Information on collecting and processing of personal data
Croatia Holidays Ltd. (hereinafter: “the Agency”) dedicates a lot of attention to the protection and processing of personal data. The Agency processes personal data in scope of its registered activities and in respect of all applicable rules and regulations.
(1) The responsible party for data processing is the Controller:
Croatia Holidays Ltd. for tourism and services, travel agency,
Dubrovnik, Liechtensteinov put 3, OIB/PIN 36948406604,
(2) If we use the services of external providers for the processing of your personal data (Data Processors), we are then reffering to processing of personal data on demand. We are in that case also responsible for the protection of your personal data. However, there is also a possibility that the before mentioned personal data is going to be transferred and processed outside of the EU. The forementioned transfer shall be performed only if we have contracted appropriate guarantees with the service provider as the processor, or if the client has provided us with explicit consent.
The purpose of this Information on collecting and processing of personal data (hereinafter: “Information”) is to inform you about all the relevant features of the collection of your personal data, as well as its processing and storage. The listed applies to all personal data you have transferred to us via this web-page, electronic, written or verbal communication or that we have received through a travel agency and other businesses with whom you are in a contractual or other similar relationship, as well as data collected from other sources.
Upon making the reservation or offer, we request the personal data necessary for the reservation or offer. The client can provide us with the personal data personally, or via reservation form or mail, or it can be provided by a third person, in name of the client.
Personal data that we collect
We process the following personal data:
The purpose of collecting personal data and period during which the personal dana will be stored
The Agency determines the purpose of the processing of personal data and is therefore considered to bet the Data Controller. Upon written request based on applicable regulations, the Agency shall deliver or give access to certain personal data of clients to competent state authorities (such as police, tourist inspection, courst etc.). The legal basis for processing the data for these purposes is fulfilling the legal obligations of the Agency.
The basic purpose of collecting personal data is concluding and executing contracts on travel organization or intermediary travel organization and providing touristic services or so that actions may be taken at your request before and during the contract. The scope of the personal data collected depends on the purpose of the contract that you intend to conclude or that you are concluding, or the request to exercise rights (the type of service provided and price). Actions at your request before the conclusion of the contract mean checking your requests and needs, checking the appropriateness or applicability of our products and services to your special circumstances, as needed, all with the goal of creating an offer and/or an informative price figure. In this case, the scope of the personal data collected by us depends on the type of the request we received, and the information necessary to fulfil the request. The purpose of the processing of the personal data may be the obligation to fulfil contracted services with such a service provider. In that case the collecting of personal data upon that defined purpose may represent a contractual obligation and a condition necessary for the execution of the contract. If you refuse to provide certain personal data, we shall not be able to fulfill our contractual obligations, which shall result in the inability to execute the contract and touristic service. The personal data required for the the execution of contractual obligations are necessary due to internal Agency regulations, and it is not possible to make a reservation or execute the forementioned contract without disclosing personal data, which are stored until contract expiry.
The credit card number is collected because it is required for concluding and executing the contract with the client. It is used as insurance for the payment of accommodation costs and costs of other services that might be incurred if the client does not settle his or her debt towards the Agency. The mentioned data is also used for service payment.
Emergency contact information are processed on the basis of legitimate interest, i.e. potential situations where it is necessary and urgent to transmit certain relevant information to your close ones (in case of extraordinary circumstances, such as sickness, accidents, etc.). Other required data, i.e. email address, is processed based on a legitimate interest in good communication between the contractual parties for the purpose of fulfilling all aspects of the contract, i.e. easier communication in the sense of organising your arrival and reserving the accommodation itself, and this data is also erased when the accommodation service contract expires.
The personal data from the clients is being stored to protect the clients’ legitimate interests or our legitimate interests, in accordance with applicable regulations. That can for instance include storage of clients data so we can respond to eventual complaints in the best possible manner, use of clients data in order of prevention, detection and processing the misuse and possible damage conducted to the clients or the Agency, providing security of employees, clients, products and services of Agency, creating services and offers which are adequate in regards of the needs and wishes of clients, providing great user experience, personalized user support, research and analysis of the market, optimization of sales channels. The legal basis for the processing in these purposes is the legitimate interest of the Agency, except when the interest of the client or basic rights and liberties in regard of data protection prevail. The exception is when the legal basis is consent.
Special personal data categories
Due to the nature of the travel services, special categories of personal data in regards of clients’ health may need to be processed, for the sole purpose of executing the contract between the Agency and client, or between the travel organizers in case of travel packages, or in regard of activities which precede the execution of the contract. If the client provided the Agency with special personal data categories, it is deemed that the client gave his explicit consent in regard of that data.
In principle, the following types of personal data are not processed: data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of the unique identification of individuals, and data related to health, sex life and an individual’s sexual orientation. The above-mentioned personal data categories are nevertheless processed by the Agency in the following situations: 1) if the client has provided explicit consent to the processing of this personal data, and for one or several determined purposes, except if applicable regulations state that such a consent does not have an effect; 2) processing is important for the protection of a vitally important interest for the client or another individual, if the guest cannot physically or legally provide consent; 3) processing is related to personal data obviously made public by the client, 4) processing is required for the establishment, fulfilment, or defence of legal requirements, or whenever courts act in their capacity as courts; 5) processing is necessary for the purpose of significant public interest, on the basis of applicable regulations and in proportion to the desired goal, with respect to the essence of data protection rights, and ensured appropriate and special measures for the protection of the Subject’s basic rights and interests; 6) processing is required for the purpose of preventive medicine, medical diagnosis, the provision of health or social care or treatment, or management of health or social systems and services, pursuant to applicable regulations. All your personal data transferred to us by you or by a Third Party is processed in accordance with the goal of their processing (whereby we mention that, if you are travelling with children under 16 years of age, their personal data, regardless of the basis, is only processed with your explicit consent).
Links to websites and Third Party services
Our website and our mobile programmes and Wi-Fi network record your usage data and contain links to Third Party websites. Bear in mind that we are not responsible for the collection, usage, maintenance, exchange or publishing of data and information by these Third Parties. If you provide data to Third Party websites i.e. use them, the privacy rules and terms and conditions of these websites apply. We recommend that you read the privacy rules of the website you are visiting before providing personal data.
The Agency will conduct all reasonable measures to protect your personal data from unauthorised access, disclosure, modification or erasure, and will keep the personal data precise and updated as far as possible. We request our partners and service providers with whom we share personal data to invest reasonable efforts into maintaining the confidentiality of your personal data. For network transactions, we apply a reasonable level of technological measures in order to protect the personal data you share with us via our website. However, it should be noted that no security system or internet data transfer system can guarantee complete safety.
Legitimate interests of the Company as the purpose of processing personal data
Your personal data will be processed for the purpose of our legitimate interests, except when your interests or your basic rights and freedoms, requiring personal data protection, take precedence. The legitimate interest of the Agency in that sense is processing personal data so that our service may completely adapt to your needs and wishes (e.g. special family packages etc.). The mentioned data may also be used for our internal statistical and analytical purposes.
You can object to this legitimate interest of the Agency at any moment and, in that case, we will no longer process your data for that purpose, which will not affect the legality of the processing until the day of withdrawal. In any case, we require your explicit consent for direct marketing.
Consent is the legal basis for collecting personal data on monitoring the quality of our travel arrangements. The Agency cares about your opinion on the services provided and, for that purpose, we ask you to fill in so-called quality surveys so that you can rate us. This allows us to analyze various aspects of our service, so that we can develop it and improve it even more.
The survey informs the client that providing any personal data is voluntary. The clients decide for themselves whether or not they will fill in the survey, and they decide for themselves whether they will list personal data and, if so, which ones. If the processing of the previously mentioned data is based on your consent, the data mentioned is processed until you withdraw your consent or request its erasure. In accordance with the above, based on your consent, we may also process other personal data outside of those listed in this Information. Related to the above, please note that, in accordance with the applicable regulations, the Agency nevertheless does not conduct erasure, despite the request of the Subject, if the processing of this personal data is necessary: a) to comply with a legal obligation that requires processing, and the Agency being subject to this obligation, b) to exercise the right to freedom of expression and information; c) for a public interest in the area of public health; d) for the purpose of public interest, historical or scientific research, or for statistical purposes, i.e. for compliance with or defence of legal requirements.
In processing your personal data based on your consent, we partially apply automated processes for processing or profiling, so that contact with you may be of a more individual nature and so that we can adapt our service completely to your needs and wishes (e.g. special family packages etc.).
In case of providing marketing consent, for which we request your explicit approval, your personal data may, in exceptional cases, be involved in automated processing, based on which your profile will be created for the purpose of analysing the services provided and your rights, as well as for the purpose of improving the quality of the business relationship. Automated decision-making, including profile creation, will be conducted in cases of creating your client profile for the purpose of analysing the services provided and your rights, as well as to improve the quality of the business relationship and to process data based on an approval for marketing purposes, with the goal being to improve the quality of the business relationship and marketing, and so that we can specifically inform you about benefits and new features of our offer. If such processing of personal data is not required for the conclusion or execution of the contract, you have the right to request that a person employed by the Agency decides on the outcome of the processing, the right to express your own viewpoint, and the right to object to a decision made through automated processing. We also hereby mention that the usage of your personal data for marketing purposes is only possible pursuant to your explicit consent. Should you provide such consent to us, we will duly provide information about all benefits, discounts, events and associated services that we believe might be of interest to you. You can withdraw this consent at any moment by notifying us via the contact information listed in the introductory section of this Information.
To whom will your personal data be disclosed
The Agency ensures that your personal data is processed exclusively for the purposes listed in this document. The purpose of personal data processing will require that your personal data is disclosed and that, in addition to the Agency, other companies and persons process it as processors. Processor categories receiving your data include: government and public authorities, in accordance with the Company’s legal obligations, health care institutions, information or legal services providers, delivery service providers etc.
Personal data processors, with the exception of government and public authorities, process data exclusively according the Company’s instructions, thereby abiding by the technical and organisational measures in order to ensure the protection of your rights.
The Agency transfers the personal data to Third parties when it is necessary to provide the contractual services or requested information to the client (aeroplane schedule, buses, insurance, banks, accommodation, other touristic agencies, embassies or visa offices), as well as when the Agency acts as an intermediary in package travels. In that case we transfer the forementioned personal data to the organizer, so the client may receive the contractual service.
Where will your personal data be processed
Processing of your personal data may be conducted within or outside of the European Economic Area, but will in any case be performed by processors whose responsibilities and obligations to protect personal data, as well as applicable technical and organisational security measures prescribed by the contractual relationship, are in conformity with all legal regulations governing the protection of personal data. However, the Agency cannot guarantee that the level of data protection in third countries shall be the same as in the EU. The before mentioned shall be conducted only when it is necessary in regards of the contract, and if appropriate guarantees regarding data protection have been contracted, or if the client provided his explicit consent, upon understanding the risks of processing data outside the EU.
Period during which the personal data will be stored
Your personal data will be stored only for as long as necessary to fulfil the purpose of its processing. The period of storing personal data depends on the aim of the collection. If it is contract or providing tourism services, this period shall be defined by the duration of the contract itself, i.e. by charging for these services, in the sense of legal obligations to keep records. An extension of this period is prescribed by the internal rules of the Agency, which in turn depend on legally prescribed statutes of limitations for claims, or this time may be extended considering the legally defined storage periods, such as in the case of accounting documents.
Rights related to the collected personal data
In relation to the data you have disclosed to us, you have (I) the right to access the personal data being processed, (II) the right to modify or erase personal data, (III) the right to limit processing, (IV) the right to object to processing, (V) the right to transfer data to another controller, (VI) the right to withdraw consent, (VII) the right to submit a complaint to a supervisory authority. To exercise all of the rights listed herein, simply inform us in accordance with the contact information from the introduction to this Information.
The right to submit a complaint to a supervisory authority
At any moment, you may submit a complaint concerning the processing of your personal data to the competent supervisory authority, in accordance with the Act on the Implementation of the General Data Protection Regulation, or other legislation governing the protection of personal data and defining supervisory authorities regarding the processing of personal data.
This Information may change from time to time. When significant changes are made to this Information, we will publish a link to the modified Information on the homepage of our website. All changes to the Information will enter into force after the publication of the modified Information on the website.
This Information on collecting and processing personal data is applied as of 25 May 2018 in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)
(“Croatia Holidays d.o.o. “) (hereafter referred to as ´Croatia Holidays´) operates https://www.elaphiteislandsdubrovnik.com and may operate other websites. It is Croatia Holidays´s policy to respect your privacy regarding any information we may collect while operating our websites. We do comply with General Data Protection Regulation (GDPR) (EU) 2016/679.
Like most website operators, Croatia Holidays collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Croatia Holidays´s purpose in collecting non-personally identifying information is to better understand how Croatia Holidays´s visitors use its website. From time to time, Croatia Holidays may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.
Croatia Holidays is the controller of any personally-identifiable-information gathered by www.elaphiteislandsdubrovnik.com
Contact us at any time to:
If you have any additional questions about Croatia Holidays´s collection and storage of data, please contact us at: firstname.lastname@example.org
Collection of personal information from site users of our Website
Where practical we will collect personal information directly from you. Generally this will be collected by us when you deal with us either in person, by telephone, letter, facsimile, email or when you visit our Website. Without limitation, we may collect your personal information as follows:
A) We collect and/or track (1) the home server domain names, e-mail addresses, IP addresses, type of computer, and type of web browser of visitors to the Website, (2) the e-mail addresses of visitors that communicate with us or the Website via e-mail, (3) information knowingly provided by the visitor in online forms (including travel preferences, such as seat selection, meal requests, frequent flyer/hotel/car rental program information), registration forms, surveys, and contest entries (including name, address, e-mail and other personal profile data), (4) aggregate and user-specific information regarding page views and other online activities, and (5) other information gathered through our weblogs or other interactive forums. You can choose not to provide information to us, but in general, some information about you is required in order for you to utilize the Website and/or to purchase products or services; complete a traveler profile; participate in a survey, contest, or sweepstakes; or initiate other transactions on the Website. When you make travel or other arrangements for someone else through the Website, we will request personal information and travel preferences about that individual. You should obtain the consent of other individuals prior to providing us with their personal information and travel preferences.
B) We place “cookies” on visitors’ hard drives. Cookies save data about individual visitors, such as the visitor’s name, password, username, screen preferences, the pages of a site viewed by the visitor, and the advertisements viewed or clicked by the visitor. When the visitor revisits the Website, we may recognize the visitor by the cookie and customize the visitor’s experience accordingly. Visitors may decline cookies, if any, by using the appropriate feature of their web client software, if available; however, this may impair certain features of the Website.
C) When a visitor performs a search within the Website, we may record information identifying the visitor or linking the visitor to the search performed. We may also record limited information associated with every search request made by the visitor and use that information to, among other things, solve technical problems with the service and to calculate overall usage statistics.+
D) Facebook Pixel is a Cookie placed by Facebook. It enables Croatia Holidays Ltd. to measure, optimize and build audiences for advertising campaigns served on Facebook. For further information about the Facebook Pixel please see: The Facebook Pixel
We are required by law to obtain your consent to the collection of sensitive information. We will assume that you have consented to the collection of all information which is provided to us for use in accordance with this Policy unless you tell us otherwise.
Use of personal information collected
We will only collect personal information that is relevant for the purposes for which it is to be used. We will take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. We may use personally identifiable information in a number of ways, such as:
A) To communicate with you about your account, or to communicate information about the Website.
B) To build higher quality, more useful services such as by analysing usage trends, and by measuring demographics and interests regarding specific areas of the Website.
C) To provide you with prompt and effective customer service.
D) To support the operation of the Website (such as account maintenance and record keeping), troubleshoot problems, resolve disputes, and to enforce our terms and conditions.
E) To inform you about our services.
F) Ancillary purpose such as any one or more of the following purposes:
• Identification of fraud or error;
• Regulatory reporting and compliance;
• Developing, improving and marketing our products and services;
• Servicing our relationship with you by, among other things, providing updates on promotions and services we think may interest you;
• Involving you in market research gauging customer satisfaction and seeking feedback regarding our relationship with you;
• To facilitate your participation in loyalty programs;
• To analyse trends in sales and travel destinations;
• For marketing activities; and
• Internal accounting and administration.
Disclosure of personal information to Third Parties
We may disclose personally identifiable information about you to Third Parties as follows:
A) With your consent.
B) To facilitate a transaction or communication with a Third Party that you have initiated.
C) To our agents and advisors (such as our accountants or attorneys). We only disclose the personal information necessary for them to provide their services to you or to us, and only under strict confidentiality restrictions.
D) As we believe necessary to: (1) comply with law (including court and government orders, and civil subpoenas); (2) enforce or apply our terms and conditions and rules and regulations and other agreements; or (3) protect the rights, property, or safety of our users, or others.
E) If you partake (or we reasonably suspect that you are partaking) in any illegal or potentially illegal activity. We may disclose personal information even without a subpoena, warrant, or other court order, to the extent we feel is necessary to inform and cooperate with law enforcement agencies or other appropriate authorities.
F) In aggregated form, i.e., information about multiple users collectively without identifying any individual user, such as the total number of visitors to the Website in a given week.
G) Due to circumstances beyond our control. We shall take reasonable steps to protect the Information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the personal information from loss, misuse, unauthorized access or disclosure, alteration, or destruction. Despite the precautions we take to protect your personal information, the unfortunate fact is that there is simply no such thing as a perfect security system. Also, we have no control over the security of the internet in general. As a result, we cannot guarantee that unauthorized persons will never gain access to your transmissions or information, or that personal information will never be disclosed in ways not covered by this Policy.
H) In connection with a transfer, reorganization or otherwise, to a successor-in-interest to our organization or its other material assets. When a Third Party acts as our agent, we will ensure that the Third Party is willing to enter into a written agreement requiring the Third Party to provide at least the same level of privacy protection as is required by the relevant principles.
Trans-Border data flows
In providing our services to you it may be necessary for us to forward personal information to relevant overseas Third Party service providers or our affiliates, licensees overseas. Please let us know if you have any objections to such transfers.
Security of information
We have implemented appropriate physical, electronic and managerial security procedures in order to protect personal information from loss, misuse, alteration or destruction. We use advanced technology to ensure security on all data transmitted via the Website. Secure Sockets Layer (SSL) technology is used to transmit all data between browsers and our web server where applicable.
Visitors may opt-out of having their personal information collected or used by us for secondary purposes, or used by us to send promotional correspondence to the visitor, by us via email at: email@example.com.
To the extent you choose to continue using the Website, however, we may use your personal information as may be reasonably necessary in connection with such use. For sensitive information (other than for the sensitive information to be used purpose for which it was provided), we will give you affirmative or explicit (opt in) choice if the information is to be disclosed to a Third Party or used for a purpose other than those for which it was originally collected or subsequently authorized.
Third Party sites
The Website may contain links to other websites that we believe may offer useful information to visitors. Unless we explicitly state otherwise, we have no control over these Third Party sites and their privacy practices, and this Policy applies only to information you supply (or that we collect) in connection with use of the Website. You should review Third Party privacy policies in connection with visiting the sites.
Access to and ability to correct personal information
Upon request via postal mail or e-mail, we will, within a reasonable time period, provide to visitors a summary of any personally identifiable information retained by us regarding the visitor, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Visitors may modify, correct, change or update personally identifiable information that we have collected through the Website or may cause their personal record to be removed from our database, except where the burden or expense of providing these services would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated, by contacting us via postal mail or e-mail indicated below.
Feedback and complaints
We welcome your inquiries or comments about our Policy. Should you have any comments or complaints please contact us at firstname.lastname@example.org. We will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal information in accordance with this Policy.
For a more detailed explanation of GDPR and your rights, please click here.
Policy Amended 24th May 2018.