Information on Personal Data Protection (GDPR) for Property Owners

1. Roles in Data Processing

Turistička agencija "Šiloturist”, vl. Dragan Brnić, Na vodici 2, 51515 Šilo, OIB: 58439980214, may assume different roles under the General Data Protection Regulation (EU) 2016/679 (GDPR), depending on the type of service provided:

a) Šiloturist as Data Controller

Šiloturist acts as a Data Controller when it independently determines the purposes and means of processing personal data, for example in cases of:
- communication with guests
- managing the reservation system
- issuing invoices
- marketing activities (where applicable)

b) Šiloturist as Data Processor

Šiloturist acts as a Data Processor when it processes guests’ personal data on behalf of and for the account of the property owner, for example:
- guest registration and deregistration in the eVisitor system
- maintaining legally required records
- administrative reservation processin
- collecting payments on behalf of the property owner

In such cases, the property owner acts as the Data Controller, and Šiloturist processes data exclusively in accordance with the owner’s instructions and applicable regulations.

2. Personal Data We Process

Depending on the type of service, the following data may be processed:
- guest’s full name
- date of birth
- nationality
- residential address / place of stay
- ID document number (for legal registration purposes)
- stay-related information
- contact details (email, phone)
- payment data (exclusively via certified payment service providers)

Šiloturist does not store credit card data. Payments are processed exclusively via secure and certified payment providers.

3. Legal Basis for Processing

Personal data processing is based on:
- compliance with legal obligations (Hospitality Act, eVisitor regulations, accounting and tax regulations)
- performance of a contract with the guest
- legitimate interest for proper business operations
- consent (where applicable, e.g. marketing)

4. Data Security

Šiloturist applies appropriate technical and organizational protection measures, including:
- encrypted data transmission (SSL/TLS)
- access control via individual user accounts
- IT system protection (antivirus, firewall)
- regular backups
- physical protection of business premises
- employee training on data protection

Personal data is accessible only to authorized persons who require access to perform their duties.

5. Sub-Processors and External Partners

Šiloturist may engage reliable external partners (e.g. IT providers, online payment systems, SMS services) who process personal data in compliance with GDPR and subject to appropriate contractual safeguards.

All partners are required to apply adequate data protection standards.

6. Transfer of Data Outside the EU/EEA

Personal data is not transferred to third countries outside the EU/EEA unless necessary for the use of specific systems or services, and only with appropriate safeguards in accordance with Chapter V of the GDPR (e.g. Standard Contractual Clauses or an adequacy decision).

7. Data Retention Periods

Personal data is stored:
- as long as necessary to fulfill contractual obligations
- within the retention periods prescribed by specific laws (tourism, accounting, tax regulations)
- until statutory limitation periods expire

After expiry of these periods, data is deleted or anonymized.

8. Data Subject Rights

Property owners and guests have the right to:
- request access to their data
- request correction of inaccurate data
- request erasure (if conditions are met)
- restrict processing
- object to processing
- request data portability (where applicable)

Requests can be sent to:
info@siloturist.hr
or in writing to the company’s address.

If they believe their rights have been violated, they may file a complaint with the Croatian Personal Data Protection Agency (AZOP).

9. Contact for Data Protection

Tourist Agency “Šiloturist”, owned by Dragan Brnić
Na vodici 2, 51515 Šilo, Croatia
OIB: 58439980214
E-mail: info@siloturist.com
Tel: +385 98 211 630