ZURÜCK

DATENSCHUTZERKLÄRUNG

January, 2024

Valamar Riviera, a joint-stock company for tourism, with a registered seat in the Republic of Croatia, in Poreč, Stancija Kaligari 1, is a leading Croatian tourism company that manages hotels, resorts and camping resorts in well-known tourist destinations – in Istria, on the islands of Krk, Rab and Hvar, in Makarska and Dubrovnik, and in Obertauern in Austria. Valamar Riviera respects the privacy of every person whose personal data it processes. As part of this Privacy Policy, we would like to inform you about which personal data Valamar Riviera, as a data controller, collects and processes, for what purpose, how we protect it and what your rights are.

For easier navigation and faster retrieval of the information you are looking for, we have made it possible to click on the title in the contents to get to the topic you are interested in more quickly. The general part contains our general rules that apply to all personal data processing, while the specific part lists our most common cases of personal data processing that represent the majority of all our processing.

Inhalt

General Part

DATA CONTROLLER AND LEGAL FRAMEWORK

Valamar Riviera, with its registered seat in the Republic of Croatia, in Poreč, Stancija Kaligari 1, OIB (PID): 36201212847 (hereinafter: Valamar Riviera or us or our), as data controller, shall undertake to protect your personal data. The collection and retention of data is carried out in accordance with the provisions of EU Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the Regulation), the Act on Implementation of General Data Protection Regulation (Official Gazette, No. 42/2018) and other regulations governing the area concerned, which are applicable in the Republic of Croatia.

SCOPE

This Privacy Policy applies to any processing of personal data carried out by Valamar Riviera as a data controller, unless another Valamar Riviera’s policy or other document stipulates otherwise for a particular processing. In some cases, Valamar Riviera acts as a data controller for data subjects who are also data subjects of companies with which Valamar Riviera has concluded agreements for the management of tourist accommodation properties and facilities within the scope of its powers based on those agreements.

This Privacy Policy is divided into two parts: General Part and Specific Part. The basic principles of personal data processing, contact details of the personal data protection officer and other provisions specified in the General Part of the Privacy Policy apply without exception to any processing of personal data, regardless of whether such processing is specifically processed in the specific part of the Privacy Policy or not. Specific cases of data processing, which represent the majority of all our processing, are covered in more detail in the specific part of the Privacy Policy.

DATA PROTECTION OFFICER

Valamar Riviera has appointed a personal data protection officer who can be contacted at any time for questions related to the protection of personal data and exercising the rights guaranteed by the Regulation at dpo@valamar.com or by mail to the address: Valamar Riviera d.d., Stancija Kaligari 1, Poreč, Republic of Croatia – for DPO.

PRINCIPLES OF PERSONAL DATA PROTECTION

Valamar Riviera recognized the principles of data processing as basic values that must be respected during the entire cycle of personal data processing, from their collection to their destruction or other end of processing. We process data:

  • Lawfully – processing will be possible if it is permitted by law and within the limits permitted by law.
  • Fairly – respecting the specifics of each relationship, applying all adequate measures for protecting personal data and not preventing data subjects from exercising their rights.
  • Transparently – informing data subjects about personal data processing. From the collection of data itself, when data subjects are informed about all aspects of data processing, right until the end of data processing, data subjects are provided with simple and quick access to their own data. Certain information may be restricted only when required by law or when it is necessary to protect third parties.
  • With purpose limitation – processing personal data for the purposes for which they have been collected, and for other purposes if the requirements laid down in the Regulation are fulfilled. Data can be processed for the corresponding purposes only taking into account: (a) any link between the purposes for which the personal data has been collected and the purposes of the intended further processing; (b) the context in which the personal data has been collected, in particular regarding the relationship between us and the data subject; (c) the nature of the personal data, in particular the fact whether special categories of personal data are processed, pursuant to Article 9 of the Regulation, or personal data relating to criminal convictions and offences are processed, pursuant to Article 10 of the Regulation; (d) possible consequences of the intended further processing for data subjects; and (e) existence of appropriate safeguards.
  • With storage limitation – storing data in a form that enables the identification of the data subject only for as long as necessary for the purposes for which the personal data is processed, and longer only if permitted by regulations.
  • With data minimization – processing data if it is adequate, relevant and limited to what is necessary. Particular care is taken not to collect data for which there is no justified need for processing.
  • Taking into account accuracy – taking into account that data is accurate and current and deleting inaccurate data as possible.
  • Taking into account integrity and confidentiality – providing adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Relevant measures are applied taking into account the risk of each type of data processing.

LAWFULNESS OF PERSONAL DATA PROCESSING

In order to respect the lawfulness of personal data processing, we process personal data only if and to the extent that at least one of the following legal bases is met:​

The processing is necessary for the execution of an agreement to which a data subject is a party or in order to take actions at the request of a data subject before concluding the agreement; this is the most common purpose of processing data subjects’ data with the basis of an existing contractual relationship or a pursued contractual relationship.

Processing is necessary to comply with controller’s legal obligations. Valamar Riviera as a legal entity has numerous obligations prescribed by various regulations. This obligation includes the collection and, often, providing data to national authorities. For example, processing personal data of shareholders who apply for the General Assembly, processing personal data of guests and forwarding through the eVisitor system.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, taking into account the reasonable expectations of the data subject based on their relationship with the data controller, in particular where the data subject is a child. When applying this legal basis, we assess that the processing is appropriate for business needs, that it is as minimally invasive as possible, and that the interests of the data subject do not override our legitimate interests or the legitimate interests of a third party. Examples of this type of processing are processing for administrative purposes, the purposes of maintaining the security of computer networks, the purposes of direct marketing and the improvement of our business. In these situations, the data subject always has the right to object to such processing.

Processing is necessary to protect key interests of the data subject or other natural persons. The right to personal data protection is not an absolute right and we equate it with other fundamental rights in accordance with the principle of proportionality. Valamar Riviera recognizes the possibility that in some situations it is necessary to process personal data in order to protect key interests of the data subject or other natural persons. An example of this type of data processing is exceptional cases of illness, injury of a guest or other natural person, for which it is sometimes necessary to request the guest’s identification document and to request health data that fall under a special category of personal data. In some extraordinary situations, for example, in case of epidemics, we can also process data based on the recommendations of the Croatian Institute of Public Health.

The data subject has given their consent for the processing of their personal data for one or more specific purposes. When processing personal data on the basis of consent, we take special care that these situations have no formal or informal consequences for giving, refusing to give or withholding consent. When processing is based on consent, the data subject can withdraw consent at any time without negative consequences. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

TYPES OF PERSONAL DATA PROCESSED

Special categories of personal data: special categories of personal data are processed only if the requirements laid down in Article 9 of the Regulation are fulfilled. For example, we process the workers’ data that fall under special categories of personal data, such as data on union membership (for example, when exercising special rights according to relevant regulations), religious or philosophical beliefs (for example, when exercising the right to additional non-work days for religious holidays if an individual voluntarily disclosed such data for the stated purpose) or data related to health (for example, according to special regulations on occupational safety or keeping records of workers or when special health certificates are required for certain jobs).

Data on criminal convictions and offences: when there is a legal authorization to do so, we also process personal data relating to criminal convictions and offences, such as, for example, certificates of no criminal record for workers when applying for public tenders, if this is a requirement of such a tender.

Personal data that does not fall under the previous two groups: such personal data makes up the largest part of the processed data, which are most often identification data and contact data such as first and last name, OIB (PID), data generated based on movement on premises under video surveillance.

Most of the personal data we collect is provided by the data subjects themselves and we ask that you do not provide sensitive information (for example, race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when it is not necessary. If you do provide sensitive information for any reason, by doing so, you expressly consent to the collection and use of that information in the ways described in this Privacy Policy or in the manner described at the time the information is disclosed.

PROVIDING DATA TO THIRD PARTY ENTITIES

Valamar Riviera shares personal data with others only when there is a legal basis for doing so.

It is possible that in certain cases personal data may be transferred outside the European Union (EU) and the European Economic Area (EEA) to countries for which there is no decision of the European Commission on adequacy. In these cases, we ensure compliance with high standards of personal data protection, and in accordance with the strict requirements of the Regulation, any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation. The most common transfer models in these cases are the application of standard contractual clauses approved by the European Commission and the express consent of the data subjects.

1.1. Legal obligations

As part of fulfilling our legal obligations, we are obliged to provide data to third parties. For example, providing guest data via the eVisitor system, providing workers’ data to competent institutes: the Croatian Pension Insurance Institute, the Croatian Health Insurance Fund, the Tax Administration and the Central Register of Insured Persons and pension companies. We are also obliged in certain cases to submit or make available data related to employment to the Croatian Employment Service; for example, in order to include workers in active employment policy measures, to the competent police stations or to the ministry responsible for internal affairs; for example in the case of a stay of senior government officials in the facilities, as well as for issuing work permits, to the ministry responsible for tourism in the case of employing scholarship holders, to the ministry responsible for economy and entrepreneurship when it comes to the use of investment grants, insurance companies, banks and in other cases when the regulations require it. Certain workers’ data is also sent to banks or pension funds as part of salary payments, and data can also be sent to creditors in accordance with enforcement regulations. Data is sometimes sent with regard to contractual obligations; for example, when it comes to students who do work-based learning (practical work), data is exchanged with schools and/or faculties.

Certain personal data is also provided to business entities for the purpose of providing specific services, such as employee medical examinations services (contracted occupational medicine); furthermore, to institutions that organize legally required education (occupational safety, minimum hygiene, toxicology) or audit companies when conducting mandatory audits, to public notaries when certifications are required, to the Financial Agency for the purposes of obtaining business certificates, to public procurement obliged entities when we respond to public procurement tenders, and for the purpose of awarding and using official cards, official mobile devices or for buying fuel.

1.2. Valamar Riviera as a management company

A special case of providing data to third parties refers to the fact that Valamar Riviera has concluded long-term agreements for the management of tourist accommodation properties and facilities with several tourism companies. This means that we manage Valamar’s facilities, which include our accommodation facilities (owned by us or used on some other basis) as well as the accommodation facilities of the companies we manage. Management services primarily include services related to guests of Valamar facilities, but also human resources. In view of the aforementioned, we sometimes share personal data of guests, job candidates, or workers at Valamar facilities with the companies we manage, i.e. data subjects of those companies are also our data subjects, all for the purpose of developing business and services of Valamar facilities, informing about the offers of Valamar facilities, identifying data subjects with similar needs and analytics related to market developments. All principles from this Policy also apply to data subjects of those companies in the segments in which we are involved as a data controller; however, these companies are also responsible as data controllers of their data subjects’ data processing. The privacy policies of all the companies we manage can be found at https://www.valamar.com/hr/izjava-o-privatnosti.

1.3. Valamar Riviera as a travel agency

Considering that we are also a travel agency, we forward data to third parties when this is necessary for the realization of the agreed services. For example, we forward the data of a guest who booked accommodation to the company that provides specific accommodation services, or we forward the data of customers for an experience to the organizer of that experience.

1.4. Valamarovi partners – data processors

It is possible to provide data to business entities, data processors, who process data on our behalf as a data controller. Most often, these are our business associates who provide us with certain services, such as IT, marketing, payment processing, and protection services. We conclude a detailed agreement with all partners regarding their powers and obligations in processing personal data, in accordance with the requirements of the Regulation. They are also obliged to use the data entrusted to them exclusively in accordance with our agreements and strictly for the purpose we have specified. They are also obliged to appropriately protect your data and keep it confidential.

DATA RETENTION PERIOD

Data subjects’ data is processed and retained, in accordance with the applicable legal regulations, when the retention obligation is prescribed.

In cases where Valamar Riviera is authorized to determine its own data retention periods, the data is retained as long as necessary to achieve the purpose for which the personal data is processed, taking into account the purpose of processing, the legitimate interests of Valamar Riviera and the interests of the data subject. When we have not stated the data retention period in this Privacy Policy or elsewhere for a specific processing, the retention period is 5 years.

After the expiration of the stipulated data retention period, we will delete the data, and in cases where that is not possible, we will make the data unreadable.

CHILDREN’S PERSONAL DATA PROCESSING

We process children’s personal data when it is related to our services; for example, when children are guests of our facilities, visitors to the Maro playrooms, but also in other cases; for example, when minor students do work-based learning (practical work) with us. Sometimes we cannot influence the use of our services; for example, in the case when children appear as followers of our profiles on social networks. We advise parents and guardians to teach children about safe and responsible handling of personal data, especially on the internet.

SOURCES OF PERSONAL DATA

We usually receive personal data from you. When providing personal data, in any way (booking accommodation, applying for a job, using a mobile application, using a restaurant, wellness services, etc.), you guarantee that the information you have provided is correct, that you are legally competent and authorized to handle the information provided, and that you fully agree that we use and collect your data in accordance with the positive regulations and conditions of this Privacy Policy.

We also receive your personal data indirectly, from other natural and legal persons, for example: from travel agencies that forward guest data for accommodation purposes, from guests who book accommodation for people with whom they will stay in the facilities, from agencies for employment mediation and assignment of workers, from business partners about their workers who will participate in the execution of certain agreements, etc. When providing personal data of other persons, you guarantee that the information you have attached is correct, that you are legally competent and authorized to handle the information provided, that the data subjects whose personal data you forward to us consent to us processing their data. If you provide data of other persons, you are obliged to acquaint them with our Privacy Policy.

In certain cases, we also receive personal data from public sources; for example, court register, your web pages, advertisements, etc.

TECHNICAL AND INTEGRATED DATA PROTECTION

We take into account the highest organizational and technical data protection standards. Therefore, taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and severity for the rights and freedoms of individuals arising from data processing, at the time of determining the means of processing and at the time of the processing itself, we carry out appropriate technical and organizational measures to enable effective application of data protection principles.

We also implement appropriate technical and organizational measures to ensure that only personal data that is necessary for each specific processing purpose is processed in an integrated manner. We apply this measure to the amount of personal data collected, the scope of their processing, the period of storage and their availability. More specifically, such measures ensure that personal data is not automatically, without individual intervention, available to an unlimited number of individuals.

In order to ensure a high level of security when processing personal data and to protect it from accidental or intentional unauthorized access, loss or modification, we provide access to the systems in which the largest number of personal data of individuals is stored only to authorized persons to the extent necessary for the execution of their work tasks and through a multiple authentication system, which is secured against unauthorized access and use and regularly updated.

PERSONAL DATA BREACHES

We have implemented appropriate technical and organizational measures to minimize the risk of a breach; however, if you do notice that there has been a breach of personal data, please report any such breach to us without delay by e-mail at: dpo@valamar.com. We have established internal mechanisms in order to react in a timely and appropriate manner in such cases.

In accordance with the Regulation, but also to internal regulations, in the event of a personal data breach, without undue delay and if feasible, no later than 72 hours after becoming aware of the breach, we report the personal data breach to the competent supervisory authority, unless it is unlikely that the personal data breach will cause risk to the rights and freedoms of individuals.

The report submitted to the supervisory authority contains all information in accordance with the Regulation.

In the event of a personal data breach that is likely to cause a high risk to the rights and freedoms of individuals, we notify the data subject about the personal data breach without undue delay. Sometimes, in cases where the Regulation stipulates, informing the data subject is not mandatory.

RIGHTS OF THE DATA SUBJECT

Regardless of the basis of data collection, data subjects can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: you have the right to be informed about the processing and its purposes. We make sure to provide all information to the data subject that is necessary to ensure fair and transparent processing, taking into account the context of the processing.

Right to erasure (“right to be forgotten”): you have the right to request the erasure of personal data concerning you, without undue delay, in accordance with the terms of the Regulation.

To do this, send your request to us as the data controller in writing, including electronic form of communication. Please note that it is necessary to specify in the request what exactly you want to be deleted, because we can retain your data based on different legal bases; for example, a data subject can be both our guest and a job candidate. You have the right to request the deletion of personal data concerning you if one of the following conditions is met:

  • Your personal data is no longer necessary in relation to the purpose for which we collected or processed it;
  • You have withdrawn your consent on which the processing is based and if there is no other legal basis for the processing;
  • You have objected to the processing of your personal data, and there are no overriding legitimate reasons for the processing;
  • Personal data was illegally processed;
  • Personal data must be deleted to comply with legal obligations.

In some cases, it will not be possible to fully fulfill the request for deletion; for example, when there is a legal obligation to retain the data, when the legitimate interest of the data controller overrides the interest of the data subject, when there is an interest of the data controller to establish, exercise or defend legal claims.

Right to access data: you have the right to access your personal data that we process and you can request detailed information, in particular, about the purpose of its processing, about the type/categories of personal data that is processed, including insight into your personal data, about recipients or categories of recipients, and about the expected period in which the personal data will be stored. Access to personal data can be limited only in cases prescribed by law, or when such a limitation respects the essence of the fundamental rights and freedoms of others.

Right to rectification: you have the right to rectify or supplement personal data if your data is not accurate, complete and up to date. To do this, send your request to us as the data controller in writing, including electronic form of communication. Please note that it is necessary to specify in the request what exactly is not accurate, complete or up to date and in what sense it should be rectified, and to submit the necessary documentation in support of your claims.

Right to data portability: you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format – and the right to transmit this data to another data controller without interference from the data controller to which the personal data has been provided, all in accordance with the requirements of the Regulation.

Right to restriction of processing: you have the right to request the realization of the right to restriction of processing in the following cases:

  • If you contest their accuracy;
  • If the processing is unlawful and you oppose the erasure;
  • If the data controller no longer needs the personal data, but you have requested it for the establishment, exercise or defense of legal claims;
  • If you have objected to processing of your personal data and are waiting for verification whether the legitimate grounds of the controller override those of the data subject.

Right to object to the processing of personal data: when we process data on the basis of our legitimate interests that override the interests of the data subject, then the data subject has the right, based on their particular situation, to object at any time to the processing of personal data concerning them.

In any case, data subjects have the right to:

  1. lodge an objection to the Data Protection Officer

Valamar Riviera d.d.,

for DPO

Stancija Kaligari 1, Poreč

e-mail: dpo@valamar.com

2. submit a complaint with a supervisory authority if you believe that your data protection rights have been breached.

Personal Data Protection Agency

Selska cesta 136, HR – 10 000 Zagreb

e-mail: azop@azop.hr

We, as a data controller, have the right to protect our interests, as well as to protect data subjects, and we accordingly have the right to carry out activities to establish the identity of the applicant.

We have the right to publish the form that will be used to submit the request in order to process the request as efficiently as possible.

In the event of a request, we will provide you with information on the actions taken in connection with the exercise of your rights without undue delay and, in any case, within one month from the date of receiving the request. This period can be extended by an additional two months if necessary, taking into account the complexity and number of requests. In this case, we will notify you within one month from the date of receiving the request, along with the reasons for the delay.

If you submit a request electronically, we will provide the information electronically, if possible, unless you request otherwise.

Please note that in the event of a request, we keep all requests and accompanying correspondence for the purpose of demonstrating conduct.

As a rule, handling data subjects’ requests is free, but if the data subjects’ requests are manifestly unfounded or excessive, in particular because of their repetitive character, we have the right to charge a reasonable fee based on administrative costs or refuse to act on the request.

All requests that are not related to the protection of personal data and are delivered to the address of the data protection officer, e.g. offers of job candidates, inquiries for bookings in Valamar’s facilities, will be forwarded directly to the relevant departments within Valamar Riviera, without a specific response to the sender by the data protection officer. Moreover, if necessary, all requests related to the protection of personal data received by our other departments at some of our other e-mail addresses can be forwarded to our data protection officer.

Specific Part

STAY AT VALAMAR’S FACILITIES (hotels, apartments, camps)

The main subject of our business is providing accommodation services at Valamar’s facilities. For this purpose,

we conclude agreements with you on hospitality services (on hotel services, on accommodation in tourist apartments and on camping services). Therefore, we collect and process your personal data for various purposes with the ultimate goal of providing quality accommodation and accompanying services according to the highest standards of tourism companies.

Valamar’s facilities are our accommodation facilities (owned by us or used on some other basis) as well as accommodation facilities of companies managed by Valamar.

Valamar’s facilities are:

  • Hotels and apartments (villas, apartments, suites, houses, rooms);
  • Pitches in camping grounds;
  • Mobile homes in camping grounds (villas, suites and camping homes, glamping tents).

In the case of booking accommodations through our sales channels (bookings via the website, mobile application or bookings by calling the Valamar call center (based on a legitimate interest, we keep records of calls) or booking by accepting an offer by e-mail), your data controller is Valamar Riviera, but also other companies depending on which facility you are staying at.

We store your personal data, which you must submit in order to provide you with accommodation services, in our database for the purpose of fulfilling agreements on hospitality services and fulfilling legal obligations related to the hospitality industry. In the event that you do not provide us with the minimum data required for booking accommodation and during your stay for registration to all relevant registers, we will not be able to provide accommodation booking services or accommodation services in accordance with the agreement and the law.

Certain data is necessary in order to take actions at the request of the data subject before concluding the agreement on accommodation. For example, before the accommodation booking itself, at the request of potential guests, offers for accommodation are sent, for the creation and sending of which we need personal data, at least first name, last name and e-mail address, as well as information about the desired stay.

The personal data we collect in order to fulfill the booking obligation are:

  • first and last name of the booking holder;
  • address of domicile (Croatian citizens);
  • date of birth;
  • number, type of identification document and place of issue;
  • nationality;
  • facility name;
  • number of accommodation units, type of accommodation unit (room type);
  • date of arrival and departure;
  • the number of persons for whom accommodation is booked and room allocation;
  • which persons are minors;
  • potentially other specifics, depending on the request of the person booking the accommodation;
  • e-mail address if the person has one;
  • language;
  • telephone number;
  • membership in the Loyalty Program if it affects the price of accommodation or collection of points;
  • method of payment and potentially additional data necessary for the execution of transactions or ensuring payment.

Given that it is stipulated that guest registration data is entered on the basis of data from an identity card or a travel or other identity document, the guest is obliged to provide us with such a document and provide all other information necessary for data entry that are not contained in such a document. Moreover, in order to exercise certain rights and benefits, it is necessary to attach (copies of) appropriate papers, certificates and documents that prove and exercise such rights and benefits.

When arriving at Valamar’s facility, guests usually register at the facility’s reception desk using a registration card that the guest fills out or they review and confirm the accuracy of its data.

We also make it possible for guests to check-in independently via the Check-in application, through which the guest independently enters their personal data by uploading a photo of their identification document, The photo is not saved, the application only loads the necessary personal data from it.

In any case, the data is entered into the guest database, from which the data is automatically sent to the eVisitor system (the unique online information system for guest registration and deregistration) in order to comply with our legal obligations. The data that is collected is as follows (the data may change due to changes in positive regulations):

  • first and last name;
  • place, country and date of birth;
  • nationality;
  • number and type of identification document;
  • place of domicile (residence) and address;
  • date and time of arrival or departure from the facility;
  • gender;
  • the basis for exemption from payment of tourist tax or for the reduction of the payment of the tourist tax.

The aforementioned data is processed by tourist boards and public authorities of the Republic of Croatia for the following legal purposes:

  1. monitoring the execution of tourist registration and deregistration obligations by those obliged to register and deregister (accommodation service providers);
  2. records, calculations and collection of tourist tax;
  3. keeping a book or list of guests by the accommodation service provider and monitoring the execution of the aforementioned obligation by the inspection bodies;
  4. reporting foreigners to the ministry responsible for internal affairs and monitoring the execution of the aforementioned obligation by the inspection bodies;
  5. keeping a list of tourists by tourist boards and statistical processing and reporting;
  6. supervision over the business of accommodation service providers in the part that relates to the lawfulness of performing the activity or providing registered services and compliance with tax and other regulations on public contributions.

Data about guests in the guestbook, which is kept in electronic form, is retained for two years in accordance with the regulations. We will retain certain data from persons who requested an offer, booked accommodation, canceled accommodation, guest data for the purpose of proving the content of the relationship with the data subject, or for the purpose of establishing, exercising or defending legal claims for a period of five years from the last stay at Valamar’s facilities. For the stated purposes, we will retain the data necessary for the booking itself, as well as other data, depending on the individual case, for example: the date of receipt of the guest’s complaint and the content of the complaint, correspondence, etc. We are also obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with the guest’s personal data in accordance with legal regulations.

Other data related to the circumstances of your stay, such as requests for a baby crib, will also be collected and processed only during your stay when they are directly related to the provision of a specific accommodation service.

MARO PLAYROOMS

In some of Valamar’s facilities, we allow the use of children’s playrooms for our guests. For your child to be able to use the MARO playroom, it is necessary to fill out a registration form/card, the so-called children’s passport in which you will state: the name and age of the child, the period of stay in the Valamar facility, first name, last name and mobile phone number of the parent/guardian, the name of the Valamar facility where you are staying and the number of the accommodation unit, and whether the child has allergies. We will also ask for a signature on the arrival/departure list.

The purpose is the protection and record of children’s stay, and the legal basis is your consent. The Valamar passport with data is kept for the duration of the specific stay at the Valamar facility.

CURRENCY EXCHANGE OFFICE

We also provide currency exchange services at our exchange offices, usually at the reception desks of Valamar facilities. Valamar Riviera is obliged, in accordance with the current regulations on the prevention of money laundering and terrorist financing, in some cases, to determine and verify the identity of persons who use the services of an exchange office by inspecting the party’s official identification document in their presence and to perform due diligence. In the event that we cannot carry out due diligence measures when there is an obligation to do so, we must not establish a business relationship or carry out a transaction, that is, we must terminate an already established business relationship and consider whether a notification about suspicious transactions, funds and persons should be submitted to the competent national authority.

Moreover, in accordance with regulations, video surveillance of exchange offices is also mandatory. Data is retained in accordance with regulations based on our legal obligation.

LOYALTY PROGRAM MEMBERSHIP

Valamar Riviera is the holder of the Valamar Plus Club Loyalty Program (hereinafter: Loyalty Program). Membership conditions are contained in the Loyalty Program Rules which can be found at www.valamar.com/hr/program-vjernosti/valamar-plus-club/pravilnik-programa. Enrollment into the Loyalty Program is done solely on the basis of a request from a data subject, primarily guests of Valamar’s facilities. Each member of the Loyalty Program (hereinafter: loyalty member) has their own user account for which certain data is required.

By accepting the membership, you confirm that you are familiar with the processing of personal data and the creation of your profile as a member of the Loyalty Program by Valamar as the data controller.

In the process of creating a profile, Valamar will process personal data:

- collected when filling out the membership application or opening a user account (first name, last name, gender, date of birth, e-mail address, mobile phone number, address (street, house number, postal code, city and country));

- about all bookings and stays (arrival and departure dates, facilities, type of accommodation unit);

- collected during the stay (e.g. facility, number of children, marital status, language, pets, interests and activities during the stay, travel method, accommodation preference, destination preference, spending, etc.);

- collected by completing a satisfaction survey;

- related to the membership itself (identification number of the membership card, number of points, number of used points, membership level, method of using points, use of benefits, language of communication, title, all data that you fill in by updating your profile in the user account, such as: interests, travelling method, pets, desired accommodation facility, desired category of accommodation facility, desired destination, connection to social networks).

All these categories of personal data are considered important and expected, because we use them to be able to fulfill our tasks assumed through the Loyalty Program (for example, the date of birth is important for potentially sending information about a benefit at the time of your birthday in the form of a discount, etc.), to propose other products and inform you about events we believe you will be interested in.

The member is not obliged to provide all of the aforementioned data, without any consequences with regard to the membership. However, some personal data is necessary for membership and the exercise of the right to benefits, for example: first name, last name, data on stays on the basis of which points are collected, etc. Furthermore, in the event that we do not have some data, it is possible that our newsletters sent to you will be less relevant to your interests, for example: if we do not have the information that you are interested in cycling, there are no consequences with regard to the membership; however, you may not receive a newsletter with some information about benefits for cycling enthusiasts.

The aforementioned data is stored in the Valamar guest database for ten years from the date of becoming a member or from the last stay at Valamar’s facilities.

The purpose of processing the aforementioned data is:

- exercising the rights that you get as a member of the Loyalty Program;

- sending service messages to inform about important membership conditions (point status and membership level, need to change the password, news with regard to the Loyalty Program, rule changes, etc.);

- a better understanding of your needs and preferences in order to send you personalized marketing messages informing you of special benefits, special offers on our products and services that you may be interested in, which you can find more about in the MARKETING MESSAGES section.

We especially point out that a member has the right to object to such processing of personal data, either in relation to initial or further processing, at any time and free of charge.

A member can terminate their membership in the Loyalty Program at any time and without providing a reason, with a written notification to the e-mail address info-loyalty@valamar.com or by telephone to the number +385 52 408 222.

VALAMAR EXPERIENCE CONCIERGE (VEC)

Valamar Riviera is also a travel agency that promotes, recommends, but also books and/or sells goods, services and experiences to guests of Valamar’s facilities and other people, for example: wellness services, rental of sports equipment and sports fields, restaurant seats, excursions, concert tickets, transport services, ski services (collectively hereinafter: VEC services).

VEC services can be purchased or booked via

  • website www.valamar-experience.com (hereinafter: VEC website);
  • sales points (guest relations and info desks and hospitality desks) in Valamar’s facilities;
  • telephone;
  • e-mail;
  • My Valamar and Places applications [PLACESAPP].

Depending on the type of VEC service you want to buy or book, we will ask you for different data, for example:

- when purchasing goods, services and experiences, we will ask for your first name, last name, e-mail address, address, city, postal code, country, mobile phone number;

- if you are looking for a transfer service from the airport to the Valamar facility or vice versa or a transfer service within the Republic of Croatia, we will ask for your first name, last name, mobile phone number, information about the accommodation booking number, flight number and date, and in the case of a cross-border transfer, your nationality;

- if you want to purchase a cross-border excursion, we will also ask for your date of birth, type and number of the identification document;

- in case you want to book ski services and/or equipment, we will ask for your first name, last name, gender, date of birth, e-mail, phone number, height, weight, head circumference and foot size.

We will include some of the aforementioned information on vouchers and booking confirmations when applicable.

The purpose of data processing is to successfully respond to your request, then to identify you as a customer, and to conclude and fulfill an agreement and, if necessary, contact you for delivery to the requested address. The legal basis is primarily the fulfillment of legal obligations and the execution of the agreement, that is, the processing is necessary in order to take actions at the request of the data subject before concluding the agreement.

If you use the VEC website, you can open your VEC user account, in which case we ask for the following data: first name, last name, e-mail, and password. You will receive a confirmation of registration by e-mail. The purpose of creating a profile is to enable you to view bookings, purchase history, wish lists and valid or expired vouchers. The legal basis for creating a VEC profile is your consent. Creating a user profile is not a condition for purchasing/booking services on the VEC website.

In the case of a telephone call, based on legitimate interest, we keep a record of the call.

If necessary, for the purpose of executing the agreement, we will deliver some of your personal data to our companies and partners that offer certain services and goods, or organize experiences that you have purchased or booked, and to delivery services in the case of delivery of goods. In this case, they are the data controllers and we advise you to familiarize yourself with their privacy policies.

We will keep the data we collect during the provision of VEC services for a maximum of five years for the purpose of potential complaints about the services provided, and longer only if required by special regulations (accounting, etc.).

In case of filling out a questionnaire about the quality of the experience and publishing comments on the website, only with your consent, the aforementioned data is kept for one year.

We have the right based on legitimate interest to collect certain customer data and use it for direct marketing purposes as described in the MARKETING MESSAGES section.

VALFRESCO

Valfresco Direkt is our website www.valfresco.com (hereinafter: Valfresco website) intended to provide web store services for food and other products and for ordering food and drinks from Valamar’s facilities. When making a purchase via the Valfresco website, we process personal data you have entered into the web form for your user account (first name, last name, e-mail address, telephone number, address, delivery address) for the purpose of identifying the data subject as a customer, concluding and fulfilling a one-time distance sales and purchase agreement and contacting for delivery. The legal basis is the agreement, or the fulfillment of the sales and purchase agreement in which the customer is a contracting party. Furthermore, processing is necessary to comply with our legal obligations.

In order to fulfill the agreement, but also to fulfill the legal obligation, we have the right to send so-called service messages – confirmations of the concluded agreement, invoices, order confirmations and other notifications closely related to a specific purchase to the customer by e-mail, SMS and/or via an instant messaging platform.

Moreover, after purchase, we have the right based on a legitimate interest to send satisfaction questionnaires to customers by e-mail, SMS and/or via an instant messaging platform and ask customers to rate our service and products if they wish. The primary purpose of the satisfaction questionnaire is to collect data about the service for the legitimate interest of improving our services. We can depersonalize and process this data from the questionnaire for statistical purposes for our own needs of analyzing business and improving the service.

By calling the phone number of the web-shop, we can collect data related to the purpose of the call; for example, if it is about a completed purchase, we will collect the first name, last name, and order number in order to be able to respond to the request. On the basis of a legitimate interest, we also keep records of calls.

We have the right based on legitimate interest to collect certain customer data and use it for direct marketing purposes as described in the MARKETING MESSAGES section.

PRIZE GAMES AND PRIZE CONTESTS

Valamar Riviera may occasionally organize prize games and prize contests, in which case it will collect your personal data only if you decide to participate in the prize game or contest. The data that will be collected this way and that is necessary for participation in the prize game/contest will be determined in the rules of the prize game/contest, and may be different. It is possible that the data of the awardees or winners will be made public.

The data collected this way, based on a kind of contractual obligation, will be used for the purpose of conducting the prize game/contest, in accordance with the published rules of the prize game, and will be deleted within five years after its end.

It will often be the case that guests who fill out a survey form for assessing the quality of service in Valamar’s facilities can also participate in a prize game, which will be clearly indicated on the form itself.

We have the right based on legitimate interest to collect certain data from participants in our prize games and contests and use it for direct marketing purposes as described in the MARKETING MESSAGES section.

PUBLIC ANNOUNCEMENTS

Valamar Riviera through its websites, media, profiles on social networks, the internal VIV magazine (either in print or e-edition), video walls and bulletin boards in the facilities, publishes information that is of interest to existing and potential workers, guests, business partners; thus, the public. Such announcements may contain a limited set of personal data, such as first and last name, positions, professional data, videos, statements and photographs.

The legal basis for processing is the legitimate interest of informing the public, but also marketing. During processing, the interest of the data subject is always taken into account, so personal data is not published if it is determined that the interest of the data subject that certain personal data should not be published overrides the interest of Valamar Riviera for its publication. In some situations, publication of information may be based on consent in accordance with the highest standards.

Announcements have a permanent character, which ensures information about current events, as well as insight into previous activities.

Processing will stop if, based on the objection of the data subject, it is established that such objection is justified or if the data subject has withdrawn consent in situations where consent is applicable and in a manner that can be implemented.

MARKETING MESSAGES

We have an interest in the processing of personal data that is carried out for the purposes of direct marketing for sending marketing messages, and for this purpose Valamar uses different methods:

- e-mail marketing (including SMS and/or instant messaging platforms (Viber, WhatsApp, etc.)), which means sending marketing messages (newsletter);

- the so-called web and mobile app push messages/notifications (short and simple messages sent from the browser or application to your device);

- remarketing that allows ads to be shown to users who have previously visited one of Valamar’s websites or mobile apps, which you can find more about in the Cookie Policy found on each website.

The legal bases for processing personal data for direct marketing are:

- LEGITIMATE INTEREST in the case of a relevant and appropriate relationship between the data subject and Valamar in accordance with point 70 of the introductory provisions of the Regulation, namely:

- CONSENT for:

Basic newsletters (messages) that are sent based on legitimate interest are sent only to data subjects who have a relationship with Valamar or Valamar’s facilities. The data processed is first and last name, e-mail, mobile phone number, address, gender, country/language of communication and basic data related to the specific relationship with Valamar Riviera (for example: facility, destination where you are staying, data on the purchase, purchased experience, etc.). All these categories of personal data are considered important because they enable the meaningful creation of a newsletter that is in line with the interests of the data subjects.

Basic newsletters (messages) that are sent based on the consent given by signing up for the newsletter. Signing up for the newsletter is possible via a web form on some of our websites. In order to ensure that there is no error or misuse when entering an e-mail address, we use the so-called Double-Opt in process (double verification): after the address is entered in the registration field, Valamar Riviera sends a confirmation link to the e-mail. Only after you have clicked on the confirmation link, your e-mail address is added to the database for sending a particular newsletter. Such newsletters are sent based on your consent, which you give us by filling out and confirming the form on the website. The content of the newsletter and its purpose will be specified when you register (for example: notifications about current special offers in our facilities, job offers, etc.). If you have updated your profile and provided some other data, this data will also be processed.

Messages (newsletters) designed just for you are messages that are sent to all loyal members as well as to people who have given special consent for this type of messages.​ To send messages designed just for you, Valamar uses data subject profiling for the purpose of contacting and informing you about offers designed just for you. For these newsletters, a wide range of personal data is processed, which may include the following: first and last name, e-mail, mobile phone number, address, city, country, postal code, gender, language of communication, title, date of birth, wedding anniversary, marital status, number of children and their age, interests (e.g. diving, cycling, etc.), data on requests for offers, bookings and stays (destination, facility, type of accommodation unit, dates of arrival and departure, number of nights, number of adults, number of children), pets, interests, travelling method, accommodation preference and destination preference, connection to social networks, data on purchases made on Valamar’s websites, purchased experience, data collected by completing a satisfaction survey, and for loyal members data collected related to loyal membership, which includes data collected when filling out the Loyal Program membership application form and related to member status (membership card identification number, number of points, number of points used, membership level, method of using points, use of benefits, data related to activities in the Ambassador Program).

The result of profiling is exclusively the best possible design of messages and offers that match your interests, because if we do not have some data, it is possible that our newsletters sent to you will be less relevant to your interests; for example, if we do not have the information that you are interested in cycling, you may not receive a newsletter with some information about benefits for cycling enthusiasts.

The period of processing personal data for the purpose of sending the newsletter is 10 years, counting:

- from the day of the last stay or other business relationship with us when newsletters are sent based on legitimate interest;

- from the date of your consent, when newsletters are sent based on your consent.

It is possible that in certain cases we also use the services of a campaign management platform (e.g. Oracle Responsys) for multi-channel campaign management, which enables the creation of personalized messages based on the individual interests and preferences of guests and potential clients. In these cases, it is about automated data processing and we enter into appropriate agreements with these partners.

The processing period for data collected through cookies depends on the type of cookies and is described on each website where they are used.

In all cases where the data subject has given consent, the data subject has the right to withdraw the given consent at any time, free of charge and without explanation. Withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

In all cases where the processing is based on a legitimate interest, data subjects have the right to object any time, free of charge and without explanation.

Withdrawal of consent, as well as a complaint, can be sent by e-mail to newsletter@valamar.com.

At any time, without explanation and without compensation, and regardless of the legal basis for receiving marketing messages (newsletters), you can unsubscribe from receiving any newsletter by clicking on the link at the bottom of each newsletter, or by blocking the sender in accordance with the rules of the online channel you use and, in that case, you will no longer receive the newsletter, but the data will remain archived.

Unsubscribing from the newsletter is not related to Valamar Riviera’s legitimate interest in sending service messages and satisfaction questionnaires related to a specific stay, purchased experience, etc. to data subjects for whom there is also some other legal basis (for example, guests of facilities, job candidates), as well as other service messages.

The withdrawal of the consent given for cookies can also be given at any time, without explanation and without compensation, and is described in the Cookie Policy.

SERVICE MESSAGES AND SATISFACTION QUESTIONNAIRES

Service messages are messages that we can send by e-mail, SMS, mobile app push messages and/or via instant messaging platforms (Viber, WhatsApp, etc.) which are related to a certain relationship we have with you, that we send based on a legitimate interest, that is, consent when we ask for it, for example:

- before, during and after your stay at Valamar’s facilities, we can send messages related to booking confirmations, reminders about your stay and other information closely related to the specific stay you have booked;

- when purchasing/booking goods, services or experiences on one of our sales websites, we may send confirmations of the concluded agreement, invoices, order confirmations, vouchers and other information closely related to the specific purchase or booking.

We send satisfaction questionnaires, which are related to a specific relationship we have with you, based on a legitimate interest, for example:

- during and after the stay at Valamar’s facilities, we have the right to send questionnaires about satisfaction with the service provided at Valamar’s facilities,

- after the purchase/booking of goods, services or experiences that you have purchased through our sales channels, we have the right to send questionnaires about satisfaction with the service provided or the goods purchased.

The primary purpose of the satisfaction questionnaire is to collect data for the legitimate interest of improving the service. We can process the results ourselves or through associates.

Service messages and messages with satisfaction questionnaires are not considered marketing messages, and please note that if you have requested that we not send you marketing messages, and you have booked accommodation after that, it is possible that you will receive service messages and satisfaction questionnaires.

In any case, when we send you messages based on legitimate interest, you have the right to object.

WEBSITES

In order to provide you with the best possible service and with easier and faster access to the content that interests you, we have several websites, such as: www.valamar-riviera.com, www.valamar.com, www.camping-adriatic.com, www.places-hotels.com, www.valamarlovesbike.com, www.blog.valamar.com, www.maroworld.valamar.com, www.valamar-experience.com, www.dobarposaouvalamaru.com, www.valfresco.com. This Privacy Policy applies to all of our sites and all subdomains.

We may collect personal data from visitors to our websites that is used for the purposes for which it was provided, all in accordance with the information provided at the time of collection (or an obvious purpose that can be derived from the context of collection).

Users have control over the personal data they enter in web forms. For example, on some of our websites you are given the opportunity to sign up for our newsletters in order to receive information or offers. Furthermore, on some websites you are offered the possibility of booking accommodation, buying excursions and goods, applying for a job, applying for various events, etc. In each case, you provide the data we need to fulfill the purpose of each individual case. Information on the processing of personal data can be found on every website at every place where data is collected.

We may also use a wide range of new tools on our websites to improve the user experience, and we use cookies and various other ways to track visitors, such as Google ads, META ads, Dynamic Yield, Google Analytics, Hotjar and others. We also use the Usercentrics Consent Management Platform for managing consent for cookies. Please read more about cookies and other technologies in our Cookie Policy, which can be found on each of our websites.

The legal basis for processing personal data of visitors to our website is a legitimate interest, execution of an agreement or consent if the data subject is asked to give consent.

Visitors have all the rights described in the RIGHTS OF THE DATA SUBJECT section.

This Privacy Policy does not cover the ways of handling information of other companies and organizations that in some cases are connected to our website, and that may use cookies and other technologies, and we advise you to familiarize yourself with their privacy policies and terms of business. Furthermore, the collection of data on websites open for events in which we are listed only as a sponsor, partner, etc., is not our responsibility.

MOBILE APPLICATIONS

We have MyValamar and PLACES mobile applications to make our services more accessible to users.

Considering that you can only use the mobile application using Google play or the App store (depending on your device type), please note that Google and Apple automatically record certain data such as: country, language, age of the user, type of device, duration of using the application, and through our interfaces with Google and Apple, we can get an analysis of this data, but we cannot connect this data to a specific person. This Privacy Policy does not apply to Google and Apple, which have separate privacy policies. More information about Google Play can be found at the link https://policies.google.com/privacy, and about the Apple store at https://www.apple.com/legal/privacy/data/en/app-store/.

When using the application, you can share data, but only with consent:

- I have a booking;

- I’m already staying at the facility;

- Valamar+club membership.

In these cases, we will connect you as a user of the application with the data we have about that booking and then we can identify you.

However, it is not necessary to enter this information to use the application, and you can skip that step and view our posts.

You can also sign up for Valamar’s loyalty program, in which case we refer you to the LOYALTY PROGRAM MEMBERSHIP section.

In case you want to book your stay, we will redirect you to our relevant website.

In case you allow us to send notifications, so-called push messages, so only with your consent, we will be able to send you service messages as well as promotional messages.

SOCIAL NETWORKS

In order to be able to better communicate with social network users and streaming platforms and inform them about our offers, we have profiles/pages on social networks Facebook, Instagram, YouTube, Pinterest, Tik Tok and Spotify (collectively hereinafter: social networks).

By using social networks, you accept their rules, among others, and the rules related to the processing of personal data, and we advise you to familiarize yourself with them. You use social networks and their functions at your own risk. Please note that with every interaction on our profiles on social networks and on other profiles, social networks record your behavior through cookies and other technologies, that is, the type, scope and purposes of data processing on social networks are primarily determined by social network operators.

Accordingly, some data (e.g. total number of visitors or visits to the page, activities on the page and data left by visitors, interactions (e.g. commenting, sharing, rating)) are processed and delivered to us by social networks. We have no influence on the creation and display of this data.

We can process personal data related to your user activities on social networks for marketing purposes exclusively based on your consent for cookies that you give on our websites. You can find exactly what kind of cookies they are and their purpose in the cookie settings for each website. Please find more information about cookies in the Cookie Policy.

In addition, we collect data for statistical purposes, for further development and optimization of content and more attractive design of our offer. This especially applies to the use of interactive functions.

In order to better manage social networks, we also use the services of partners with whom we have concluded appropriate agreements.

In case we want to use one of your comments or a picture that you have published on our profile, we will ask for your consent.

If you are a member of a social network, and you do not want that network to collect data about you through our pages on that network and merge it with your membership data stored on the respective network,

  • before visiting our page on the network in question, log out of that network;
  • delete cookies from your computer;
  • close your browser and restart it.

After re-login, you are again recognizable to the network as a specific user.

As we do not have full access to your personal data on social networks, if you wish to exercise your rights, please contact the social network service providers directly, as each has access to the personal data of its users and can implement appropriate measures and provide information.

Since we use social network services that do not operate in the European Union, we are obliged to inform you how these third parties that manage social networks can transfer your data to the USA.

Below are links to the privacy policies of companies that run social networks:

Facebook and (Meta Platforms Inc.) https://www.facebook.com/privacy/policy/

Instagram (Meta Platforms Inc.) https://privacycenter.instagram.com/policy/

Youtube (Google LLC) https://policies.google.com/privacy?hl=hr

TikTok (TikTok Ireland, TikTok UK) https://www.tiktok.com/legal/page/eea/privacy-policy/en

Pinterest (Pinterest Europe Ltd. i Pinterest, Inc.) https://policy.pinterest.com/hr/privacy-policy

Spotify (Spotify AB) https://www.spotify.com/at/legal/privacy-policy/

JOB CANDIDATES AND EMPLOYEES

This part of the Privacy Policy governs the protection of personal data primarily in processes related to employment, development and education. In this sense, the data subjects are primarily former and current workers, job seekers, persons who do work-based learning (students), persons undergoing professional training, students working on the basis of the so-called student contract, scholarship students who work on the basis of the so-called student contract, agency workers and interim workers, and other persons whose data is processed within the scope of employment and related relations.

Within the framework of data processing carried out in connection with employment, we have identified the following processing purposes.

1.Personnel selection: includes the collection and further processing of relevant tender documents of applied job candidates, testing (including the possibility of online psychological testing) and evaluation, collection and analysis of information about candidates from publicly available sources, including information that the candidate themselves has made public only if it is important because of the risks that a particular workplace entails. The legal basis is the performance of previous actions for concluding an agreement, as well as consent.

2.Mitigating reputational risk: collecting and analyzing information about employees and peers from publicly available sources, including self-disclosed information, only if relevant to the risks inherent to the particular position. The legal basis is a legitimate interest.

3.Conclusion and fulfillment of an agreement: processing for the purpose of concluding an employment contract, student contract, work-based learning (practice) or professional training, scholarship contract with persons who are not employed or any other comparable relationship. The legal basis is also compliance with legal obligations and in order to take actions at the request of the data subject before concluding the agreement as well as the execution of the agreement.

4.Keeping records of employees, persons in a comparable relationship or other persons (e.g. children, spouses or insurance beneficiaries). The legal basis is compliance with legal obligations.

5.Calculation and payment of wages and exercise of material and other rights: processing is necessary in order to exercise material and other rights; for example, to exercise the right to enter into active employment policy measures (permanent seasonal employee and others), to exercise additional rights of workers under the collective agreement (for example: birth of a child) and others. The legal basis is compliance with legal obligations.

6.Registration of accommodation: data processing is necessary in case the data subjects stay at facilities for personal accommodation of workers in order to register their stay with the competent authorities. The legal basis is the performance of legal obligations.

7.Work performance management: this purpose also includes information on the achievement of previously established goals, on-time fulfillment of goals, and further analysis to determine future goals, human resources management, determination of reward amounts, and other relevant measures. The legal basis is a legitimate interest.

8.Remuneration: processing includes remuneration, or compensation payments, whereby such processing may also include data on violations of ethical and other internal rules, data from the work performance management system, on attended trainings, as well as all other relevant data. The legal basis is a legitimate interest.

9.Training: processing for the purposes of training employees and persons in a comparable relationship of persons, including calling for mandatory and optional training, knowledge tests, which includes all necessary actions for the analysis of acquired knowledge and all other relevant information for organization, implementation and further action after implementing training. The legal basis is a legitimate interest and consent when requested.

10.Drafting various reports on workers: legal basis can be the fulfillment of legal obligations, but also a legitimate interest (for example, when making plans for future periods, etc.).

11.Instructions related to work and providing information: collection and processing of data for the purpose of providing quality and timely information to candidates about open positions and tenders, i.e. employment opportunities. Collection and processing of data of all employees, persons in a comparable relationship for the purpose of quality and timely information about:

- instructions related to the performance of work obligations (for example: work schedule, warnings about hacker attacks, etc.);

- information about compulsory and optional training;

- information on exercising rights from the employment relationship;

- Information on employee benefits;

- information about our business, employees, awards, key activities and initiatives;

- other information related to the employment relationship.

For these purposes, for the sake of speed and better information, we can send information via SMS, e-mail and/or via an instant messaging platform (Viber, WhatsApp, etc.) and through special applications (which workers install on their mobile devices). The legal basis is the execution of the agreement, a legitimate interest and consent when we request it.

12.Benefits for employees: we may decide to introduce the use of various tools in order to achieve various benefits; for example, issuing ID cards to employees that provide discounts at Valamar’s facilities and with our partners. The legal basis is a legitimate interest.

13.Protection of property and persons: includes recording of entry/exit from business premises, the possibility of recording and checking the use of official mobile devices, computer equipment, internet and telephone traffic, official vehicles, premises and other of our property. The legal basis is a legitimate interest.

14.Termination of employment: data processing due to the termination of an employment contract or other comparable contract. The legal basis is the fulfillment of legal and contractual obligations.

15.Ethical conduct monitoring: processing includes all procedures in which compliance with ethical conduct regulations or regulations related to the protection of dignity is investigated, or within the framework of any other disciplinary procedure, regardless of whether the data subject is a reported person or a reporter. The legal basis is a legitimate interest, and in some cases also our legal obligation.

16.Occupational safety: data processing may also be necessary in cases where it is necessary to fulfill the purpose of special regulations on occupational safety, including alcohol testing in accordance with regulations. The legal basis is a legitimate interest, and in some cases also our legal obligation.

In addition to the stated purposes, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary to exercise rights and obligations from the employment relationship, i.e. in connection with the employment relationship and any comparable relationship.

1.1. Personnel selection

We collect, process and retain the data of job candidates in the candidate database based on their voluntary application:

- application of the candidate via the web application form on the page www.dobarposaouvalamaru.com which serves as a kind of resume (CV);

- application via e-mail;

- by coming to organized auditions and filling out application forms;

- another way.

Data that is usually collected: first name, last name, date of birth, address, nationality, OIB (PID) (for Croatian citizens, given that OIB is the most reliable data used to distinguish candidates), telephone number, e-mail address (for the purpose of contacting), gender, vocational education, language, preferred method of communication.

As a rule, we receive data about candidates directly from candidates, but we can receive them indirectly, from domestic and foreign employment agencies, in which case these agencies are obliged to inform candidates about the processing of their personal data by us.

Candidates send their job applications:

- as open applications, in which case we process data for the purpose of contacting the candidate in connection with employment for three years (if the person is not employed by us);

- as applications for specific tenders that have a specified end date, in which case we process data for the duration of the tender and five months from the end of the tender in order to contact candidates regarding employment, and these applications are archived for three years. In the event that candidates who apply for a specific tender that has a specified deadline give special consent, we process the data for the purpose of contacting the candidate regarding employment for three years, as well as open applications (if the person is not employed with us).

We have a legitimate interest in using the obtained private e-mail addresses, as well as other provided contact information, to contact candidates regarding employment. For example, after applying, candidates can receive an automatic response that their application has been received and that candidates whose qualifications and experience match those required for individual positions will be contacted. Furthermore, after applying, candidates can receive a message to the phone number with the proposed date of the interview, a message in which the documentation required for employment is specified, etc. In addition, we have a legitimate interest in contacting people who have worked for a certain period of time, mostly seasonal jobs, for the purpose of informing them about information important for business and key activities at Valamar Riviera and our companies that we manage, and in order to maintain contact for the purpose of possible further cooperation.

You can unsubscribe at any time for free from the list of recipients of our employment-related news by e-mail at ljudski.potencijali@valamar.com.

The retained data is provided by the candidates themselves, but we, based on our legitimate interest in securing the best candidates, ourselves create personal data in connection with recruitment activities, such as the results of job interviews, tests (including online psychological testing) and assessments, and collect personal data from third parties, primarily by checking data obtained during the recruitment process by contacting relevant third parties (for example: employment agencies, education and training service providers) or by using publicly available sources.

1.2. Employment and other comparable relationships

As an employer, we collect, process and retain all employee data in the employee database, which is maintained in the IT program and in the employee’s physical files. The data that is collected is listed in the Rulebook on the content and method of keeping records on workers published by the ministry responsible for work and the pension system.

The necessary data to establish an employment relationship is, as a rule, a copy of an identity card, a copy of a current account or payment instruction from a bank, a copy of a protected account (if the employee has one), OIB (PID), proof of formal qualifications (copy of a certificate or diploma), e-book: certificate of pensionable service (obtained from the Croatian Pension Insurance Institute or through the e-Citizens service), electronic record of the tax card form, the so-called PK form (obtained from the Tax Administration or through the e-Citizens service, persons who are employed for the first time do not have an electronic record of the tax card form and must open it at the Tax Administration), birth certificate of the child if they are under 15 years old. Furthermore, according to the Labor Act, workers must provide a certificate of no criminal record and consent to obtaining a certificate of non-conviction for them, in the case of employment in workplaces that are in regular contact with minors.

The necessary data for concluding student contracts are, as a rule: certificate from the faculty for the current year as proof of student status or a copy of the index for the current year enrolled, a copy of the identity card, confirmation of the enrollment fee for the Student Center (not the case with all student centers), one photograph or student ID, OIB (PID).

In addition to this data, we can store in the worker’s file other data collected during the employment process, as well as other data collected during the employment relationship determined by our regulations (for example: awards, warnings, certificates, etc.).

All employee data is stored in the employee database from the date of establishment of the employment relationship and is kept up-to-date until the termination of the employment relationship, and the same is kept as documentation of permanent value in accordance with the relevant regulations.

In our database, we also store the data of other persons in a business relationship comparable to an employment relationship and professional development, namely from the beginning of work and keep it up-to-date until the end of work, and they are kept in accordance with relevant regulations. A special case is the data of students who may be minors, which are subject to special care and whose data is collected and stored in accordance with special regulations with the approval of the school and parents.

Salary data and payroll are subject to special regulations on retention. In any case, all workers and other persons in a business relationship comparable to an employment relationship and professional training have all the rights of the data subject.

BUSINESS PARTNERS

In its operations, Valamar Riviera also processes the data of business partners or potential business partners, namely:

  • natural persons who are, may become or have been business partners of Valamar Riviera, e.g. artisans, persons who are self-employed (e.g. lawyers, doctors, etc.), persons with whom service contracts are concluded (e.g. singers, painters, photographers, etc.) and other natural persons who have the position of an entrepreneur;
  • natural persons who, in some part of the business, represent legal persons with whom Valamar Riviera has, may have or had a business relationship (e.g. persons who carry out deliveries for their employer, a company, persons to whom invoices are sent for their employer, a legal person, signatories of contracts for a company represented by persons who perform handover for the company, persons who organize congresses for their legal entity, etc.).

In the context of processing data subjects’ data, Valamar Riviera has identified the following processing purposes:

a) Conclusion of an agreement: processing for the purpose of concluding an agreement from any area of our activity (for example: sending inquiries, sending special offers, searching for information about the signatories of the agreement, sending tenders for legal entities represented by data subjects, etc.). It is possible that we use applications created for bidders who wish to participate in Valamar’s tenders, in which case we will ask you to regress.

b) Fulfillment of the agreement: data processing is necessary for the purpose of fulfilling the agreement, which includes the fulfillment of obligations, monitoring their execution and ensuring all relevant measures for their execution (for example: to agree on the time and place of delivery of equipment based on the agreement, to send invoices, etc. for which cases, we will exchange the employee’s contact information (e-mail, mobile phone number) solely for the purpose of fulfilling the agreement).

c) Information: the collection and processing of data is necessary for the purpose of quality and timely information, therefore Valamar Riviera has the right based on a legitimate interest to collect certain data and use it for direct marketing purposes as described in the MARKETING MESSAGE section.

In addition to the stated purposes, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary to exercise rights and obligations from a business relationship.

The type of data subjects’ personal data that is collected are:

  • first and last name;
  • e-mail;
  • telephone number;
  • data on the position within the legal entity it represents (e.g. sales officer, management secretary, etc.);
  • occupation when the data subject is a natural person with whom a contractual relationship is entered into (for example: singer, painter, photographer, lawyer, doctor...);
  • sometimes references and short CVs (especially for consultants);
  • data specified on blank promissory note, promissory note, drafts;
  • bank account number (IBAN) when the business partner is a natural person with whom a contractual relationship is entered into;
  • other data depending on the nature of the business relationship.

Places where personal data of data subjects is collected:

  • received offers of data subjects for business cooperation;
  • data received from data subjects in the context of the sale of products/services or the purchase of products/services from a business partner (for example: fairs, congresses, etc.);
  • business correspondence related to certain previous or current business cooperation (for example, correspondence carried out as part of the execution of an agreement);
  • publicly published data (for example: court register, websites of business partners, magazines, newsletters, etc.).

In addition to the aforementioned types of data and the place of collection, it is possible to process personal data for other specific purposes, but always within the framework prescribed by law or if the processing is necessary to exercise rights and obligations from a business relationship.

VIDEO SURVEILLANCE

As a data controller, Valamar Riviera has a legitimate interest in implementing video surveillance measures to protect property and persons, and in certain cases (for example: exchange offices located at the reception desks of the facilities) it also has a legal obligation to install surveillance cameras that record all persons moving within the perimeter of the surveillance camera (guests, employees, business partners, etc.).

The processing of personal data of employees through the video surveillance system is also carried out under the conditions established by the regulations governing occupational safety.

In the prescribed manner, we mark all places where video surveillance is installed.

We are aware that videos contain personal data of all the people who move around the perimeter of the camera, and therefore keep them with special care, we have a regulated system of security and availability and deletion policy, which is governed by our internal security rules.

Videos are automatically deleted after a maximum of 15 days from the day of recording. In the case of the need for exemption (duplication), the videos are kept for a maximum of six months, unless another law prescribes a longer storage period or if they are evidence in a judicial, administrative, arbitration or other equivalent procedure. Excluded videos will be stored in a central reporting system with extremely limited access.

In the event of judicial and/or criminal proceedings, we may use the aforementioned videos. Personal data on videos can also be viewed by third parties, data processors, our contractual partners registered and expert in the provision of services for the protection of persons and property, who in no way use the stated data independently, but take care of the security of central monitoring and reporting systems. Special regulations governing that area apply to all other details related to video surveillance.

FINAL PROVISIONS

This Privacy Policy is available on https://valamar-riviera.com/en/gdpr-privacy-policies/, https://www.valamar.com/en/privacy-policy, as well as other Valamar web-pages, and also in human resources offices and at the receptions of Valamar facilities.

Due to transparency requirements, we will regularly revise this Privacy Policy.

This Privacy Policy was published on 1 January 2024.