We respect your privacy, and we are committed to protecting your personal data. In this document (“Privacy Notice”), we would like to provide you with clear and transparent information about which personal data we collect, as well as the legal basis we rely on when processing your personal data.
Please read this document carefully; it contains our Privacy Policy and information on how we use your personal data when you visit our website, book accommodations, stay in one of our facilities or if you communicate with us for other reasons.
This Privacy Notice applies in all cases of processing of your personal data, except in certain particular cases of processing of your personal data, in which cases we will inform you about the way your personal data is processed by providing you with a special Privacy Notice on the processing of personal data, which will contain a Privacy Policy relating to those cases of personal data processing.
If you have any questions do not hesitate to contact us, as is described below in paragraph 4 - Contact information.
We will update this Privacy Notice from time to time to provide you with timely accurate and reliable information about how we collect and use your personal data. We will notify you of any changes to the way we process your personal data by updating our Privacy Policy and this Privacy Notice on the processing of personal data.
This Privacy Notice was updated on 22 December 2021.
For the purposes of this Privacy Notice and applicable personal data protection provisions, including the General Data Protection Regulation (EU) 2016/679 (hereinafter: “GDPR”), the data controller and the company responsible for processing your personal data is MAISTRA d.d., with a registered seat in Rovinj, Obala Vladimira Nazora 6, PIN (OIB): 25190869349 (hereinafter: “Maistra” or “we”).
Based on a Business Cooperation Agreement, Maistra also provides the service of booking accommodation in HUP-ZAGREB d.d. company’s facilities, namely:
This means that if you book accommodation in one of the HUP-Zagreb Facilities, in addition to Maistra, HUP-ZAGREB d.d. will also be responsible for the processing of your personal data as an independent data controller, with a registered seat in Zagreb, Trg Krešimira Ćosića 9, PIN (OIB): 66859264899 (hereinafter: “HUP” or “we”).
This Privacy Notice applies accordingly to the guests of Maistra and the HUP-Zagreb Facilities
In case you have any questions related to the protection of your personal data, you can contact us by:
In case you are staying in one of the HUP-Zagreb Facilities, you can also contact us by e-mail at [email protected] or by mail at Trg Krešimira Ćosića 9, 10 000 Zagreb, attn. DPO.
MAISTRA d.d. is a company that, among other things, provides hospitality services.
We collect different types of personal data about you, depending on your relationship with us and the reasons for our communication.
We collect your personal data directly from you, indirectly or automatically.
For example, in the following cases, we collect your personal data directly from you:
We collect your personal data indirectly when it is provided to us by another legal or natural person, for example, in the following cases:
We collect your personal data through automated systems, for the purpose of improving the service or for security, for example, in the following cases:
Personal data includes any data relating to an identified natural person or other data by which a person can be identified. The data we collect and process about you depends on your relationship with us and the reasons for our communication.
Examples of personal data we collect are:
Special categories of personal data are data on race, ethnicity, religious or philosophical beliefs, sexual orientation, political views, union membership, data about your health, genetic and biometric data.
As a rule, we do not collect these types of data, as well as data on criminal offences, except in the following exceptional cases:
We process your personal data only if we have a valid legal basis for it. The most common legal bases we rely on, will be the following:
We collect different types of personal data about you, depending on your relationship with us and the services you use. In any case, we collect and process your personal data for legitimate purposes and on a valid legal basis.
By booking an accommodation, you enter into an agreement on the provision of accommodation services with Maistra or HUP-Zagreb. We collect the information we need about you in order to establish a contractual relationship and to process a booking. Before your arrival, we will collect and process the information we need in order to provide you with the best and highest quality service and prepare for your arrival.
We also collect some data during check-in into the facilities in order to fulfill our legal obligations.
In addition to collecting data to fulfill a contract and comply with our legal obligations, we process data because it is in our legitimate interest to do so, but only when our legitimate interest - based on the assessment we have made - does not prevail over the obligation to protect your privacy. Such situations are, for example, direct marketing or video-surveillance over common spaces, such as reception area.
We rely on consent as a legal basis in exceptional cases, for example, when we ask you to provide your consent to join our loyalty program.
For some types of data processing, several legal bases for data processing are applicable, depending on the circumstances and context. For example, when we process your personal data for the purpose of issuing invoices and billing accommodation, we do so both on a contractual basis and in order to comply with our obligations arising from accounting regulations.
We have listed some basic ways in which we collect your personal data in the table below.
Processing activity | Data type | Legal basis |
---|---|---|
Accommodation booking Booking the date of stay, choice of facility and terms of payment, credit card guarantee or advance payment, making a booking, accepting the booking and sending a booking confirmation Booking management Preparation of documentation in accordance with accounting regulations |
Identification data, contact information, payment information |
Entering into a contract and providing a contractual service Legitimate interest (managing the business and managing products and services) Compliance with a legal obligation |
Check-in/check-out Registration and check-out of a guest,, room allocation Guest registration in internal systems, pairing the guest with requested offers and services, data entry in the e-Visitor system Entering data on guest preferences and requirements, and further communication options. |
Identification data, contact information, preference data, marketing data |
Compliance with a legal obligation Providing a contractual service Legitimate interest (guest record keeping, communication and business management) Explicit consent (health and allergy data) |
Booking services during the stay Choosing dates and ordering additional services during the stay – restaurants and bars, spa and wellness |
Identification data, contact information, transaction data, marketing data |
Providing contractual services. Legitimate interest (guest record keeping, communication and business management) Explicit consent (health data) |
Use of services during the stay Use of additional services during the stay – restaurants and bars, spa and wellness Monitoring the use of accommodation services during the stay (TV, minibar, room service) |
Identification data, contact information, transaction data, marketing data |
Providing contractual services. Legitimate interest (guest record keeping, communication and business management) Explicit consent (health data) |
Complaints/requests Making additional requests at the reception during the stay (special wishes, deliveries and similar services) Using concierge services Complaints |
Identification data, transaction data, preference data |
Providing contractual services. Legitimate interest (managing the business, managing staff and improving the service provided) |
Answering queries Sending answers to guest inquiries |
Identification data, contact information |
Providing contractual services. Legitimate interest (managing the business, managing staff, improving services, analytics) |
Property security Surveillance cameras Electronic cards/keys |
Identification data (recording, entrance to the room) |
Legitimate interest (protection of security of property and persons) |
Membership in the loyalty program Accessing the loyalty program, sending promotional offers, collecting information on preferences in order to adjust business and personalize offers |
Identification data, contact information, preference data, marketing data |
Consent Execution of contractual obligations related to your membership in the loyalty program. |
Direct marketing Contacting a guest at their e-mail address by sending offers for similar services in accordance with the provisions of the Electronic Communications Act. |
Identification data, contact information, preference data, marketing data |
Legitimate interest (managing the business, delivering information about our offers and services, personalization of offers and recommendations of similar services) |
Satisfaction surveys and questionnaires Contacting a guest at their e-mail address or delivering a flyer to request a guest to complete a guest satisfaction survey or questionnaire |
Contact information |
Legitimate interest (managing the business, informing about customer satisfaction in order to improve the service) |
Payment, billing and refund Issuing invoices, payments, billing of receivables and refund to guests |
Identification data, contact information, financial data, transaction data |
Providing contractual services
Acting in accordance with a legal obligation |
Participation in a prize game or prize contest Participation in a prize game or competition in accordance with defined rules |
Contact information, identification data |
Consent |
Advertising Preparing and sending ads, monitoring the effectiveness of submitted ads. |
Identification data, contact information, usage data, marketing data, technical data, preference data |
Consent (for re-targeting)
Legitimate interest monitoring the effectiveness of ads business planning, developing marketing campaigns and business strategies) |
Giving recommendations on accommodation and services Recommendation of accommodation and services to guests, personalization of the service |
Identification data, contact information, preference data |
Providing contractual services Legitimate interest (personalization of the service and ameliorating guest experience) |
Enabling the use of internet Connecting the guest to the internet |
Technical data, usage data |
Providing contractual services Legitimate interest (maintaining the security of IT systems) |
Using the hotel app Using the hotel app to manage the services used during the stay Overview of invoices, transactions, food and beverage consumption |
Contact information, identification data, usage data, transaction data, technical data |
Legitimate interest (managing the business, enabling the guest to use all the functionalities of the stay in a clear manner and have an insight into the overview of costs and security protection of the system) |
Analytics and business planning Guest segmentation and analysis of guest behavior regarding past stays and indicated preferences. Developing models for further planning, analysis and reports |
Transaction data, contact information, preference data, marketing data |
Legitimate interest (improving the service, creating bids, strategic business planning) |
Incident monitoring Internal lists of guests who caused incidents and are undesirable guests in our facilities due to inappropriate behavior (unpaid services, aggressive incidents towards staff or other guests, theft, vandalism) |
Identity data, behavior description |
Legitimate interest (protection of security of property and persons) Establishment and defense of legal claims |
Compensation claims Keeping records of guest compensation claims, incident description, communication with third parties |
Identification data, contact information, incident data |
Legitimate interest (protection of property and reputation) Establishment and defense of legal claims |
COVID-19 testing Organizing antigen and PCR testing of guests in cooperation with the epidemiological service |
Identification data, contact information, health data |
Providing contractual services Legitimate interest (protection of safety and health of others) Explicit consent Protection of public interest in terms of public health (obligation to disinfect premises and organize isolation) |
BABY and MINI club / KIDS zone Organizing animation of children and stay of children in rooms with communal games |
Parent identification data, parent contact information, child age data, child health data |
Providing contractual services Explicit consent |
Website security protection Protection of our business and website security (debugging, data analysis, testing, system maintenance, support, reports) |
Technical data, usage data |
Legitimate interest (maintaining service continuity, network security and protection) |
Analytical website monitoring Improving website functionality, recognizing interests, service optimization and marketing strategies |
Technical data, usage data |
Legitimate interest (business development, marketing strategy, strategic planning) |
Social networks Communication through social media profiles |
Identification data, contact information |
Providing contractual services Legitimate interest (communication with guests, management of guest expectations, marketing strategy) |
Restaurant Bookings Restaurant table reservations. Online platform bookings at select Maistra restaurants (Cap Aureo Signature Restaurant, Wine Vault Restaurant and Agli Amici Rovinj). |
Identification data, contact information, form of address, preferences and allergies, payment data |
Actions required to enter into a contract. Legitimate interest (personalization of a service in order to provide guests with a better restaurant experience). Explicit consent (allergy and health data). |
Our website collects cookies that contain certain information about how and in what way you use our website. Cookies are small text files that contain a unique identification and reference code that the web browser saves on your device and with which we can recognize you again when you access our website.
We do not use this data to identify you nor do we use third party cookies for this purpose. Some cookies we collect last only during your use of our site, and some last a little longer, so that we can recognize you again when you access our site again.
More information about cookies can be found here.
Direct marketing is the sending of promotional offers by which we offer you similar services to your address or e-mail address. We communicate with you in this way based on a legitimate interest.
With each such communication, we will inform you about the possibility to easily (by clicking on the link) unsubscribe and ask us not to contact you in this way again. In addition, you can contact us in writing at our e-mail address [email protected].
For the purpose of personalizing the service, we use identification data, contact information and transaction data. At a general level, we may analyze the behavior of our users and try to assess their specific interest. Based on this, we may group users, and based on such segmentation, we show personalized ads.
Just because you see one of our ads, it does not mean that Maistra created your profile, it is possible that we just rented advertising space and you happened to come across one of our ads. In cases where we send targeted ads, we do so on a retargeting basis, in collaboration with partners. Even then, this is not confirmation that Maistra has created your profile, but it is possible that our partner – e.g. Facebook or Google – based on other options and your use of other websites that Maistra does not have access to, estimated that you belong to a target group that might be interested in our ads.
Automatic data processing for advertising purposes does not affect your rights or our services that you may use.
For the needs of our business, strategic planning and making important business decisions, we use statistical data analysis. This means that, based on a legitimate interest, we will process the data we have collected and processed about you on another legal basis, for example to comply with legal obligations or fulfill a contractual obligation, such as your age, nationality or language you speak.
When we process your data for statistical purposes, we continue to use it exclusively in an aggregated, depersonalized form. This means that this data can no longer be linked to you in any way and no longer represents your personal data.
We do not share your personal data with third parties for the purpose of advertising their services. We will not sell your personal data to third parties.
In certain cases, we will share your personal data with other recipients, as follows:
We want to ensure that your personal data is stored and transferred securely. Therefore, outside the European Economic Area (hereinafter: EEA), we will only transfer data if that complies with the applicable data protection regulations and if the means of transmission ensure an adequate level of security for your data, for example:
When we transfer your data outside the EEA and in cases where the country or territory to which the data is transferred does not ensure an adequate level of data protection, we will take all reasonable steps to ensure that your data is treated securely and in accordance with the privacy policy contained in this Privacy Notice.
We apply technical and organizational measures to ensure that your data is secure and to protect it from accidental or intentional unauthorized access, loss or modification. We have ensured that your data can be accessed only by those persons who have a business need for it, solely for the purposes that are permitted and of which you have been notified, and that these persons are obliged to keep your data confidential.
If you suspect any unauthorized use, loss or unauthorized access to your personal data, please notify us.
We store your data as long as it may be necessary in accordance with the purpose for which it was collected, including in order to comply with legal obligations. After the expiration of the retention period, we will delete the data, and in cases where this is not technically possible, we will make the data unreadable. In the event that we still need some data for legitimate business purposes after the retention period has expired, we will take appropriate steps to anonymize that data.
According to the law, we keep data on guests for at least two years after the year of stay, and we must keep data in the e-Visitor system for 10 years.
We keep data related to accounting regulations for 11 years. This includes invoices and bills that may contain your personal data.
If we use your credit card data for the purpose of guaranteeing your reservation, we will keep this information in our systems for a maximum period of 30 days after your check-out. If the guarantee is used and we charge your card, this information will be retained for a longer time period, in line with accounting regulations.
We store data based on our legitimate interest in accordance with justified and reasonable business needs.
We keep data related to surveillance videos for up to six months.
We store the data we collect on the basis of consent, until the consent is withdrawn.
Access. You have the right to access your personal data at any time by sending a request requesting that we provide you with all your personal data that we process.
Restriction of processing. You have the right to object to certain processing activities, for example, if we process your personal data on the basis of a legitimate interest.
Portability. You have the right to request a transfer of personal data to another service provider – in practice, this means that you have the right to request that we provide you with all personal data that we process in a machine-readable format or to request that we provide it directly to another company.
Rectification. You have the right to request an update, rectification or supplementation of your personal data at any time.
Erasure. You have the right to request the deletion of your personal data. We will comply with your request if we do not have a legal obligation or a valid reason of a legal or business nature for which we should continue to keep them.
Withdrawal of consent. In the event that we process your data on the basis of consent, you are entitled to withdraw your consent at any time. We will stop processing personal data collected on this legal basis without delay.
You can make all requests by sending a written request at the business address MAISTRA d.d. in Rovinj, Obala Vladimira Nazora 6 (attn. DPO) or by e-mail at [email protected]. If you are staying in facilities in Zagreb or Dubrovnik, you can also send a written request by e-mail at [email protected] or by mail at the address HUP-ZAGREB d.d., in Zagreb, Trg Krešimira Ćosića 9 (attn. DPO.
Complaint. You are also entitled to submit a complaint to the local supervisory authority for data protection – the Croatian Personal Data Protection Agency, at the address:
Agencija za zaštitu osobnih podataka
Selska cesta 136
HR – 10 000 Zagreb
Tel. +385 (01) 4609-000
Fax. + 385 (01) 4609-099
E-mail: [email protected]
Web: www.azop.hr
We inform you that we will keep records of our communication, so that we can resolve any issue you contact us about as efficiently as possible.
We process your rights free of charge, and we will only exceptionally charge you the administrative cost of processing the request, in accordance with the provisions of the GDPR. In that case, we will notify you before the cost is incurred.