PRIVACY POLICY

DATA CONTROLLER
Rudan d.o.o.
9. rujan 1/H
52341 Žminj
Croatia
OIB: 84430586938
Tel. 052 845 500
e-mail: info@rudan.com
www.rudan.com

TOURIST FACILITIES OF THE DATA CONTROLLER
Hotel Pagus, Pag
www.hotel-pagus.hr
Villa Arausana & Antonina, Vodice
www.arausana-antonina.com
Vila Radin, Vodice
www.hotelvillaradin.com
Camp Galeb, Omiš
www.kamp.galeb.hr
Camp and Hotel Terme Jezerčice, Donja Stubica
www.terme-jezercica.hr

DATA PROTECTION OFFICER
The data controller has appointed a data protection officer (DPO) who you can contact at any time
via email: info@rudan.com or by mail to the address of the data controller regarding all questions
related to the protection of personal data and the exercise of all rights guaranteed by the
Regulation.

LEGAL FRAMEWORK
The data controller respects the privacy of every individual whose personal data it collects
(hereinafter: Data Subject) and undertakes to protect your personal data. In the Privacy Policy, we
want to inform you about what personal data we collect and for what purpose, how we protect it,
and what your rights as a Data Subject are.

Data processing is carried out in accordance with the provisions of EU Regulation 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data (hereinafter: Regulation,
GDPR), the Law on the Implementation of the General Data Protection Regulation (NN 42/2018), and
other regulations governing the subject matter, applicable in the Republic of Croatia.

SCOPE OF APPLICATION
This Privacy Policy applies to all processing of personal data carried out by the Data Controller. The
Data Controller processes personal data of the following categories of Data Subjects:
Employees of the Data Controller and members of their families (children),
Potential employees of the Data Controller,
Business partners and employees of the Data Controller's business partners,
Customers/service users of the Data Controller,
Guests in the tourist facilities of the Data Controller,
Students who have a contract with the Data Controller.

PRINCIPLES OF PERSONAL DATA PROCESSING
We process personal data exclusively in accordance with the General Data Protection Regulation.
Therefore, personal data must be (Article 5 of the Regulation):
Processed lawfully, fairly, and transparently with respect to the Data Subject ("lawfulness, fairness,
transparency");
Collected for specified, explicit, and legitimate purposes and not further processed in a manner that
is incompatible with those purposes; further processing for archiving purposes in the public interest,
scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1), is
not considered incompatible with the initial purposes ("purpose limitation");
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are
processed ("data minimization");
Accurate and kept up to date as necessary; every reasonable step must be taken to ensure that
personal data that are inaccurate, having regard to the purposes for which they are processed, are
erased or rectified without delay ("accuracy");
Kept in a form which permits identification of Data Subjects for no longer than is necessary for the
purposes for which the personal data are processed; personal data may be stored for longer periods
insofar as the personal data will be processed solely for archiving purposes in the public interest,
scientific or historical research purposes, or statistical purposes in accordance with Article 89(1),
subject to the implementation of appropriate technical and organizational measures required by this
Regulation in order to safeguard the rights and freedoms of Data Subjects ("storage limitation");
Processed in a manner that ensures appropriate security of personal data, including protection
against unauthorized or unlawful processing and against accidental loss, destruction, or damage,
using appropriate technical or organizational measures ("integrity and confidentiality").

LAWFULNESS OF PERSONAL DATA PROCESSING
Particular attention must be paid to the lawfulness of processing. Processing is lawful only if and to
the extent that at least one of the following applies (Article 6 of the Regulation):
The Data Subject has given consent to the processing of their personal data for one or more specific
purposes;
Processing is necessary for the performance of a contract to which the Data Subject is party or in
order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
Processing is necessary in order to protect the vital interests of the Data Subject or of another
natural person;
Processing is necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the Data Controller;
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or
by a third party, except where such interests are overridden by the interests or fundamental rights
and freedoms of the Data Subject which require protection of personal data, in particular where the
Data Subject is a child.
The legitimate interests of the Data Controller may constitute a legal basis for processing, provided
that the interests or fundamental rights and freedoms of the Data Subject do not override, taking
into account the reasonable expectations of the Data Subject based on their relationship with the
Data Controller. Such legitimate interest could, for example, exist in the case of a relevant and
appropriate relationship between the Data Subject and the Data Controller in situations such as
when the Data Subject is a client of the Data Controller or in their service.

RIGHTS OF DATA SUBJECTS
In its regular business operations, the Data Controller enables Data Subjects to exercise all their
rights related to the processing of personal data. Additionally, a Data Subject may submit a request
to exercise their rights to the Data Controller or send it to the email address of the Data Protection
Officer.
The rights of Data Subjects include:
Right to access – The Data Subject has the right to obtain confirmation from the Data Controller
whether personal data concerning them are being processed, and to access their personal data.
Right to rectification – The Data Subject has the right to obtain from the Data Controller without
undue delay the rectification of inaccurate personal data concerning them. Taking into account the
purposes of processing, the Data Subject has the right to complete incomplete personal data,
including by providing a supplementary statement.
Right to erasure ("right to be forgotten") – The Data Subject has the right to obtain from the Data
Controller the erasure of personal data concerning them, and the Data Controller is obliged to erase
personal data without undue delay unless there is a legitimate reason (e.g., a legal obligation of the
Data Controller).
Right to restriction of processing – The Data Subject has the right to obtain from the Data Controller
restriction of processing where the conditions set out in Article 18 of the Regulation are met.

Right to data portability – The Data Subject has the right to receive the personal data concerning
them, which they have provided to the Data Controller, in a structured, commonly used, and
machine-readable format and has the right to transmit those data to another Data Controller
without hindrance from the Data Controller to which the personal data have been provided.
Right to object – The Data Subject has the right, on grounds relating to their particular situation, to
object at any time to processing of personal data concerning them under Article 6(1)(e) or (f),
including profiling based on those provisions (see Lawfulness of processing).
Automated individual decision-making, including profiling – The Data Subject has the right not to be
subject to a decision based solely on automated processing, including profiling, which produces legal
effects concerning them or similarly significantly affects them.

CATEGORIES OF PERSONAL DATA PROCESSED
The Data Controller typically processes personal data of Data Subjects that Data Subjects themselves
provide to the extent necessary to fulfill their legal and contractual obligations. Based on the
legitimate interest, the Data Controller processes personal data of Data Subjects provided that the
interests or fundamental rights and freedoms of the Data Subject do not override, taking into
account the reasonable expectations of the Data Subject based on their relationship with the Data
Controller.
The Data Controller does not process special categories of personal data unless it is necessary for the
purpose of processing and if the conditions set out in Article 9 of the Regulation are met. The Data
Controller processes data of employees that fall into special categories of personal data, such as
data on union membership (e.g., when exercising special rights according to relevant regulations),
religious or philosophical beliefs (e.g., when exercising the right to additional days off for religious
holidays if the individual voluntarily disclosed such information for that purpose), or health-related
data (e.g., according to special regulations on occupational health and safety or keeping records of
employees or when certain jobs require special health certificates) etc. In case of need, the Data
Controller also processes personal data related to criminal convictions and offenses, such as
certificates of no criminal record for employees, for example.

DATA TRANSFER TO THIRD PARTIES
The Data Controller shares personal data with others only when permitted.
As part of fulfilling legal obligations, the Data Controller is obliged to provide data to third parties.
For example, providing guest data through the eVisitor system, providing employee data to relevant
authorities: Croatian Pension Insurance Institute, Croatian Health Insurance Institute, Tax
Administration, and Central Registry of Insured Persons and pension companies. In certain cases, the
Data Controller is obliged to provide or make data available for inspection concerning employment
to the Croatian Employment Service, e.g., for including employees in active employment policy
measures, to relevant police stations or the ministry responsible for internal affairs, e.g., in the case
of high-ranking state officials staying at the facilities of the Data Controller, as well as for issuing
work permits, to the ministry responsible for tourism in the case of employing scholarship recipients,
to the ministry responsible for economy and entrepreneurship when it comes to using investment
subsidies, insurance companies, banks, and in other cases as required by regulations.
Additionally, certain employee data are sent to banks or pension funds for salary payments, and
data may be sent to creditors in accordance with enforcement regulations. Data may sometimes be

provided due to contractual obligations (e.g., with interns, data is exchanged with
schools/universities).
Certain personal data are also provided to business entities for specific service purposes, e.g.,
employee health examination services (occupational health), institutions organizing legally required
education (occupational safety, hygiene minimum, toxicology), or auditing companies during
mandatory audits, notaries when certifications are required, Financial Agency for the purpose of
obtaining business certificates, public procurement entities when the Data Controller applies for
public procurement tenders, for the purpose of allocating and using official cards, official mobile
devices, or for fuel purchases.
Data may be transferred to business entities (data processors) processing data on behalf of the Data
Controller. These are typically business partners of the Data Controller providing IT services, storing
data in their databases, or having access to personal data until processing is completed. Data
processing agreements (DPAs) are concluded with such entities regarding their powers and
obligations in data processing, in line with Regulation requirements.
In certain situations, external parties may jointly determine the purposes and methods of personal
data processing with the Data Controller, in which case these external partners and the Data
Controller are joint Data Controllers. In these relationships, joint Data Controllers transparently
define their responsibilities for complying with the Regulation obligations, especially concerning the
exercise of Data Subjects' rights and their duties regarding processing transparency, unless
responsibilities are legally determined.
A specific case of data transfer to third parties is that the Data Controller has concluded
entrepreneurial contracts with companies based on which it manages the tourism part of the
business. This means that in certain cases, guests of the Data Controller may receive offers
containing information about other hotels and facilities managed by the Data Controller. Also, based
on entrepreneurial contracts, the Data Controller has certain rights and obligations related to human
resources. In these cases, the Data Controller has the right to process personal data of Data Subjects
of those companies. All principles from this Policy apply to Data Subjects of those companies in
segments where the Data Controller is involved, however, those companies are also responsible as
Controllers of their data processing. If data transfer to third countries occurs within data processing,
the Data Controller ensures compliance with high standards of protection to respect the highest
possible standard of personal data protection, in line with strict Regulation requirements. In this
regard, when international transfers of personal data are applicable, the Data Controller will inform
the Data Subject about the intention to transfer personal data to a third country or international
organization, as well as the existence or absence of a European Commission decision on adequacy.
Any transfer of personal data to third countries will be carried out in accordance with Chapter V of
the Regulation.

PERIOD OF RETENTION OF PERSONAL DATA
Data of Data Subjects are processed and stored in accordance with applicable legal regulations when
the obligation to retain is prescribed (e.g., employee personal data and payroll data are retained
permanently, and accounting documents based on which data are entered in the journal, general
ledger, and auxiliary books are kept for eleven years), and in situations where the Data Controller is
authorized to determine data retention periods, data are kept for as long as necessary for the
purposes for which personal data are processed.

SOURCES OF PERSONAL DATA

The Data Controller most commonly collects personal data directly from Data Subjects. When
providing personal data in any way (accommodation reservations, job applications, etc.), the Data
Subject is responsible for the accuracy of the data and agrees that the Data Controller uses and
collects data in accordance with positive regulations and the terms of this Privacy Policy.
Additionally, the Data Controller may obtain personal data of Data Subjects from other individuals
and legal entities, e.g., from tourist agencies forwarding guest data for accommodation purposes,
guests booking accommodation for persons they will be staying with at the facilities, employment
agencies, and worker leasing agencies.

DATA PROTECTION MEASURES
Taking into account the latest developments, the cost of implementation, and the nature, scope,
context, and purposes of processing, as well as the risks arising from data processing, the Data
Controller implements appropriate technical and organizational measures to protect data.

HANDLING OF PERSONAL DATA BREACHES
The Data Controller ensures that in the event of a personal data breach, without undue delay and, if
feasible, no later than 72 hours after becoming aware of the breach, it will inform the competent
supervisory authority/Data Subjects about the personal data breach, unless it is unlikely that the
personal data breach will result in a risk to the rights and freedoms of individuals.

STAY IN DATA CONTROLLER'S TOURIST FACILITIES
The Data Controller collects and processes personal data of Data Subjects who are guests in the Data
Controller's tourist facilities for various purposes with the ultimate goal of providing quality
accommodation and related services in accordance with the highest standards of tourism
companies.
Personal data that you must provide to receive accommodation services are stored by the Data
Controller in their database for the purpose of fulfilling accommodation contracts and complying
with legal obligations related to hospitality activities. If you do not provide the minimum data
necessary for accommodation reservation and registration with all relevant registries, the Data
Controller will not be able to provide you with accommodation reservation services or
accommodation services according to the contract and the law.
Certain data are necessary to take actions at the request of the Data Subject before concluding an
accommodation contract. For example, before making a reservation, accommodation offers are sent
to potential guests, for which the Data Controller needs personal data (name, email address) to send
the offer.
The personal data collected by the Data Controller when making accommodation reservations
(booking via the web, phone call, or accepting an offer via email) for the purpose of fulfilling the
reservation obligation are:

name and surname of the reservation holder,
address of residence (Croatian citizens),

date of birth,
number, type of identification document, and place of issue,
nationality,
facility name,
accommodation unit number, type of accommodation unit (room type),
arrival and departure dates,
number of persons for whom accommodation is reserved and room distribution,
information about minor persons.
Other specific details depending on the accommodation reservation request may include:
email address,
language of communication,
phone number,
payment method,
any additional information necessary for transaction execution or payment security.
In case of reservation cancellation, your data must be kept for the purpose of proving the
reservation or its cancellation.
Upon arrival at the facility, guests usually check-in at the reception, and the data are entered into
the guest database from which the data are sent to the eVisitor system (a unique online information
system for guest check-in and check-out) to comply with the legal obligations of the Data Controller.
The data collected include:
name and surname,
place, country, and date of birth,
nationality,
number and type of identification document,
residence (domicile) and address,
date and time of arrival or departure from the facility,
gender,
basis for exemption from tourist tax payment or reduction of tourist tax payment.
These data are processed by tourist boards and public authorities of the Republic of Croatia for the
following lawful purposes:
monitoring compliance with the obligation to register and deregister tourists by reporting entities
(accommodation providers),
recording, calculating, and collecting tourist tax,
keeping a guest book or list by accommodation providers and monitoring compliance with this
obligation by inspection bodies,

reporting foreigners to the ministry responsible for internal affairs and monitoring compliance with
this obligation by inspection bodies,
keeping a list of tourists by tourist boards for statistical processing and reporting,
supervision of the operation of accommodation providers concerning the legality of performing
activities or providing registered services and compliance with tax and other public contribution
regulations.
As it is prescribed that guest registration data are entered based on data from an identity card or
some other identity document, the guest is obliged to present such a document to the Data
Controller and provide any other necessary information for data entry that is not contained in such a
document.
For data entry from an identity card or another appropriate document, the Data Controller may use
a scanner. In this case, the document image is not stored, only the necessary data are extracted and
stored from the document in accordance with the processing purpose.
Other data related to guest stay circumstances, such as travel method, accompanying persons,
marital status, number of children, pets, other interests, may also be collected and processed during
the stay when directly related to providing accommodation services.
Before, during, and after the stay, based on legitimate interest, the Data Controller has the right to
send you service messages via email, such as reservation confirmations, stay reminders, and other
notifications closely related to the specific reservation you made.
Also, during and after the stay, based on legitimate interest, the Data Controller has the right to send
satisfaction surveys to you via email, SMS, and/or instant messages (Viber, WhatsApp, etc.) for
processing by themselves or through partners. The primary purpose of satisfaction surveys is to
collect service-related data for the legitimate interest of improving the service by the Data
Controller, and the Data Controller may depersonalize and process survey data for statistical
purposes.
Based on legitimate interest, the Data Controller has the right to collect certain data and use them
for direct marketing purposes.

CANDIDATES FOR EMPLOYMENT AND EMPLOYEES
The data controller as an employer handles personal data related to employment for a large number
of individuals. In this regard, Data Subjects include current and former employees, potential
employees, individuals on internships (apprentices), professional training, students working under
student contracts, scholarship recipients, and other individuals whose data are processed within the
framework of employment and related relationships.
As a potential employer, the data controller collects, processes, and stores candidate data for
employment with the data controller in a candidate database based on their voluntary application,
in the following ways:
Candidate application through the web application form,
Application via email,
Attending organized auditions and completing application forms,
Any other method.

The data typically collected include: name, surname, date of birth, address, nationality, Personal
Identification Number (OIB), mobile phone number, email address (for contact purposes), gender,
education level, language, preferred method of communication.
The data controller may indirectly obtain candidate data from domestic and foreign employment
agencies, in which case these agencies are obliged to inform the candidates about the processing of
their personal data by the data controller.

Candidates submit their job applications:
As open applications, in which case we process data for contacting candidates regarding
employment for five years,
As applications for specific job openings with a specified deadline, in which case we process data
until the end of the recruitment process. In case candidates applying for a specific job opening with a
specified deadline provide specific consent, we process data for contacting candidates regarding
employment for five years for potential future job openings.

EMPLOYMENT RELATIONSHIP AND OTHER COMPARABLE RELATIONSHIPS
As an employer, the data controller processes all employee data in the employee database
maintained in the information system and in physical employee files. Data are collected in
accordance with the Labor Law, Regulations on the Content and Manner of Keeping Records of
Employees, Regulations on the Content of Salary Calculations, Compensation, Severance Pay, and
Unused Annual Leave Compensation, and other legal acts regulating employment relationships.

The following personal data of employees are collected and processed:
Name and surname
Personal Identification Number (OIB)
Gender
Date of birth
Place of birth
Country of birth
Nationality
Address of residence/domicile
Phone/mobile number
Email
Education level
Occupation
Data on completed education and professional training (copies of diplomas and certificates)
Pension insurance record (e-record)

Place/municipality of work
Contracted working hours
Job position
Date of employment
Insurance numbers in the Croatian Pension Insurance Institute (HZMO) and Croatian Institute for
Health Insurance (HZZO)
IBAN for salary payment
Protected account IBAN (if the employee owns one)
Second pillar pension insurance participant
Personal tax deduction from the tax card
Data on children and dependents
Birth certificate if the child is under 15 years old
Data on wage deductions
Access card number
Data on health examinations for employees in workplaces with special working conditions
Trade union membership
Work permit data (if the employee is a foreigner)
Performance evaluations, assessments, warnings
Date of termination of employment
Reason for termination of employment
Application and resume
Results of health and psychological examinations conducted during candidate selection for the job (if
conducted).
The necessary data for concluding student contracts usually include:
Confirmation from the university for the current academic year as proof of student status or a copy
of the student index for the enrolled academic year,
Data from the identity card (identity card for inspection),
Confirmation/card from the Student Center,
OIB.
In addition to this data, the data controller may keep other data collected during the hiring process
and during the employment relationship, as well as other data collected during the employment
relationship specified by regulations (awards, warnings, certificates, etc.).
All employee data are stored in the employee database from the start of the employment
relationship and are kept up to date until the termination of the employment relationship. They are
then preserved as permanent documentation in accordance with relevant regulations.

The data controller also keeps data of other individuals in employment relationships comparable to
employment relationships or individuals on internships and professional training in their database,
starting from the beginning of the employment and keeping them up to date until the termination of
the employment, in compliance with relevant regulations. Special attention is given to data of
apprentices who may be minors, and their data are collected and stored in accordance with special
regulations with the consent of the school and parents.

BUSINESS PARTNERS
In its operations, the data controller processes personal data of employees of business partners or
potential business partners, as well as individuals with whom the data controller has or may have a
business relationship.
The categories of personal data of the data subjects collected are:
first and last name,
email address,
phone/mobile number,
data on the position within the legal entity represented,
profession when the data subject is an individual with whom a contractual relationship is established
(e.g., singer, painter, photographer, lawyer, doctor, etc.),
if necessary, references and brief CVs,
data listed on blank promissory note forms, promissory notes, bills of exchange,
bank account number (IBAN) when the business partner is an individual with whom a contractual
relationship is established,
other data depending on the nature of the business relationship.
Methods of collecting personal data of data subjects:
received offers/requests from data subjects for business cooperation,
received data from data subjects in the context of sales of products/services of the data controller or
purchase of products/services from a business partner (e.g., fairs, congresses, etc.),
business correspondence related to a specific previous or current business cooperation (e.g.,
correspondence conducted as part of contract execution),
publicly available data (e.g., court register, websites of business partners, magazines, bulletins, etc.).
In addition to the mentioned types of data and collection locations, personal data processing may be
carried out for other specific purposes, but always within the framework prescribed by law or if
processing is necessary for the exercise of rights and obligations from the business relationship.
Data of data subjects who are individuals in a business relationship with the data controller are
stored in accordance with applicable legal regulations (e.g., the data controller is obliged to keep all
invoices, as well as invoice receipts, for 11 years in accordance with legal regulations).
In situations where the data controller is authorized to determine the data retention periods, they
are determined taking into account the purpose of processing and the interests of the data subjects.

PUBLIC DISCLOSURES
The data controller publishes information for promotional purposes through its websites, social
media profiles, etc. Such disclosures may contain a limited set of personal data, such as names,
positions, professional data, videos, statements, and photographs.
The legal basis for processing is the legitimate interest of the data controller, and in doing so, the
interest of the data subjects is always taken into account, so personal data is not disclosed if it is
determined that the interest of the data subject outweighs the interest of the data controller in
disclosing the information. In some cases, the disclosure of information may be based on consent in
accordance with the Regulation.
The disclosures are permanent to ensure information about current events and insight into past
activities.
Processing will cease if, based on the objection of the data subject, it is determined that such
objection is justified or if the data subject withdraws consent in situations where consent is
applicable and in a manner that can be implemented.

MARKETING MESSAGES (NEWSLETTERS)
The data controller has a legitimate interest in processing personal data carried out for the purpose
of direct marketing, primarily for sending marketing messages (newsletters) by email, SMS, and/or
instant messaging (Viber, WhatsApp, etc.). Based on the legitimate interest, the data controller can
send various newsletters depending on the relationship that data subjects have with the data
controller.
The personal data collected primarily include name, email address, phone/mobile number, address,
gender, country/language of communication, as well as basic data related to that relationship with
us.
Data subjects can request restriction of processing at any time.
On some of its websites, the data controller has the option for users to subscribe to newsletters via
email. To ensure that there has been no error or abuse when entering the email, we use the so-
called Double-Opt-in process: after the email address is entered in the subscription field, the data
controller sends a confirmation link to the email address. Only after clicking on the confirmation link
is your email address added to the database for sending a specific newsletter. Such newsletters are
sent based on your consent provided by completing and confirming the form on the websites. The
content and purpose of the newsletter will be stated during your subscription.
At any time, the data subject can unsubscribe from the list, and the data controller will immediately
cease sending newsletters.

USE OF COOKIES
Cookies are small files that a website visited by the user stores on the user's computer for its own
purposes. These purposes can vary, so data such as the language chosen by the user, list of items in
the shopping cart in an online store, user's IP address, username and password, email address, user's
geolocation, etc., can be stored.
Cookies are divided by duration, source, and function.

According to duration, cookies can be:
Persistent cookies: these cookies remain on the computer even after closing the Internet browser.
They are used by websites to store data, such as login name and password, language settings, or
cookie settings, so that the user does not have to enter them again during each subsequent visit.
Persistent cookies can remain on the computer for days, months, or even years.
Session cookies: these cookies are removed from the computer upon closing the Internet browser.
They are used by websites to store temporary data, such as the last few pages the user opened on
the website they are visiting or items in the shopping cart if it is an online store.
According to the source, cookies can be:
First-party cookies: these are cookies stored by the website that the user primarily visits.
Third-party cookies: these are cookies stored by other websites or Internet services that are part of
the primary website the user visits. They are usually used to track user habits on the primary website
or can be used by web services to provide that service effectively.

According to function, there are several types of cookies:
Technical/essential cookies: these cookies are necessary for the functionality of the website as well
as its basic functionalities, such as the session identifier of the user's current visit or the content of
the shopping cart filled by the user during product purchase through an online store.
Functional cookies: these cookies enable the website to provide enhanced functionality and
personalization, such as remembering the language in which the content of the website is displayed.
Statistical cookies: these cookies collect information about how users visit the website. Generally,
data is collected in aggregate form without identifying the user.
Marketing cookies: these cookies collect information about user habits and behavior on the website
for the purpose of displaying personalized advertisements.
Only technical/essential cookies will be used without the consent of the data subject. For all other
cookies, consent of the data subject will be sought.

VIDEO SURVEILLANCE
The data controller has a legitimate interest in implementing video surveillance measures to protect
property and individuals, and in certain cases (e.g., currency exchange offices located at reception
desks of facilities), there is a legal obligation to install surveillance cameras that record all persons
moving within the camera's perimeter (guests, employees, business partners, etc.).
Processing of personal data of employees through the video surveillance system is conducted under
conditions prescribed by regulations governing occupational safety, and in accordance with the Data
Controller's Video Surveillance Policy.
The data controller marks all locations where video surveillance is installed in the prescribed
manner.
The data controller is aware that video recordings contain personal data of all individuals moving
within the camera's perimeter and therefore stores them with special care, has established a

security system, availability, and a deletion policy regulated by the Data Controller's internal security
rules.
Video surveillance recordings are kept for a maximum of 30 days from the date of recording. In case
of need for extraction (copying), video recordings are kept for a maximum of six months, unless a
longer storage period is prescribed by another law or if they are evidence in judicial, administrative,
arbitration, or other equivalent proceedings.
In case of conducting judicial and/or criminal proceedings, the data controller may use the
aforementioned video recordings. Third parties, data processors, contractual partners of the data
controller registered and qualified to provide security services for persons and property protection,
may have access to personal data in the video recordings, but they do not independently use the
aforementioned data and are responsible for the security of central surveillance and alarm systems.
Special regulations governing this area apply to all other details related to video surveillance.

FINAL PROVISIONS
We regularly update the privacy policy to ensure its accuracy and timeliness, and reserve the right to
change its content if deemed necessary. You will be promptly informed of any changes and
amendments through our website in accordance with the principle of transparency.

In Žminj, June 15, 2023.