Privacy policy

We value your privacy and attach particular importance to the protection of your personal data. Therefore, with this document, we wish to explain how we handle the personal data we process.

Introduction

We collect and process your data solely for the purpose of providing high-quality services, in a lawful, fair and transparent manner. We process only the data necessary for the provision of a particular service, while ensuring that such data is appropriately protected.

Such personal data primarily relates to natural persons with whom the Opatija Tourist Board has a business relationship or a legitimate interest in contacting, including clients, suppliers, business contacts, employees and similar persons.

When there is no longer a need to process your personal data, we delete all personal data or anonymise it by applying appropriate technical solutions, so that it may be used exclusively for statistical purposes.

We collect and process personal data in accordance with our values and principles, this Privacy Policy, and the applicable European and Croatian regulations concerning the protection of personal data.

This Privacy Policy applies equally to personal data in digital or electronic form and to personal data in printed, paper form, regardless of whether the printed document originates from a digital or electronic record.

Terms used in this Privacy Policy that have a gender-specific meaning apply equally to both the male and female gender.

Principles

When processing personal data, we are guided by the principles and rules established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC—the General Data Protection Regulation.

When processing personal data, we comply with the obligation to maintain professional secrecy as regulated by the law of the European Union and the Republic of Croatia.

We process personal data:

  • lawfully, fairly and transparently;

  • for specific, clearly defined and lawful purposes;

  • using only accurate, up-to-date, appropriate and relevant data limited to what is necessary for the purpose for which it is processed;

  • only for as long as necessary to fulfil the purpose of the processing; and

  • protecting it against any unauthorised or unlawful processing and against accidental loss, destruction or damage.

We process the personal data of persons under the age of 16 only on the basis of the consent of a parent or guardian and only to the extent and within the scope for which such consent has been given.

Confidentiality and Security

We treat all personal data as confidential, while ensuring an appropriate level of security and protection. We do not collect, process or otherwise use personal data in any unauthorised manner.

Employees protect personal data as a business secret, including after the termination of their employment.

Employees process only the data they are authorised to process, in the manner and within the limits of their authorisation, and exclusively for the purpose for which the data was collected or is being processed.

Before introducing new technologies that may be used to process personal data, we conduct a thorough analysis and adapt the relevant technical and organisational measures in order to ensure the application of the highest standards of personal data protection.

Guidelines for Employee Conduct

In their daily work, employees comply with this Privacy Policy and the applicable regulations concerning the protection of personal data.

Access to personal data is granted exclusively to employees who require such access in order to perform their work or carry out their duties. Personal data shall not be shared informally among employees. Each request for access must be submitted to the person responsible for the relevant task or to the person who issued the instruction.

The Opatija Tourist Board ensures the application of good data-protection practices in accordance with the recommendations of the Croatian Personal Data Protection Agency and other authorities responsible for data protection in the European Union and Croatia.

Employees implement appropriate organisational and technical safeguards in order to minimise risks to personal data to the greatest possible extent. In particular, they:

  • use strong passwords that are known only to them and are not shared with third parties;

  • regularly review the accuracy, relevance and continued necessity of personal data. If personal data is no longer required or is outdated and cannot be updated, it is deleted or anonymised;

  • lock computers on which they work with personal data whenever they leave them unattended;

  • take particular care not to disclose or provide personal data to unauthorised persons, regardless of whether such persons are employees or not; and

  • seek advice or assistance from the responsible person whenever they are uncertain about any aspect of personal data protection.

Data Storage

We pay particular attention to the manner in which data is stored, regardless of whether it is stored on paper, in digital or electronic form, or in any other format.

Personal data in paper form, including printed copies of data otherwise stored in digital or electronic form:

  • is stored, when not in use, in a locked drawer or filing cabinet accessible exclusively to authorised persons;

  • must not be left by employees in a visible place or in any location where unauthorised persons could gain access to the personal data; and

  • is destroyed using a paper shredder or another technically appropriate method and properly disposed of when it is no longer required.

Personal data in digital or electronic form is protected against unauthorised access, accidental alteration or deletion, and unauthorised intrusion into the system by:

  • using strong passwords that are changed regularly, are known only to authorised persons and are not shared with third parties;

  • storing portable media containing personal data, such as CDs, DVDs, USB drives or portable hard drives, in a secure location accessible exclusively to authorised persons;

  • using exclusively official storage media and servers, or a selected cloud service that applies appropriate organisational and technical safeguards;

  • locating servers on which personal data is stored in a secure location accessible exclusively to authorised persons;

  • regularly creating data backups in order to ensure the integrity, authenticity and accuracy of the data, in accordance with this Privacy Policy and the applicable personal data protection regulations;

  • not storing personal data directly on mobile devices, such as tablets or smartphones, unless this is necessary for the performance of a contract or the provision of an agreed service, and then only for the duration and to the extent contractually agreed or necessary;

  • prohibiting employees from storing personal data on their own personal computers or other personal devices or media that they use or may use for work purposes; and

  • protecting all servers and computers containing personal data with appropriate technical security measures.

Data Processing

We process all personal data lawfully and in accordance with the conditions, principles and standards of the General Data Protection Regulation and national legislation. Processing is primarily based on specific consent, the performance of a contractual relationship or compliance with legal obligations.

We do not process special categories of personal data, except for special categories of employees’ personal data for which employees have given their explicit consent, or where such processing is necessary to protect and exercise the rights and interests of employees in the fields of employment law, social security and social protection law.

We endeavour to collect personal data primarily from the data subject to whom the data relates. When collecting personal data, the data subject is always informed of the reason and purpose of the processing and of the legal basis for such processing.

Whenever personal data is transferred, we apply appropriate safeguards corresponding to the categories of personal data and the risks arising from such categorisation, taking into account the specific circumstances of each individual transfer.

Personal data may be transmitted digitally or electronically, with due regard to the application of appropriate security measures, available technical capabilities, the categories of personal data concerned and the relevant risk assessment. We implement special measures to prevent unauthorised access to personal data.

We will never disclose your data to third parties without your explicit request and your freely given, specific, unambiguous and clearly defined consent.

Exceptionally, we may disclose your personal data to competent international, state and public authorities where this is necessary to comply with legal obligations or to protect your vital interests or the vital interests of other natural persons. We may also disclose your personal data at the request of a court for the purposes of judicial proceedings, irrespective of the stage of such proceedings, within the scope and limits of the relevant court order.

When the Opatija Tourist Board acts as a processor on behalf of a controller, it guarantees the implementation of appropriate technical and organisational measures in accordance with the General Data Protection Regulation and this Privacy Policy, while ensuring the protection of the rights of data subjects.

Such processing of personal data is governed by a written contract or another legal act under European Union law or the law of the Republic of Croatia. The controller shall specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the controller’s obligations and rights.

In such cases, the Opatija Tourist Board processes personal data only in accordance with the controller’s explicit and clearly defined instructions or orders. In its capacity as a processor, the Opatija Tourist Board does not process personal data, regardless of whether it is able to access such data, unless explicitly requested to do so by the controller, and then only in the manner and to the extent requested by the controller.

We apply the same principle when providing services such as the maintenance or updating of websites, applications or other systems that may contain or do contain personal data.

By using technical protection methods, such as encryption, and by complying with and implementing this Privacy Policy, we ensure that our employees do not access or otherwise come into contact with personal data that is not necessary for the provision of the contracted service.

International Transfers of Personal Data

We do not transfer personal data to third countries or international organisations, except in exceptional cases prescribed by law or at your explicit request and on the basis of your freely given, specific, unambiguous and precise consent.

Any transfer of personal data to a third country or international organisation shall be based exclusively on:

  • the list of countries and international organisations that ensure an adequate level of protection, in accordance with a publicly available decision of the European Commission;

  • appropriate safeguards, such as binding corporate rules, instruments adopted by public authorities, or an approved code of conduct together with binding and enforceable commitments by the controller or processor in the third country concerning the consistent application of appropriate safeguards; and

  • the existence of appropriate institutional legal protection for data subjects in the third country.

Any judgment of a court or decision of an administrative authority of a third country requiring the transfer or disclosure of personal data shall not be binding upon us, and we shall not act upon it unless it is based on an international agreement binding upon the Republic of Croatia, such as a treaty on mutual legal assistance.

Accuracy and Updating of Personal Data

The accuracy and currency of personal data are of particular importance, both for the fulfilment of the purpose of the processing and for the exercise of your rights and the protection of personal data. We implement appropriate technical and organisational measures to ensure the accuracy and currency of personal data, taking into account the relevant categories of personal data and their importance for the fulfilment of the purpose of the processing.

In their daily work, employees take reasonable, proportionate and justified steps to ensure that the personal data they process is as accurate and up to date as possible.

In order to ensure the accuracy and currency of personal data, such data shall be stored in as few locations as possible, and only in locations where storage is necessary. Employees shall not create or use unnecessary copies, additional databases, datasets or other forms of grouping personal data.

Retention and Deletion of Personal Data

In accordance with the principles underlying our Privacy Policy, we process your personal data only for as long as necessary to fulfil the purpose of the processing or for as long as required by law or subordinate legislation. Once the personal data is no longer required, we delete or anonymise it.

Where we are unable to determine a precise retention period, we retain personal data indefinitely or until it is deleted, and access to such data is granted exclusively to an authorised person.

Twice a year, we conduct a review and audit of the personal data we process in order to ensure that all personal data whose purpose has been fulfilled, or which is no longer required, is deleted or anonymised. This applies in particular to data retained indefinitely or until deletion.

The review is carried out by an authorised employee, who is required to prepare a report and, where appropriate, recommendations if personal data is identified for which there is no longer a valid reason for retention.

Exceptionally, we may retain your personal data for longer than stated where this is necessary to comply with a court order or an order issued by an authorised body, to fulfil legal obligations, or to protect your vital interests or the vital interests of other natural persons.

Exercise of Data Subject Rights

The exercise of data subject rights is of particular importance to us. We therefore treat every request concerning the exercise of such rights with the utmost seriousness, in accordance with the requirements of the General Data Protection Regulation and the principles underlying this Privacy Policy.

The overview of your rights provided in this Privacy Policy has been simplified for clarity and ease of reference. The General Data Protection Regulation and national legislation regulate the complex procedure for exercising these rights in detail. We therefore recommend that you familiarise yourself more closely with the applicable regulations, which provide a comprehensive description of your rights and the manner in which they may be exercised.

A data subject has the right to obtain confirmation as to whether or not their personal data is being processed. Where their personal data is being processed, the data subject may request access to their personal data, together with information on the purposes of the processing, the categories of personal data concerned and any recipients to whom the personal data has been or will be disclosed on the basis of a valid legal ground.

A data subject has the right to request the rectification or erasure of their personal data or the restriction of its processing.

A request to exercise these rights may be submitted by email to alida@visitOpatija.com.

A request submitted in this manner shall be received by an authorised employee or another authorised person, such as a contracted data protection officer. Before providing any information relating to personal data, the authorised person shall take appropriate steps to establish the identity of the person submitting the request beyond doubt.

Information relating to the exercise of rights shall be provided electronically and free of charge.

You may withdraw your consent at any time in a simple and transparent manner and request that we cease processing your personal data for marketing and promotional purposes.

You may also request the erasure of your personal data without undue delay where the personal data is no longer necessary in relation to the purposes for which it was collected or where it must be erased in order to comply with European Union or Croatian legislation.

If you believe that we are not handling your personal data appropriately or that the processing of your data is contrary to the General Data Protection Regulation or national legislation, you have the right to contact the Croatian Personal Data Protection Agency.

This Privacy Policy is updated as necessary and at least once a year, taking into account examples of good practice and developments in the field of data protection.