Privacy policy

KRIŠTO TURIZAM d.o.o. for Hotel management, Prosenička ulica 14, Zagreb, OIB: 74581693165

1. Preliminary provisions

This Policy establishes a responsible and transparent framework to ensure compliance with the General Data Protection Regulation (GDPR).
The Policy applies to all organizational units of KRIŠTO TURIZAM d.o.o. (hereinafter referred to as the DATA CONTROLLER), as well as to all employees, including freelance staff and temporary workers, and all external associates acting on behalf of the data controller.

2. Policy Statement

The data controller is committed to operating in accordance with all applicable laws, regulations, and the highest standards of ethical business conduct.
This Policy outlines the expected behavior of the data controller’s employees and external associates in relation to the collection, use, storage, transfer, disclosure, or destruction of any personal data belonging to employees, business partners, or other individuals.
The purpose of this Policy is to standardize the protection of the rights and freedoms of data subjects by preserving the privacy of their personal data in all areas of the data controller’s operations that involve personal data.
This Policy establishes that the data controller will not unlawfully disclose personal data to third parties nor act in ways that could jeopardize such data.

3. Principles of Personal Data Processing

LAWFULNESS, FAIRNESS, AND TRANSPARENCY
Personal data shall be processed lawfully, fairly, and transparently with respect to the data subject. This means the data controller will, in all relevant circumstances, inform the data subject of how their data will be processed (transparency), the processing will occur strictly in accordance with that explanation (fairness), and only for purposes established under applicable data protection law (lawfulness).

PURPOSE LIMITATION
Personal data shall be collected for specific and legitimate purposes and not processed in a manner inconsistent with those purposes. This means the data controller must clearly specify the intended use of the data and restrict processing activities strictly to what is necessary to achieve those purposes.

DATA MINIMIZATION
Personal data collected shall be relevant and limited to what is necessary in relation to the purposes for which they are processed. This means the data controller will not collect, process, or store more personal data than is strictly necessary.

DATA ACCURACY
Personal data collected shall be accurate and kept up to date. This means the data controller shall have procedures in place to detect and correct outdated, inaccurate, or unnecessary personal data.

STORAGE LIMITATION
Personal data shall not be stored in a form that permits identification of data subjects longer than is necessary. This means the controller shall, wherever possible, store personal data in a way that limits or prevents identification of data subjects.

DATA SECURITY
Personal data shall be processed and stored in a way that ensures adequate protection against breaches such as unauthorized or unlawful processing, and accidental loss, destruction, or damage. The data controller shall implement appropriate technological and organizational measures as described in the Personal Data Security Policy to ensure the integrity and confidentiality of personal data at all times.

PRIVACY BY DESIGN
When designing new systems or reviewing and expanding existing ones, the controller shall consider the application of all of these principles to maximize data subject privacy.

4. Personal Data Collected and Legal Basis for Processing

4.1. Reasons for Collecting and Processing Your Personal Data
We collect and process your personal data in accordance with legal obligations and for the provision of services you request or consent to. These reasons include:

  • Communication with you: When you contact us with an inquiry, request, or complaint, we use the information you provide to respond and act accordingly.
  • Booking accommodation and other services: We collect information needed to manage hotel capacity and organize requested services, including reservations, event coordination, and billing.
  • Guest check-in and check-out: We are legally obliged to collect certain data to record your arrival and stay.
  • Provision and billing of hotel services: We collect data related to your preferences and consumption to ensure accurate billing, including use of the bar, minibar, à la carte services, transportation, and others.
  • Event organization: We collect personal data of event organizers to fulfill contractual obligations.
  • Service quality monitoring and improvement: We use feedback surveys that you may choose to fill out with personal data.
  • Benefit usage: We offer benefits based on contracts with partners, which may require information from your card.
  • Security and property protection: Parts of the hotel premises are monitored by video cameras for safety.

4.2. Types of Personal Data Collected
We collect only the data necessary to fulfill the purposes above, including contact data, reservation or stay details, preferences, ID details, card numbers, and other voluntarily submitted or third-party-provided data. Sensitive data, such as health information, is collected only with your explicit consent.

4.3. Video Surveillance

For the purpose of ensuring the safety of staff and clients and protecting the legitimate interests of the data controller, video surveillance may be in place at the entrance and around the perimeter of the hotel. Recordings are stored locally on a standalone hard drive and are accessible only to management or with the explicit approval of the data controller’s management.

Access to personal data collected via video surveillance is granted to the authorized data controller’s personnel or individuals specifically designated by a formal decision published on the controller’s notice board.

All authorized individuals responsible for video surveillance data processing are strictly prohibited from using footage in any manner inconsistent with the intended and justified purpose of protecting persons and property, and such processing is permitted only where the data subject’s interests do not override it. All activities must comply with the Occupational Health and Safety Act (NN 71/14, 118/14, 154/14, 94/18, 96/18) and the Data Protection Act (NN 42/2018).

The video surveillance system is protected against unauthorized access by physical barriers (e.g., locked doors) and access control measures to the system interface, which is restricted to authorized personnel only.

Authorized state authorities may access the data as part of their legally defined duties.
The data controller has established an automated log system to record access to video surveillance footage, including timestamps, access locations, and identification of the individuals who accessed the data.

Footage obtained through video surveillance may be retained for up to one month, unless a longer period is required by law or if the footage is needed as evidence in judicial, administrative, arbitration, or similar proceedings.

Video surveillance is further governed by the Video Surveillance Rulebook.

4.4. Sources of Personal Data
We collect data directly from you or from others, including your travel companions, travel agencies, online platforms, event organizers, and other contractual partners.
You are responsible for ensuring that individuals whose data you provide are aware of and accept this use.

4.5. Disclosure of Personal Data

We share data only with recipients necessary to fulfill the stated purposes, in accordance with contractual confidentiality obligations. This may include cooperation with external partners providing specific services, under contractual terms that comply with data protection standards.

Personal data is generally stored on servers within the European Union, except for data exchanged via the website, which is stored in the United States under signed standard contractual clauses.

4.6. Data Retention Period

We retain data only for as long as necessary, depending on the type of data and the purpose of processing. Exceptionally, data may be retained for a longer period if required for the exercise of legal claims. Data is securely destroyed once the retention period expires.

The retention periods for certain types of personal data may be prescribed by law (e.g., employee records, tax and accounting data) or defined internally (e.g., keeping CVs of potential candidates).
In all cases, the Data Controller does not retain personal data longer than necessary for the purpose for which it was collected, except in the following situations:

  • Data processing is required for ongoing or potential legal proceedings, in which case data will be kept until the final resolution of such proceedings or the expiration of the relevant limitation period.
  • Data retention is required to fulfill a legal obligation of the Data Controller, in which case data is kept for as long as necessary to meet that obligation.

Regardless of the retention period, access to personal data is restricted to authorized personnel only. This applies to both paper-based records and digital data stored within the IT system.

5. Personal Data Protection Measures

Provisions regarding personal data protection measures are contained in the internal document Technical and Organizational Measures.

6. Cookies

Our website uses only the two cookies listed below.
By clicking “Accept All” on the website form, you consent to the use of ALL cookies. However, you may visit “Cookie Settings” to provide controlled consent for how your data is stored and used.

7. Business Partners

In order to contact our business partners and suppliers regarding the conclusion and execution of contracts (e.g., arrangements for goods delivery or service execution), we collect the contact details of partners who are natural persons and their employees (e.g., name and surname, work phone/mobile number, and email address).
This data is retained until the end of the business relationship and is not shared with third parties nor transferred outside the country. We do not collect any private data—only information related to the fulfillment of job-related tasks.

8. Job Applicants

You may send us an open job application via email at delminivm@hotel-delminivm.hr or by mail to our address. Providing data is voluntary. Personal data received in this way is processed solely for employment purposes and is not transferred abroad or shared with third parties outside our company.
CVs are retained for up to one year, and we will delete them earlier upon your request.
If you applied for a posted job ad and were not selected, your data will be deleted after the recruitment process ends, unless you explicitly agreed to a longer retention period for future job opportunities.

9. Cross-Border Data Transfers

The Data Controller does not transfer data outside the EU or the Republic of Croatia.

10. Data Confidentiality

Client data, along with any information obtained during the provision of services or during business activities with clients, is considered a trade secret and may be disclosed only in legally prescribed cases.
The Data Controller is obliged to forward personal data collected under legal obligations to relevant state authorities within the scope of their legal authority. This may include: the Ministry of Finance, the Tax Administration, the Office for the Prevention of Money Laundering, and other public authorities.

11. Data Subject Rights

The Data Controller ensures that all rights under Articles 16–22 of the GDPR are fulfilled.

Requests and inquiries sent to the Data Controller are processed without undue delay and in accordance with legal obligations. Data subjects are informed of all measures taken to fulfill their requests.

Contact for exercising rights: delminivm@hotel-delminivm.hr

Data subject rights are exercised according to the scheme described below:

DATA SUBJECT RIGHTS OVERVIEW

  • Right to Withdraw Consent: If the processing is based on consent, data subjects may withdraw it at any time, free of charge. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
  • Right of Access: Data subjects may request confirmation of data processing and access to personal data and related information, including data transfers outside the EU and applied safeguards.
  • Right to Erasure: Data subjects can request erasure of personal data without undue delay if there is no legal basis for further processing. If such a basis exists, it will be communicated in response to the request.
  • Right to Rectification: If personal data is inaccurate or incomplete, data subjects may request its correction or completion without undue delay.
  • Right to Object: If processing is based on legitimate interests, data subjects may object at any time. The Controller will stop processing unless there are compelling legitimate grounds or legal claims.
  • Right to Restrict Processing
  • Right to Data Portability: Data subjects may receive their personal data in a portable format and transmit it to another controller where applicable.
  • Right to Lodge a Complaint: Data subjects may submit complaints to the supervisory authority. In Croatia, this is the Croatian Personal Data Protection Agency (AZOP): http://azop.hr

Data subjects have the right to obtain a copy of their data for transfer to another data controller.
In certain situations, the personal data of data subjects processed by the Controller may be transferred to third parties. The GDPR allows the transfer of personal data only if there is a valid legal basis for such transfer.
The Controller ensures that each individual transfer of personal data is based on a valid legal ground, that appropriate personal data protection measures have been applied, and that the data subject has been informed of the transfer. This is especially relevant when data is transferred to service providers located outside the EU/EEA.
The security of data transfers and the existence of a valid legal basis is ensured, among other things, by contracts between KRIŠTO TURIZAM as the data controller and service providers as processors (see above). In situations where data is transferred to third parties who are not data processors (nor public or other authorities with a legal obligation to access the data), the security of personal data is ensured by entering into data confidentiality agreements with such third parties.

12. Legal Basis

The legal bases for the collection and processing of data subjects’ personal data are the following:

LEGAL OBLIGATION

Laws governing the business operations of the Data Controller prescribe the sets of data necessary for the fulfilment of legal obligations. For the collection and processing of data prescribed by law, the Data Controller will not seek the data subject’s consent, but will collect only the data required by law and will not use them for other purposes. This especially applies to data collected under the following laws and corresponding regulations, including but not limited to:

  • Law on the Implementation of the General Data Protection Regulation
  • Tourist Tax Act
  • Ordinance on the eVisitor System
  • Accounting Act
  • Value Added Tax Act
  • Income Tax Act
  • Labour Act
  • Ordinance on the Content and Manner of Keeping Records of Employees

CONTRACTUAL OBLIGATION

The Data Controller shall collect personal data necessary for fulfilling contractual obligations without the data subject’s consent, in the minimum scope required for the fulfilment of said obligation.

LEGITIMATE INTEREST

The Data Controller shall subsequently publish a list of its legitimate interests on the basis of which it collects and processes personal data to enable and/or improve its services or products.

PROTECTION OF VITAL INTERESTS OF THE DATA SUBJECT

The Data Controller may collect and process personal data without the data subject’s consent when it is necessary to protect their vital interests.

PUBLIC INTEREST OR EXERCISE OF OFFICIAL AUTHORITY

If the Data Controller operates in the public interest or under an official authority, it is not always necessary to inform the data subject about the data collection.

CONSENT

In all other cases, the Data Controller will request the data subject’s consent for the collection and processing of personal data, clearly stating the purpose. The data subject may withdraw their consent at any time, after which the data must be deleted and processing ceased. The Data Controller will maintain records of all active and withdrawn consents to ensure compliance.

Consents

In specific cases, the Data Controller will use the following consents:

EMPLOYEE REGISTRATION DATA RECORD

Data subjects have the right to withdraw their consent at any time, and the Data Controller shall maintain an up-to-date record of all collected and withdrawn consents.

Terms and Definitions

GENERAL DATA PROTECTION REGULATION (GDPR)

This regulation (Regulation (EU) 2016/679) is aimed at strengthening and unifying data protection for all individuals within the European Union. It also regulates the export of personal data outside the EU.

DATA CONTROLLER

A person or body that determines the purpose, conditions, and means of the processing of personal data.

DATA PROCESSOR

A person or body that processes personal data on behalf of the Data Controller.

AGENCY FOR THE PROTECTION OF PERSONAL DATA

A state agency responsible for data and privacy protection, overseeing GDPR implementation and enforcement within the EU.

DATA PROTECTION OFFICER (DPO)

A data protection expert who acts independently to ensure the organisation's compliance with data protection policies and procedures based on GDPR.

DATA SUBJECT

An individual whose personal data is processed by the Data Controller or Processor.

PERSONAL DATA

Any information relating to an identified or identifiable natural person that can be used directly or indirectly to identify the individual.

PROCESSING OF PERSONAL DATA

Any operation performed on personal data, whether automated or not, including collection, use, recording, and more.

PROFILING

Any form of automated processing of personal data to evaluate, analyze, or predict aspects of a data subject’s behavior.

RIGHT OF ACCESS

The data subject’s right to obtain access to personal data concerning them that is held by the Data Controller.

Legal Framework

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Act on the Implementation of the General Data Protection Regulation

KRIŠTO TURIZAM D.O.O.

Director:

__________________________

                 Pavo Batinić