1. Scope of this Privacy Policy

1.1 Introduction

This Privacy Policy establishes the rules and principles applied by Hotel Osijek when collecting, processing, and protecting your personal data, in compliance with applicable laws and regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the “GDPR”) and the Act on the Implementation of the General Data Protection Regulation (Official Gazette of the Republic of Croatia No. 42/18).

1.2 Data controller

The data controller and the company responsible for processing your personal data is Hotel Osijek d.o.o. za turizam, with its registered seat in Osijek, Šamačka 4, registered in the court registry of the Commercial Court in Osijek under registration number (MBS): 030168420, PIN (OIB): 58839546584 (previously and hereinafter: “Hotel Osijek”).

1.3 Application of this Privacy Policy

This Privacy Policy applies to all guests staying at Hotel Osijek, Šamačka 4, Osijek, including those using services provided by Hotel Osijek, as well as visitors to this website.

1.4 Collection and processing of personal data

We process your personal data collected during registration and use of accommodation and other services, as well as during your use of our website. In specific cases of personal data processing, we may offer you the option to provide additional consent. If this occurs, you will be informed of the terms of processing, and any consent provided will include specific details about these terms and the purpose of processing personal data.

1.5 Principles of personal data processing

When processing your personal data, Hotel Osijek adheres to the following principles:

lawfulness: personal data is processed solely on legal grounds prescribed by applicable legislation, including the GDPR;

fairness: we ensure that all relevant information regarding the processing of personal data is made available to data subjects;

transparency: all relevant information is provided to data subjects in a clear, understandable, and easily accessible manner, in compliance with the GDPR;

purpose limitation: personal data is collected solely for explicit and lawful purposes, and is not processed in a manner that is incompatible with those purposes;

data minimization: only personal data necessary to achieve the specific purposes of processing is collected; and

accuracy and updating: personal data must be accurate and, where necessary, updated, and data that is inaccurate or no longer needed will be corrected or deleted without delay.

1.6 Privacy protection and informing data subjects

We respect your privacy and want to provide you with clear and transparent information in this document about the personal data we collect, as well as the legal grounds on which we process your personal data. By using the services of Hotel Osijek or visiting this website, we will consider that you are familiar with the terms of this Privacy Policy. If you have any questions regarding the processing of your personal data, feel free to contact us using the details provided in Section 9.1.

2. Types of personal data we process

Depending on the purpose of processing, during your stay and use of our services, we may process the following types of personal data:

identification data: name and surname, residence, date and place of birth, nationality, type and number of identity document, personal identification number (OIB), gender, time of arrival and departure, basis for exemption or reduction of the tourist tax

contact information: email, telephone number;

financial data: payment details, including card number and expiration date, and additional data necessary for executing transactions or securing payments;

technical and website usage data: IP address, device information, browser type, browsing history on our website, cookies, and similar tracking technologies; and

recordings: video surveillance footage (you may be recorded by our cameras monitoring our business premises if you enter the recording perimeter of our cameras (which is clearly marked).

3. Purposes of personal data processing

Your personal data is processed for the following purposes:

performance of contractual obligations: to fulfil our contractual obligations to you and undertake other necessary actions related to the conclusion and execution of a contract. In this case, the legal basis for processing your personal data is the performance of our contract or the steps taken at your request prior to entering into a contract;

compliance with legal obligations: to comply with our legal obligations (e.g., collecting personal data due to the legal requirement to register guests in the e-Visitor system maintained by the Croatian National Tourist Board for the purpose of paying the tourist tax and registering stays in the Republic of Croatia). In this case, the legal basis for processing your personal data is the fulfilment of our legal obligations;

marketing activities: for sending marketing notifications or newsletters about our products and activities, based on your prior expressed interest. If you do not wish to receive notifications, you can always unsubscribe following the instructions in each message. In this case, the legal basis for processing your personal data will be your consent (if you have given it) or our legitimate interest where permitted by applicable law;

legitimate interest: for other purposes where we have a legitimate interest as your host (e.g., when necessary to secure payment for accommodation and other services that might be incurred in case the guest does not settle the debt, to determine your satisfaction with our products and services, to implement security measures, etc.). In this case, the legal basis for processing your personal data is our legitimate interest;

protection of people and property: to protect individuals (visitors and employees) and property through the use of video surveillance systems. In this case, the legal basis for processing your personal data is our legitimate interest in ensuring the protection of individuals and property;

consent: for specific purposes for which you have given us your consent to process your personal data. In this case, the legal basis for processing your personal data is your consent; and

use of the website: to process data regarding your interaction with our website, including technical data such as your IP address, device information, browser type, browsing history on our website, cookies, and similar tracking technologies. In this case, the legal basis for processing your personal data is our legitimate interest in improving the website's functionality and user experience.

If we intend to further process your personal data for a purpose different from the one for which it was originally collected, we will inform you of this new purpose and provide all relevant information.

4. Personal data retention period

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.

Data collected based on a contractual relationship will be stored only as long as necessary to perform the contract or provide the service. For instance, video surveillance recordings are retained for up to six months, unless a longer period is stipulated by law or required as evidence in legal or other proceedings.

The retention period for personal data is strictly limited to the minimum necessary, with specified retention periods and periodic reviews to ensure that data is not retained longer than required. Should certain data still be needed for legitimate business purposes after the expiration of the retention period, appropriate measures will be taken to anonymize the data.

5. Technical and organizational measures

We implement appropriate technical and organizational measures to ensure the security of your personal data and protect it from unauthorized access, loss, or alteration, whether accidental or deliberate. Access to your data is strictly limited to authorized individuals with a business need to process the data for clearly defined purposes, about which you have been informed. These individuals are obligated to maintain confidentiality and handle your data in compliance with applicable regulations and our data protection standards.

6. Data subject rights

6.1 Your rights

In accordance with the GDPR, you have the following rights concerning the processing of your personal data:

right of access: you have the right to request access to the personal data we process at any time and receive information, including, among other, the purpose of processing, categories of data, and recipients to whom the data has been disclosed;

right to rectification: you can request the updating, correction, or completion of your personal data if it is inaccurate or incomplete;

right to erasure: you may request the deletion of your personal data, except where legal obligations require its retention;

right to restrict processing: you can request the restriction of processing your personal data, for example, if you dispute the accuracy of the data or object to processing based on legitimate interest;

right to data portability: you may request that we provide your personal data in a machine-readable format or transfer it to another service provider, where technically feasible;

right to lodge a complaint: you have the right to lodge a complaint regarding personal data processing with the Croatian Personal Data Protection Agency; and

right to withdraw consent: if the processing of your personal data is based on consent, you can withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise the above rights, you can contact our Data Protection Officer using the contact details provided in section 9.1.

6.2 Response timeframe

We are committed to responding to your request within one month of receipt. If the request is complex or if we receive a large number of requests in a short period, we reserve the right to extend the response period by an additional two months, in which case you will be promptly informed.

7. Automated decision-making and data transfers to third countries

7.1 Automated decision-making

Automated decision-making involves decisions that produce legal effects on the data subject or significantly affect them in a similar way, made solely through automated processes – including profiling – without prior review by a human.

Hotel Osijek does not use automated decision-making or engage in any profiling when processing your personal data.

7.2 Data transfers to third countries

Your personal data will not be transferred to third countries outside the European Union and the European Economic Area, nor to international organizations.

In exceptional cases where a transfer of personal data to a third country or international organization occurs, you will be notified, and the transfer will be conducted with appropriate safeguards. This includes, among other measures, the application of the European Commission’s standard contractual clauses for data transfers.

8. Use of Cookies

Our website uses cookies to enhance the user experience, analyse visitor behaviour, and tailor content to your interests. Cookies are small text files stored on your device during your visit to our website.

Cookies on our website (www.hotelosijek.hr) include:

temporary cookies: used for temporarily storing data during a session;

persistent cookies: used for long-term storage of user preferences.

In addition to cookies, we use Google Analytics to analyse website traffic and enhance the functionality of our website. Google processes data on behalf of Hotel Osijek, generates reports on website activity, and provides additional analytics services.

By using our website, you agree to the use of cookies in accordance with this Privacy Policy. If you disagree with the use of cookies, you may disable them in your browser settings, however, please note that this may affect website functionality.

9. Contact Information

9.1 Contacting the Data Protection Officer

All information or requests related to this Privacy Policy can be made:

by sending a written request to the business address of Hotel Osijek d.o.o. za turizam, Šamačka 4, Osijek (attn: Data Protection Officer);

emailing Hotel Osijek’s Data Protection Officer at gdpr@hotelosijek.hr.

9.2 Submitting a Complaint to the Supervisory Authority

You can submit a complaint regarding personal data processing to the Croatian Personal Data Protection Agency at Selska cesta 136, HR – 10 000 Zagreb. You may also contact them by phone at +385 (01) 4609-000, fax at +385 (01) 4609-099, email at azop@azop.hr, or via their website at www.azop.hr.

10. Changes to the Privacy Policy

Zadržavamo pravo izmjene ili ažuriranja ove Politike privatnosti u bilo kojem trenutku, u skladu s promjenama u zakonodavstvu ili našim poslovnim praksama. Sve promjene bit će objavljene na ovoj stranici s označenim datumom posljednje izmjene. Preporučujemo da redovito provjeravate ovu stranicu kako biste bili informirani o svim izmjenama. Korištenjem usluga Hotela Osijek ili naše web stranice nakon objave izmjena, smatra se da ste prihvatili nove uvjete Politike privatnosti. Ako bilo koja izmjena zahtijeva Vaš izričiti pristanak, tražit ćemo da ga ponovno date.

Scope of this Privacy Policy

Types of personal data we process

Purposes of personal data processing

Personal data retention period

Technical and organizational measures

Data subject rights

Automated decision-making and data transfers to third countries

Use of Cookies

Contact information

Changes to the Privacy Policy

DETAILS