Apartment Lega, with headquarters in Daruvar, Petra Preradovića 13, 435 00 Daruvar, owner Libor Bok OIB: 71832475521 (hereinafter: lessor), respects the privacy of every person whose personal data it collects.

We inform you about what personal data the lessor collects, how it is protected and what your rights are.

The lessor reserves all copyrights for the use of photographs, texts and other published materials, according to the legal regulations in the Republic of Croatia. Photos, texts and other material may not be published, sold, publicly or privately published or used in any other way without the consent of the renter. Any non-compliance with the previous conditions entails responsibility and the obligation to compensate the lessor for non-material damage per violation for a particular material.

 Basic information Scope of application This Policy applies to any processing of the lessor’s personal data, unless otherwise stipulated by the lessor’s statement. Exceptionally, in relation to the processing of data of guests and users of the lessor’s services, this Policy takes precedence over other statements if rights and obligations regarding data processing are otherwise prescribed in those statements.

Data controller and legal framework The lessor, as the data controller, respects your privacy and undertakes to protect your personal data.The collection and storage of data is carried out in accordance with the provisions of Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data (General Data Protection Regulation), the Law on Implementation General Regulation on Data Protection (Official Gazette 42/2018) and other regulations governing the subject area, which are applicable in the Republic of Croatia.     Data Protection Officer The lessor is a personal data protection officer who can be contacted at any time via the e-mail address:info@apartmanlega.comor by mail to the address:Apartment LegaLibor BokPetar Preradovića 13HR-435 00 DaruvarREPUBLIC OF CROATIA

Data protection principles

Within the framework of the application of this Policy, the Lessor pays particular attention to compliance with the principles of data processing and processes data:

• Legal – processing will be possible if it is permitted by law and within the limits permitted by law.
• Fair – respecting the specifics of each relationship, applying all adequate measures to protect personal data and privacy in general, and not preventing the respondent from exercising their rights.
• Transparent – ​​informing respondents about the processing of personal data. From the very collection of data, when respondents are informed about all aspects of data processing until the end of data processing, respondents are provided with simple and quick access to their own data, which includes the possibility of viewing and obtaining a copy in accordance with the provisions of the Regulation. Certain information may be restricted only when required by law or when it is necessary to protect third parties.
• With purpose limitation – processing personal data for the purposes for which they were collected, and for other purposes if the conditions from the Regulation are met. Data may be processed for matching purposes only taking into account: (a) any connection between the purposes of collecting personal data and the purposes of the intended continuation of processing; (b) the context in which the personal data was collected, especially with regard to the relationship between the data subject and the lessor; (c) the nature of personal data, in particular whether special categories of personal data are processed in accordance with Article 9 of the Regulation or personal data related to criminal convictions and criminal offenses in accordance with Article 10 of the Regulation; (d) possible consequences of the intended continuation of processing for the data subjects; and (e) the existence of appropriate protective measures.
• With storage limitation – storing data in a form that enables the identification of the data subject only for as long as is necessary for the purposes for which the personal data is processed, and longer only if permitted by the Regulation.
• By reducing the amount of data – processing data if it is appropriate, relevant and limited to what is necessary. Special care is taken not to collect data for which there is no justified need for processing.
• Taking care of accuracy – taking care of the accuracy and up-to-dateness of the data and deleting inaccurate data as far as possible.
• Taking into account the integrity and confidentiality – providing adequate security of personal data with technical and organizational measures, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical or organizational measures. Relevant measures are applied taking into account the riskiness of each type of data processing.

Delivery of data to third parties

If necessary and to a limited extent, third parties, processors (for example, associates of the lessor who provide IT services or other services, e.g. RENTLIO, STRIPE), who store them in their databases until the end of the processing, may also have access to the guests’ personal data. A detailed contract is concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities together with the Renter to jointly determine the purposes and methods of personal data processing, in which case these external partners and the Renter are joint processing managers. In these relationships, the joint processing managers transparently determine their responsibilities for compliance with the obligations from the Regulation, especially with regard to the exercise of the data subject’s rights and their duties to respect the transparency of the processing, unless the responsibilities are determined by law.

If data is transferred to third countries as part of data processing, the lessor ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. In this sense, when international transfers of personal data are in effect, the lessor will inform the respondent about the intention to transfer personal data to a third country or international organization and about the existence or non-existence of the decision of the European Commission on adequacy. At the same time, the respondent will be directed to suitable or appropriate protective measures and ways of obtaining their copy or the place where they are made available if the transfer is subject to appropriate protective measures according to Article 46 of the Regulation, the application of binding corporate rules according to Article 47 of the Regulation or if it is applicable Article 49, paragraph 1, subparagraph 2 of the Regulation. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

Purpose of collection

The lessor is obliged to collect some of your personal data due to the fulfillment of the accommodation contract and due to the regulations governing hospitality activities, but the lessor may collect some other or the same data for other purposes, primarily for contact purposes, namely:

• fulfillment of accommodation contracts,
• meeting the requirements of the law and other valid positive regulations governing the hospitality industry,
• for direct marketing purposes,
• sending offers,
• for the purpose of holding prize games,
• for the purpose of improving and personalizing the service to you as a guest,
• for the purpose of protecting property and the safety of individuals by applying video surveillance measures.

The lessor guarantees that the collected data will be used only for the stated purposes.

The lessor may use depersonalized data for statistical purposes.

Legal basis of collection

The legal basis for the stated collection purposes are:

• legal,
• contractual,
• key interests of the respondents,
• a legitimate interest that is stronger than the interest of the respondent or
• consent or express consent of the respondent, depending on the purpose of the processing and the type of personal data.

Data collection

The lessor collects your data during:

• accommodation reservations (reservations via the Internet or reservations by phone),
• when completing the accommodation contract – logging into the e-visitor,
• registration for free WiFi in the apartment from the lessor,
• participation in the prize game by filling out the survey form,
• in a place under a video surveillance system.

Data retention time

Data that the lessor collects on the basis of the law, he is obliged to keep as long as determined by a specific law or other positive regulation.

Data that the lessor collects on the basis of the contractual relationship will be kept only as long as necessary for the purpose of fulfilling the contract or providing the service.

Data on name, surname and e-mail address collected by the lessor based on legitimate interest for direct marketing purposes will be kept in its guest database for 10 years.

Other data that the lessor collects based on the express consent of the guest (cell phone number, number of children, marital status, pets, interests, method of travel, accommodation preference and destination preference) will be stored in its guest database for 5 years.

Rights of respondents

Regardless of the basis of data collection, you can request free of charge at any time:

• access, modification or addition of data in all personal data bases, on the basis of which the lessor will enable access or change your data in all its databases depending on your request,
• erasure (“right to be forgotten”) of personal data in all personal data databases, based on which the lessor will delete you from all its databases, except from databases that the lessor is obliged to have and keep on the basis of positive regulations, and if there are no stronger legitimate reasons for processing or if the processing is not necessary for establishing, exercising or defending legal claims,
• limiting the processing of your data or objecting to the processing of such data,
• that the data we have collected about you be transferred to you or to third parties (“right to data portability”), in accordance with positive legal regulations,
• if the data was given on the basis of consent, you can always withdraw that consent without negative consequences,
• the right to submit a complaint to the supervisory authority – the Agency for the Protection of Personal Data

 (more on this at www.azop.hr).

Send your written request to the lessor’s contact e-mail address:

info@apartmanlega.com

or by mail to the address:

Apartment Lega

Libor Bok

Petar Preradovića 13

HR-435 00 Daruvar

REPUBLIC OF CROATIA

Personal data collected from persons who have booked accommodation and guests

Your personal data, which you must submit in order to provide you with the accommodation service, is stored by the lessor as a processing manager in its database exclusively for the purpose of fulfilling the accommodation contract and fulfilling legal delivery obligations, as well as collecting personal data related to the catering business, and may use them and for other purposes provided by positive regulations. In the event that you do not provide the lessor with the minimum data required for guest registration in all competent registers, the lessor will not be able to provide you with accommodation services in accordance with the contract and the law.

The personal data recorded by the lessor already at the time of reservation and on the registration card when arriving at the facility, were collected based on the laws governing the hospitality industry, and for the purpose of providing services to guests. These are the following data (which can be changed due to positive regulations):

• name and surname,
• residential address (Croatian citizens),
• date of birth,
• number, type of identification document and place of issue,
• citizenship,
• object name,
• accommodation unit number,
• date of arrival and departure of the guest,
• gender

The lessor keeps the above data in its guest database and sends it to the E-visitor system (electronic system for guest registration) to the competent authorities of the Republic of Croatia, and the above data must be kept in the system for 10 years. Also, the lessor is obliged to keep all invoices issued to guests with the guest’s personal data for 11 years, in accordance with legal regulations.

Furthermore, in order to fulfill the contractual obligation, the lessor collects the following information during the reservation, as well as on the registration card when arriving at the facility:

• e-mail,
• language,
• telephone

Other data related to the circumstances of your stay, such as: method of travel, with whom you travel, marital status, number of children, pets, other interests, will also be collected if they have a direct connection with the provision of accommodation services, and will be deleted after of your departure from the accommodation facility.

Your personal data (name and surname, e-mail address), the lessor, as a data controller, has the right, on the basis of legitimate interest, to collect it in its guest database and use it for the purpose of direct marketing, and exclusively for the purpose of informing about the lessor’s offers and news via e-mail. In this case, you have the right to request deletion (right to be forgotten) from the database for this purpose at any time and free of charge.

During and after your stay, the lessor sends you, as a guest, a satisfaction questionnaire via the e-mail we received from you, which, if you want to fill it in, only with your consent. The primary purpose of the satisfaction questionnaire is to collect data about the service in order to improve the service provided by the lessor, and the lessor depersonalizes and processes the data from the questionnaire for statistical purposes.

Additionally, the person booking the accommodation or the guest can give special permission, consent, to the lessor, that all his data, such as:

• name,
• surname,
• e-mail,
• date of birth,
• the state,
• other personal data collected during the stay (e.g. mobile phone number, phone number, gender, number of children, marital status, language, pets, interests and activities during the stay, method of travel, accommodation preference, destination preference, etc.),
• other personal data collected when browsing internet pages (so-called cookies), including IP address, collects and uses for further profiling of respondents and for the purpose of contacting and informing about special and personalized offers, news and events organized by the lessor via online channels (e-mail, internet promotion). In this case, the subject has the right to withdraw the given consent at any time, which includes processing for the purposes of profiling to the extent that it is related to such direct marketing, either in relation to initial or further processing, at any time and free of charge, as well as the right at any the era of data change and the right to be forgotten

Data is stored in the lessor’s guest database for 5 years.

The lessor also collects personal data through the video surveillance system.

Cookies and Internet technologies

As is the case with many other portals, ours can be used with “cookies” (small files that we save on your computer when you access our websites in order to enable the basic or additional functionality of those websites) and other technologies that make it easier for us to deliver content depending on your areas of interest, processing reservations or requests, and/or analyzing the characteristics of your visits. Cookies cannot be used to reveal your personal identity. When you access our websites, this information identifies your browser to our servers, but not you.

We use different types of cookies:

• Necessary cookies – they are necessary for the functioning of the website, which cannot function without them. This means that the website cannot be opened or displayed without these cookies. These cookies are used for the purpose of transmission of communication or are necessary for providing an information society service that is expressly required from the user of such service. Also, these cookies will enable us to perform a basic analysis of websites with the aim of improving the website’s performance through data that is completely anonymized, i.e. not based on your personal data or data that can be linked to you in any way. For these cookies, your consent is not required and we do not ask for it.
• Functional cookies – we use them to carry out a more advanced analysis of the operation of internet pages. These cookies are used to analyze user behavior, and based on the obtained anonymous data, we can determine what website visitors want and view most, so we are then able to adjust the website and make its content and functionality as easy to use as possible. We ask for your consent for these cookies.
• Advertising cookies – we use them to analyze your interests and wishes, and they serve us to market information that is interesting to you and create offers tailored to your use of the lessor‘s website. We ask for your consent for these cookies.

If you have changed your mind about the cookie settings on the lessor’s website at any time you can delete the cookies that are saved on your computer, thereby preventing the further processing of your personal data through such technology.

Each internet browser has its own procedure for deleting cookies, and here are the procedures for the most popular internet browsers:

• Google Chrome:

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en,

• Mozilla Firefox:

https://support.mozilla.org/hr/kb/Brisanje%20kola%C4%8Di%C4%87a,

• Microsoft Edge:

https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy,

• Internet Explorer:

https://support.microsoft.com/hr-hr/help/17442/windows-internet-explorer-delete-manage-cookies,

• Safari:

https://support.apple.com/hr-hr/HT201265.

Video surveillance system

The lessor as a processing manager has a legitimate interest in implementing video surveillance measures for the protection of property and persons, and in relation to certain work positions and the legal duty to install surveillance cameras that record employees and all persons who move in the field of view of the surveillance camera.

The lessor marks all places where video surveillance is installed in the prescribed manner.

The lessor is aware that the videos contain personal data of all persons moving in the camera’s field of view, and therefore preserves them with special care, has an organized system of security, availability and their deletion policy, which is regulated by the lessor‘s internal security rules.

Videos are automatically deleted after a maximum of 7 days from the day of recording. Exceptionally, videos are kept longer if they are evidence in proceedings before competent state authorities. Exempted videos will be stored in a central reporting system with extremely limited access.

In case of judicial and/or criminal proceedings, the lessor may use the said videos. Personal data on videos can also be viewed by third parties, processors, contractual partners of the lessor registered and expert in providing services for the protection of persons and property, who in no way use the given data independently, but take care of the security of central monitoring and notification systems. Special regulations governing that area apply to all other details related to video surveillance.

Video surveillance processing manager:

info@apartmanlega.com

Libor Bok

+420 732 732 616

Protection of children’s personal data

The lessor advises parents and guardians to teach children about safe and responsible handling of personal information on the Internet. The lessor does not want and has no intention of collecting personal data of children, will not use it in any way or give it to third parties. A child can give his consent exclusively in relation to possible services of the information society, and that child is over 18 years old. Any other processing of the data of children under the specified age limit and other processing than expressly stated here, for children up to 18 years of age, is permitted to the lessor only with the prior consent of the parents.

Data change

You can contact us at any time to review your personal data, as well as to update, correct or delete it. Until that moment, we use your previously recorded data for the stated purposes.

Your consent

When providing information to the lessor, in any way (reservation, registration card…) you guarantee us that the information you have attached is correct, that you are legally competent and authorized to dispose of the information provided, and that you fully agree that the lessor uses and collects your data in accordance with the law and the terms of this Policy.

Technical and integrated data protection

The lessor, as the processing manager, takes care of the highest organizational and technical data protection standards. Therefore, taking into account the latest achievements, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and severity for the rights and freedoms of individuals arising from data processing, at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures to enable effective application of data protection principles.

Also, the lessor implements appropriate technical and organizational measures to ensure that only personal data that is necessary for each specific processing purpose is processed in an integrated manner. The lessor applies this measure to the amount of personal data collected, the scope of their processing, the period of storage and their availability. More precisely, such measures ensure that personal data are not automatically, without individual intervention, available to an unlimited number of individuals.

Records of processing activities

The lessor, as a processing manager, keeps records of processing activities with the following data:

• the name and contact details of the controller, if applicable, the joint controller, and the data protection officer;
• processing purposes;
• description of respondent categories and categories of personal data;
• categories of recipients to whom personal data has been disclosed or will be disclosed, including recipients in third countries or international organizations;
• if applicable, transfers of personal data to a third country or international organization, including identification of that third country or international organization and, in the case of transfer from Article 49, paragraph 1, second subparagraph, documentation on appropriate protective measures;
• if possible, scheduled deadlines for deleting different categories of data;
• if possible, a general description of technical and organizational security measures.

Handling of personal data breaches

The lessor, as a data controller, ensures that in the event of a breach of personal data, without undue delay and, if feasible, no later than 72 hours after becoming aware of the breach, the competent supervisory authority reports the breach of personal data, unless it is likely that the breach of personal data will cause a risk to the rights and freedom of individuals.

The report submitted to the supervisory authority contains all the information in accordance with the Regulation.

In the event of a personal data breach that is likely to cause a high risk for the rights and freedoms of individuals, the lessor, as a data controller, shall notify the respondent of the personal data breach without undue delay. Respondents will not be notified in cases where the Regulation stipulates that the same is not mandatory.

Data Protection Impact Assessment

If it is likely that some type of processing, especially through new technologies and taking into account the nature, scope, context and purposes of the processing, will cause a high risk to the rights and freedoms of the data subject, the lessor as the controller of the processing, before the processing, carries out an assessment of the impact of the intended processing procedures on the protection personal data.

A single assessment may refer to a number of similar processing operations that pose similar high risks.

The lessor carries out an assessment of the impact on data protection in the event of:

• systematic and comprehensive assessments of personal aspects relating to individuals based on automated processing, including profiling, and on the basis of which decisions are made that produce legal effects that relate to the individual or similarly significantly affect the individual;
• extensive processing of special categories of personal data from Article 9, paragraph 1 or data related to criminal convictions and punishable offenses from Article 10 of the Regulation;
• systematic monitoring of the publicly accessible area to a large extent,
• in other situations determined by the competent supervisory authority.

The lessor ensures the adequate involvement of the data protection officer in the performance assessment process.

In accordance with the provisions of the Regulation, if necessary, after the impact assessment procedure, a preliminary consultation procedure with the supervisory authority will be carried out.

Transparency

This Policy is available on the website www.apartmanlega.com.

If we decide to change this Policy, we will post the changes on the website.

In Daruvar, 22/10/2022.