IMPERIAL RIVIERA.

Candidates send their job applications to:

  • open applications in which case we process data for the purpose of contacting candidates regarding employment for 5 years;
  • as applications for specific vacancies that have a specified deadline, in which case we process the data during the vacancy and 5 months from the end of the vacancy to contact candidates for employment, and these applications are archived for 5 years.

In the event that candidates who apply for specific vacancies that have a specified deadline give special consent, we process the data to contact candidates for employment for 5 years, as well as open applications.

IMPERIAL RIVIERA has a legitimate interest in using the obtained e-mail addresses, as well as other submitted contact information for contacting candidates related to employment. For example, after applying, candidates can receive an automatic response that their application has been received and that candidates whose qualifications and experience are in line with those required for individual jobs will be contacted. Also, after applying, candidates can receive a message on the phone number with the proposed date of the interview, a message stating the documentation required for employment and the like. Additionally, persons who have worked for a fixed period of time, predominantly seasonal jobs, IMPERIAL RIVIERA has a legitimate interest in contacting them in order to inform them on important issues concerning business and key activities in IMPERIAL RIVIERA and in order to maintain contact in case of future cooperation. You can unsubscribe from the list of recipients news from IMPERIAL RIVIERA for free, any time.

The data is kept provided by the candidates themselves, but IMPERIAL RIVIERA creates personal data related to employment activities, such as the results of job interviews, tests and assessments, based on the legitimate interest of ensuring the best candidates, and collects personal data from third parties, primarily by data verification obtained during the recruitment process by contacting relevant third parties (for example: employment agencies, education and training providers) or by using publicly available sources.

Employment relation and other comparable relations

As an employer, IMPERIAL RIVIERA collects, processes and stores all employee data in the employee database kept in the IT program and in the physical files of employees. The data collected is listed in the Regulation on the content and manner of keeping records on workers published by the ministry responsible for labor and pension system.

The necessary information for employment is usually: a copy of the ID card, a copy of the current account or payment instructions from the bank, a copy of the protected account (if the employee has it), PIN, proof of education (copy of certificate or diploma), e-book: certificate of pensionable service, (to be obtained from HZMO or via the e-Citizens service), Electronic record of the tax card form, so-called PK form (obtained from the Tax Administration or through the e-Citizens service, persons who are employed for the first time, do not have an electronic record of the tax card form and must open it at the Tax Administration), birth certificate of a child under 15 years, certificate of residence (obtained from the Ministry of the Interior or through the e-Citizens service), wedding certificate (obtained from the registry office or through the e-Citizens service).

The necessary data for concluding student contracts are usually: a certificate from the faculty for the current year as proof of student status or a copy of the index of the enrolled current year, a copy of the ID card, a certificate of enrollment for the Student Center (not all student centers), one photo or X -ica card, PIN.

In addition to these data, IMPERIAL RIVIERA may keep in the employee's file other data collected in the employment process, as well as other data collected during employment determined by IMPERIAL RIVIERA regulations (for example: awards, reminders, certificates, etc.).

All employee data is stored in the employee database on the date of employment and are kept up to date until the termination of employment and are kept as documentation of permanent value in accordance with the relevant regulations.

IMPERIAL RIVIERA also keeps in its database the data of other persons in a business relationship comparable to the employment relationship or persons in practice and professional development with the beginning of work and promptly leads them to termination of work and are stored in accordance with relevant regulations. A special case is the data of students in practice who may be minors of whom is taken special care and whose data is collected and stored in accordance with special regulations with the approval of the school and parents.

Salary data, payroll - are subject to special storage regulations. In any case, all workers and other persons in a business relationship comparable to the employment relationship or a person in practice and on professional development have all the rights of a data subject.

BUSINESS PARTNERS

In its business operations, IMPERIAL RIVIERA also processes data from business partners or potential business partners, which are:

  • natural persons who are, can become or have been business partners of IMPERIAL RIVIERA, e.g. craftsmen, persons who are in the regime of independent professions (e.g. lawyers, doctors, etc.), persons with whom work contracts are concluded (e.g. singers, painters, photographers, etc.) and other natural persons who have the status of entrepreneurs and
  • natural persons who in some part of the business represent legal entities with which IMPERIAL RIVIERA has, may have or had a business relationship (e.g. persons who deliver for their employer company, persons to whom invoices are sent for their employer legal entity, signatories of contracts for companies representing persons who hand over for the company, persons who organize congresses for their legal entity, etc.)

As part of the data processing of data subjects, IMPERIAL RIVIERA identified the following purposes of processing:

  • Conclusion of the contract: processing for the purpose of concluding the contract from any area of IMPERIAL RIVIERA's activity (for example: sending inquiries, sending special offers, requesting data on the signatories of the contract, sending tenders for legal entities represented by data subjects, etc.);
  • Fulfilment of the contract: data processing is necessary for the purpose of fulfilling the contract, which includes fulfilling obligations, monitoring their execution and ensuring all relevant measures for their execution (for example: to agree on time and place of delivery of equipment under the contract, to send invoices, etc.);
  • Information: data collection and processing for the purpose of quality and timely information; IMPERIAL RIVIERA has the right, based on legitimate interest, to collect certain data and use it for the purpose of direct marketing.

In addition to the stated purposes, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations arising from the business relationship.

Type of personal data collected from data subjects are:

  • Name and Surname,
  • E-mail,
  • Phone Number,
  • data on the function within the legal entity he represents (eg sales clerk, secretary of the administration, etc.),
  • occupation when the data subject is a natural person with whom a contractual relationship is entered into (for example: singer, painter, photographer, lawyer, doctor ...),
  • sometimes references and short CVs (especially for consultants),
  • data stated on the forms of blank promissory notes, promissory notes, bills of exchange,
  • bank account number (IBAN) when the business partner is a natural person with whom a contractual relationship is entered into, and
  • other information depending on the nature of the business relationship.

Places of personal data collection of data subjects:

  • received offers of data subjects for business cooperation,
  • data received from data subjects in the context of selling IMPERIAL RIVIERA products / services or purchasing products / services from a business partner (for example: fairs, congresses, etc.),
  • business correspondence related to certain previous or current business cooperation (for example, correspondence performed as part of the execution of a contract),
  • publicly published data (for example: court register, business partner websites, magazines, newsletters, etc.).

In addition to the stated type and place of data collection, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary for the exercise of rights and obligations arising from the business relationship.

Retention period

Data kept from data subjects who are natural persons in a business relationship with IMPERIAL RIVIERA are kept in accordance with applicable legal regulations (for example, IMPERIAL RIVIERA is obliged to keep all invoices, as well as the basis for issuing invoices in accordance with legal regulations. ).

In situations when IMPERIAL RIVIERA is authorized to set deadlines for data retention, they are determined taking into account the purpose of processing and the interests of data subjects to destroy the data, and this is set at a maximum of 5 years from the termination of the contractual relationship (if any).

PUBLIC ANNOUNCEMENTS

IMPERIAL RIVIERA can through its website,video walls, billboards in buildings and in other ways publish information that is of interest to existing but also potential workers, guests, business partners, and therefore the public. Such disclosures may contain a limited set of personal information, such as first and last names, functions, professional information, videos, statements and photographs.

The legal basis for processing is the legitimate interest of informing the public, but also marketing, during which the interest of the data subjects is always taken into account, so personal data is not published if it is determined that the interest of data subjects not to publish certain personal data is stronger than the interest of IMPERIAL RIVIERA to publish them. In some situations, the disclosure of information may be based on consent in accordance with the highest standards.

Announcements have a permanent character, which ensures information about current events as well as insight into previous activities.

Processing shall cease if, on the basis of the data subjects' objection, it is established that such objection is justified or if the data subject has withdrawn the consent in situations where the consent is applicable in a manner that can be enforced.

VIDEO SURVEILLANCE

IMPERIAL RIVIERA, as the processing manager, has a legitimate interest in implementing video surveillance measures to protect property and persons, and in certain cases (such as: exchange offices which are located at reception desks of the propertie), and has the legal duty to install surveillance cameras that record all persons moving around the perimeter of the surveillance camera (guests, employees, business partners, etc.).

The processing of personal data of employees via video surveillance is also enforced through conditions provided by provisions which regulate work safety.

IMPERIAL RIVIERA marks all places where video surveillance is installed in the prescribed manner.

IMPERIAL RIVIERA is aware that the videos contain personal data of all persons moving around the perimeter of the camera, and therefore keeps them with special care, has a regulated system of security, availability and deletion policy in accordance with IMPERIAL RIVIERA's internal safety rules.

Videos are automatically deleted after a maximum of 15 days from the date of recording. In case of exceptions (recording over), videos are kept for maximum period of 6 months, or longer in case law prescribes it or in case the tape is evidence in a legal, administrative, arbitration or other equivalent procedures. Videos being excepted shall be stored in centraly-informing system with extremely limited approach.

In the event of court and/or criminal proceedings, IMPERIAL RIVIERA may use these videos. Insight into personal data on videos may also be obtained by third parties, data processors, contractual partners of IMPERIAL RIVIERA registered and professional for the provision of services for the protection of persons and property, who in no way use the data independently but take care of the security of central surveillance and reporting system. Special regulations governing the area apply to all other details related to video surveillance.

FINAL PROVISIONS

This Privacy Policy is available at http://imperial-riviera.hr/uploads/privatnost/en/IR-PRIVACY-POLICY.pdf as well at the human resources offices and receptions of IMPERIAL RIVIERA's properties.

IMPERIAL RIVIERA reserves the right to change and / or amend these Privacy Policies at any time, and will update the Privacy Policy on the above media.

Valamar Obertauern GMBH privacy policy

Valamar Obertauern GmbH with its headquarters at Gamsleitenstrasse 6, 5562 Obertauern, Austria, FN 195893d, UID AT U50245104, (hereinafter: OBERTAUERN or we or our or controller) as owner of Valamar Obertauern Hotel 4*, respects the privacy of every person from whom collects personal data. We would like to inform you about what personal data we collect as the data controller, for what purpose, how we protect the data and what your rights are.

DATA CONTROLLER AND LEGAL FRAMEWORK

As the data controller, OBERTAUERN is committed to protect your personal data. The collection and storage of data is carried out in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: Regulation), TKG (Telecommunications Law 2021) and other regulations governing the subject area, which are applied in the Republic of Austria.

SCOPE OF APPLICATION

This Policy applies to any processing of personal data performed by OBERTAUERN as the data controller, unless another policy or other OBERTAUERN document prescribes otherwise for a particular processing.

This Policy is divided into two parts: The General Section and the Specific section.

The basic principles of personal data processing, contact details and other provisions specified in the General Section of this Policy are applied without exception to any personal data processing regardless of whether such processing is specifically processed in the Specific Section of this Policy or not.

The Specific Section of the Policy deals, in more detail, with specific cases of data processing which represent the majority of all processing by OBERTAUERN.

CONTACT FOR DATA PROTECTION REQUESTS

Regarding issues related to personal data protection and for exercising their rights guaranteed by the Regulation please contact OBERTAUERN at any time via e-mail:dsgvo.obertauern@valamar.at or by mail to the address OBERTAUERN, 5562 Obertauern, Gamsleitenstrasse 6.

All requests not related to data protection, which are delivered to this address, e.g. offers of job candidates, booking inquiries in Hotel Valamar Obertauern 4*, etc. will be provided directly to the relevant departments.

PERSONAL DATA PROTECTION PRINCIPLES

OBERTAUERN has recognized the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. OBERTAUERN processes data:

  • Lawfully - by processing data only if allowed by law and within the limits prescribed by law.
  • Fairly - by considering the specifics of each relationship, applying all appropriate measures to protect personal information and privacy in general and not impeding data subjects in exercising their rights.
  • Transparently - by informing data subjects about the processing of personal data. From the start of the data collection process, when data subjects are informed about all aspects of data processing, until its termination, data subjects are provided easy and fast access to their own data.
  • Purpose limitation - by processing personal data for the purposes they were collected for and for other purposes only if the conditions of the Regulation are met. Data may be processed for matching purposes only considering (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which the personal data was collected, in particular concerning the relationship between the data subjects and OBERTAUERN; (c) the nature of the personal data; (d) the possible consequences of the intended continuation of processing for the data subjects; and (e) the existence of appropriate protection measures.
  • Storage limitation - by storing data in a form which permits identification of data subjects for no longer than is necessary for the initial purposes, and longer only if permitted by the Regulation.
  • Data minimization - by processing data if it is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Particular attention is given to not collecting data for which there is no justifiable reason for processing.
  • Accuracy - by keeping data accurate and up-to-date, and erasing inaccurate data in the scope of possibility.
  • Integrity and Confidentiality - by using appropriate technical and organisational measures to ensure appropriate personal data protection, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Relevant measures are applied considering the risk of each type of data processing.

LEGALITY OF PERSONAL DATA PROCESSING

In order to respect the lawfulness of processing personal data, OBERTAUERN processes personal data only if and to the extent that at least one of the following is met:

  • Processing is necessary for the performance of the contract to which the data subject is a party or in order to act at the request of the data subject prior to the conclusion of the contract; this is the most common purpose of data processing with an existing contractual relationship or a contractual relationship in negotiations as its basis.
  • Processing is necessary to comply with the legal obligations of the data controller. As a legal entity, OBERTAUERN has a number of obligations prescribed by various regulations. This obligation includes the collection and often the submission of data to public authorities.
  • Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests are stronger than the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data, considering reasonable expectations of data subjects based on their relationship with the data controller, especially if the data subject is a child. In applying this legal basis, OBERTAUERN assesses that the processing is appropriate to business needs, that it is the least invasive as possible and that the interests of the data subjects do not exceed the legitimate interests of OBERTAUERN or a third party. Examples of such processing are processing for administrative purposes, the purposes of maintaining computer network security. The data subject always has the right to object to such processing in these situations.
  • Processing is necessary to protect key interests of the data subject or other natural person.The right to personal data protection is not an absolute right and OBERTAUERN equates it with other fundamental rights in accordance with the principle of proportionality.
  • The data subject has consented to the processing of his or her personal data for one or more specific purposes. When processing personal data on the basis of consent, OBERTAUERN provides that these are situations in which there are no, formal or informal, consequences for giving, refusing or denying consent. When processing is based on consent, the data subject may withdraw consent at any time without negative consequences. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

TYPES OF PERSONAL DATA PROCESSED

Specific categories of personal data: shall be processed only if the conditions set out in Article 9 of the Regulation are met.

Data relating to criminal convictions and offenses: shall be processed only under the control of official authority and in accordance with Article 10 of the Regulation.

Personal data that are not included in the previous two groups: that kind of data makes most of the processed data. The most common types of data are identification and contact data such as name, surname, e-mail address and data that are related with your relation with us (accommodation etc.).

Most of the personal data that we collect is provided by the data subjects themselves. Therefore, we kindly ask you that you do not provide sensitive information (such as race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when this is not necessary. If you nevertheless provide sensitive information for any reason, you hereby give your express consent to the collection and use of such information in the ways described in these Policy or in the manner described at the time of disclosure of that information.

THE ROLE OF VALAMAR RIVIERA d.d.

OBERTAUERN concluded with the company Valamar Riviera d.d. with its registered office in Poreč, Stancija Kaligari 1 OIB: 36201212847 (hereinafter: Valamar) Contract in relation to the management of hotel and tourist facilities and contents (hereinafter: Management contract) based on which Valamar manages certain business segments of OBERTAUERN.

Due to such Management contract, when managing Hotel Valamar Obertauern 4*, Valamar sometimes directly manages certain activities, including the management of some of the activities described in the Special Section of this Privacy Policy, in particular Valamar can process the personal data of the guests for providing the sales and marketing services. In addition, Valamar sometimes receives data from OBERTAUERN and has a right of access to relevant data base to perform certain activities where it subsequently comes to personal data processing.

For example, Valamar can manage the reservation function through the Valamar reservation center (call center) and via the websites www.valamar.com, and in these cases Valamar is an independent data controller (and data subjects will be informed on the spot about that fact) however, all this information related to Hotel Valamar Obertauern 4* are and have to be also processed by OBERTAUERN as an owner and independent data controller.

Furthermore, Valamar has a legitimate interest in processing of personal data carried out for the purposes of direct marketing, primarily for the purpose of sending marketing messages (newsletters) by e-mail, SMS and / or instant messaging platform (Viber, Whatsapp, etc.). Based on a legitimate interest, Valamar may send different newsletters depending on the relationship that respondents have with Valamar or the facilities under Valamar's management. For this purpose, personal data is collected from guests and persons who have asked for an offer or booked accommodation, persons who have participated in the prize game (if there will be any), joined the Valamar`s loyalty program, filled out a satisfaction questionnaire about accommodation in or otherwise had a relationship with Valamar.

Following the above, in certain cases Hotel Valamar Obertauern 4* guests can expect to receive from Valamar newsletters containing information about all other hotels and facilities managed by Valamar, as well as accommodation quality questionnaires and other service e-mails. For Hotel Valamar Obertauern 4* guests, prize games can be organized from time to time, which can be organized by Valamar, in which case guests personal data will be collected only if guests decide to participate in the prize game.

Valamar's Plus Club Loyalty Program can be applied for the OBERTAUERN. The conditions of membership are contained in Valamar's loyalty programme terms and conditions, which can be found at https://www.valamar.com/cmsmedia/loyalty/terms-conditions-en.pdf .

Also, based on the Management contract, Valamar has certain rights and obligations related to human resources, so in these cases Valamar has the right to process personal data of employees and candidates for employment in OBERTAUERN for the purpose of managing the business processes in the Hospitality Operations.

When Valamar acts as the data controller, the Valamar Privacy Policy applies, which can be found at: https://www.valamar.com/en/privacy-policy / https://www.valamar.com/hr/izjava-o-privatnosti.

DATA DELIVERY TO THIRD ENTITIES

OBERTAUERN shares personal information with others only when permitted.

OBERTAUERN is obliged by law to provide data to third parties. For example, delivering guest data and employee data to the competent institutions.

It is possible to deliver data to business entities, processors, who process the data upon instruction of OBERTAUERN, which acts as the data processor. Most often, these are OBERTAUERN's business partners who provide IT services, who store certain data in their databases or have the possibility of accessing personal data until the end of processing. In that cases a detailed contract shall be concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities and OBERTAUERN to jointly determine the purposes and methods of personal data processing, in which case these external partners and OBERTAUERN are joint data controllers. In these relations, the joint data controllers shall transparently determine their responsibilities for complying with the obligations under the Regulation, in particular with regard to the exercise of data subject`s rights and their duties to respect the transparency of processing, unless responsibilities are established by law.

A special case of data delivery to third parties is the fact that OBERTAUERN has the Management contract with Valamar (see chapter: ROLE OF VALAMAR RIVIERA d.d.).

If data are transferred to third countries as part of data processing, OBERTAUERN ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

DATA STORAGE RETENTION

Personal data are processed and stored for the period in accordance with applicable legal regulations when the retention obligation is prescribed (for example, accounting documents), and in situations where OBERTAUERN is authorized to set retention periods, data is stored as long as necessary for the purposes for which personal data is processed taking into account the purpose of processing, the legitimate interests of OBERTAUERN and the interests of the data subjects to delete the data.

RIGHTS OF THE DATA SUBJECTS

Regardless of the basis for data collection, all data subjects can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: The data subject has the right to be informed about the processing and its purposes. OBERTAUERN provides the data subjects with all the information necessary to ensure fair and transparent processing, considering the context of processing.

Right to erasure (“right to be forgotten”): The data subject has the right to request to delete personal data relating to him/her, without undue delay in accordance with the terms of the Regulation. To do so, please send your request to us in writing, including an electronic form of communication. Please note that the request needs to specify what you wish to be deleted, since we can store your data on different legal bases. You have the right to request the deletion of personal data relating to you where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant and there are no overriding legitimate grounds for the processing, or the data subject objects;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation;
  • the personal data have been collected in relation to the offer of information society services.

In some cases, it will not be possible to fully comply with the deletion request, for example when there is a legal obligation for retention, when the legitimate interest of the controller is stronger than the interest of the data subjects, when there is an interest of the data controller to set, enforce or defend legal claims.

Right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to data portability: The data subject has the right to receive personal data relating to him in a structured, commonly used and machine-readable format in accordance with the requirements of the Article 20 of Regulation.

Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on public interest and legitimate interests, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

In any case, data subjects also have the right to:

  • to submit a complaint time via e-mail: dsgvo.obertauern@valamar.at or by mail to the address OBERTAUERN Gmbh, Gamsleitenstrasse 6, 5562 Obertauern, Austria
  • to lodge a complaint with a supervisory authority (Austrian Data Protection Authority) if they believe that their rights to data protection have been violated.

OBERTAUERN as the data controller has the right to protect the interests of the data controller as well as the protection of the data subjects and accordingly has the right to carry out the activities of establishing the identity of the applicant. OBERTAUERN has the right to publish a form that will be used to submit a request in order to process the request as efficiently as possible.

On request, OBERTAUERN provides information on the actions taken in relation to the exercise of data subject's rights without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, considering the complexity and number of applications. OBERTAUERN shall notify the data subject of any such extension within one month from the date of receipt of the request, together with the reasons for the postponement.

If the data subject submits the request electronically, OBERTAUERN provides the information electronically if possible, unless the data subject requests otherwise.

The data subject's request is generally free of charge, but if the data subject's request is manifestly unfounded or excessive, and in particular because of their frequent repetition, OBERTAUERN is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.

PROTECTION OF PERSONAL DATA OF CHILDREN

OBERTAUERN advises parents and guardians to teach children about safe and responsible handling of personal data, especially on the Internet. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

PERSONAL DATA SOURCES

OBERTAUERN receives personal data most often from data subjects. When providing personal data to OBERTAUERN, in any way (booking accommodation, job application…) you guarantee that the information you have provided is correct, that you are legally capable and authorized to dispose of the given information and that you fully agree that OBERTAUERN collects and uses your data in accordance with the regulations and terms of this Privacy Policy.

Also, OBERTAUERN receives personal data from other natural and legal persons, for example: from Valamar as a company that manages certain business aspects of business, from travel agencies that forward guest data for accommodation, guests who book accommodation for people with whom they will stay in hotel, agency for employment mediation and assignment of workers, from the holder of accommodation reservations for others guests for whom the reservation is made.

When providing personal data of other persons to OBERTAUERN, you guarantee that the information you provide is accurate, that you are legally capable and authorized to dispose of the information, that respondents whose personal data you forward to us agree that OBERTAUERN uses and collects their data in accordance with positive regulations and the terms of this Privacy Policy.

TECHNICAL AND INTEGRATED DATA PROTECTION

OBERTAUERN, as data controller, provides the highest organizational and technical standards of data protection. Therefore, considering the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, at the time of processing, appropriate technical and organizational measures to enable the effective application of the principles of data protection are applied.

Also, OBERTAUERN implements appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose of processing are processed in an integrated manner. OBERTAUERN applies this measure to the amount of personal data collected, the scope of their processing, the retention period and their availability. Specifically, such measures ensure that personal data is not automatically, without the intervention of an individual, available to an unlimited number of individuals.

DATA BREACH

In the case of a personal data breach, as the data controller, OBERTAUERN shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The report submitted to the supervisory authority shall contain all information prescribed by the Regulation.

In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, OBERTAUERN, as the data controller, shall inform the data subjects of the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing data subjects is not mandatory.

Special section

ACCOMMODATION

OBERTAUERN'S main business activity is the provision of accommodation services in its Hotel Valamar Obertauern 4*. Therefore, OBERTAUERN collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourism companies.

OBERTAUERN, as the data controller, stores your personal data that you must provide for accommodation services in its database for the purpose of fulfilling accommodation contracts and fulfilling legal obligations related to the hospitality business. In case you do not provide OBERTAUERN with the minimum data required for booking accommodation and for the registration to all competent registers, OBERTAUERN will not be able to provide you with booking services or accommodation services in accordance with the contract and law.

Certain information is necessary in order to act at the request of the data subject before concluding the accommodation contract. For example, before booking accommodation at the request of potential guests, you have to receive offer, for which personal data is needed, at least name, surname and e-mail address in order to be able to send an offer.

The personal data that OBERTAUERN collects when booking in order to fulfil the reservation obligation usually are:

  • Name and surname of the reservation holder
  • Date of birth
  • Number, type of identification document and place of issue
  • Citizenship
  • Number of accommodation units, type of accommodation unit (room type)
  • Date of arrival and departure
  • Number of persons per accommodation unit
  • Minors
  • Possibly other specifics depending on the request of the person booking the accommodation
  • e-mail if the person has one
  • Language
  • Phone number
  • Membership in the Valamar`s Loyalty program, if it affects the price of accommodation or collecting points
  • Payment method and possible additional information needed to execute the transaction or secure payment. In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.

Upon arrival at the Hotel OBERTAUERN 4*, guests have to check in and confirm data.

In addition, OBERTAUERN is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with personal data of the guest in accordance with legal regulations.

Other data related to the circumstances of your stay such as: mode of travel, who you are traveling with, marital status, number of children, pets, other interests, will also be collected and processed during your stay only when they have a direct connection with the accommodation service.

Before, during and after the stay OBERTAUERN as the data controller has the right based on the legitimate interest to send you so-called service messages – booking confirmations, reminders and other information closely related to the specific stay you have booked. Also, during and after the stay, OBERTAUERN as the data controller has the right based on the legitimate interest to send to you guest questionnaires about service satisfaction via e-mail, sms and/or instant messaging platforms (viber, whatsapp, etc.) which will be processed by us or through associates. The primary purpose of the service satisfaction questionnaire is to collect service data for the legitimate interest of service improvement by OBERTAUERN, and OBERTAUERN may depersonalize and process this data from the questionnaire for statistical purposes.

OBERTAUERN has the right, based on a legitimate interest, to collect certain data and use it for direct marketing.

Service messages and messages with service satisfaction questionnaires related to a specific stay of the guest are not considered newsletters for the purpose of sending OBERTAUERN marketing offers and news.

VIDEO SURVEILLANCE

OBERTAUERN as the data controller, has a legitimate interest in implementing video surveillance measures to protect property and persons. We marked all places where video surveillance is installed in the prescribed manner. We are aware that the videos contain personal data of all persons moving around the perimeter of the camera, and therefore we keep them with special care, we have a regulated system of security, availability and our internal safety rules. Special regulations governing the area apply to all other details related to video surveillance.

GETTING IN CONTACT WITH US

When you contact us via email or via one of the forms on our website, data are processed and stored, in accordance with the purpose of processing.

FINAL PROVISIONS

This Privacy Policy is available at Valamar Riviera d.d. website https://www.valamar.com/en/privacy-policy-valamar-obertauern and also at reception of Hotel Valamar Obertauern 4*, (when hotel is operating).

Kesselspitze GmbH & Co KG privacy policy

GENERAL SECTION

DATA CONTROLLER AND LEGAL FRAMEWORK

As the data controller, KESSELSPITZE, is committed to protecting your personal data. The collection and storage of data is carried out in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “the Regulation”), TKG (Telecommunications Law 2021) and other regulations governing the subject area, which are applied in the Republic of Austria.

SCOPE OF APPLICATION

This Policy applies to any processing of personal data performed by KESSELSPITZE as the data controller, unless another policy or other KESSELSPITZE document prescribes otherwise for particular processing.

This Policy is divided into two parts: the General Section and the Specific Section.

The basic principles of personal data processing, contact details and other provisions specified in the General Section of this Policy are applied without exception to any personal data processing, regardless of whether such processing is specifically processed in the Specific Section of this Policy or not.

The Specific Section of the Policy deals, in more detail, with specific cases of data processing that represent the majority of all processing by KESSELSPITZE.

CONTACT FOR DATA PROTECTION REQUESTS

Regarding issues related to personal data protection and for the exercising of rights guaranteed by the Regulation, please contact KESSELSPITZE at any time via e-mail: dsgvo.kesselspitze@valamar.at or by mail to the address Kesselspitze GmbH & Co KG, 5562 Obertauern, Alpenstraße 1.

All requests not related to data protection that are delivered to this address, e.g. offers of job candidates, booking inquiries for Hotel Kesselspitze 5*, etc. will be forwarded directly to the relevant departments.

PERSONAL DATA PROTECTION PRINCIPLES

KESSELSPITZE has recognised the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. KESSELSPITZE processes data observing:

  • Lawfulness - by processing data only if allowed by law and within the limits prescribed by law.
  • Fairness – by considering the specifics of each relationship, applying all appropriate measures to protect personal information and privacy in general and not impeding data subjects in exercising their rights.
  • Transparency – by informing data subjects about the processing of personal data. From the start of the data collection process, when data subjects are informed about all aspects of data processing, until its termination, data subjects are provided easy and fast access to their own data.
  • Purpose limitation – by processing personal data for the purposes for which they were collected and for other purposes only if the conditions of the Regulation have been met. Data may be processed for matching purposes only considering (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which the personal data was collected, in particular concerning the relationship between the data subjects and KESSELSPITZE; (c) the nature of the personal data; (d) the possible consequences for the data subjects of the intended continuation of processing; and (e) the existence of appropriate protection measures.
  • Storage limitation – by storing data in a form which permits identification of data subjects for no longer than is necessary for the initial purposes, and longer only if permitted by the Regulation.
  • Data minimisation – by processing data if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Particular attention is given to not collecting data for whose processing there is no justifiable reason.
  • Accuracy – by keeping data accurate and up to date, and erasing inaccurate data within the scope of possibility.
  • Integrity and Confidentiality – by using appropriate technical and organisational measures to ensure appropriate personal data protection, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Relevant measures are applied considering the risk of each type of data processing.

LEGALITY OF PERSONAL DATA PROCESSING

In order to respect the lawfulness of processing personal data, KESSELSPITZE processes personal data only if and to the extent that at least one of the following criteria is met:

  • Processing is necessary for the performance of the contract to which the data subject is a party or in order to act at the request of the data subject prior to the conclusion of the contract; this is the most common purpose of data processing, with an existing contractual relationship or a contractual relationship in negotiation as its basis.
  • Processing is necessary to comply with the legal obligations of the data controller. As a legal entity, KESSELSPITZE has a number of obligations prescribed by various regulations. These obligations include the collection and often the submission of data to public authorities.
  • Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests take precedence over the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data, considering reasonable expectations of data subjects based on their relationship with the data controller, especially if the data subject is a child. In applying this legal basis, KESSELSPITZE assesses that the processing is appropriate to business needs, that it is the least invasive possible and that the interests of the data subjects do not exceed the legitimate interests of KESSELSPITZE or a third party. Examples of such processing are processing for administrative purposes, or the purposes of maintaining computer network security. The data subject always has the right to object to such processing in these situations.
  • Processing is necessary to protect key interests of the data subject or other natural person. The right to personal data protection is not an absolute right and KESSELSPITZE equates it with other fundamental rights in accordance with the principle of proportionality.
  • The data subject has consented to the processing of his or her personal data for one or more specific purposes. When processing personal data on the basis of consent, KESSELSPITZE provides that these are situations in which there are no formal or informal consequences for giving, refusing or denying consent. When processing is based on consent, the data subject may withdraw consent at any time without negative consequences. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

TYPES OF PERSONAL DATA PROCESSED

Special categories of personal data: shall be processed only if the conditions set out in Article 9 of the Regulation are met.

Data relating to criminal convictions and offences shall be processed only under the control of an official authority and in accordance with Article 10 of the Regulation.

Personal data that are not included in the previous two groups: the kind of data that makes up most processed data. The most common types of data are identification and contact data such as name, surname, e-mail address and data that are related to your relation with us (accommodation etc.).

Most of the personal data that we collect is provided by the data subjects themselves. Therefore, we kindly ask you that you do not provide sensitive information (such as race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when this is not necessary. If you nevertheless provide sensitive information for any reason, you thereby give your express consent to the collection and use of such information in the ways described in this Policy or in the manner described at the time of disclosure of that information.

THE ROLE OF VALAMAR RIVIERA d.d.

KESSELSPITZE concluded with the company Valamar Riviera d.d. with its registered office in Poreč, Stancija Kaligari 1 OIB: 36201212847 (hereinafter: “Valamar”) a Contract in relation to the management of hotel and tourist facilities and contents (hereinafter: “Management Contract”) on the basis of which Valamar manages certain business segments of KESSELSPITZE.

As a result of the said Management Contract, when managing Hotel Kesselspitze 5*, Valamar sometimes directly manages certain activities, including the management of some of the activities described in the Special Section of this Privacy Policy, and in particular Valamar may process the personal data of the guests for providing sales and marketing services. In addition, Valamar sometimes receives data from KESSELSPITZE and has a right of access to relevant data bases to perform certain activities where it subsequently comes to personal data processing.

For example, Valamar may manage the reservation function through the Valamar reservation centre (call centre) and via the website www.valamar.com, and in these cases Valamar is an independent data controller (and data subjects will be informed on the spot about that fact); however, all this information related to Hotel Kesselspitze 5* is and has to be also processed by KESSELSPITZE as owner and an independent data controller.

Furthermore, Valamar has a legitimate interest in the processing of personal data carried out for the purposes of direct marketing, primarily for the purpose of sending marketing messages (newsletters) by email, SMS and/or instant messaging platform (Viber, Whatsapp, etc.). On the basis of legitimate interest, Valamar may send different newsletters depending on the relationship that respondents have with Valamar or the facilities under Valamar’s management. For this purpose, personal data is collected from guests and persons who have asked for an offer or booked accommodation, persons who have participated in a prize game (should there be one), joined the Valamar loyalty programme, filled out a satisfaction questionnaire about accommodation or otherwise had a relationship with Valamar.

Following the above, in certain cases Hotel Kesselspitze 5* guests can expect to receive from Valamar newsletters containing information about all other hotels and facilities managed by Valamar, as well as accommodation quality questionnaires and other service emails. For Hotel Kesselspitze 5* guests, prize games can be organised from time to time by Valamar, in which case guests’ personal data will be collected only if guests decide to participate in the prize game.

Valamar’s Plus Club Loyalty Programme can be applied for KESSELSPITZE. The conditions of membership are contained in Valamar’s loyalty programme terms and conditions, which can be found at https://www.valamar.com/cmsmedia/loyalty/terms-conditions-en.pdf .

Also, on the basis of the Management Contract, Valamar has certain rights and obligations related to human resources, so in these cases Valamar has the right to process personal data of employees and candidates for employment in KESSELSPITZE for the purpose of managing the business processes in its hospitality operations.

When Valamar acts as the data controller, the Valamar Privacy Policy applies, which can be found at: https://www.valamar.com/en/privacy-policy / https://www.valamar.com/hr/izjava-o-privatnosti.

DATA DELIVERY TO THIRD ENTITIES

KESSELSPITZE shares personal information with others only when permitted.

KESSELSPITZE is obliged by law to provide data to third parties, for example, delivering guest data and employee data to the competent institutions.

It is possible to deliver data to business entities – processors – who process the data upon the instruction of KESSELSPITZE, which acts as the data processor. Most often, these are KESSELSPITZE’s business partners who provide IT services, and who store certain data in their databases or have the opportunity to access personal data until the end of processing. In these cases a detailed contract shall be concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities and KESSELSPITZE to jointly determine the purposes and methods of personal data processing, in which cases these external partners and KESSELSPITZE are joint data controllers. In these relations, the joint data controllers shall determine their responsibilities for complying with their obligations under the Regulation transparently, in particular with regard to the exercise of data subjects’ rights and their duties to respect the transparency of processing, unless such responsibilities are established by law.

A special case of data delivery to third parties is the fact that KESSELSPITZE has the Management Contract with Valamar (see chapter: ROLE OF VALAMAR RIVIERA d.d.).

If data are transferred to third countries as part of data processing, KESSELSPITZE ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

DATA STORAGE PERIOD

Personal data are processed and stored for the period in accordance with applicable legal regulations when the retention obligation is prescribed (for example, accounting documents), and in situations where KESSELSPITZE is authorised to set retention periods, data is stored as long as necessary for the purposes for which personal data is processed taking into account the purpose of processing, the legitimate interests of KESSELSPITZE and the interests of the data subjects in the deletion of the data.

RIGHTS OF THE DATA SUBJECTS

Regardless of the basis for data collection, all data subjects can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: The data subject has the right to be informed about the processing and its purposes. KESSELSPITZE provides the data subjects with all the information necessary to ensure fair and transparent processing, considering the context of processing.

Right to erasure („right to be forgotten“): The data subject has the right to request the deletion of personal data relating to him/her, without undue delay, in accordance with the terms of the Regulation. Should you wish this to take place, please send your request to us in writing, including an electronic form of communication. Please note that the request needs to specify what you wish to be deleted, since we can store your data on different legal bases. You have the right to request the deletion of personal data relating to you where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws the consent upon which the processing is based, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant and there are no overriding legitimate grounds for the processing, or the data subject objects ;
  • the personal data have been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation;
  • the personal data have been collected in relation to the offer of information society services.

In some cases, it will not be possible to fully comply with the deletion request, for example when there is a legal obligation for retention, when the legitimate interest of the controller takes precedence over the interest of the data subjects or when there is an interest of the data controller to set, enforce or defend legal claims.

Right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data have not been collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others

Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to data portability: The data subject has the right to receive personal data relating to him or her in a structured, commonly used and machine-readable format in accordance with the requirements of Article 20 of the Regulation.

Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her that is based on public interest and legitimate interests, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.

In any case, data subjects also have the right:

  • to submit a complaint time via email: dsgvo.kesselspitze@valamar.at or by mail to the address Kesselspitze GmbH & Co KG, 5562 Obertauern, Alpenstraße 1
  • to lodge a complaint with a supervisory authority (Austrian Data Protection Authority) if they believe that their rights to data protection have been violated.

KESSELSPITZE as the data controller has the right to protect the interests of the data controller as well as maintain the protection of the data subjects and accordingly has the right to carry out the activities of establishing the identity of the applicant. KESSELSPITZE has the right to publish a form that will be used to submit a request in order to process the request as efficiently as possible.

On request, KESSELSPITZE provides information on the actions taken in relation to the exercise of data subject’s rights without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, considering the complexity and number of applications. KESSELSPITZE shall notify the data subject of any such extension within one month of the date of receipt of the request, together with the reasons for the postponement.

If the data subject submits the request electronically, KESSELSPITZE provides the information electronically if possible, unless the data subject requests otherwise.

The data subject’s request is generally not charged, but if the data subject’s request is manifestly unfounded or excessive, and in particular in the event of its frequent repetition, KESSELSPITZE is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.

PROTECTION OF PERSONAL DATA OF CHILDREN

KESSELSPITZE advises parents and guardians to teach children about safe and responsible handling of personal data, especially on the internet. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

PERSONAL DATA SOURCES

KESSELSPITZE receives personal data most often from data subjects. When providing personal data to KESSELSPITZE in any way (booking accommodation, job application, etc.), you guarantee that the information you have provided is correct, that you are legally capable and authorised to dispose of the given information and that you fully agree that KESSELSPITZE may collect and use your data in accordance with the regulations and terms of this Privacy Policy.

Also, KESSELSPITZE receives personal data from other natural and legal persons, for example from Valamar as a company that manages certain commercial aspects of business, from travel agencies that forward guest data for accommodation, guests who book accommodation for people with whom they will stay in the hotel, agencies for employment mediation and the assignment of workers, and from the holder of accommodation reservations for others’ guests, for whom the reservation is made.

When providing the personal data of other persons to KESSELSPITZE, you guarantee that the information you provide is accurate, that you are legally capable and authorised to dispose of the information, and that the respondents whose personal data you forward to us agree that KESSELSPITZE may use and collect their data in accordance with positive regulations and the terms of this Privacy Policy.

TECHNICAL AND INTEGRATED DATA PROTECTION

KESSELSPITZE, as data controller, provides the highest organisational and technical standards of data protection. Therefore, considering the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, at the time of processing, appropriate technical and organisational measures to enable the effective application of the principles of data protection are applied.

Also, KESSELSPITZE implements appropriate technical and organisational measures to ensure that only personal data necessary for each specific processing purpose are processed in an integrated manner. KESSELSPITZE applies this measure to the amount of personal data collected, the scope of their processing, the retention period and their availability. Specifically, such measures ensure that personal data is not automatically, without the intervention of an individual, available to an unlimited number of individuals.

DATA BREACH

In the case of a personal data breach, as the data controller, KESSELSPITZE shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in risk to the rights and freedoms of natural persons.

The report submitted to the supervisory authority shall contain all information prescribed by the Regulation.

In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, KESSELSPITZE, as the data controller, shall inform the data subjects of the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing data subjects is not mandatory.

SPECIAL SECTION


ACCOMMODATION

KESSELSPITZE’s main business activity is the provision of accommodation services in its Hotel Kesselspitze 5*. Therefore, KESSELSPITZE collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourism companies.

KESSELSPITZE, as the data controller, stores the personal data that you must provide for accommodation services in its database for the purpose of fulfilling accommodation contracts and fulfilling legal obligations related to the hospitality business. In the event you do not provide KESSELSPITZE with the minimum data required for booking accommodation and for the registration to all competent registers, KESSELSPITZE will not be able to provide you with booking services or accommodation services in accordance with the contract and law.

Certain information is necessary in order to act at the request of the data subject before concluding the accommodation contract. For example, before booking accommodation at the request of potential guests, you have to receive an offer, for which personal data is needed: at least name, surname and e-mail address.

The personal data that KESSELSPITZE collects when booking in order to fulfil the reservation obligation usually are:

  • Name and surname of the reservation holder
  • Date of birth
  • Number, type and place of issue of identification document
  • Citizenship
  • Number of accommodation units and type of accommodation unit (room type)
  • Date of arrival and departure
  • Number of persons per accommodation unit
  • Minors
  • Possibly other specifics depending on the request of the person booking the accommodation
  • email address, if the person has one
  • Language
  • Phone number
  • membership in the Loyalty program, if it affects the price of accommodation or collecting points
  • Payment method and possible additional information needed to execute the transaction or secure payment. In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.

Upon arrival at the Hotel Kesselspitze 5*, guests have to check in and confirm data.

In addition, KESSELSPITZE is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with the personal data of each guest in accordance with legal regulations.

Other data related to the circumstances of your stay, such as mode of travel, with whom you are travelling, marital status, number of children, pets, and other interests, will also be collected and processed during your stay only when they have a direct connection with the accommodation service.

Before, during and after your stay KESSELSPITZE as the data controller has the right based on legitimate interest to send you so-called service messages – booking confirmations, reminders and other information closely related to the specific stay you have booked. Also, during and after the stay, KESSELSPITZE as the data controller has the right based on legitimate interest to send to you guest questionnaires about service satisfaction via email, SMS and/or instant messaging platforms (Viber, Whatsapp, etc.) which will be processed by us or through associates. The primary purpose of the service satisfaction questionnaire is to collect service data for the legitimate interest of service improvement by KESSELSPITZE, and KESSELSPITZE may depersonalise and process this data from the questionnaire for statistical purposes.

KESSELSPITZE has the right, based on legitimate interest, to collect certain data and use it for direct marketing.

Service messages and messages with service satisfaction questionnaires related to a specific stay of the guest are not considered newsletters for the purpose of sending KESSELSPITZE marketing offers and news.

VIDEO SURVEILLANCE

KESSELSPITZE as the data controller has a legitimate interest in implementing video surveillance measures to protect property and persons. We have marked all places where video surveillance is installed in the prescribed manner. We are aware that the videos contain personal data of all persons moving around the perimeter of the camera, and therefore we keep them with special care: we have a regulated system of security, availability and our internal safety rules. Special regulations governing the area apply to all other details related to video surveillance.

GETTING IN CONTACT WITH US

When you contact us via email or via one of the forms on our website, data are processed and stored in accordance with the processing purpose.

WEBSITE, COOKIES AND INTERNET TECHNOLOGIES

Our website uses so-called cookies. A cookie is a small text file that is saved to your browser on your computer or mobile device, and retrieved from it on subsequent visits. They do not cause any damage. Cookies cannot be used to reveal your personal identity, that is your name and surname. We use cookies to provide you with the best usability. Some cookies remain stored on your device until you delete them. They enable us to recognise your browser during subsequent visits.

If you do not agree with this practice, you can adjust your browser settings so that it will inform you before cookies are set. This will also enable you to permit specific cookies.

We use different types of cookies:

Cookies by function

  • Essential cookies - they are necessary for the operation of the website, which cannot function without them. This means that a website cannot be opened or displayed without these cookies. These cookies are used for the purpose of transmitting communication or are necessary to provide an information society service that is explicitly required by the user of such a service. These cookies do not need and do not require your consent.
  • Statistics cookies - these cookies enable basic analysis of web pages with the aim of improving the work of web pages through data that is completely anonymised, i.e. not based on your personal data or data that can be linked to you in any way. These cookies are used to analyse user behaviour and, on the basis of the anonymous data, can determine what website visitors view and want, so KESSELSPITZE is then able to customise the website and make its content and functionality as easy to use. These cookies require your consent.
  • Marketing cookies - they are used to analyse your interests and wishes, and they serve the purpose of informing you about special and personalised offers, news and events organised through online channels (e-mail, internet, internet promotion). These cookies require your consent.

Cookies by source

  • First party cookies come from the internet site you are viewing, and can be permanent or temporary. With these cookies, internet sites can store data that will be used again upon the next visit to the internet site.
  • Third party cookies come from other internet sites, which are located on the internet site you are viewing. With these cookies, other internet sites can track internet usage on the internet site you are viewing for marketing or analytical purposes.

Cookies by duration

  • Persistent cookies - Persistent or saved cookies remain on your computer after you close your internet browser program. They help internet sites store information, such as login and password, language settings, or cookie settings, so you do not have to re-enter them each time you visit. Persistent cookies can stay on your computer or mobile device for days, months, even years.
  • Temporary cookies Temporary cookies or session cookies are removed from your computer when you close your internet browser. They use internet sites to store temporary information, such as the last few pages you opened on the internet site you visited, or items in your shopping cart if you are on an internet site that specialises in internet sales.

Cookies are stored in the user’s browser for a maximum of 2 years.

If you have changed your mind about the cookie settings on our website, you can alter them at any time.

You can always delete cookies stored on your computer, thus preventing further processing of your personal data through such technology. Each web browser has its own procedure for deleting cookies, and below are links to deletion procedures in the most popular web browsers:

Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox

Microsoft Edge: https://support.microsoft.com/en-us/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd

You can find more about cookies on the following pages:

  • http://www.allaboutcookies.org/
  • http://www.youronlinechoices.com/en/
  • http://www.aboutads.info/choices/

Valamar Marietta GmbH privacy policy

Valamar Marietta GmbHwith its headquarters in Ringstraße 8, AT-5562 Obertauern (hereinafter: MARIETTA or we or our or controller) as owner of Obertauern Places hotel by Valamar – ex Marietta hotel (hereinafter: the Hotel), respects the privacy of every person from whom collects personal data. We would like to inform you about what personal data we collect as the data controller, for what purpose, how we protect the data and what your rights are.

DATA CONTROLLER AND LEGAL FRAMEWORK

As the data controller, MARIETTA is committed to protect your personal data. The collection and storage of data is carried out in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: Regulation), TKG (Telecommunications Law 2021) and other regulations governing the subject area, which are applied in the Republic of Austria.

SCOPE OF APPLICATION

This Policy applies to any processing of personal data performed by MARIETTA as the data controller, unless another policy or other MARIETTA document prescribes otherwise for a particular processing.

This Policy is divided into two parts: The General Section and the Specific section.

The basic principles of personal data processing, contact details and other provisions specified in the General Section of this Policy are applied without exception to any personal data processing regardless of whether such processing is specifically processed in the Specific Section of this Policy or not.

The Specific Section of the Policy deals, in more detail, with specific cases of data processing which represent the majority of all processing by MARIETTA.

CONTACT FOR DATA PROTECTION REQUESTS

Regarding issues related to personal data protection and for exercising their rights guaranteed by the Regulation please contact MARIETTA at any time via e-mail: dsgvo.obertauern.places@valamar.at or by mail to the address Valamar Marietta GmbH with its headquarters in Ringstraße 8, AT-5562 Obertauern.

All requests not related to data protection, which are delivered to this address, e.g. offers of job candidates, booking inquiries in the Hotel, etc. will be provided directly to the relevant departments.

PERSONAL DATA PROTECTION PRINCIPLES

MARIETTA has recognized the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. MARIETTA processes data:

  • Lawfully - by processing data only if allowed by law and within the limits prescribed by law.
  • Fairly - by considering the specifics of each relationship, applying all appropriate measures to protect personal information and privacy in general and not impeding data subjects in exercising their rights.
  • Transparently - by informing data subjects about the processing of personal data. From the start of the data collection process, when data subjects are informed about all aspects of data processing, until its termination, data subjects are provided easy and fast access to their own data.
  • Purpose limitation - by processing personal data for the purposes they were collected for and for other purposes only if the conditions of the Regulation are met. Data may be processed for matching purposes only considering (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which the personal data was collected, in particular concerning the relationship between the data subjects and MARIETTA; (c) the nature of the personal data; (d) the possible consequences of the intended continuation of processing for the data subjects; and (e) the existence of appropriate protection measures.
  • Storage limitation - by storing data in a form which permits identification of data subjects for no longer than is necessary for the initial purposes, and longer only if permitted by the Regulation.
  • Data minimization - by processing data if it is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Particular attention is given to not collecting data for which there is no justifiable reason for processing.
  • Accuracy - by keeping data accurate and up-to-date, and erasing inaccurate data in the scope of possibility.
  • Integrity and Confidentiality - by using appropriate technical and organisational measures to ensure appropriate personal data protection, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Relevant measures are applied considering the risk of each type of data processing.

LEGALITY OF PERSONAL DATA PROCESSING

In order to respect the lawfulness of processing personal data, MARIETTA processes personal data only if and to the extent that at least one of the following is met:

  • Processing is necessary for the performance of the contract to which the data subject is a party or in order to act at the request of the data subject prior to the conclusion of the contract; this is the most common purpose of data processing with an existing contractual relationship or a contractual relationship in negotiations as its basis.
  • Processing is necessary to comply with the legal obligations of the data controller. As a legal entity, MARIETTA has a number of obligations prescribed by various regulations. This obligation includes the collection and often the submission of data to public authorities.
  • Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests are stronger than the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data, considering reasonable expectations of data subjects based on their relationship with the data controller, especially if the data subject is a child. In applying this legal basis, MARIETTA assesses that the processing is appropriate to business needs, that it is the least invasive as possible and that the interests of the data subjects do not exceed the legitimate interests of MARIETTA or a third party. Examples of such processing are processing for administrative purposes, the purposes of maintaining computer network security. The data subject always has the right to object to such processing in these situations.
  • Processing is necessary to protect key interests of the data subject or other natural person. The right to personal data protection is not an absolute right and MARIETTA equates it with other fundamental rights in accordance with the principle of proportionality.
  • The data subject has consented to the processing of his or her personal data for one or more specific purposes. When processing personal data on the basis of consent, MARIETTA provides that these are situations in which there are no, formal or informal, consequences for giving, refusing or denying consent. When processing is based on consent, the data subject may withdraw consent at any time without negative consequences. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

TYPES OF PERSONAL DATA PROCESSED

Special categories of personal data: shall be processed only if the conditions set out in Article 9 of the Regulation are met.

Data relating to criminal convictions and offenses: shall be processed only under the control of official authority and in accordance with Article 10 of the Regulation.

Personal data that are not included in the previous two groups: that kind of data makes most of the processed data. The most common types of data are identification and contact data such as name, surname, e-mail address and data that are related with your relation with us (accommodation etc.).

Most of the personal data that we collect is provided by the data subjects themselves. Therefore, we kindly ask you that you do not provide sensitive information (such as race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when this is not necessary. If you nevertheless provide sensitive information for any reason, you hereby give your express consent to the collection and use of such information in the ways described in these Policy or in the manner described at the time of disclosure of that information.

THE ROLE OF VALAMAR RIVIERA d.d.

MARIETTA concluded with the company Valamar Riviera d.d. with its registered office in Poreč, Stancija Kaligari 1 OIB: 36201212847 (hereinafter: Valamar) Contract in relation to the management of hotel and tourist facilities and contents (hereinafter: Management contract) based on which Valamar manages certain business segments of MARIETTA.

Due to such Management contract, when managing the Hotel, Valamar sometimes directly manages certain activities, including the management of some of the activities described in the Special Section of this Privacy Policy, in particular Valamar can process the personal data of the guests for providing the sales and marketing services. In addition, Valamar sometimes receives data from MARIETTA and has a right of access to relevant data base to perform certain activities where it subsequently comes to personal data processing.

For example, Valamar can manage the reservation function through the Valamar reservation center (call center) and via the websites www.valamar.com, and in these cases Valamar is an independent data controller (and data subjects will be informed on the spot about that fact) however, all this information related to Hotel are and have to be also processed by MARIETTA as an owner and independent data controller.

Furthermore, Valamar has a legitimate interest in processing of personal data carried out for the purposes of direct marketing, primarily for the purpose of sending marketing messages (newsletters) by e-mail, SMS and / or instant messaging platform (Viber, Whatsapp, etc.). Based on a legitimate interest, Valamar may send different newsletters depending on the relationship that respondents have with Valamar or the facilities under Valamar's management. For this purpose, personal data is collected from guests and persons who have asked for an offer or booked accommodation, persons who have participated in the prize game (if there will be any), joined the Valamar`s loyalty program, filled out a satisfaction questionnaire about accommodation in or otherwise had a relationship with Valamar.

Following the above, in certain cases Hotel guests can expect to receive from Valamar newsletters containing information about all other hotels and facilities managed by Valamar, as well as accommodation quality questionnaires and other service e-mails. For Hotel guests, prize games can be organized from time to time, which can be organized by Valamar, in which case guests personal data will be collected only if guests decide to participate in the prize game.

Valamar's Plus Club Loyalty Program can be applied for the MARIETTA. The conditions of membership are contained in Valamar's loyalty programme terms and conditions, which can be found at https://www.valamar.com/cmsmedia/loyalty/terms-conditions-en.pdf.

Also, based on the Management contract, Valamar has certain rights and obligations related to human resources, so in these cases Valamar has the right to process personal data of employees and candidates for employment in MARIETTA for the purpose of managing the business processes in the Hospitality Operations.

When Valamar acts as the data controller, the Valamar Privacy Policy applies, which can be found at: https://www.valamar.com/en/privacy-policy / https://www.valamar.com/hr/izjava-o-privatnosti.

DATA DELIVERY TO THIRD ENTITIES

MARIETTA shares personal information with others only when permitted.

MARIETTA is obliged by law to provide data to third parties. For example, delivering guest data and employee data to the competent institutions.

It is possible to deliver data to business entities, processors, who process the data upon instruction of MARIETTA, which acts as the data processor. Most often, these are MARIETTA's business partners who provide IT services, who store certain data in their databases or have the possibility of accessing personal data until the end of processing. In that cases a detailed contract shall be concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities and MARIETTA to jointly determine the purposes and methods of personal data processing, in which case these external partners and MARIETTA are joint data controllers. In these relations, the joint data controllers shall transparently determine their responsibilities for complying with the obligations under the Regulation, in particular with regard to the exercise of data subject`s rights and their duties to respect the transparency of processing, unless responsibilities are established by law.

A special case of data delivery to third parties is the fact that MARIETTA has the Management contract with Valamar (see chapter: ROLE OF VALAMAR RIVIERA d.d.).

If data are transferred to third countries as part of data processing, MARIETTA ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

DATA STORAGE PERIOD

Personal data are processed and stored for the period in accordance with applicable legal regulations when the retention obligation is prescribed (for example, accounting documents), and in situations where MARIETTA is authorized to set retention periods, data is stored as long as necessary for the purposes for which personal data is processed taking into account the purpose of processing, the legitimate interests of MARIETTA and the interests of the data subjects to delete the data.

RIGHTS OF THE DATA SUBJECTS

Regardless of the basis for data collection, all data subjects can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: The data subject has the right to be informed about the processing and its purposes. MARIETTA provides the data subjects with all the information necessary to ensure fair and transparent processing, considering the context of processing.

Right to erasure (“right to be forgotten”): The data subject has the right to request to delete personal data relating to him/her, without undue delay in accordance with the terms of the Regulation. To do so, please send your request to us in writing, including an electronic form of communication. Please note that the request needs to specify what you wish to be deleted, since we can store your data on different legal bases. You have the right to request the deletion of personal data relating to you where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant and there are no overriding legitimate grounds for the processing, or the data subject objects;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation;
  • the personal data have been collected in relation to the offer of information society services.

In some cases, it will not be possible to fully comply with the deletion request, for example when there is a legal obligation for retention, when the legitimate interest of the controller is stronger than the interest of the data subjects, when there is an interest of the data controller to set, enforce or defend legal claims.

Right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to data portability: The data subject has the right to receive personal data relating to him in a structured, commonly used and machine-readable format in accordance with the requirements of the Article 20 of Regulation.

Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on public interest and legitimate interests, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

In any case, data subjects also have the right to:

  • to submit a complaint time via e-mail: dsgvo.obertauern.places@valamar.at or by mail to the address Valamar Marietta GmbH with its headquarters in Ringstraße 8, AT-5562 Obertauern
  • to lodge a complaint with a supervisory authority (Austrian Data Protection Authority) if they believe that their rights to data protection have been violated.

MARIETTA as the data controller has the right to protect the interests of the data controller as well as the protection of the data subjects and accordingly has the right to carry out the activities of establishing the identity of the applicant. MARIETTA has the right to publish a form that will be used to submit a request in order to process the request as efficiently as possible.

On request, MARIETTA provides information on the actions taken in relation to the exercise of data subject's rights without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, considering the complexity and number of applications. MARIETTA shall notify the data subject of any such extension within one month from the date of receipt of the request, together with the reasons for the postponement.

If the data subject submits the request electronically, MARIETTA provides the information electronically if possible, unless the data subject requests otherwise.

The data subject's request is generally free of charge, but if the data subject's request is manifestly unfounded or excessive, and in particular because of their frequent repetition, MARIETTA is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.

PROTECTION OF PERSONAL DATA OF CHILDREN

MARIETTA advises parents and guardians to teach children about safe and responsible handling of personal data, especially on the Internet. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

PERSONAL DATA SOURCES

MARIETTA receives personal data most often from data subjects. When providing personal data to MARIETTA, in any way (booking accommodation, job application…) you guarantee that the information you have provided is correct, that you are legally capable and authorized to dispose of the given information and that you fully agree that MARIETTA collects and uses your data in accordance with the regulations and terms of this Privacy Policy.

Also, MARIETTA receives personal data from other natural and legal persons, for example: from Valamar as a company that manages certain business aspects of business, from travel agencies that forward guest data for accommodation, guests who book accommodation for people with whom they will stay in hotel, agency for employment mediation and assignment of workers, from the holder of accommodation reservations for others guests for whom the reservation is made.

When providing personal data of other persons to MARIETTA, you guarantee that the information you provide is accurate, that you are legally capable and authorized to dispose of the information, that respondents whose personal data you forward to us agree that MARIETTA uses and collects their data in accordance with positive regulations and the terms of this Privacy Policy.

TECHNICAL AND INTEGRATED DATA PROTECTION

MARIETTA, as data controller, provides the highest organizational and technical standards of data protection. Therefore, considering the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, at the time of processing, appropriate technical and organizational measures to enable the effective application of the principles of data protection are applied.

Also, MARIETTA implements appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose of processing are processed in an integrated manner. MARIETTA applies this measure to the amount of personal data collected, the scope of their processing, the retention period and their availability. Specifically, such measures ensure that personal data is not automatically, without the intervention of an individual, available to an unlimited number of individuals.

DATA BREACH

In the case of a personal data breach, as the data controller, MARIETTA shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The report submitted to the supervisory authority shall contain all information prescribed by the Regulation.

In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, MARIETTA, as the data controller, shall inform the data subjects of the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing data subjects is not mandatory.

Special section


ACCOMMODATION

MARIETTA'S main business activity is the provision of accommodation services in its Hotel MARIETTA 5*. Therefore, MARIETTA collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourism companies.

MARIETTA, as the data controller, stores your personal data that you must provide for accommodation services in its database for the purpose of fulfilling accommodation contracts and fulfilling legal obligations related to the hospitality business. In case you do not provide MARIETTA with the minimum data required for booking accommodation and for the registration to all competent registers, MARIETTA will not be able to provide you with booking services or accommodation services in accordance with the contract and law.

Certain information is necessary in order to act at the request of the data subject before concluding the accommodation contract. For example, before booking accommodation at the request of potential guests, you have to receive offer, for which personal data is needed, at least name, surname and e-mail address in order to be able to send an offer.

The personal data that MARIETTA collects when booking in order to fulfil the reservation obligation usually are:

  • Name and surname of the reservation holder
  • Date of birth
  • Number, type of identification document and place of issue
  • Citizenship
  • Number of accommodation units, type of accommodation unit (room type)
  • Date of arrival and departure
  • Number of persons per accommodation unit
  • Minors
  • Possibly other specifics depending on the request of the person booking the accommodation
  • e-mail if the person has one
  • Language
  • Phone number
  • Membership in the Valamar`s Loyalty program, if it affects the price of accommodation or collecting points
  • Payment method and possible additional information needed to execute the transaction or secure payment. In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.

Upon arrival at the Hotel guests have to check in and confirm data.

In addition, MARIETTA is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with personal data of the guest in accordance with legal regulations.

Other data related to the circumstances of your stay such as: mode of travel, who you are traveling with, marital status, number of children, pets, other interests, will also be collected and processed during your stay only when they have a direct connection with the accommodation service.

Before, during and after the stay MARIETTA as the data controller has the right based on the legitimate interest to send you so-called service messages – booking confirmations, reminders and other information closely related to the specific stay you have booked. Also, during and after the stay, MARIETTA as the data controller has the right based on the legitimate interest to send to you guest questionnaires about service satisfaction via e-mail, sms and/or instant messaging platforms (viber, whatsapp, etc.) which will be processed by us or through associates. The primary purpose of the service satisfaction questionnaire is to collect service data for the legitimate interest of service improvement by MARIETTA, and MARIETTA may depersonalize and process this data from the questionnaire for statistical purposes.

MARIETTA has the right, based on a legitimate interest, to collect certain data and use it for direct marketing.

Service messages and messages with service satisfaction questionnaires related to a specific stay of the guest are not considered newsletters for the purpose of sending MARIETTA marketing offers and news.

VIDEO SURVEILLANCE

MARIETTA as the data controller, has a legitimate interest in implementing video surveillance measures to protect property and persons. We marked all places where video surveillance is installed in the prescribed manner. We are aware that the videos contain personal data of all persons moving around the perimeter of the camera, and therefore we keep them with special care, we have a regulated system of security, availability and our internal safety rules. Special regulations governing the area apply to all other details related to video surveillance.

GETTING IN CONTACT WITH US

When you contact us via email or via one of the forms on our website, data are processed and stored, in accordance with the purpose of processing.

WEBSITE, COOKIES AND INTERNET TECHNOLOGIES

Our website uses so-called cookies. A cookie is a small text file that is saved to your browser on your computer or mobile device, and retrieved from it on subsequent visits. They do not cause any damage. Cookies cannot be used to reveal your personal identity meaning your name and surname. We use cookies to provide you with the best usability. Some cookies remain stored on your device until you delete them. They enable us to recognize your browser during subsequent visits.

If you do not agree with this practice, you can adjust your browser settings so that it will inform before setting cookies. This will also enable you to permit specific cookies.

We use different types of cookies:

Cookies by function

  • Essential cookies - they are necessary for the operation of the website, which cannot function without them. This means that a website cannot be opened or displayed without these cookies. These cookies are used for the purpose of transmitting communication or are necessary to provide an information society service that is explicitly required by the user of such a service. These cookies do not need and do not require your consent.
  • Statistics cookies - these cookies enable basic analysis of web pages with the aim of improving the work of web pages through data that is completely anonymised, i.e. not based on your personal data or data that can be linked to you in any way. These cookies are used to analyse user behaviour and, on the basis of the anonymous data, can determine what website visitors view and want, so KESSELSPITZE is then able to customise the website and make its content and functionality as easy to use. These cookies require your consent.
  • Marketing cookies - they are used to analyse your interests and wishes, and they serve the purpose of informing you about special and personalised offers, news and events organised through online channels (e-mail, internet, internet promotion). These cookies require your consent.

Cookies by source

  • First party cookies come from the internet site you are viewing, and can be permanent or temporary. With these cookies, internet sites can store data that will be used again upon the next visit to the internet site.
  • Third party cookies come from other internet sites, which are located on the internet site you are viewing. With these cookies, other internet sites can track internet usage on the internet site you are viewing for marketing or analytical purposes.

Cookies by duration

  • Persistent cookies - Persistent or saved cookies remain on your computer after you close your internet browser program. They help internet sites store information, such as login and password, language settings, or cookie settings, so you do not have to re-enter them each time you visit. Persistent cookies can stay on your computer or mobile device for days, months, even years.
  • Temporary cookies Temporary cookies or session cookies are removed from your computer when you close your internet browser. They use internet sites to store temporary information, such as the last few pages you opened on the internet site you visited, or items in your shopping cart if you are on an internet site that specialises in internet sales.

Cookies are stored in the user’s browser for a maximum of 2 years.

If you have changed your mind about the cookie settings on our website, you can alter them at any time.

You can always delete cookies stored on your computer, thus preventing further processing of your personal data through such technology. Each web browser has its own procedure for deleting cookies, and below are links to deletion procedures in the most popular web browsers:

Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox

Microsoft Edge: https://support.microsoft.com/en-us/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd

You can find more about cookies on the following pages:

  • http://www.allaboutcookies.org/
  • http://www.youronlinechoices.com/en/
  • http://www.aboutads.info/choices/

In Obertauern, 01.07.2023.

Naročite se na posebne ponudbe

Prejemajte naše posebne ponudbe in popuste neposredno v svoj e-poštni predal.

Začetek