PRIVACY STATEMENT
1. INTRODUCTION
GRAND HOTEL LAV d.o.o. is a company with its registered seat in Podstrana, Grljevačka 2/A, personal identification number (further in text: OIB): 44693068925, registration number: 060185094 (further in text: GHL), which is considered as a controller within the meaning of the General Data Protection Regulation (EU) 2016/679 dated 27.04.2016 (OJ EU L 119 dated 04.05.2016, Corrigendum L 127/2 dated 23.05.2018; further in text: GDPR) and Act on implementation of General Data Protection Act (Official Gazette 42/2018; further in text: the Act).
GHL is engaged in providing hospitality services within the hotel Le Méridien Lav, Split (further in text: hotel) and services of preparation and service of food and drinks. GHL is also engaged in tourism and providing hospitality services within harbor for nautical tourism – marina Lav in Podstrana (further in text: marina), whereby its focus is primarily on providing sea berths for vessels.
Herewith we want to clarify in transparent manner which personal data is collected by GHL, how and for what purposes is data being processed, what are your rights related to personal data, and other details significant for processing and protection of personal data.
We process your data in accordance with GDPR and the Act, as well as other applicable laws and regulations.
For all your questions, comments and requests for exercising your rights related to your personal data feel free to contact us by:
1) e-mail on address: dpo@lemeridiensplit.com;
2) letter on address: Grljevačka 2/A, 21 312 Podstrana;
3) contact form on our websites.
2. DEFINITIONS
The following expressions used in this statement, have the following meaning within GDPR:
– „personal data” – means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
– „processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. HOW WE COLLECT PERSONAL DATA
GHL can collect your personal data in the following ways:
1) if you contract i.e. use our services;
2) if you contact us – for example by completing a contact form/reservation on one of the websites (www.lemeridienlavsplit.com, www.recuperaspa.com or www.marinalav.hr), or if you submit a request for accommodation in hotel or accommodation of vessel in marina or for any other service provided by GHL by e-mail or in any other way, if you subscribe for receiving newsletter on our websites, if you request delivery of a pro forma invoice or an offer and similar or you request any other information or contact us for any other reason;
3) if you participate in one of the programs of rewarding clients organized by GHL;
4) if you participate in our survey, prize contest, marketing campaign or similar, for example by answering questions, entering data and other;
5) if you visit or browse/search our websites;
6) if you visit or follow our pages on social media, for example Facebook, Twitter, Instagram, YouTube, LinkedIn, tripadvisor, TumbIr and other or you perform certain activity or interaction on our social media (for example “like”, “comment“, “share“ or other);
7) if a third party has transferred your personal data to us in an allowed way, for example travel agencies, brokerage agencies for booking accommodation or other companies, or we collect such data from publicly available registers or other databases;
8) if you gave your consent to use your photos on social media, for example Facebook, Twitter, Instagram, YouTube, LinkedIn, tripadvisor, TumbIr and other;
9) if you park your vehicle within hotel complex
10) if you find yourself in the area of hotel and/or marina within the perimeter of recording of security cameras i.e. video surveillance.
If you provide us with personal data of another person, we assume that you have authorization and/or consent of the person whose data you deliver to us.
Your personal data is also being processed by means of video surveillance i.e. security cameras placed within the area of hotel and area of marina for securing protection and safety of persons and property during the stay in hotel and marina, as well as for prevention and detection of committed crimes and offences, alienation and damage of property.
If you find yourself in the perimeter of recording, we can process video recording on which you are recorded, which can also include other persons near you, and/or on or near your vessel, all within the perimeter of recording.
Access to video recordings is available only to the authorized persons of GHL, primarily to security department and human resources department and sailor’s service of GHL, and in extraordinary cases access can also be allowed to our business partner who provides the service of physical and technical protection of persons and property, so there is a possibility that such business partner is also granted access to video recording, if necessary.
In cases foreseen by applicable laws and regulations, competent authorities of the Republic of Croatia can also have access to video recordings.
4. TYPES OF PERSONAL DATA WE PROCESS
Within the scope of its business activities, GHL collects i.e. processes personal data of its clients and/or contractual parties and partners and other individuals, depending on the case, such as:
1) name and surname, address of primary/secondary residence (street and street number, city and postal number, state), telephone and/or mobile phone and/or telefax number, e-mail address;
2) passport, ID card or other identification document issued by the competent authority and its number;
3) Croatian personal identification number (OIB) or any other identification number;
4) place, state and date of birth, citizenship, gender, internal registration number;
5) number and control number of credit or other card;
6) other data regarding the payment (payment conditions, account numbers, possible discounts and similar);
7) data collected from security cameras placed within the area of hotel and marina;
8) data on location, if applicable and if you enabled collection of such data on your device(s);
9) IP address;
10) technical data (number of visits to our website and other);
11) history of services;
12) vehicle registration plates;
13) photograph of data subject.
Our policy is to collect only personal data necessary for achievement of a specific legitimate purpose of data processing.
5. PURPOSE OF PERSONAL DATA PROCESSING
We collect and process your personal data in order to:
1) fulfill our contractual obligations and provide you with services you ordered/contracted;
2) fulfill obligations prescribed by applicable laws and regulations;
3) manage our programs of rewarding clients;
4) provide you with information and/or offers and/or other you requested from us;
5) provide you with a newsletter;
6) manage and conduct surveys, prize contests, marketing campaigns or similar;
7) manage, analyze and administrate our websites;
8) manage, analyze and administrate our pages i.e. profiles on social media;
9) manage parking;
10) secure protection and safety of persons and property and for other safety reasons within the area of hotel and marina;
11) inform you on important news such as, for example, changes and/or amendments of our terms of contract and/or other changes or information important for our business or your stay in hotel or marina or other.
6. LEGAL BASIS FOR PERSONAL DATA PROCESSING
Performance of the contract
If you contract or use our services, we will collect and process personal data above stated for the purpose of providing the accommodation services in hotel or entering into and performing contract for usage of berth in marina or other contracts and/or services we provide.
If you have contracted or used our services, collection of certain personal data related to you is necessary in order to fulfill our contractual obligations and provide you with services you ordered or contracted.
Compliance with legal obligations
Laws and regulations applicable on the territory of the Republic of Croatia prescribe certain obligations which demand that we as controller i.e. processor collect and process certain personal data for purposes determined by the law and also, in certain cases, that we provide such data to the competent authorities. For example, data on your name and surname, gender, place, state and date of birth, type and number of identification document, address of primary/secondary residence, is required to register and deregister your stay with the competent tourist office, within prescribed deadlines, which is one of our legal obligations.
Legitimate interest
In certain cases, we have the legitimate interest for collecting and processing your personal data.
Your personal data is also being processed by means of video surveillance i.e. security cameras placed within the area of hotel and marina because we have legitimate interest to ensure protection and safety of persons and (your) property, preventing and detecting committed crimes and offences, alienation and/or damage of property.
We process vehicle registration plates for the purpose of parking management and securing parking lots.
If you are our client or you already use our services, your name and surname, telephone and/or mobile phone and/or telefax number, and e-mail address can be used for sending information on services and/or benefits related to the services you used, and all because we consider we have the legitimate interest therefor. It is important to emphasize that you can unsubscribe or deregister from this list of receivers at any time.
Consent
In certain cases, we can collect and process your personal data only if you gave consent. It is important to emphasize that you have a right to withdraw your consent at any time in a way that you contact us as is foreseen in Article 1 of this statement (Introduction).
Your name and surname, address of permanent residence/residence telephone number and/or mobile phone number and/or telefax number, and e-mail address are used for sending newsletters, marketing messages, notification on services and/or benefits, if you subscribed for receiving such content i.e. if you gave consent.
We also use the stated data if you joined one of our program of rewarding clients and gave consent for personal data processing, all in order to participate and use certain benefits from programs and receive information from us.
7. RECIPIENTS OF YOUR PERSONAL DATA
Certain personal data that we collect may be transferred or disclosed to individuals who are responsible for specific actions on our behalf or provide us with certain services, such as accounting services, lawyers, and others, who are considered processors under the GDPR. Processors must provide adequate guarantees to implement appropriate technical and organizational measures to ensure compliance with GDPR requirements and protect the data subject’s rights. These processors are bound by a data processing contract with us, specifying the personal data they can process and the purposes for which they can process it.
We may transfer certain personal data collected to the Marriott Group within our business under Marriott franchise and programs, as well as to Marriott servers. This transfer is based on our legitimate interest and may be necessary to enter into and fulfill contracts between us and Marriott, as certain data in GHL is stored and processed in these programs. The Marriott servers, located in Germany and the United States, are controlled by a company certified under the EU-U.S. Data Privacy Framework, ensuring compliance with GDPR requirements and Marriott’s privacy policies. For more information, please visit www.marriott.com/about/privacy.mi.
Your personal data may be shared with our trusted business partners to ensure the provision of our services, such as real-time authorization of credit and debit cards. Additionally, we may disclose personal data to competent authorities when required by law or to protect our rights, property, or safety. Access to personal data obtained through video surveillance is restricted to authorized individuals from GHL and designated processors.
We can transfer or disclose your personal data to our reliable business partners, without whose services we would not be able to provide our services or part of our services, for example real time authorization of your credit and debit cards or other. Certain personal data collected we can transfer i.e. disclose to those persons who undertake certain actions in our name or provide us with certain services, such as accounting service, lawyers and other, which are considered as processors within the meaning of GDPR.
Processor can only be a person providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of rights of the data subject. Therefore, in stated cases such processors are bound and limited by a contract on data processing, which they concluded with us and which determines which personal data certain processor can process and for which purposes.
When such obligation is foreseen by applicable laws and regulations or if necessary for protecting our rights, property or safety, we are obliged to transfer or disclose certain personal data we collect to the competent authorities.
Only authorized persons from GHL and processors who act in the name and on behalf of GHL have the right to access personal data collected by means of video surveillance.
8. LINKS
On our websites you can find links to the websites of third parties, which we place because we find them necessary or useful to our clients.
Please note that such third parties’ websites are out of the scope of this statement and we cannot bear any kind of responsibility for them because those websites are of third parties and therefore rules and terms of personal data protection of such third parties apply accordingly.
9. KEEPING OF PERSONAL DATA AND RETENTION
We will not keep your personal data longer than it is necessary for fulfilling or achieving the purpose for which such data is collected. Generally, we will keep personal data of our contracting parties permanently, personal data of persons who applied for receiving a newsletter – until they withdraw their consent or unsubscribe from the list of recipients, personal data of persons who contacted us for some reason – during the communication, etc.
When your personal data is no longer necessary or basis for processing no longer exists, we will erase such data from our system or destroy all documentation in which your data is contained, depending on the case.
Previous provisions of this Article do not apply if applicable laws and regulations prescribe longer period for keeping of personal data for a specific purpose or it is necessary and/or allowed due to some other reason.
10. SAFETY
With regard to safety and protection of your personal data, we strive to apply appropriate technical and organizational measures in order to protect them. Nevertheless, unfortunately, no one can guarantee that transfer or keeping or any other system or measure related to personal data is 100% safe.
There is no automated decision making in the GHL, i.e. GHL does not perform automated profiling and decision-making through its systems.
11. NEWSLETTER AND MARKETING MESSAGES
Newsletters and marketing messages will be sent to you if you gave consent for such purpose, all in order to inform you on our products and services. You can withdraw your consent at any time in a way that you contact us as is foreseen in Article 1 of this statement (Introduction) or by simply unsubscribing from our list of recipients with “unsubscribe” or “deregister” option on our websites.
12. YOUR RIGHTS RELATED TO PERSONAL DATA
According to GDPR you have certain rights related to your personal data as stated below. You can exercise your rights at any time by contacting us as foreseen in Article 1 of this statement (Introduction and our contact information).
Right of access
You have a right to request and receive from us as controller a confirmation as to whether or not personal data concerning you is being processed and which personal data is being processed, access to personal data and information, all in accordance with Article 15 of GDPR.
Right to correction
You have a right to request from us as controller a correction of personal data concerning you, and which data is incorrect or incomplete.
Right to erasure (Right to be forgotten)
You have a right to request from us as controller an erasure of personal data concerning you, and we will erase such data without undue delay if any of the conditions from Article 17 paragraph 1 of GDPR is fulfilled.
Right to erasure of personal data is not an absolute right and it does not supersede our obligations arising from applicable laws and regulations. Therefore, in certain cases we will not be able to erase personal data to the extent in which its processing is necessary.
Right to restriction of processing
You have a right to request from us as controller a restriction of processing of your personal data where one of the following applies:
1) you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data; or
2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or
3) we as controller no longer need the personal data for the processing purposes, but you request them for the establishment, exercise or defense of legal claims; or
4) you have objected to processing expecting the verification whether the legitimate reasons of us as controller supersede your reasons.
Right to data portability
You have a right to request and receive from us as controller personal data concerning you, and which you provided to us in a structured, commonly used and machine-readable format and you have the right to transmit this data to another controller, if conditions from Article 20 Paragraph 1 of GDPR are fulfilled.
Right to object
You have the right to object at any time on your personal data processing, which is based on legitimate interest because of your specific situation, unless the reasons for such processing supersede the right of protection of personal data.
Right of complaint to the supervisory authority
We will process your data in accordance with GDPR, other applicable laws and regulations and apply technical and organizational measures for protection of personal data.
However, if you find that we process your data in an unlawful way and do not consider you can find a solution of your situation together with us, you have a right to file a complaint to the supervisory authority i.e. Croatian Personal Data Protection Agency with its registered seat in Zagreb, Selska cesta 136. For more information, please visit the official site www.azop.hr.
13. INSTRUCTIONS AND CONTACT DETAILS OF DATA PROTECTION OFFICER
For all your questions, comments and requests for exercising your rights from Article 12 of this statement, you can contact us in ways stated in Article 1 of this statement (Introduction).
When submitting a request for exercising any of your rights from Article 12 of this statement, please state a clearly what is the subject of your request and which personal data does it refer to. Please have in mind that we will have to verify your identity before acting upon your request, due to ours and yours safety reasons, therefore there is a possibility that we revert to you regarding your request.
We will consider your request and strive to act on it within a reasonable time period. Please have in mind that certain circumstances can cause a certain delay in action, such as large number of requests received within the same time period.
If you requested exercising of some right, for example erasure, or if you withdraw your consent, there is a possibility that we keep personal data or part of a personal data we collected because the need therefor arises from laws and obligations, or the necessity arises from certain other reasons, e.g. in order to finish a transaction which began before you submitted request.
For all questions and information regarding the personal data processing and exercising your rights, you can also contact our data protection officer by:
1) e-mail on address: dpo@lemeridiensplit.com;
2) letter on address: GRAND HOTEL LAV d.o.o., Grljevačka 2/A, 21 312 Podstrana, Croatia, with indication “Attn: Data protection officer“.
14. CHANGES AND AMENDMENTS OF PRIVACY STATEMENT
As controller, we will monitor the status of personal data protection and improve our protection measures and other important issues, if needed, therefore we reserve the right to change and/or amend this statement from time to time.
Information on changes and/or amendments of this statement will published on our websites where you can find applicable version of the statement.
In Podstrana on 22.08.2022.