Information on personal data protection

This Information contains amendments to the Privacy Policy based on which Maistra d.d. regulated the protection of your personal data. These amendments are motivated by the entry into force of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: General Regulation - GDPR).

This Information applies to all cases of processing of your personal data by Maistra d.d. Rovinj as the Controller, unless any other Information, Privacy Policy or similar documents irrespective of their name need to be applied in special cases of processing and take precedence over this Information or supplement it (e.g. data processing cases specific to individual Maistra facilities).

CONTROLLER

Maistra d.d., joint stock company for hotel management and tourism, Rovinj, Obala Vladimira Nazora 6 is the controller of your personal data within the meaning of the General Regulation (GDPR).

Regarding the processing of your personal data, you can contact us through our Data Protection Officer by:

• sending a query via email to: [email protected];
• sending post to the following postal address: Obala Vladimira Nazora 6, 52210 Rovinj (Croatia), Attn: Data Protection Officer.

PURPOSE AND LEGAL BASIS FOR PROCESSING

We provide the purposes and legal bases for the processing of your personal data in point 1 of this Information.

CATEGORIES OF RECIPIENTS

We provide more information on the categories of recipients of your personal data in point 2 of this Information.

PERIOD OF STORAGE

For more information on the period of storage of your personal data see point 3 of this Information.

YOUR RIGHTS

We remind you of your rights in point 4 of this Information.

AUTOMATED DECISION-MAKING AND PROFILING

You can read more about the automated decision-making, including profiling, in point 5 of this Information.

1. PURPOSE AND LEGAL BASIS FOR PROCESSING

We collect, store and in other permitted ways process your personal data for the following purposes.

Booking

• At the time of booking accommodation and other services, we collect your personal data in order to conclude an agreement for accommodation and other services, especially to contact you (e.g. phone/mobile phone number, email address) or unambiguously link the booking with you and other guests traveling with you (e.g. name and surname, date of birth, number of guests, date of arrival, date of departure).

Without these data we cannot conclude an agreement for accommodation and other services.

As an exception, when the booking is made on our partners' website, we collect the above-mentioned data and other data that our partner determines to be mandatory and without which the contract cannot be concluded.

Check-in

• At the time of your check-in at the facility, we collect and process your personal data in order to comply with our legal obligations under the regulations on the manner of keeping tourist registers and the form of tourist registration.

According to the currently valid regulations, we are obliged to collect the following data: surname and name, place, country and date of birth, citizenship, type and number of identity document, place of residence (temporary residence) and address, date and time of arrival to and departure from the facility, gender, note (basis for exemption from the sojourn tax payment, i.e. for reducing the sojourn tax payment).

We cannot provide the accommodation service without these data.

Booking and check-in

• At the time of booking and check-in, you can also provide us with additional data that will help us personalise the service we provide and further arrange your contractual relationship regarding accommodation and other services.

For this purpose, we collect and process data which are marked as optional on our websites and our partners' websites advertising our facilities, such as the flight number, accommodation preferences (e.g. smoking room), vegetarian menu, allergies, bed preferences, pillow preferences, etc.

Without these data, accommodation and other services will be provided, but the provided accommodation and services will not necessarily have additional quality and content that depend on these data.

Technical and security measures

• During your stay at our facility, we apply technical and security measures (e.g. video surveillance in the public areas of the facility that can record you, card keys that can show your location, etc.) to protect you and your property, other guests and their property, our employees and our property.

The application of technical and security measures that exist in some of our facilities cannot be discontinued at the request of a particular guest.

Loyalty programmes

• The collected data regarding your membership in our Loyalty Programmes are processed based in accordance with your consent on our contractual relationship which arises in these programmes in order to gain the benefits described in the following links: https://www.maistra.com/loyalty and https://www.maistra.com/loyalty/general-terms.
• In addition, we use your data for direct marketing purposes (e.g., sending newsletters), which includes profiling for direct marketing needs.
• Membership in Loyalty Programmes is voluntary and you may at any time terminate your participation in the programmes as described in the links listed above.

Marketing and customer satisfaction surveys

• We collect and process your data so that we can contact you for promotional (marketing) purposes or for the purpose of assessing customer satisfaction concerning our services (surveys and such), in accordance with your consent.
• Promotion, for example, implies making special and personalised offers and services (e.g. newsletters).

Competitions

• When you participate in our competitions, we collect dana, in accordance with your consent, required by the rules of the competition as a precondition for participation and data which are necessary for the fulfilment of your contractual rights and our contractual obligations in the event of you winning a prize.

Statistical analysis for internal purposes

• We process your personal data for statistical purposes in order to collect information about our business and our services. Data are processed so as not to allow your identification (so-called depersonalised data).

Legitimate interest

The General Regulation (GDPR) provides for our right (legitimate interest) to process your personal data for the purpose of direct marketing and profiling regarding such marketing, to the extent which is not contrary to your interests, freedoms and rights.

However, in order to ensure a more complete protection of your personal data, rights and interests, before processing your personal data for the purpose of direct marketing, we will seek to ask your explicit consent for such processing.

2. CATEGORIES OF PERSONAL DATA RECIPIENTS

The personal data we are obliged to collect at the time of a guest’s check-in is sent electronically to the eVisitor system, according to the regulations on the manner of keeping tourist registers and the form of tourist registration.

Your personal data are sent to our contractual processors that provide us with service management computer programs that have access to these data only to the extent necessary for the proper functioning of the program and to other processors that enable us to provide hospitality and tourist services. Also, your data are sent to other Controllers if it is necessary for the provision of accommodation services or other services (e.g. if you have booked a travel transfer service provided by our contracting partner with the accommodation service).

Your personal data are communicated or made available to third parties in other cases as well, but only when we are obliged to do so under the General Regulation (GDPR), for example at the request of a competent judicial or administrative body.

3. PERIOD OF DATA STORAGE

We store your data:

• for the period prescribed by the applicable regulations, if such data are collected solely for the purpose of fulfilling our legal obligations:
  - for example, the data from the guestbook must be kept at least 2 years after the expiration of the calendar year during which the guest stayed at our facility, and such data must be kept for 10 years in the eVisitor system;
  - in addition, according to accounting regulations we are obliged to keep the issued invoices and the personal data contained therein for 11 years.
• for the duration required for the expiry of statutory limitation period (three or five years) and for an additional reasonable period needed for your request submitted to a judicial or administrative body to be delivered to us, provided that such data are obtained solely in connection with the contracts we have concluded with you or about which we have negotiated (for example, data contained in booking requests/reservation inquiries and booking confirmations, data regarding loyalty programme membership, participation in competitions, etc.);
• until you withdraw your consent if we base the processing of your data on your consent;
• 10 years if the processing is based on our legitimate interests;
• 6 months (tapes - surveilance).

4. YOUR RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION

Users of our services have the following rights under the General Regulation (GDPR):

a. RIGHT OF ACCESS

At any time, you can request confirmation of whether your personal data are being processed and, if processed, you have the right to request access to such data and information as referred to in Article 15. of the General Regulation (GDPR).

Upon your request to exercise your right of access, we will provide you with the data and information electronically (via email), unless you did not specify your email address in your request or you explicitly requested postal delivery.

b. RIGHT TO RECTIFICATION

You have the right to ask us to rectify inaccurate personal data and to complete missing personal data without delay.

c. RIGHT TO ERASURE

If you feel that we have collected or otherwise processed your data contrary to the General Regulation (GDPR), you have the right to request erasure of such data. In case the request is well founded, the data will be erased without undue delay.

If there are reasons that prevent us from or limit us in complying with your request, we will notify you in response to your request.

d. RIGHT TO RESTRICTION OF PROCESSING

You have the right to ask us to restrict the processing of your personal data if you dispute the accuracy of these data, for a period enabling the controller to verify the accuracy of the personal dana, if the processing is illegal and you are opposed to erasure of such data, if you have filed an objection against the processing of your data, and if the data are no longer needed but are necessary for the establishment, exercise or defence of legal claims.

e. RIGHT TO DATA PORTABILITY

You have the right to receive the personal data you provided us in a structured, commonly used and machine-readable format and to transfer them to another controller if the processing of these data are based on consent or agreement and is carried out automatically.

f. RIGHT TO WITHDRAW CONSENT

If your data are processed based on your consent, you can withdraw such consent at any time without affecting the legitimacy of the processing that was based on such consent.

g. ADMINISTRATIVE COST

Your rights are exercised free of charge, and only exceptionally an administrative cost is charged.
We will notify you of the administrative cost that we have the right to charge under the General Regulation (GDPR) before it occurs and if the requirements for its payment are met.

h. RIGHT TO COMPLAINE AND OBJECT

Based on your particular situation, you have the right to file an objection at any time against the processing of personal data we conduct based on our legitimate interests under point 2 of this Information, including the right to file an objection against profiling related to such legitimate interests.

If you believe that by processing your personal data we are in violation of the General Regulation (GDPR), please contact us.

You have the right to file a complaint with the supervisory authority if you believe that by processing your personal data we are in violation of the General Regulation (GDPR). You can file a complaint with, for example, a supervisory body in the EU member state of your normal residence or workplace or in the Republic of Croatia (Personal Data Protection Agency).

The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. PROFILING AND AUTOMATED DECISION-MAKING

We use your data (name and surname, email) to personalise our services and marketing materials and tailor them according to your preferences. We personalise services and materials by profiling (e.g. segmentation) that help us better understand your interests. Profiling does not limit your choice of services we provide.

We apply automated decision-making in such a way that, depending on the profiling or data you provide, a computer program sends you an offer and/or promotional (marketing) material without any human intervention. The described automated decision-making does not limit your choice of services we provide.

To facilitate browsing functions on our websites, our global network server uses cookies. These are small text files that a server places on the user’s computer to enable monitoring of the selection of individual language versions on our websites, as well as when visiting those parts of our sites that require user login and password. Cookies cannot be used to start programs or plant viruses on your computer. Certain cookies placed by our web server are automatically deleted from your computer at the end of the session, i.e. the moment you leave our website. You can view our website without the use of cookies if your browser has the required settings.

To make our website work properly, in order to further improve our website and your browsing experience, this site has to save a small amount of information in the form of cookies on your computer. Over 90% of all websites use this practice but under the current regulations, especially the Electronic Communications Act and the Personal Data Protection Act, we are obliged to ask for your consent before storing cookies. By using the website you agree to use of cookies. By blocking the cookies you can still browse the website, but some of its features will not be available.

What are cookies?

Cookies are the information stored on your computer by the website you have visited. Cookies usually store your settings, as well as website settings, such as the preferred language. Later, when you visit the same website again, the web browser sends back the cookies belonging to that website. This allows the website to show the information adjusted to your needs.

Cookies can store a wide range of information, including your personal information (such as your name or email address). However, this information can only be stored if you enable it – websites cannot get access to the information you did not provide and cannot access other files on your computer or mobile device. The default options of storing and sending cookies are not visible to you. However, you can change the settings of your internet browser, so you can decide for yourself whether to approve or deny requests for storing cookies, as well as delete the stored cookies automatically when closing your internet browser, etc.

How to disable cookies?

By disabling cookies you decide whether you wish to allow storage of cookies on your computer or mobile device. You can control and configure your cookies settings in your web browser. If you disable cookies, you may not be able to use some features on our website.

What are permanent cookies?

Permanent or saved cookies remain on your computer after you close the web browser. These cookies allow websites to store data, such as login name and password, so that you do not have to sign in each time you visit a specific site. Permanent cookies will remain on your computer or mobile device for days, months, even years.

What are temporary cookies?

Temporary cookies are automatically removed from the computer once the Internet browser has been closed. Websites use them to store temporary information, such as shopping cart items.

What are first-party cookies?

First-party cookies come from the website that you are viewing and can be either persistent or temporary. Websites might use these cookies to store information that they will reuse the next time you visit that website.

What are third-party cookies?

Third-party cookies come from other websites’ advertisements (such as pop up or other ads) on the website you are viewing. Websites use these cookies to track your web use for marketing purposes.

Who places data collection systems?

Data collection systems are placed by Maistra d.d. or one of its partners.

Data collection systems that we place are:

- Data collection systems strictly necessary for website operation and provision of our services. We use them to save information on your log-ins or access to our website and use of services in order to implement security measures or adapt the website to the settings of your device (language, operating system, etc.). These data collection systems also allow you to access your personal account on the website.

- Analytical data collection systems. We use them to produce statistics on website views and use of its various parts (pages visited and content viewed, user’s manner of use) which help us improve the content of the website and the quality of our services.

- Data collection systems for advertising. These data collection systems enable us to analyse your use of the website and of the advertisements displayed on the website in order to offer you advertisements adapted to your areas of interest on our website or on our partners’ websites. These data collection systems allow us (i) to count and identify the advertisements displayed, (ii) to count the number of users who clicked on each advertisement and (iii), where applicable, to monitor the subsequent actions taken by these users on the pages to which these advertisements are linked.

We can also share with our partners some of the data collected through a data collection system to enable them to conduct visitor behaviour research.

Data collection systems placed by third parties:

- Some of our business partners are authorised to place data collection systems on our website for the aforementioned purposes. The placement and usage of such data collection systems are subject to the third party’s Privacy Policy.

How can I change my settings?

You can view and change settings regarding data collection systems at any time. You can set whether you want to accept or discard data collection systems occasionally or permanently in your web browser settings. Bear in mind that these settings may affect the functioning of your internet browser and your usage of certain website services which require data collection systems to be used.

Manage your settings on this site depending on the web browser you use:

Internet Explorer™: http://windows.microsoft.com/hr-hR/windows-vista/B...

Safari™: http://www.apple.com/support/mac-apps/safari/

Chrome™: http://support.google.com/chrome/bin/answer.py?hl=...

Firefox™: http://support.mozilla.org/hr/kb/Uključivanje%20i%...

Opera™: https://help.opera.com/en/latest/security-and-privacy/

We use Google Analytics. If you do not want us to use Google Analytics to collect
or use your information, click the following link:
https://tools.google.com/dlpage/gaoptout?hl=en

We use AdRoll to serve ads for retargeting and advertising. To view more information about how your personal data is used, click the following link: https://www.adrollgroup.com/privacy

Maistra d.d.