Villa Perla

+385 91 989 9678
Contact@villaperla.info
Jurja Barakovića 35, Vrsi, Zadarska, 23235


Introductory Provisions

This Policy establishes a responsible and transparent framework for ensuring compliance with the General Data Protection Regulation.

The Policy applies to all organizational parts of Villa Maris (hereinafter referred to as the CONTROLLER) and to all employees, including part-time and temporary workers as well as to all external collaborators acting on behalf of the Controller.

Policy Statement

The Controller is committed to operating in accordance with all laws, regulations and the highest standards of ethical business practices.

This Policy sets out the provisions of the expected conduct of the Controller’s employees and its external collaborators who are involved in the collection, use, storage, transfer, disclosure or destruction of any personal data belonging to the Controller’s employees, business partners and other natural persons. The purpose of the policy is to standardize the protection of the rights and freedoms of data subjects by preserving the privacy of their personal data in all aspects of the controller’s business operations that include personal data. This policy establishes that the CONTROLLER will not disclose personal data to a third party without authorization, nor act in a manner that endangers them.

Principles of personal data processing

The controller adopts the following principles that will be adhered to when collecting, using, retaining, transferring and destroying personal data:

LEGITIMITY, FAIRNESS AND TRANSPARENCY

Personal data will be processed legitimately, fairly and transparently towards the data subject. This means that the controller will inform the data subject in all relevant situations about how the data will be processed (transparency), and the processing will be carried out exclusively in accordance with what has been said (fairness) and in accordance with the purpose prescribed in the applicable law on the protection of personal data (legitimacy).

PURPOSE LIMITATION

Personal data will be collected for clearly defined and legitimate purposes and will not be processed in any way that is incompatible with those purposes. This means that the controller must clearly state what the collected data will be used for and limit the processing of personal data to only those processes that are necessary to achieve those purposes.

DATA MINIMIZATION

The collected personal data will be relevant and limited to what is necessary to achieve the purpose of their processing. This means that the controller will not collect, process or store more personal data than is strictly necessary.

DATA ACCURACY

The collected personal data will be accurate and up-to-date, which means that the controller will have developed procedures for detecting and resolving outdated, inaccurate and unnecessary personal data.

CAREFUL DATA STORAGE

Personal data will not be kept in a form that allows identification of data subjects for longer than is necessary for the purpose of the processing. This means that the controller will, wherever possible, keep personal data in a way that limits or prevents the identification of the data subject.

DATA SECURITY

Personal data will be processed and stored in a way that ensures adequate protection against violations such as unauthorized and unlawful processing and accidental loss, destruction or damage to data. The controller will implement appropriate technological and organizational measures described in the Personal Data Security Policy to ensure the integrity and confidentiality of personal data at all times.

PRIVACY BUILT INTO SYSTEM DESIGN

When designing new and when reviewing and expanding the controller’s existing systems and processes, care will be taken to apply all of these principles in order to maximally protect the privacy of the data subject.

Rights of the data subject

All data subjects whose data are collected and processed by the controller have the following rights:

RIGHT OF ACCESS TO INFORMATION

Each data subject has the right to a copy of the data that the controller holds in its archives for the purpose of inspection. In addition to the right to access their own data, the data subject also has the right to information about:

the purpose of the processing and the legal basis for the processing
the legitimate interest, if the processing is based on it
the types and categories of personal data collected
the third parties to whom the data is forwarded
the period of data retention
the source of the personal data, if not collected from the data subject

All information should be provided to the data subject in clear and plain language, to ensure understanding, and must be clearly indicated and visible so that the data subject cannot overlook it.

There is a possibility that providing the requested information to the data subject may reveal information about another person. In such cases, it is necessary to anonymize such data or completely withhold it in order to protect the rights of that person.

RIGHT TO CORRECTION OF DATA

Each data subject has the right to have inaccurate or incomplete data held by the controller corrected in its archives.

RIGHT TO BE FORGOTTEN

Respondents may request that their data be removed from the archive. The request will be considered and will be granted if it does not contradict the legal basis for processing personal data.

RIGHT TO RESTRICTION OF PROCESSING

Respondents have the right to restrict the scope of processing, where applicable.

RIGHT TO DATA TRANSFER

Respondents have the right to a copy of their data for transfer to another controller.

RIGHT TO OBJECT

Respondents have the right to object, in particular where the processing is based on the legitimate interest of the controller. In such cases, it is necessary to review the purpose of the processing and establish its legal basis and, where applicable, enable the data subject to withdraw consent to data processing and/or to cease processing their data.

RIGHT TO ASSESSMENT

Respondents have the right to request an assessment by the supervisory authority of a breach of the provisions of the Regulation and the internal policies of the controller.

RIGHT TO OBJECT TO PROFILING

Respondents have the right to object to automated profiling and other forms of automated decision-making.

In the event that the controller rejects the request of the data subject, the reason for the rejection will be stated in the response, which the data subject may appeal to the competent authority for personal data protection (AZOP).

Legal basis

The legal basis for collecting and processing personal data of the data subject is as follows:

LEGAL OBLIGATION

The laws governing the controller's business prescribe sets of data that are necessary for the performance of a legal obligation. For the collection and processing of data prescribed by law, the controller will not seek consent from the data subject, but will only collect data prescribed by law and will not use it for other purposes. This especially applies to data collected on the basis of the following laws and the regulations pertaining to them, among which we single out:

Law on Accounting
Value Added Tax Law
Law on income tax
Labor Law
Rulebook on the content and method of keeping records on workers

PERFORMANCE OF CONTRACTUAL OBLIGATION

Personal data necessary for the fulfillment of a contractual obligation will be collected by the controller without the consent of the data subject, in the minimum amount necessary for the fulfillment of that obligation.

LEGITIMATE INTEREST

In the section below, the controller lists the legitimate interests on the basis of which it collects and processes personal data for the purpose of enabling and/or improving its services or products.

PROTECTION OF VITAL INTERESTS OF RESPONDENTS

The controller may collect and process personal data without the consent of the data subject if this is for the purpose of protecting their vital interests.

PUBLIC INTEREST OR EXERCISE OF THE DATA CONTROLLER’S OFFICIAL AUTHORITY

In cases where the controller’s activity involves acting in the public interest or the data processing is based on another type of official authority, it is not always necessary to inform the data subject about the collection of personal data.

CONSENT

In all other cases, the data controller will request the data subject’s consent to collect and process personal data, in which the purpose of the processing will be clearly stated. The data subject may withdraw consent at any time, and their data must be automatically removed and the processing stopped.

The data controller will keep a record of active and withdrawn consents for the purpose of ensuring the correctness of the business.

Legitimate interest

The data controller declares the following legitimate interests:

PERSONAL DATA PROTECTION GDPR

Data subjects have the right to object to the processing of personal data based on these legitimate interests.

Terms and definitions

GENERAL DATA PROTECTION REGULATION (GDPR)

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify the processes for protecting the personal data of all individuals within the European Union (EU). The regulation also applies to the transfer of personal data outside the EU.

CONTROLLER

An entity that determines the purposes, conditions and means of processing personal data.

PROCESSOR

An entity that carries out data processing on behalf of the controller.

DATA PROTECTION AGENCY

A government agency tasked with protecting data and privacy, overseeing the application of the Regulation, and actively enforcing the Regulation within the European Union.

DATA PROTECTION OFFICER

A data protection officer who acts independently to ensure that a business entity operates in accordance with the policies and procedures set out in the Regulation.

RESPONDENT

A natural person whose personal data are processed by a data controller or processor.

PERSONAL DATA

Any information relating to a natural person, i.e. the data subject, which can be used to directly or indirectly identify that person.

PROCESSING OF PERSONAL DATA

Any activity which is performed on personal data, whether or not by automated means, which includes the collection, use, creation of records, etc.

PROFILING

Any automated processing of data for the purpose of evaluating, analysing or predicting the behaviour of the data subject.

THE RIGHT OF ACCESS OF THE DATA SUBJECT

Known as the ‘right of access’, it allows the data subject to access personal data concerning him or her held by the controller.

Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

The Act on the Implementation of the General Data Protection Regulation.