Last modified: March 2019
At Terme Krka, the protection of our guests’ and website users’ privacy is a fundamental value that all of us, from the highest level of management to operative providers of our services, are bound to respect. We are dedicated to protecting the personal data you entrust us with. We act in the interests of our guests, which is why we process personal data in a clear way. The complete transparency of data processing is key in the responsible processing of your personal data.
All the platforms listed above are connected to the Phobs system (channel manager), which synchronises data with Terme Krka’s reception information system. This also applies to the Synexis system (channel manager), which operates offline in the booking network on the grad-otocec.com website.
The personal data processor is Terme Krka, d. o. o., Novo mesto, Novi trg 1, 8000 Novo mesto. Terme Krka comprises the branches of Terme Dolenjske Toplice, Terme Šmarješke Toplice, Talaso Strunjan and Otočec Hotels (which also includes the business hotel Krka Hotel in Novo mesto). Terme Krka is also the contractual controller of the personal data of guests of Golf Grad Otočec, d. o. o.
How we collect, use and otherwise process your personal data
We collect your personal data when you provide it yourself or when you use one of our services, when you send an enquiry about a hotel room or when you book a room, when you use our websites and their functions, when you contact us by e-mail, telephone, in writing, on social media or in any other way where you transmit your personal data to us.
Within legal limits, we can also obtain information about you from other sources.
The types of personal data we collect or obtain
Depending on the type of service we offer, Terme Krka processes personal data that are generally divided into 4 categories: personal data, preference data, transaction data and special types of personal data.
(i) Personal data includes information about guests, such as name and surname, date of birth, identification document type and number, Slovenian health insurance number for users of our services in the health care and wellness system, as well as date of arrival and departure, contact details such as business e-mail address or other e-mail address provided by you, and telephone number.
(ii) Preference data is monitored in order to understand what guests prefer, including the room type and category, culinary offer and wellness services, as well as data about the computer or mobile device used, such as IP address and browser type, device type, and information about how you use our website (which pages you visited, how long you browsed them, what you clicked, etc.). In the tourism sector, satisfying the needs and interests of guests is standard practice. Only in this way can we provide a satisfactory experience.
(iii) The third category of personal data is transaction data, which is collected at points of sale, such as our website and call centre, through the reservation system or services that allow payments to be carried out, and can include bank details and credit card details.
(iv) The special types of personal data (sensitive) that are processed in the health care and wellness system are used for the needs of diagnoses, treatment and improving health.
In accordance with the Slovenian Residence Registration Act (ZPPreb-1), we collect certain legally defined personal data that includes data from your passport or personal ID card, and we transmit them, via the website of the Agency for Public Legal Records and Related Services, to the competent authorities (police, Statistical Office of the Republic of Slovenia, and municipalities). The content of the data we transmit is set out in the Slovenian Residence Registration Act (ZPPreb-1) and comes from the guest book, while the means of transmitting the data is set out in the Rules on check-ins and check-outs of .
In addition to offering tourism packages, Terme Krka also offers and performs healthcare services, including specialist clinics and the treatment of insurance holders (inpatients and outpatients) with the purpose of restoring their functional abilities. As part of this we process sensitive personal data about people’s state of health, with the purpose of improving it. We perform treatments in accordance with the following Slovenian laws: Health Services Act (Official Gazette of the Republic of Slovenia, No. 9/1992, with amendments), Health Care and Health Insurance Act (Official Gazette of the Republic of Slovenia, No. 9/1992, with amendments) and Healthcare Databases Act (Official Gazette of the Republic of Slovenia, No. 65/2000, with amendments). We ensure patients’ privacy on the level of the entire system of our healthcare services and on the level of each individual treatment, whereby their rights regarding privacy protection are set out in the Patients’ Rights Act (Official Gazette of the Republic of Slovenia, No. 15/08 and 55/17; hereinafter referred to as ZPacP). At Terme Krka, we also uphold the guidelines of the Information Commissioner for providers of healthcare services.
We can also obtain your personal data (but not without limits) from certain publicly accessible sources, such as public online databases, business registers, media publications, social media and websites.
How we use your personal data and the purpose of processing it
We can use your personal data:
1) In connection with your use of our services,
2) In connection with enquiries received from you or for the creation of an offer for you and the conclusion of an agreement,
3) With your explicit consent for advertising purposes, in order to notify you about our services, news, events, special offers and for carrying out prize competitions,
4) For our legitimate interest in knowing our guests and website visitors, and for our effective operations, namely for:
- Managing and improving both our websites and services, including personalising the user experience, and for directly communicating with you in connection with updates on our websites – This is necessary for our legitimate interest in better understanding the needs of our guests and potential guests in order for our websites, products and services to be adapted to these wants and needs.
- Terme Krka direct marketing and customer relationship management with current and potential guests – This is done by analysing and segmenting data about hotel guests and analysing data about the history of our relationship with our guests, with the purpose of adapting our services and offer to the needs of our guests, to improve business relationships with hotel guests and those interested in our services, with an emphasis on retaining regular guests and reaching sales growth, as well as the success and recognition of Terme Krka. This is necessary for our legitimate interest in better understanding the wishes of our guests (e.g. information about how you use our website, which pages you visited, how long you browsed them, what you clicked) and for the successful management of our business operations.
- Protecting our business operations and business interests, including checking past experiences, preventing potential criminal offences and collecting debt – This is necessary in order to protect our legitimate interest in preventing criminal activities (such as fraud and money laundering), to ensure that our services are not abused and to protect our business operations. Such checking will only be carried out within the framework of the applicable legislation. We may have to use and process your personal data in order to operate in accordance with the legal obligations we must abide by. For example, we may request that you submit certain personal data to fulfil the legal obligations of preventing money laundering, or we may be required to disclose your personal data to a court following a court order. We may also need your personal data to fulfil applicable legal obligations regarding tax and accounting legislation, as well as other regulations that also bind us to protect the organisation’s memory, with a backup and archiving policy.
- Communication with our business advisors and legal representatives – This is necessary for our legitimate interest in obtaining legal or other professional business advice; however, we will only transmit your personal data if absolutely necessary, to the smallest extent possible and, if at all possible, it will be anonymised.
- Sharing personal data with third parties (hereinafter referred to as data recipients) that are connected with us in relation to the provision of our services, i.e. (i) associated companies, such as Krka, d. d., Novo mesto, and Golf Grad Otočec, d. o. o., and (ii) suppliers or providers of ICT services (the most important of which are listed below). Such data sharing will be necessary when either creating an offer or carrying out an agreement (order) concluded with you, for our legitimate interest in effectively managing our business operations, for compliance with legal regulations that bind us, or for our own purposes of direct marketing. In the event that we share your personal data, we will do so consistently on the basis of shown needs, in accordance with the appropriate limitations of privacy and only to the extent that will be absolutely necessary for any of these purposes. We have also concluded personal data processing agreements with our contractual processors in which we demand a high level of personal data protection and regularly monitor their fulfilment. In cases where our services are used through a travel agency, be aware that the travel agency also processes your personal data as an independent controller.
- Sharing personal data within the KRKA Group – Terme Krka, d. o. o., Novo mesto, is part of the KRKA Group, while Golf Grad Otočec, d. o. o., is a subsidiary of Terme Krka. To ensure the effectiveness of business operations, certain work processes, including the IT infrastructure (IT communications devices, server, disk array, backup policy), are managed by Krka, d. d., Novo mesto. Krka manages the personal data it has at its disposal on the same basis as a contractual processor and does not use the personal data in any way for its own purposes. The relationships between the companies of Terme Krka, Krka and Golf Grad Otočec regarding the processing of guests’ personal data are set out in written agreements.
- Requests for disclosure and in the event of the sale or purchase of the company and/or its assets, both actual and potential – This is necessary for our legitimate interest in the sale and/or ensuring and promoting the success of our business operations.
- For statistical and research purposes – Your personal data will be anonymised in certain cases and used for the legitimate interest of personal data processing for research purposes, for market research, to better understand your interests and wishes, and to successfully adapt our products and services to your needs.
When processing your personal data on the basis of your consent, you can withdraw your consent at any time by sending an e-mail stating this to email@example.com. Such a withdrawal will go into effect in 30 working days from the day of receiving your request. Furthermore, in every e-mail sent by us to you there is the option to immediately unsubscribe from receiving any further newsletters from us.
Storing personal data and the period of their processing
Certain personal data, mainly from our health care activities, are also stored in paper form (archives, medical files).
Terme Krka undertakes to process your personal data only to the relevant extent, limited to the purposes for which they are being processed. We continue to store your data, for example, where this is needed for us to keep fulfilling our contractual obligations to you or for our legitimate interests; where we have a legal obligation to do so, e.g. an obligation to keep records set out in the applicable legislation; and where we have a legal basis to continue processing your personal data, such as your consent or our legitimate interest.
If you would like more information about where and for how long your personal data is stored by us, and for more information about your rights to erasure and transferability of personal data, contact us at dataprotection.officer.TK@terme-krka.si.
How we protect your personal data
We have adopted the appropriate technical and organisational measures to safeguard your personal data and to protect them against the unauthorised or unlawful use or processing and against the accidental loss or destruction or damage of your personal data, including the following:
- The principle of collecting and processing the minimum amount of data necessary and processing it on an anonymous basis, wherever possible,
- Training all our employees on the importance of confidentiality, the protection of privacy and the security of your data,
- Being dedicated to adopting the appropriate disciplinary measures to enforce employee responsibility regarding violations of privacy rules,
- Continuously and comprehensively updating and testing our security technologies,
- Carefully defined user rights regarding databases,
- Carefully and responsibly choosing our contractual sub-processors,
- Measures for network security,
- Measures for protecting servers on which your personal data is stored,
- Appointing independent authorised persons for personal data protection,
- Requiring proof of ID from anyone requesting access to personal data,
- Establishing clear procedures for the reporting of privacy violations or misuse of data,
- Clearly defined procedures, including procedures of built-in and default privacy (Privacy by Design, Privacy by Default).
Terme Krka will adhere to the good data protection practices that apply to the Krka Group.
However, we would like to make you aware that the transfer of data (including personal data) on the internet is not always entirely secure, and if you send any information to us (either by e-mail, through our website or in any other way), you do so entirely at your own risk. We are unable to take on any liability for any potential costs incurred, loss of profit, damage to reputation, liability or any other loss or damage that you may incur due to your transmitting of data to us over the internet.
Technological tools and browser plugins that we use
a) YouTube
On all our websites we use plugins that are managed by Google on YouTube. The website administrator is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. By visiting our website that contains a YouTube plugin, a connection is established with YouTube’s servers and YouTube is notified about your visit to our website.
If you have a YouTube account, this enables you to connect your browsing habits directly with your personal profile.
If you would like to prevent this, log out of your YouTube account.
YouTube helps make our website appealing. This is our legitimate interest in accordance with Article 6(1)(f) of the General Data Protection Regulation (hereinafter referred to as the GDPR).
Additional information about the handling of user data by YouTube is available in their data protection policy: youtube.com/static?template=privacy_guidelines.
b) Google Maps
All our websites use the cartographic service of Google Maps, through an application program interface (API) managed by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
If you want to use Google Maps, you must enter your IP address. This information is usually transmitted to Google’s server in the USA and is stored there. The website provider does not have any influence on this data transmission.
Use of the Google Maps application is in our interest to make our website appealing and make it easier to locate the locations you define on the website. This is our legitimate interest in accordance with Article 6(1)(f) of the GDPR.
Additional information about the handling of user data by Google is available in their data protection policy: policies.google.com/privacy.
c) Google Analytics (basic)
All our websites use Google Analytics to perform online service analyses. It is managed by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
Google will use this information to calculate your usage of the website, for website activity reports for their administrators and for other services connected to the use of websites and the internet. This data can be transmitted to third parties if prescribed by law or if the third parties process the data on the order of Google. Google will not link your IP address with other data it has at its disposal.
You can disable Google Analytics cookies by clicking on this link. If you decide not to accept certain cookies, some website functionalities will be lost. For example, if you do not want to receive targeted advertisements, you will still see advertisements on the internet, but these will not be tailored to your wishes and browsing habits.
Regarding the international transfer of data, Google is registered at the EU-US Privacy Shield, whereby it is bound to adhere to EU rules about personal data protection.
Google Analytics cookies are stored on the basis of Article 6(1)(f) of the GDPR.
d) Google AdSense
To include advertisements, we use the Google AdSense service, provided by Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Google).
The use of these cookies can be disabled in your browser settings, however, this may affect the functionality of some services on our website.
Google AdSense cookies are stored on the basis of Article 6(1)(f) of the GDPR. We have legitimate interest in the behaviour analysis of our users with the purpose of optimising our websites and our advertising.
e) Google AdWords and Google Conversion Tracking
We use the Google AdWords service by Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA) to track the number of visits to our websites. This is used for advertising purposes (remarketing) in the Google search engine and in the Display Network. When you visit a website, your browser stores cookies that enable the website to recognise you as a visitor when you visit other websites that are part of the Google advertising network. These websites then display advertisements relating to the content that you previously viewed on other websites that also use Google’s remarketing function.
You can deny data being recorded by the Google AdWords service on ads.google.com.
We use Conversion Tracking as part of the Google AdWords service to generate conversion statistics, which measure the effectiveness of our online advertising campaigns. The Conversion Tracking cookie is stored if the user clicks on an advertisement published by Google. If you do not want to take part in this tracking, you can object to its use by deactivating the Google Conversion Tracking cookie in your browser settings.
The Google AdWords and Google Conversion Tracking cookies are stored on the basis of Article 6(1)(f) of the GDPR and we have legitimate interest in the behaviour analysis of our users with the purpose of optimising our websites and our advertising.
f) Google reCAPTCHA
In order to ensure adequate data protection when you enter any data on our website, we sometimes use the Google reCAPTCHA service (hereinafter referred to as reCAPTCHA).
It is primarily used to determine whether a data entry on our website (e.g. a contact form) was performed by a real person or whether it was an automated entry (misuse). The reCAPTCHA service includes sending IP addresses and any other information required by Google for this service (e.g. information about the webpages you visited, how long you browsed them, what you clicked, etc.).
The analysis performed by reCAPTCHA takes place in the background continuously, while visitors of our websites are not notified that this analysis is occurring.
Data processing with the reCAPTCHA service is carried out on the basis of Article 6(1)(f) of the GDPR.
As the website administrator, we have a legitimate interest in the protection of our online offer against malicious automated entries and unsolicited e-mails (spam).
g) Google remarketing
Our website uses the remarketing function of Google Analytics in connection with the Google AdWords and DoubleClick, both offered by Google.
This function enables advertising to be displayed on the basis of your interests, determined by your previous use of our websites and your browsing history on this device (e.g. on your mobile phone) or on all devices (e.g. also on your tablet or computer).
When you give your consent, Google will connect your browsing history and applications to your Google account. This means that any device that logs into your Google account will display the same promotional messages.
If you have enabled this function, Google Analytics collects the advertising ID to identify devices that are temporarily connected to our data as part of the Google Analytics service, in order to identify and create target groups for the display of advertisements across devices.
You can permanently disable remarketing/targeting between devices by switching off the tailored advertising in your Google account. To do so, click on this link: google.com/settings/ads/onweb/.
Collecting data that is stored in your Google account is based solely on your consent that can be given or withdrawn on the basis of Article 6(1)(a) of the GDPR. Collecting data that is not stored in your Google account (either because you do not have an account or have objected to this) is also based on Article 6(1)(a) of the GDPR.
h) Salesforce CRM
For customer relationship management (CRM), we use the leading American solution by Salesforce.com Inc., which is the most advanced in terms of technology and security and which also has data centres in Europe.
We have concluded an agreement on personal data processing with Salesforce.com, with which the company undertakes to comply with EU rules on personal data protection. The international transfer of personal data to Salesforce.com takes place on the basis of Binding Corporate Rules.
Salesforce.com undertakes to process the personal data of our users in accordance with our instructions and not transmit it to third parties.
The use of CRM is carried out on the basis of Article 6(1)(f) of the GDPR, and we have a legitimate interest in the optimisation of our services and in better managing our relationship with customers.
i) Pardot Marketing Automation
We use the Pardot Marketing Automation System (Pardot MAS) by Pardot LLC, 950 East Paces Ferry Road, Suite 3300, Atlanta, GA 30326, USA, which is software that collects and analyses website visitors’ movement profiles.
We also use Pardot MAS to record interactions with users and to communicate with users of our website; we use Salesforce for customer support and to hold chats as part of our online support. If not stated otherwise, these trusted third-party companies are not entitled to use your personal data beyond what is needed to help ensure the best possible service. In the event that we share personal data with these third parties, we require that they fulfil the data processor requirements as set out in the GDPR.
Pardot MAS stores a tracking cookie on your computer hard drive to monitor your actions and use of the website, however, it does not collect or store any of your personal data. You can prevent cookies from being stored at any time by configuring your browser to not accept cookies from the pardot.com domain. However, please note that, in this case, you will not be able to fully use all functionalities on the website.
We have concluded an agreement with Salesforce.com on personal data processing, in which it undertakes to process the personal data of our users in accordance with our instructions and not transmit it to third parties.
Pardot MAS cookies are stored on the basis of Article 6(1)(f) of the GDPR.
j) ROS SYSTEMS
In the production process we use the ROS technological solution that supports hotel operations and covers the following areas: HIS – hotel information system (Reception), GIS – gastronomy information system (Gastronomy), HIS – health and wellness information system (Health and Wellness) and HB – hotel billing. The ROS system is integrated with other IT solutions that we use and exchanges information with the systems of the Agency for Public Legal Records and Related Services, the Financial Administration of the Republic of Slovenia, the eZdravje health service system and the Health Insurance Institute of Slovenia (legal obligations).
We have concluded an agreement with ROS, d. o. o., Mlinska ulica 32, 2000 Maribor on personal data processing, in which it undertakes to process the personal data of our users in accordance with our instructions and not transmit it to third parties.
k) Flexkeeping (Facility)
The Flexkeeping application is used by hotels to manage and optimise work processes in the housekeeping service and maintenance service, and it ensures the faster flow of information between hotel employees, therefore providing better services for hotel guests.
The application is connected to the ROS system and enables the processing of hotel guest and employee personal data. The period for which hotel guests’ personal data is stored in the Facility system depends on how long they are staying at the hotel. Personal data is deleted once per day; this applies to checked-out guests.
International transfers of personal data
If we transfer your personal data from the European Economic Area, we only do so following our due diligence of suitable legal bases and protective measures, such as:
- Data protection policies, known as the Binding Corporate Rules,
- Standard contractual clauses that have been adopted by the European Commission, or by the Information Commissioner and approved by the European Commission in accordance with the applicable law,
- Codes or codes of conduct drawn up by associations or other bodies and approved by the Information Commissioner,
- Approved certification mechanisms (such as the EU-US Privacy Shield),
- Measures permitted by the Information Commissioner, such as contractual clauses between the data controller or processor and the data controller, processor or recipient of personal data in a third country or international organisation.
Your rights relating to your personal data
We would like to bring to your attention the following rights relating to your personal data, which you can exercise by sending an e-mail to firstname.lastname@example.org:
- Request access to your personal data and information about how we use and process your personal data,
- Request the rectification or deletion of your personal data,
- Request that we limit the use of your personal data,
- Request that we send you the personal data you have provided us with in a structured and machine-readable form (e.g. Excel spreadsheet), with the right to transfer this personal data to a different personal data controller,
- Object to the processing of your personal data for specific purposes (for additional information see the section below titled ‘Your right to object to the processing of your personal data for specific purposes’), and
- Withdraw your consent for us to use your personal data for which we require consent. If you withdraw your consent, this will not affect the legality of our use and processing of your personal data on the basis of your consent up to the day you withdrew your consent.
You are also entitled to lodge a complaint with the supervisory body, which is the Information Commissioner in the Republic of Slovenia, whose contact details are available at ip-rs.si/.
For additional information about your rights relating to your personal data, including the limitations that apply to some of these rights, see Articles 12 to 23 of the GDPR, available at:
Your right to object to the processing of your personal data for specific purposes
Relating to your personal data, you have the following rights that you can exercise in the same way as is described in the previous chapter (‘Your rights relating to your personal data’):
- Object to us using or processing your personal data even where we process it as part of our legitimate interests, including profiling on the basis of any of the listed purposes, and
- Object to the processing of your personal data for the purposes of direct marketing (including every automated assessment we perform about you or any of your personal characteristics, if this is in connection with such direct marketing).
You can also exercise your right to object to the use or processing of your personal data for the purposes of direct marketing by:
- Clicking on the unsubscribe link that is located at the bottom of all of our marketing e-mails that are sent to you, and by then following the instructions that appear in your browser after you click on this link, or
- Sending an e-mail to email@example.com with the request for us to stop sending you marketing e-mails, or just with the words “OPT OUT”.
In the event that you object to our direct marketing using a communication method that is not the same as the one by which you receive marketing messages from us, you must also provide us with your name and sufficient information to enable us to identify you in connection with the messages that you received (e.g. if you received a text message from us but want to unsubscribe by e-mail, you must provide your telephone number in the e-mail you send to us).
If we intend to use your personal data for a new purpose, you will be notified about the purpose and provided with any other important information before your personal data is used for this new purpose.
Changes to your personal data
We ask that you notify us about any changes to your personal data in order that the information we have about you is accurate and up to date.
Data Protection Officer
Terme Krka has appointed an authorised person for personal data protection (DPO – Data Protection Officer). In addition to other tasks that are set out in the General Data Protection Regulation, one of the key tasks of the DPO is to establish certain procedures and processes regarding personal data protection. The DPO is independent in their work, is free of conflicts of interest, and has expert knowledge of national and European legislation, experience in data protection and an in-depth understanding of the General Data Protection Regulation.
Our Data Protection Officer is
SAŠA KOS DRAGAŠ, univ. dipl. pravnica / Attorney-at-Law
TERME KRKA, d. o. o., Novo mesto, Novi trg 1, 8000 Novo mesto