Welcome to the website of Industrial Project d.o.o.
On this page we provide information pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”) on the processing of personal data.
1. Data controller
The Data Controller is the company Industrial Project d.o.o. (hereinafter also referred to as the “Data Controller”), with its registered office in Fazana in Dragonja street 115 (HR), which can be contacted for matters relating to the protection of personal data at the email address email@example.com.
3. Recipients of the data controller’s services
The Website and the services offered on it by Industrial Project d.o.o. are intended for adults. Therefore, the Data Controller does not intentionally process personal data of persons under the age of 18.
4. Categories of personal data processed
The Data Controller may collect and process the following types of personal data: first and last name, gender, date and place of birth, nationality, passport data or other identification documents, address, telephone number, photos and video footage, email address, IP addresses and other data related to the browsing of the Website, financial data (such as credit/debit card number or other payment data), preferred language, vehicle licence plates, data relating to health status (for public health protection requirements or to meet specific user needs), information about personal preferences or special needs, data relating to membership of the loyalty programme (“BiCard”), employer’s data (for event or business travel bookings), information about activities carried out or services requested during previous stays, data concerning family members or other travel companions.
5. Purposes of the processing, legal basis and storage period
Personal data will be processed by Industrial Project d.o.o. for the purposes and under the conditions specified below.
a. Reception: for the preparation of quotes, the conclusion and execution of the purchase contract for the products and services offered by the Data Controller, the communication of any circumstances relating to the order and the processing of payments. The Data Controller may also use customer data to carry out activities associated with check-in and check-out; to provide recreational and entertainment activities within the facility; to provide reception services, luggage storage, parking or other services requested by customers; to handle any customer requests related to special needs, including health; to handle complaints and evaluations of services provided by customers. In order to speed up the registration of customers, if they have not checked in online before their arrival, they may receive text messages (SMS) reminding them of the possibility of using this service. These communications will not have any content of a commercial nature. The Data Controller may also use SMS or telephone communications to provide information to customers on the collection of shipments delivered on their behalf to the facility.
b. WiFi: to allow and manage customer access to the Wi-Fi network.
c. Website registration: to allow the creation of a personal account on the Website and access to and use of the services related to it.
d. Provision of services via App: for the booking and use of activities, events and services within the tourist facility. Registration credentials will be sent to users by email or given to them upon check-in.
e. Management of the “BiCard” programme: to enable the Joint Data Controllers to manage the technical and administrative aspects of the discount service provided to customers. The programme regulation can be viewed in the appropriate section of the website. The credentials for managing your personal account will be communicated to you by email.
f. The sending of personalised communications on the basis of the products and services purchased: for the sending by email of questionnaires or communications regarding products and services of the Joint Data Controllers similar to those purchased that could be of interest to the guests of the facilities (so-called soft spam).
g. Documentation of events organised in the accommodation facilities: to publicise, also through the Data Controller’s web and social channels, free participation events held in the facilities. The documentation produced on these occasions will not under any circumstances be used for advertising campaigns.
h. Access control: to ensure that only entitled persons and vehicles have access to tourist facilities and to be able to verify the presence of persons or vehicles in the accommodation in case of damage or emergency situations. This activity will also be carried out by means of automatic electronic number plate reading systems and electronic bracelets given to the guests.
i. Video surveillance: to protect the safety of individuals and safeguard property within accommodation facilities.
l. Fulfilment of legal obligations: for the fulfilment of legal obligations (in particular with regard to civil, tax, public security, banking and personal data protection). These obligations also include the transmission of customers’ details to the Police Headquarters.
m. Litigation and prevention of offences: to enforce the Data Controller’s rights and for the detection and prevention of fraud, crimes and offences.
n. Countering health emergencies: to enable compliance with regulations on epidemiological prevention (including those relating to the “Covid-19” pandemic).
Legal basis
a. Fulfilment of contractual obligations and pre-contractual measures.
b. Legitimate interest of the Data Controller to provide its customers with a connection service.
c. Fulfilment of contractual obligations.
d. Fulfilment of contractual obligations.
e. Fulfilment of contractual obligations.
f. Legitimate interest of the Data Controller to inform its customers about the services offered and to carry out initiatives to improve them.
g. Legitimate interest of the Data Controller to communicate the initiatives carried out in its accommodation facilities.
h. Legitimate interest of the Data Controller to prevent the entry of unauthorised persons and vehicles into its facilities and to be aware of the presence of vehicles or persons in its facilities in case of emergencies or damage claims.
i. Legitimate interest of the Data Controller in protecting the safety of persons and assets on its property.
l. Fulfilment of legal obligations.
m. Legitimate interest of the Data Controller to protect its rights.
n. Fulfilment of legal obligations.
Data storage period
a. For the time necessary to process the request and, subsequently, for a further 5 years from the date of the quote or the date of the last stay in the Data Controller’s facilities.
Data relating to services for recreational or entertainment activities will be stored for 30 days.
b. For the period necessary to manage the activities indicated alongside.
c. Until a request for cancellation of the account or termination of the service. However, the account and its data will be deleted after 3 years of non-use.
d. Until a request for cancellation of the account or termination of the service. However, the account and its data will be deleted after 5 years of non-use. If the customer does not activate the account after it has been created, the relevant data will be deleted within 30 days following the end of the stay at the facility.
e. For five years from the date of the first purchase of products and services offered by the Data Controller.
f. For a maximum period of 6 months after the end of the stay.
g. For the duration of the event and, if necessary, for the subsequent period deemed useful by the Data Controller for documenting the event.
h. Data will be deleted by the beginning of the season following the one in which the user stayed.
i. For 24 hours after registration.
l. For the period defined in the relevant legislation. Data on tax documents will be kept for 10 years.
m. For the period necessary for the purpose for which the data is collected, in accordance with applicable legislation (e.g. limitation periods of rights).
n. Unless otherwise provided for by law, data will be processed for a period of 15 days after their collection.
6. Necessity of data processing
The communication of personal data to Industrial Project d.o.o. for the purposes indicated in points A (Purchase of products and services), C (Registration to the Website), D (Provision of services via WebAPP), E (Management of the “BiCard” programme) is necessary for the fulfilment of contractual obligations or pre-contractual measures and to provide the services specified therein. Without this, the Data Controller would not be able to process the corresponding customer requests.
The processing of personal data necessary for the pursuit of the purposes indicated in points B (Wi-Fi), G (Documentation of events organised in the accommodation facilities), H (Access control), I (Video surveillance) and M (Litigation and prevention of offences) is based on the legitimate interests of the Data Controller and therefore does not require the consent of the customers. Should the customer refuse to allow such processing, Industrial Project d.o.o. may be forced to refuse to provide its services.
The processing indicated in point F (Personalised communications on the basis of purchased products and services) is based on a legitimate interest of the Data Controller (ex Art. 130, par. 4, Privacy Act), but the customer has the right to object to it at any time, with the sole consequence of not receiving further information on the services offered by Industrial Project d.o.o.
The processing of personal data for the purposes specified in points L (Fulfilment of regulatory obligations) and N (Countering health emergencies) is necessary for the fulfilment by Industrial Project d.o.o. of obligations dictated by current legislation; consequently, the customer cannot oppose them, otherwise it will be impossible to use the Data Controller’s tourist services.
7. Automated decision-making
Industrial Project d.o.o. intends to pursue the aim stated at point G (Personalised communications on the basis of purchased products and services) by analysing the products and services requested by its customers, in order to send them only personalised communications which are of real interest to them.
8. Processing methods
Industrial Project d.o.o. and the Joint Data Controller have adopted specific security measures to prevent the loss of personal data, unlawful or incorrect use thereof and unauthorised access thereto.
9. Categories of recipients of personal data
For the fulfilment of the purposes indicated in point 5, Industrial Project d.o.o. may communicate, for its own needs or to comply with legal obligations, the data of its customers to the categories of subjects indicated below: Public authorities and supervisory and control bodies; IT service providers (such as internet service and cloud computing); subjects carrying out logistics activities; subjects carrying out customer service activities; professionals or companies providing the Data Controller with legal, fiscal, accounting, economic-financial, technical-organisational, data processing or communication services; subjects providing banking, financial, insurance and credit recovery services; subjects carrying out anti-fraud payment control activities; animation companies. Where necessary, data recipients will be designated as data controllers, in accordance with the provisions of Article 28 of the GDPR.
10. Transfer of data to third countries
Personal data processed by Industrial Project d.o.o. may be transferred to other companies based in the United States of America (USA) exclusively for the pursuit of the purposes described above. This transfer will take place exclusively following the signing with the companies receiving the personal data of standard contractual clauses (S.C.C.) adopted by the Commission of the European Union (pursuant to Article 46, paragraph II, points C and D of the GDPR).
11. Rights of data subjects
In relation to the personal data provided, data subjects have the right at any time to request: confirmation of whether or not personal data concerning them is being processed and, if so, to obtain access to the data and a copy thereof (Art. 15 of the GDPR); the rectification of any inaccurate personal data or the integration of incomplete data (Art. 16 of the GDPR); in the cases specifically provided for by the legislation, the cancellation of the data (Art. 17 of the GDPR), the limitation of their processing (Art. 18 of the GDPR), the opposition to their processing (Art. 21 of the GDPR) or their portability (Art. 20 of the GDPR).
If data subjects consider that their rights under data protection law have been infringed, they may lodge a complaint with the competent Supervisory Authority (www.azop.hr).