GRAND HOTEL LAV d.o.o., a company having its registered seat in Podstrana, Grljevačka 2/A, PIN (OIB): 44693068925, Reg.No.: 060185094 (hereinafter referred to as: GHL), for the purposes of the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (OJ L 119 of 04/05/2016, corr. L 127/2 of 23/05/2018; hereinafter referred to as: the GDPR) and the General Data Protection Regulation Implementation Act (Official Gazette No. 42/2018; hereinafter referred to as: the Act) is hereby considered as the data controller.
GHL provides hospitality services in Podstrana, primarily providing accommodation services in the Le Méridien Lav Hotel and food and beverage catering services.
This Privacy Statement serves to transparently and publicly explain which personal data is collected by GHL, how it is collected and for what purposes, what your rights are and other details significant for the processing and protection of personal data.
We process your data in accordance with the GDPR and the Act as well as other applicable laws and regulations.
If you have any questions, comments or requests for the exercise of your rights with regard to your personal data, you can contact us in any of the following ways:
- E-mail: firstname.lastname@example.org;
- Letter addressed to: GRAND HOTEL LAV d.o.o., Grljevačka 2/A, 21 312 Podstrana, marked with “n/r službenika za zaštitu osobnih podataka” (“attn.: Data Protection Officer”).
The following terms used in the Privacy Statement shall have the following meaning according to the GDPR:
– ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
– ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3 HOW WE COLLECT PERSONAL DATA
GHL can collect your personal data as follows:
- If you arrange for or use our services;
- If you contact us – e.g. if you fill out an application and/or reservation on the websites marriott.com, www.recuperaspa.com or www.grandhotellav.com, or if you send us a request for accommodation in the Le Méridien Lav Hotel or for any other service provided by GHL via e-mail or otherwise, or if you subscribe to a newsletter on the above websites or request a quote or an offer, etc., or if you ask for any other information, or if you contact us for any other reason;
- If you participate in one of GHL loyalty bonus programmes;
- If you participate in our polls, contests, marketing campaigns, etc., by answering questions, entering data, etc.;
- If you visit or browse our website as well as the website of the group we are a member of;
- If you use our mobile apps (i.e. Le Méridien Lav app);
- If you visit or follow our social networking pages, etc., or you perform a certain activity or interaction via social networking sites, e.g. Facebook, Twitter, Instagram, YouTube, LinkedIn, Tripadvisor, Tumblr, etc.;
- If third parties lawfully forwarded your personal data to us, e.g. travel agencies, booking agencies or other companies, or we collect them from public registers or other databases;
- If you consent to us using your photographs through social networking sites, etc., e.g. Facebook, Twitter, Instagram, YouTube, LinkedIn, Tripadvisor, Tumblr, etc.;
- If you find yourself within the perimeter of security cameras, i.e. video surveillance inside and around the Le Méridien Lav Hotel.
If you provide personal data of other individuals to us, you shall guarantee that you have obtained the necessary authorisation and/or consent for such a disclosure or delivery of data from the person whose data you deliver.
We also process your personal data through video surveillance, i.e. security cameras installed inside and around the Le Méridien Lav Hotel for security purposes and for the purpose of ensuring the protection of individuals and property during their stay at the Le Méridien Lav Hotel and for the purpose of preventing and discovering crimes and offences, thefts and damage to property. We may process the video recording of you, which may also include other persons in your vicinity that are within the perimeter of the recording.
Only authorised personnel of GHL, primarily the security department and the human resources department, have access to video recordings. In exceptional circumstances, access to video recordings may also be granted to our business partner in charge of physical and technical protection of persons and property.
In cases prescribed by applicable laws and regulations, competent bodies of the Republic of Croatia may also have access to video recordings.
4 TYPES OF PERSONAL DATA WE COLLECT
Within the scope of its business activities, GHL, on a case by case basis, collects and processes personal data of its clients or contracting parties and other individuals, such as:
- Full name, domicile/residence address (street, number, city, postal code, country), telephone number and/or mobile phone number and/or fax number, e-mail;
- Passport, ID card or other identification document issued by a foreign competent body and its number;
- Personal identification number (OIB) or other identification number;
- Place, country and date of birth, citizenship, sex, internal application number;
- Number and control number of a credit or other type of card;
- Other required data with regard to payment (terms of payment, account numbers, any approved discounts, etc.);
- Data collected through security cameras installed inside and around the Le Méridien Lav Hotel;
- Location data, if applicable, and if you allowed it;
- IP address;
- Technical data (number of visits to our website, etc.);
- History of used services.
We try to collect only the data necessary for achieving a lawful processing purpose.
5 PURPOSE OF DATA PROCESSING
We collect and process your personal data in order to:
- Meet our contractual obligations and provide you with services you ordered or arranged for;
- Meet our obligations prescribed by applicable laws and regulations;
- Manage our bonus programmes;
- Deliver information and/or offers and/or anything else you requested from us;
- Deliver newsletters;
- Manage and carry out polls and/or contests and/or marketing campaigns, etc.;
- Manage, analyse and run our website;
- Manage, analyse and run our social networking websites;
- Ensure security and protection of persons and property and for other security purposes on the property of Le Méridien Lav Hotel.
6 LEGAL GROUNDS FOR DATA PROCESSING
If you arrange for or use our services, we will collect and process the above personal data for the purpose of providing accommodation services at the Le Méridien Lav Hotel or other services we provide and for the purpose of carrying out business processes that include managing clients’ and users’ requests. If you have arranged for or use our services, it is necessary to collect personal data concerning you so that we are able to meet our contractual obligations and provide you with the services you ordered or arranged for.
Complying with and meeting legal obligations
Laws and regulations applicable on the territory of the Republic of Croatia impose on us, as the processor and the data controller, certain obligations that require us to collect and process certain personal data for legally prescribed purposes and, in certain cases, to deliver such data to competent bodies.
For example, your full name, sex, location, country and date of birth, type and number of identification document, domicile/residence address are all needed in order to register and deregister your stay within the prescribed time to the appropriate tourist board, which is one of our legal obligations.
In certain cases we have a legitimate interest in collecting and processing your personal data.
We collect and process your IP address because we believe our legitimate interest is to protect ourselves from fraud and to protect and ensure safety, but we also use the data to analyse our web traffic and usage, for statistical purposes among other things.
We also process your personal data through video surveillance, i.e. security cameras installed inside and around the Le Méridien Lav Hotel, since we have legitimate interest in ensuring the protection of individuals and (your) property and in the prevention and discovery of crimes and offences, thefts and damage to property.
If you are our client, i.e. user of our services or if you are our business partner, we use your full name, telephone number and/or mobile phone number and/or fax number and e-mail for the purpose of sending newsletters, advertisements, notifications for services and/or bonuses, since we believe we have legitimate interest in doing so. It is important to note that you can unsubscribe from the list of subscribers at any time.
In certain cases we can collect and process your personal data only if you provide us with your consent. It is important to note that you can withdraw your consent at any time by contacting us as specified in Article 1 of this Privacy Statement (Introduction and our contact data).
We use your full name, telephone number and/or mobile phone number and/or fax number and e-mail for the purpose of sending newsletters, advertisements, notifications for services and/or bonuses if you subscribed to such contents, i.e. if you have provided us with your consent.
7 SHARING YOUR PERSONAL DATA
Certain personal data we collect may be disclosed to those subjects that perform certain activities on our behalf or provide us with certain services, e.g. accounting, lawyers, etc., which are considered to be data processors within the meaning of the GDPR.
The data processor can include a subject that sufficiently guarantees the implementation of appropriate technical and organisational measures in such a manner that the processing is in accordance with the requirements of the GDPR and ensures the protection of the data subject rights. Therefore, in the above cases, these subjects, i.e. data processors have contractual obligations and restrictions with regard to data processing from contracts they signed with us, which determine which of your personal data an individual processor can or may process and for which purpose.
For more information and the members of the Marriott Group, visit https://www.marriott.com/about/privacy.mi.
We may disclose your data to reliable business partners, whose services are vital for providing some of our services, e.g. real time authorisation of credit and debit cards.
We are obligated to disclose certain personal data we collect to competent authorities when such an obligation is prescribed by applicable laws and regulations or it is necessary in order to protect our rights, property or security.
The right to access personal data collected through video surveillance is granted only to authorised GHL personnel, i.e. data processor acting on behalf and in favour of GHL.
9 COOKIES AND IP ADDRESSES
Cookies can also be placed if you use social networking sites, if you visit or follow our social networking pages, etc., or if you perform certain activities or interactions (e.g. like, comment, share) on them, i.e. Facebook, Twitter, Instagram, YouTube, etc.
We collect data on your IP address primarily for security and technical purposes, but also for statistics and analysis and for improving the quality of our provided services.
General data on how Google uses data collected on our website can be found at https://policies.google.com/privacy/google-partners?hl=en.
10 PERSONAL DATA STORAGE AND RETENTION
Your personal data will not be kept longer than necessary to fulfil the purpose for which it was collected. As a rule, we permanently keep personal data of the contracting parties, personal data of persons who subscribe to our newsletter – until they unsubscribe from the list of subscribers or withdraw their consent, personal data of persons who contacted us for any reason – until the end of communication, etc.
When your personal data stops being relevant or the grounds for processing cease, we will delete it from our system and destroy the documents containing it, as needed.
The above does not apply if applicable laws and/or regulations for a particular purpose prescribe a longer period for personal data retention or if it is necessary and/or allowed for any other reason.
With regard to security and protection of your personal data, we strive to implement appropriate technical and organisational measures to protect it. However, unfortunately, no one can guarantee that the transfer or storage or any other system or measure regarding personal data is 100% secure.
GHL does not apply automated decision making or automated profiling and decision making in its systems.
12 NEWSLETTERS AND ADVERTISEMENTS
Newsletters and advertisements will be sent to you if you provide us with your consent or if it is in accordance with our legitimate interest in order to notify you about our products and services. You can withdraw your consent at any time by contacting us as specified in Article 1 of this Privacy Statement (Introduction and our contact data) or you can simply ‘unsubscribe’ from our list of subscribers or ‘opt out’ on our website.
13 YOUR PERSONAL DATA RIGHTS
Under the GDPR you have certain rights with regard to your personal data, which are listed below. You can exercise your rights at any time by contacting us as specified in Article 1 of this Privacy Statement (Introduction and our contact data).
Right of access
You have the right to request and receive confirmation on whether we as the data controller process your personal data and, if we do, you have the right to access the personal data and information in accordance with Article 15 of the GDPR.
Right to rectification
You have the right to demand of us as the data controller to rectify any personal data concerning you if the data is incorrect or incomplete.
Right to erasure (right to be forgotten)
You have the right to demand of us as the data controller to erase any personal data concerning you, and we will erase it without undue delay if any of the grounds from Article 17(1) of the GDPR apply.
The right to erasure of personal data is not an absolute right and does not override our obligations that arise from applicable laws and regulations. Therefore, in certain situations we will not be able to erase personal data to the extent that processing is necessary.
Right to restriction of processing
You have the right to demand of us as the data controller to restrict the processing of your personal data if:
- The accuracy of the personal data is contested, for a period enabling us as the controller to verify the accuracy of the personal data; or
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or
- We as the controller no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- You have objected to processing, pending the verification whether the legitimate grounds of us as the controller override your own.
Right to data portability
You have the right to demand and receive from us as the data controller personal data concerning you, which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the data to another controller if the terms from Article 20(1) of the GDPR are met.
Right to object
You have the right to object at any time to processing of your personal data based on legitimate interests due to your specific situation, unless the grounds for the processing override the rights to personal data protection.
Right to lodge a complaint with the supervisory authority
We will process your data in accordance with the GDPR, other applicable laws and regulations and implement organisational and technical measures for personal data protection.
However, if you believe that we process your personal data unlawfully and if you feel that a mutual solution for your situation is improbable, you have the right to lodge a complaint with the supervisory authority, i.e. the Croatian Personal Data Protection Agency in Zagreb, Martićeva 14.
For more information visit the official website of the Agency www.azop.hr.
14 INSTRUCTIONS FOR THE EXERCISE OF DATA SUBJECTS' RIGHTS
If you have any questions, comments and requests concerning the exercise of your rights with regard to your personal data, especially rights listed under Article 13 of this Privacy Statement, you can contact us as specified in Article 1 of this Privacy Statement (Introduction and our contact data).
When submitting a request for the exercise of any of your rights from Article 13 of this Privacy Statement, please be sure to clearly state the subject of your request and the personal data it involves. Please bear in mind that we will have to confirm your identity before we proceed with your request, primarily due to our security as well as yours, which is why it is possible that we will contact you with regard to your request.
We will consider each request and try to act on it within a reasonable time. Please bear in mind that certain circumstances may cause a delay in the procedure, e.g. if we receive a larger number of requests at a given time.
If you submitted a request for the exercise of any of your rights, such as erasure, or you withdrew your consent, it is possible that we keep the collected personal data or a part of it if the laws and obligations oblige us to do so or if this is necessary due to other reasons, e.g. to complete a transaction that started before the request was made.
If you have any questions and require information with regard to the processing of your personal data and your rights, you can also contact our Data Protection Officer by:
- E-mail: email@example.com;
- Letter addressed to: GRAND HOTEL LAV d.o.o., Grljevačka 2/A, 21 312 Podstrana, marked as “n/r službenika za zaštitu osobnih podataka” (“attn.: Data Protection Officer”).
15 AMENDMENTS TO THE PRIVACY STATEMENT
As the data controller we will monitor the status of personal data protection and if necessary improve the protection measures and other relevant issues, which is why we retain the right to occasionally amend and/or supplement this Privacy Statement.
We will notify you about any amendment and/or supplement to this Privacy Statement by announcing it on our website, where you can find the current version of the document.
Podstrana, 24 May 2018