
Personal Data Protection and Security

This page provides information about personal data protection and the safe use of our online services.

In addition to information about the protection of personal data, it also sets out the procedures, policies and measures that are implemented to ensure a high level of security of personal data.

Current security notices and warnings are published here on a regular basis, along with information about any personal data breaches where applicable, notices of possible security threats, and useful advice on protecting personal data and using digital services more safely.

The aim of this page is to provide timely and transparent information that contributes to the safe and reliable use of our services.


For any questions relating to the protection of personal data, you may contact us at: dpo@valamar.com


For all other information on how we process personal data, please see our Privacy Policy. Details on the use of cookies are available in our Cookie Policy.


  • Personal Data Breach Notification (4 June 2026)

PERSONAL DATA BREACH NOTIFICATION

Reservation management system of the data processor Phobs d.o.o. – date of becoming aware: 4 June 2026

Following the notifications already sent to our guests, we would like to provide additional information and transparently inform all interested parties about the incident, as follows:

NATURE OF THE PERSONAL DATA BREACH

When?

The first reports from guests who had booked accommodation at Valamar properties were received on the morning of 4 June 2026. While processing incoming correspondence, staff of the Valamar Reservation Centre (VRC) identified enquiries and messages from guests relating to the event in question. This was also the moment when Valamar first became aware of a possible security incident involving a possible personal data breach. Later that same day, Valamar received further information about the incident, first verbally and then in writing, from PHOBS d.o.o. za informatičke usluge, with its registered office in Dubrovnik, Vukovarska 19, OIB: 09221756952 (hereinafter: Phobs).

How?

Valamar Riviera, as the controller of the personal data of guests who have made reservations for accommodation at Valamar properties, uses the reservation management system of the data processor Phobs, based on a business cooperation agreement and a personal data processing agreement. Phobs provides this service to a number of controllers, including hoteliers, and processes reservations for several independent controllers within the same system.

According to the notification received from Phobs, the incident occurred as a result of compromised user credentials for a single user account that does not belong to Valamar, followed by the malicious misuse of an existing functionality of the Phobs IT system, with the aim of stealing reservation data.

Which guests?

At this stage, it is not possible to determine which specific reservations were affected by the incident and, consequently, which guests or categories of personal data may be concerned. Based on the content of the messages received, the incident appears to concern guests who made reservations for accommodation at Valamar properties during this year.

Which data?

We have received information from Phobs regarding the categories of data that may have been affected by the incident:

  • identification and contact details of the reservation holder and guests (full name, address, postal code, city, country, email address, telephone number and mobile phone number);
  • reservation and accommodation details (reservation code and source, property, arrival and departure dates, number of nights, meal plan, special requests, number of adults and children and names of guests included in the reservation);
  • financial details related to reservations (currency, discounts, additional fees and total amount);
  • transaction details and certain payment card details.

Payment card details include the card type, the last four digits of the card number, the card expiry date, and the cardholder’s name. The full card number (PAN) and security code (CVV) were not exposed.


Based on the information currently available, there is no immediate risk of unauthorised card use using only these details. However, since complete payment card details were not exposed, attackers may attempt to obtain them through fraudulent messages (smishing/phishing) that encourage recipients to click on a fraudulent link and then enter their full payment card details.

LIKELY CONSEQUENCES OF THE PERSONAL DATA BREACH

The likely consequences are the possibility of receiving fraudulent messages (so-called smishing/phishing messages) that may appear credible at first glance and increase the possibility of fraud. In addition, the risk of unauthorised use of personal data cannot be entirely excluded, even where such use may not be directly related to the initial incident.

MEASURES TAKEN OR PROPOSED TO BE TAKEN BY THE CONTROLLER TO ADDRESS THE PERSONAL DATA BREACH, INCLUDING, WHERE APPROPRIATE, MEASURES TO MITIGATE ITS POSSIBLE ADVERSE EFFECTS

Valamar has taken a number of measures to reduce the risk and protect guests. In addition to responding individually to enquiries received, we have sent warnings and notifications to guests whose reservations may potentially have been affected, with the aim of preventing and reducing the risk of their falling victim to fraudulent messages.

Our internal IT department, in cooperation with external IT partners, is carrying out additional checks and analyses of the IT infrastructure, during which no irregularities or indications of any compromise of Valamar’s internal systems have been identified. At the same time, Valamar remains in close contact with the data processor and continues to monitor the measures it is implementing.

According to the information provided to us, the data processor took immediate steps to prevent any further unauthorised access after the incident was identified. These included identifying the compromised user account, resetting access credentials, blocking the IP addresses used to send malicious requests, and disabling data export functionality. Additional technical protective measures have also been implemented, including rate limiting on relevant scripts and additional security authentication mechanisms. At the same time, a detailed system analysis is being carried out, with the involvement of external cybersecurity experts, to determine the scope of the incident.

USEFUL ADVICE FOR PROTECTING PERSONAL DATA AND USING DIGITAL SERVICES MORE SAFELY

  • For your security, please exercise additional caution when receiving electronic messages, especially those that contain links, attachments or payment requests. Before taking any action, we recommend that you verify the identity of the sender and the authenticity of the message. Do not open suspicious links, download attachments from unverified sources, or share personal or financial data through channels that have not been verified.
  • If you have any doubts about a message received in connection with your reservation, please contact us. We will be glad to help you verify the authenticity of the communication and provide additional information.
  • For additional information on recognising phishing attacks, you can consult the official guidance of the Croatian Personal Data Protection Agency: Phishing attacks – how to recognise them and protect yourself – Personal Data Protection Agency (AZOP)

CONTACTS

If you have any questions regarding the authenticity of messages you receive in connection with your reservation, you may also contact us at reservations@valamar.com

For all enquiries relating to the personal data breach and the exercise of your rights, please contact us at dpo@valamar.com


© Valamar 2026

Valamar Riviera d.d. has accommodation facilities in the Republic of Croatia and the Republic of Austria, where it operates through its branch Valamar Riviera d.d., Zweigniederlassung Austria, Gamsleitenstraße 6, 5563 Obertauern, FN 583355 a (Landesgericht Salzburg), VAT ID: ATU 78289647. Additionally, Valamar is a management company that, based on contracts, manages the tourism segment of the business and offers accommodation services in the facilities of Imperial Riviera d.d., Republic of Croatia, Rab, Jurja Barakovića 2, OIB: 90896496260 and HELIOS FAROS d.d., Republic of Croatia, Stari Grad, Naselje Helios 5, OIB: 48594515409. The term Valamar properties includes accommodation facilities of Valamar Riviera d.d., in Croatia and Austria, as well as accommodation facilities of other companies it manages.
