Privacy Policy | Hotel Venturo Split
1. Introduction
ONYX d.o.o.(Boutique Hotel Venturo) respects your privacy and is committed to protecting the personal data of all data subjects whose personal data it processes in accordance with applicable regulations, including Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the Croatian Act on the Implementation of the General Data Protection Regulation.
This Privacy Policy describes which personal data we collect, the purposes for which we process them, the legal bases for processing, retention periods, your rights and how you may exercise them.
2. Data Controller and Contact Details
ONYX d.o.o. (Boutique Hotel Venturo)
Ulica Domovinskog rata 61A
21 000 Split
Croatia
OIB: 62531840630
Data Protection Officer: Petar Vušković
E-mail: info@qnorma.com
3. Collection and Types of Personal Data
ONYX d.o.o. collects guests' personal data through the following channels:
- directly from the guest at the hotel reception desk,
- through the website(s) or via e-mail,
- directly by telephone,
- through CCTV (video surveillance) recordings.
What Personal Data Do We Collect?
- data required for registration in the eVisitor system (first name, last name, date of birth, nationality, identity card or passport number, address, arrival and departure dates),
- reservation and communication data (first name, last name, e-mail address, telephone number, requests relating to your stay),
- billing and payment information (invoices and payment details),
- any complaints, requests or enquiries you submit to us,
- data provided when subscribing to our newsletter or marketing communications,
- data collected through cookies on our website (please refer to our Cookie Policy for more information),
- photographs or video recordings, processed solely with your explicit consent (e.g. for publication on our website or social media channels),
- data recorded through CCTV (video surveillance).
For What Purposes Do We Use Your Personal Data?
- to comply with legal obligations (including registration in the eVisitor system, maintaining guest records, and fiscal invoicing),
- to process reservations and provide accommodation services,
- to communicate with you before, during and after your stay,
- to process payments and issue invoices,
- to ensure the safety and security of individuals and property (through CCTV/video surveillance),
- for marketing purposes only with your explicit consent (e.g. newsletters and the publication of photographs).
4. Legal Bases for the Processing of Personal Data
- Legal Obligation (Article 6(1)(c) of the GDPR) – Personal data are processed where such processing is necessary for compliance with a legal obligation to which ONYX d.o.o. is subject. Example: entering guests' personal data into the eVisitor system (the central electronic system in Croatia for the registration and deregistration of tourists). Guests' personal data are collected and processed for registration in the eVisitor system as part of our statutory legal obligations.
- Legitimate Interest (Article 6(1)(f) of the GDPR) – Personal data are processed where such processing is necessary for the purposes of the legitimate interests pursued by ONYX d.o.o., provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. A legitimate interest assessment has been carried out. Example: CCTV (video surveillance) is used for the protection of persons and property. Visitors are informed about the use of CCTV through GDPR-compliant signage displayed at the entrances to the hotel, which also provides information on how data subjects may exercise their rights under the GDPR.
- Consent (Article 6(1)(a) of the GDPR) – Personal data are processed where the data subject has given freely given, specific, informed and explicit consent for one or more specific purposes.Example: photographing and/or filming guests or employees for publication on the hotel's website, social media channels or promotional materials. Consent may be withdrawn at any time, after which all personal data processed solely on the basis of that consent will be permanently erased or anonymised, unless another legal basis for processing applies.
5. Collection of Guests' Personal Data During Online Reservations and at Reception
Guests may visit our website without disclosing any personal data. This means that we do not process guests' personal data unless they voluntarily provide such information, for example by making an accommodation reservation. Upon arrival at the hotel, guests' identification documents are scanned in accordance with applicable legal requirements and the rules governing the Croatian eVisitor system.
Retention of Personal Data
In certain cases, ONYX d.o.o. (Boutique Hotel Venturo) is legally required to retain personal data for the period prescribed by the applicable laws and regulations for a specific purpose. Where no statutory retention period applies, personal data will be retained only for as long as necessary to fulfil the purpose for which they were collected.
Disclosure of Personal Data to Third Parties or Transfers to Third Countries
The personal data collected will not be transferred to third parties or to third countries unless such disclosure is required by applicable law. We disclose personal data to third parties only where there is a legal obligation or another lawful basis for doing so.
Processing of Personal Data Based on Consent
Personal data processed solely on the basis of the data subject's consent (for example, photographs and video recordings used for publication on our website or for marketing purposes) will be retained until such consent is withdrawn.
Once consent has been withdrawn, all personal data processed on that basis will be promptly erased, anonymised, or otherwise permanently rendered unavailable for any further processing, unless another legal basis for processing applies.
7. Rights of Data Subjects
As a data subject (guest), you have the right, at any time, to:
- request access to your personal data,
- request the rectification of inaccurate personal data or the completion of incomplete personal data,
- request the erasure of your personal data ("the right to be forgotten") where the data are no longer necessary for the purposes for which they were collected, or where you have withdrawn your consent,
- request the restriction of processing in the circumstances provided for by the GDPR,
- receive your personal data in a structured, commonly used and machine-readable format and request its portability,
- object to the processing of your personal data where such processing is based on the legitimate interests of the data controller,
- withdraw your consent at any time, without any adverse consequences and without affecting the lawfulness of processing carried out on the basis of your consent before its withdrawal,
- lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), Ulica Metela Ožegovića 16, 10000 Zagreb, Croatia, e-mail: azop@azop.hr.
8. Data Protection Officer
If you have any questions, require further information, or wish to exercise your rights regarding the processing of your personal data, you may contact our Data Protection Officer.
The Data Protection Officer is available to provide information about how personal data are collected and processed, as well as to receive and handle requests relating to the exercise of your rights, including the right of access, rectification, erasure, restriction of processing, or withdrawal of consent.
Contact details of the Data Protection Officer:
Petar Vušković
E-mail: info@qnorma.com
9. Exercising Your Rights
To exercise any of your rights under the GDPR (including the right of access, rectification, erasure, restriction of processing, data portability, objection, or withdrawal of consent), you should submit a written request by either:
- e-mail to: info@qnorma.com, or
- post to the registered office of ONYX d.o.o. at:
Ulica Domovinskog rata 61A
21000 Split
Croatia
ONYX d.o.o. (Boutique Hotel Venturo) will respond to every request within 30 days of its receipt, in accordance with Article 12 of the GDPR.
Where a request is particularly complex or where multiple requests have been submitted, this period may be extended by up to an additional two months. In such cases, the data subject will be informed of the extension and the reasons for the delay within the initial 30-day period.
10. Data Protection Principles
ONYX d.o.o. (Boutique Hotel Venturo) processes personal data in accordance with the fundamental principles of the General Data Protection Regulation (GDPR), namely: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Appropriate technical and organisational measures are implemented to protect personal data against unauthorised access, misuse, loss, alteration or destruction.
11. Security Measures for the Processing of Personal Data
ONYX d.o.o. (Boutique Hotel Venturo) implements appropriate technical and organisational measures to ensure the security, confidentiality and availability of personal data, in accordance with Article 32 of the General Data Protection Regulation (GDPR).
The measures implemented include, but are not limited to:
- the use of password protection for computers and business information systems,
- restricting access to personal data exclusively to authorised employees,
- requiring employees to maintain confidentiality and handle personal data in accordance with applicable data protection requirements,
- entering into Data Processing Agreements (DPAs) with data processors (such as accounting service providers, IT support providers and similar service providers),
- the regular maintenance and updating of antivirus software and other security systems,
- the physical protection of business premises and paper documentation,
- the use of paper shredders and other secure methods for the disposal of documents containing personal data,
- conducting regular internal audits of the data protection management system to assess the effectiveness of the implemented security measures. Where necessary, ONYX d.o.o. also engages the services of an external data protection consultant (external Data Protection Officer) to provide additional professional support and an independent assessment of GDPR compliance.
12. Cookie Policy
Our website uses cookies to ensure the proper functioning of the website, enhance the user experience, and analyse website traffic and usage.
Users are provided with the option to accept, reject, or customise their cookie preferences. By default, non-essential cookies remain disabled until the user provides their explicit consent through an active action.
Cookies are used for the following purposes:
- Essential Cookies – required for the basic functionality of the website (e.g. session management and user authentication),
- Analytical Cookies – used to generate statistical information and better understand how visitors use the website,
- Marketing / Targeting Cookies – used to display personalised content and advertisements.
When visiting the website for the first time, users are presented with a cookie banner containing clear information and a choice to accept all cookies, reject all cookies, or customise their cookie preferences. Non-essential cookies will not be activated until the user has provided their consent, with the exception of strictly necessary cookies.
Users may change or withdraw their consent at any time through the cookie settings available on the website or in the website footer.
Stored cookies and the data collected through them are deleted after the applicable retention period in accordance with our internal policies and applicable legal requirements.
Cookies are stored on your device for different periods of time, depending on their type and purpose:
- Essential Cookies – are stored only for the duration of your browser session and are automatically deleted once you close your browser. Where features such as "Remember Me" are used, cookies may be retained for up to 30 days.
- Analytical Cookies – are used to generate statistical information and understand how the website is used. Depending on the settings of the analytics tool (e.g. Google Analytics), these cookies may be stored for up to 24 months. Wherever possible, we seek to minimise their retention period, which is typically up to 12 months.
- Marketing / Targeting Cookies – are used to display personalised advertisements and content. These cookies are generally stored for 3 to 6 months, and for no longer than 12 months.
Once the applicable retention period has expired, cookies are automatically deleted.
Users may also delete cookies manually at any time through their browser settings or withdraw their consent by using the cookie preference options available on our website.
Additional Information
If you choose to reject our cookies, certain features and functionalities of our website may not operate properly or may become unavailable.
13. Effective Date and Amendments to the Privacy Policy
ONYX d.o.o. (Boutique Hotel Venturo) may amend or update this Privacy Policy from time to time to ensure its continued compliance with applicable legislation, regulatory requirements, and business practices. Data subjects will be informed of any amendments through our official communication channels.
This Privacy Policy enters into force on 13 March 2026 and shall remain in effect until amended or revoked.
ONYX d.o.o. (Boutique Hotel Venturo) reserves the right to amend or supplement this Privacy Policy in accordance with applicable laws, recommendations issued by the competent supervisory authorities, or changes to its business processes. Any such amendments will be communicated to data subjects through the official communication channels.
