Data Protection Policy
-
Personal Data Controller
The controller of personal data is Dobrovita d.o.o., Tbilisijska ulica 87, 1000 Ljubljana (hereinafter referred to as the controller).
-
Purpose of Collecting Personal Data
The controller processes individuals' personal data for the following purposes:
- Execution of contractual relationships, including order management and contractual activities.
- Information tourism activities, including informing tourists, collecting visitor data for informational purposes, assessing visitor opinions on the quality of tourism offerings, and handling suggestions and complaints.
- Marketing activities, including database management and sending offers through direct mail, email, phone, or in-person.
- Advertising through various communication channels such as direct mail, email, phone calls, website, social media, etc.
- Sending periodic newsletters via email.
- Conducting customer satisfaction surveys and other marketing research.
- Organizing and conducting prize draws and processing personal data obtained at professional conferences and promotional events.
-
Types of Personal Data Processed
The controller may obtain and process the following personal data about individuals:
- Citizenship
- Type and number of identification document
- Personal identification number
- Credit card or individual's transaction account data
- Personal name
- Gender
- Permanent or temporary address
- Date and place of birth
- Employment information
- Email address
- Phone number
The controller may obtain this data directly from the individuals concerned
-
Methods of Obtaining Personal Data
Personal data is obtained when individuals identify themselves while using services or making purchases, contacting via email, phone, written communication, or through social media, filling out any input forms, ordering services, using the website and its features, or through any other means where individuals provide personal data. The controller also collects data on website usage through cookies and similar technologies.
-
Record of Processing Activities
Personal data is processed only within legal frameworks and chosen purposes. The detailed processing activities are presented below.
Name, Surname, and Contact Information (Address, Email, Phone)
Offer Preparation and Contract Conclusion: Execution of contractual obligations, including sending offers, confirming offers, delivering ordered products (e.g., gift vouchers), and contacting for all matters related to the purchase or use of services. Legal basis: Accommodation or service contract - Article 6(1)(b) of the General Data Protection Regulation.
Sending Emails Before and After Stay: Reminding the customer of reserved accommodation, providing details of the reservation before arrival, and checking customer satisfaction after the stay. Legal basis: Legitimate interest of the controller to provide excellent service, present additional services available during the stay, and appropriately respond in cases of customer dissatisfaction - Article 6(1)(f) of the General Data Protection Regulation.
Sending Mail, Emails, or SMS with Current Offers and News: Keeping the customer informed about offers. Postal mail is sent periodically to existing customers based on the legitimate interest (Article 6(1)(f) of the GDPR) or with consent. Emails are sent based on the Law on Electronic Communications, and SMS is sent only with explicit consent. Customers have the option to reject data usage for these purposes at any time. Legal basis: Legitimate interest, Article 6(1)(f) of the GDPR; Law on Electronic Communications - 226/2 Article; Consent (SMS).
Date of Birth, Citizenship, Type and Number of Identification Document:
Registration of temporary residence for guests, age verification, and compliance with legal obligations for daily reporting to AJPES (Agency of the Republic of Slovenia for Public Legal Records and Related Services). Legal basis: Law on Residence Registration in connection with Article 6(1)(c) of the General Data Protection Regulation.
Payment Information (Including Credit Card Data): Handling payments and refunds to fulfill contractual obligations. Legal basis: Accommodation or service contract - Article 6(1)(b) of the General Data Protection Regulation, and for invoicing purposes according to the laws on value-added tax, prevention of money laundering and terrorist financing, payment services, electronic money issuance, payment systems, and tax procedures - Article 6(1)(c) of the GDPR.
-
Storage of Personal Data
The controller stores and protects personal data to prevent unauthorized disclosures. The retention period depends on the purpose for which the data is collected or processed.
- Most personal data collected for service or product usage is retained for the duration of the business relationship plus the period for legal claims (usually 5 years).
- Invoice data is retained for 10 years from the invoice issuance date.
- Data related to residence registration is stored for one year after the last day of the deregistration year.
In cases of explicit consent, personal data is retained for the duration specified in the consent or until the consent is withdrawn.
-
Access to Personal Data
The controller does not disclose customers' personal data to third parties except to external contracted processors and, when necessary, to state authorities based on their legitimate written requests for specific proceedings.
-
Protection of Personal Data
Adequate data protection measures, including organizational, physical, and technical measures, are implemented to safeguard personal data from unintentional or unlawful destruction, loss, alteration, unauthorized disclosure, or access
-
Exercising Data Protection Rights
Individuals have the right to request access to, correction, and/or deletion of their personal data, subject to certain conditions. They may also exercise the right to restrict the processing of their data, object to processing, and request data portability. For any requests related to data protection rights, individuals can contact the controller using the provided contact information.
-
Withdrawal of Consent
Individuals can withdraw their consent at any time after providing it. To withdraw consent, individuals should contact the controller using the provided contact information.
-
Complaints
If individuals wish to file a complaint about the controller's handling of personal data, they can do so through the provided contact information.
-
Contact Information
Hiške slovenske Istre, Truške 1b, 6273 Marezige, Slovenia
info@hiske.si
00386 (0)41 551 665