The purpose of this Privacy Policy is to inform individuals, clients, service users, and other persons (hereinafter referred to as “individuals”) who engage with the company about the purposes, legal grounds, security measures, and rights regarding the processing of personal data carried out by the company.
We value your privacy, and we always carefully protect your data.
Personal data is processed in accordance with applicable data protection legislation and other laws that provide a legal basis for processing personal data.
Any changes to this document will be published on our website. By using the website, you confirm that you are familiar with the entire content of the Privacy Policy.
Data Controller:
Vila Sabrina
Stjepana Brozovića St. 12, 51266 SELCE, Croatia
Email: apartma@vila-sabrina.si
Data Protection Officer:
In accordance with Article 37 of the General Data Protection Regulation, we have not appointed a Data Protection Officer. However, if you have any questions regarding the processing of your personal data, you can always contact us.
Personal Data
Personal data refers to any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Purposes and Legal Bases for Data Processing
The company collects and processes personal data on the following legal grounds:
Processing is necessary for compliance with a legal obligation to which the controller is subject;
Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
Processing is necessary for the legitimate interests pursued by the controller or by a third party;
The data subject has given consent to the processing of their personal data for one or more specific purposes;
Processing is necessary to protect the vital interests of the data subject or another natural person.
Notification of Individuals via Email (e.g., Newsletters)
The company may, based on legitimate activity, notify clients, customers, and users of its services about its services, events, training sessions, offers, and other content via their email address. An individual can request to stop such communication and data processing at any time by unsubscribing through a link in the received message or by sending a request via email or regular mail to the company’s address.
The legal bases for data processing are legitimate interest and consent. Data will be processed until the individual withdraws their consent or until the purpose of processing is fulfilled. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Contract Execution
When an individual enters into a contract with the company, the contract serves as the legal basis for personal data processing. The company may process personal data to conclude and execute the contract, such as the sale of goods or services and the preparation of offers. If an individual does not provide personal data, the company cannot conclude the contract, nor can it provide the service or deliver the goods or products under the agreed contract. On this basis, the company processes only the personal data necessary for concluding and properly performing contractual obligations.
The legal basis for data processing is the contract. Data retention is until the purpose of the contract is fulfilled or up to 6 years after the contract ends, except in cases where a dispute arises between the individual and the company concerning the contract. In such cases, the company retains the data for 10 years following the final resolution of the dispute through court decisions, arbitration, or amicable settlement, or 6 years from the day of peaceful dispute resolution if no legal proceedings occur.
Legitimate Interest
The company may also process personal data based on legitimate interest. This is not allowed where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring data protection. In cases of using legitimate interest, the company conducts an assessment in accordance with the law. Processing personal data for direct marketing purposes is considered performed under legitimate interest.
An individual can request to stop such communication and data processing at any time by unsubscribing through a link in the received message or by sending a request via email or regular mail to the company’s address.
The legal basis for data processing is legitimate interest. Data will be processed until the individual withdraws their consent or until the purpose of processing is fulfilled. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Processing Based on Consent
If the company does not have a legal basis established under the law, contractual obligations, legitimate interest, or the protection of life, it may ask the individual for consent. In such cases, it may process certain personal data for the following purposes upon receiving consent:
Residential address and email address (for notification and communication purposes);
Photographs, videos, and other content relating to the individual (e.g., publication of individual images on the website for documenting activities and informing the public about the company’s operations and events).
If an individual gives consent for the processing of personal data and later wishes to withdraw it, they can request the cessation of processing by sending a request via email or regular mail to the company’s address. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Upon receiving the withdrawal or deletion request, the data will be deleted within 15 days.
The legal basis for data processing is consent. Data will be processed until the individual withdraws their consent or until the purpose of processing is fulfilled.
Data Retention Period
The company keeps personal data only for as long as necessary to fulfill the purposes for which it was collected and processed. Retention periods depend on the legal basis of data processing and the nature of the legal or contractual relationship involved.
Once the retention period expires, the company permanently deletes or anonymizes personal data, ensuring it can no longer be linked to a specific individual.
Data Security
The company implements appropriate technical and organizational measures to ensure a level of security suitable for the risks associated with data processing. These measures protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Employees are regularly trained on data protection, and access to personal data is restricted to only those personnel who require it to perform their duties.
Data Sharing and Transfers
The company may share personal data with the following parties:
Service providers and contractual partners: When external service providers are involved in delivering a service to the individual.
Authorities and institutions: When the company is required by law to disclose data to regulatory bodies, government agencies, or other institutions.
The company ensures that all recipients of personal data comply with applicable data protection regulations.
Personal data is not transferred to countries outside the European Economic Area unless adequate safeguards are in place.
Individual Rights
Under applicable data protection laws, individuals have the following rights:
Right to access: The individual can request confirmation as to whether their personal data is being processed and obtain a copy of their personal data.
Right to rectification: If the personal data is inaccurate or incomplete, the individual can request its correction.
Right to erasure (“right to be forgotten”): The individual can request the deletion of personal data under certain conditions.
Right to restriction of processing: The individual can request the temporary suspension of data processing under specific circumstances.
Right to data portability: The individual can request their data in a structured, commonly used, and machine-readable format to transfer it to another controller.
Right to object: The individual can object to processing based on legitimate interest or direct marketing.
Right to withdraw consent: Where processing is based on consent, the individual can withdraw consent at any time.
Requests can be submitted via email or postal mail to the company’s contact address.
Breaches and Complaints
In case of a data breach that poses a risk to the individual’s rights and freedoms, the company will notify the relevant supervisory authority and, where required, the individual as well.
If an individual believes their rights under data protection laws have been violated, they can file a complaint with the competent supervisory authority in their country.
Cookies and Online Tracking
The company uses cookies and similar technologies to improve user experience, analyze website performance, and deliver personalized content. For more details, please refer to our Cookie Policy on the website.
Individuals can manage their cookie preferences through browser settings or the cookie banner provided on the website.
Final Provisions
This Privacy Policy is regularly reviewed and updated to reflect changes in legal requirements or company practices.
The current version of the Privacy Policy is published on the company’s website.
For questions or additional information about this Privacy Policy, please contact us via email at apartma@vila-sabrina.si.