Sunce Hoteli d.d. (hereinafter: Bluesun hotels & resorts) respects your privacy and is bound to protect your personal data. The data shall be collected and kept in accordance with the provisions of the General Data Protection Regulation.
Who is the data controller?
Bluesun hotels & resorts (Trpinska 9, 10000 Zagreb, Hrvatska) as the Controller of your data, respects your privacy and undertakes to protect your personal data. The collection and storage of data is carried out in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), the Act on Implementation of the General Data Protection Regulation (Official Gazette, No. 42/2018) and other regulations governing this area that are applicable in the Republic of Croatia.
Data Protection Officer
In accordance with the relevant regulations, Bluesun hotels & resorts has appointed a Data Protection Officer for you to contact if you have any questions or concerns related to the processing of your personal data or exercising your rights to personal data protection. Contact information: [email protected]
Implementation of data-protection principles
Bluesun hotels & resorts, within the framework of the implementation of this Policy, pays special attention to respecting the principles of data processing and processes data:
Lawfully – data processing is made possible when it is permitted by law and only within the limits permitted by law.
Fairly – by taking into account the specifics of each relationship, applying all appropriate measures for the protection of personal data and privacy in general, and allowing data subjects to exercise their rights.
In a transparent manner – by informing data subjects about the processing of personal data. From the beginning of data collection, when data subjects are informed about all aspects of data processing, until the end of data processing, data subjects are, in accordance with the provisions of the Regulation, granted simple and quick access to their own data, including the ability to inspect and obtain a copy thereof. Access to certain information may be restricted only when this is required by law or necessary for the protection of third parties.
By ensuring purpose limitation – personal data is processed for the purposes for which they are collected and may be processed for other purposes only when the requirements laid down in the Regulation are fulfilled. Data may be processed for duplicate purposes only by taking into account (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and Bluesun hotels & resorts; (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9 of the Regulation, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10 of the Regulation; (d) the possible consequences of the intended further processing for data subjects; and (e) the existence of appropriate safeguards.
By ensuring storage limitation – data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and may be stored longer only when this is allowed by the Regulation.
By ensuring data minimisation – data is processed only when it is adequate, relevant and limited to what is necessary. Special attention is given to not collecting data for which there is no justified need for processing.
By ensuring accountability – data must be accurate and kept up to date, and every reasonable step must be taken to erase inaccurate data.
With integrity and confidentiality – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Relevant measures are applied taking into account the risk related to each type of data processing.
Transfer of data to third parties
The access to the personal data of guests, where necessary and to a limited extent, may also be granted to third party processors (for example, associates of Bluesun hotels & resorts that provide IT), who store such data in their databases until due processing of such data is completed. We will conclude a detailed contract with such parties regarding their powers and obligations during the processing of personal data, in accordance with the requirements of the Regulation.
Under certain circumstances, external parties and Bluesun hotels & resorts may jointly determine the purpose and manner of personal data processing. In that event, such external partners and Bluesun hotels & resorts will be considered joint data controllers. Joint data controllers, in their mutual relationship, determine their own responsibilities for acting in compliance with obligations prescribed by the Regulation in a transparent manner, especially with regard to the exercise of rights held by data subjects and their duty to process data in a transparent manner, unless their responsibilities are already established by law.
What kind of data do we collect?
We collect only the data required for us to fulfil the purpose of collection.
The kinds of data we collect include:
• Date of stay from (date of arrival)
• Time from (arrival time)
• Date of stay up to (scheduled departure date)
• Duration of stay up to (expected time of departure)
• Type of document
• Number of document
• Last name
• First name
• Country of birth
• Date of birth
• Classification of taxpayer
• Type of service
• E-mail (Optional, with your consent)
Purpose of collection
The collected data shall be used exclusively for:
1. Legal obligations
a. Sojourn Tax Act (»Official gazette«, number 152/08., 59/09. – isp. and 30/14.)
b. eVisitor – Information system for check-in and check-out of tourists
2. Marketing purposes (Optional, with your consent)
• more efficient response to your inquiry
• registration in our prize draw system
• promotion of our services (newsletter)
• our internal statistical data processing
• possibility to send publications, brochures and other promotion materials
• you can choose to opt out from our mailing list anytime by an expressed declaration, after which Bluesun hotels & resorts will no longer use your data for promotion purposes.
Sunce Hoteli d.d. guarantees that all companies of the Bluesun hotels & resorts brand (WOT Hotels Adriatic Asset Company d.o.o., Salve Regina - Marija Bistrica d.o.o.) shall use the collected data only for the indicated purposes.
Legal basis for collection
The legal basis for the stated collection purposes may be:
• Key interests of data subjects
• Legitimate interest overridden by interests of data subjects; or
• Consent or explicit consent of data subject, depending on the purpose of processing and the type of personal data.
Points of data collection
Bluesun hotels & resorts collects your data at:
• Booking of accommodation (booking through website or booking by phone call to our call centre);
• Conclusion of accommodation contract – registration at the reception desk, filling in the registration card;
• Completion of survey form for participation in survey prize draw;
• Places under video surveillance.
Data storage period
Data that was lawfully collected by Bluesun hotels & resorts is stored for a period of time prescribed by a particular law or other positive regulation.
Data that was contractually collected by Bluesun hotels & resorts is stored only for a period of time necessary to fulfil the contract or provide a service.
Information about the name, surname and e-mail address collected by Bluesun hotels & resorts on the basis of legitimate interest for direct marketing purposes is stored in its guest database for a period of 10 years.
Other information collected by Bluesun hotels & resorts on the basis of guest's explicit consent (mobile phone number, number of children, marital status, pets, interests, manner of travel, accommodation and destination preferences) is stored in its guest database for a period of 5 years.
Rights of the data subjects
Bluesun hotels & resorts will provide the data subject upon his/her request with the following information: the identity and contact details of the controller; contact details of the data protection officer; the purpose of the processing for which the data are intended as well as the legal basis for the processing; the legitimate interests pursued; the recipients or categories of recipients of the personal data; where applicable, the fact that the controller intends to transfer the personal data to third countries; the period for which the personal data will be stored or the criteria used to determine that period; the rights related to the consents; the existence of automated decision-making, including profiling (meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject) and the existence of the rights set forth below. If the data are not collected directly from the data subject, the information shall also include the source of the personal data.
Bluesun hotels & resorts processes personal data in accordance with the Regulation, respecting the rights of the data subject set forth below:
1. Right to erasure (“right to be forgotten”) – the data subject shall have the right to obtain from the controller the erasure of the personal data concerning him/her and Bluesun hotels & resorts shall have the obligation to erase the personal data without undue delay where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing
• the data subject objects to the processing and there are legitimate grounds for exercising the right to erasure that override the legitimate interests of Bluesun hotels & resorts for the processing or storage of personal data
• the personal data have been unlawfully processed
• the personal data have to be erased for compliance with a legal obligation
2. Right of access - the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information on the access to his/her data and the purpose of the processing, the categories of personal data, the potential recipients to whom the personal data will be disclosed etc.
3. Right to rectification - the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In addition, the data subject shall have the obligation to update the personal data in the business relation with Bluesun hotels & resorts.
4. Right to data portability - the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to Bluesun hotels & resorts, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. It should be taken into account that the right to data portability refers only to the personal data of the data subjects.
5. Right to object - the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. In this case, Bluesun hotels & resorts shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The data subject has the right to lodge a complaint with a supervisory authority – Personal Data Protection Agency (for more information, please visit www.azop.hr).
6. Right to restriction of processing – the data subject shall have the right to obtain restriction of processing when he/she contests the accuracy of the personal data, when he believes that the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead or when the data subject objected to processing.
The data subject shall have the right to exercise one of the aforesaid rights at any time. Upon his/her request, the data subject shall be provided with the information concerning the measures taken in relation to the aforesaid rights within not more than three months from receipt of the request (depending on the number and complexity of the requests). We will endeavour to reply to requests within a period of one month; if necessary, such term shall be extended for a maximum of two additional months. In the case Bluesun hotels & resorts fails to respond to the request of the data subject, it shall inform the data subject of the reasons for not acting according to the request. Such reasons include the existence of lawfulness of the processing that prevents Bluesun hotels & resorts from acting.
In addition, the data subject shall have the right not to be subject to a decision solely based on automated processing that significantly affects him/her, including profiling, unless such decision:
- is necessary for the entering or performance of a contract between the data subject and Bluesun hotels & resorts
- is permitted by law
- is based on the consent of the data subject.
Protection of children's personal data
Bluesun hotels & resorts does not want and does not intend to collect personal information from persons under the age of 16 and shall not in any way use or disclose them to third parties. We do not collect personal data for contacts outside the Internet, except for the awards assignment, and even then only with the permission of parents. We do not make available to third parties any personally identifiable information without prior parental consent. We do not allow children, without parental consent, to publish or otherwise distribute personally identifiable information or other materials sent by means of which they can be contacted, nor do we encourage children, in order to participate in contests or any other activity, to reveal more data than is needed to participate in the relevant activity. In cases where children under the age of 16 years are allowed to participate in giveaways, we require the child to first ask for permission to participate from their parents or legal guardians, and to enter the e-mail address of their parents or legal guardians. If a child under 16 wins a prize, the parents or guardians will be notified by e-mail, telephone or in writing. Personal data of the child and the parents are deleted from our database if the parents request so. As a parent or guardian, you always have the right to request access to any personal information about your child that we received on one of our sites, or request such data to be removed (if the data is still kept in our database), and / or prohibit future collection and use of the information about your child. If you are a parent and wish to exercise this right, please contact us. Besides the above mentioned, Bluesun hotels & resorts guarantees the protection of personal data of children foreseen by special laws that regulate this matter.
Video surveillance system
Bluesun hotels & resorts, as the data controller, has the legitimate interest to implement video surveillance measures to protect property and persons in relation to certain workplace positions and statutory duty to install surveillance cameras that record employees and anyone moving within the surveillance camera field of view. Bluesun hotels & resorts indicates all places where video surveillance system is installed in the prescribed manner.
Bluesun hotels & resorts is aware that the video recordings contain personal data of all the persons moving within the surveillance camera field of view, and therefore handles them with special care. Furthermore, we have implemented a security system and introduced availability and erasure policy regulated by internal Bluesun hotels & resorts rules on safety. Video recordings are regularly rewritten and thus automatically deleted after a maximum of 30 days after they are recorded. Exceptionally, video recordings are kept longer when they serve as evidence in proceedings before competent state authorities. Extracted video recordings are stored in a centralised messaging system with extremely limited access. In the event of judicial and/or criminal proceedings, Bluesun hotels & resorts may use such video recordings. Access to personal data captured on video recordings may be granted to third parties, data processors and contractual partners of Bluesun hotels & resorts who are registered and qualified to provide services of personal and property protection and who do not use any of these data independently but participate in activities related to the security of central supervisory and alarm systems. All other details regarding video surveillance are subject to special regulations that govern that area.
Personal data breach
Bluesun hotels & resorts, as the data controller, ensures that in the event of personal data breach, the competent supervisory authority is notified of personal data breach without further delays and, if possible, at least 72 hours after such breach has occurred, unless it is not likely that such personal data breach will pose a risk to rights and freedoms of natural persons.
The report submitted to the supervisory authority must contain all information prescribed by the Regulation. In the event of personal data breach that is likely to pose high risk to rights and freedoms of natural persons, Bluesun hotels & resorts, as the data controller, will notify the data subject of such personal data breach without further delays. Data subjects will not be notified where the Regulation stipulates that such notification is not mandatory.
Data protection impact assessment
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of data subjects, Bluesun hotels & resorts will, as the data controller, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
Bluesun hotels & resorts performs a data protection impact assessment in the event of:
• Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• Processing on a large scale of special categories of data referred to in Article 9, paragraph 1, or of personal data relating to criminal convictions and offences referred to in Article 10 of the Regulation;
• Systematic monitoring of a publicly accessible area on a large scale;
• Any other situation defined by the competent supervisory authority.
Bluesun hotels & resorts ensures an adequate involvement of data protection officers in the performance of impact assessment. In accordance with the provisions of the Regulation and, when necessary, after the performance of the impact assessment, we will consult the supervisory authority prior to processing.
Marketing purposes (Optional, with your consent)
When you send us an e-mail with personal data by which you can be identified, this being either an e-mail with an inquiry or comment, or a form delivered to us via e-mail, we shall use such data only in order to meet your demands.
For the purpose of security of data collected through this website and to ensure that this service is accessible to all customers, this computer system uses software that monitors the visits to the website and identifies any unauthorised attempt of dispatch or change of data as well as those that might otherwise cause damage. Unauthorised attempts of data dispatch and change are strictly prohibited on this site.
Data collected through online surveys shall be used exclusively for the purpose of improving the service within the hotels of Bluesun hotels & resorts. You will be asked to give your consent for the use of your e-mail address for surveys.
How cookies are used
Cookies are used for various purposes. They are used to identify you as the same user of all sites within one website, between more than one website or when using an application. The types of information we collect with the cookies include IP address; ID of the device; visited sites; type of browser; browsing information; operating system; provider of web services; time stamp; information on whether you opened an ad; URL referral; use of preference or activity within a website/application.
Technical cookies: we are trying to provide to our visitors an advanced and simple website and applications that automatically adjust to their needs and requirements. In order to achieve this, we use technical cookies for displaying our website and for accurate functioning, as well as for creating your user account, log-in and edit reservations. Technical cookies are absolutely necessary for the proper operation of our site.
Analytical cookies: we use these cookies to find out how our users use the Bluesun hotels & resorts website. In this way we can find out what is and what is not successful and optimize and improve the website and apps, understand the efficiency of advertising and communication and ensure that we remain interesting and relevant. The data we collect includes information about the websites you visited, the pages from which you have been redirected to our site, as well as the pages from which you left our site, which platform you used, which e-mails you opened and replied to and the date and time of visit.
Commercial cookies: we use third party cookies, as well as our own, to display personalized ads on our site and on other websites. This process is called "retargeting" and is based on your searches such as the destinations you've been looking for, the accommodation facilities you've viewed and the prices shown to you.
Which options are available?
Change of data
At any time, you can request to review your personal data, as well as update, correct or delete data. Until that moment, we will use your old data for the indicated purposes.
Any changes to the privacy statement shall be published at www.bluesunhotels.com and made accessible to everyone.