Privacy policy
General information
Thank you for visiting our website. At the MERIDIJAN 16 Hotel, we approach our guests with special attention to provide you supreme service and to fulfill all yours expectations.
Considering the importancy of privacy and a right to privacy, the MERIDIJAN 16 Hotel is committed to protect your personal data in accordance to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR) and the national legislation (Act on application of the General Data Protection Regulation, Official Gazette No. 42/2018).
With this Privacy policy we want to inform you which personal data we collect from you on this website, through written or verbal communication and during your visit to our hotel, in what purpose, how do we act with it, who has an approach to it, who process it, to whom he disclose it and in what purpose, on what time period we keep them, how we assure them of unauthorised access and about your rights regarding to personal data protection.
This Privacy policy governs the processing and a way of handling with a personal data which you provide us via the contact form, reservation form or other forms or personal contact.
Personal Data Protection
Controller is:
16. MERIDIJAN Ltd., Zagreb, Ulica grada Vukovara 241, OIB: 91429672003.
Data processor contact informations:
- in written: 16. MERIDIJAN Ltd., Zagreb, Ulica grada Vukovara 241, or
- e-mail address: This email address is being protected from spambots. You need JavaScript enabled to view it.
By filling in the contact form and/or reservation form on the website, therefore, providing us with your personal data, such as name, e-mail address, phone number, etc., you guarantee that data you have provided are accurate and that you are familiar and agree with the provisions of this Privacy policy.
16. MERIDIJAN Ltd. guarantee to visitors and guests of the Hotel that all personal data represents a business secret.
16. MERIDIJAN Ltd. will take the necessary tenical and organization security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
We collect and process personal data in order to response to your inquiry, statistical purposes, reservation, ensure the provision and payment of a service, and other purposes specified bellow, all in accordance to legal obligations and/or necessity for the purpose of legitimate interests of the controller or third party.
The credit card data you provide shall be used solely as a means of securing payment of booked services and we protect them as same as any other of your personal data, according to the GDPR and national legislation. After the duly rendered and paid services, this data shall no longer be used without your explicit consent.
If we wish to contact you in any manner regarding our promotions and services, we will ask your consent.
Personal data we collect, process and disclose, and that are governed and covered by our Privacy policy:
1. name and family name
2. sex
3. date of birth
4. state of residence
5. place of residence
6. identification document type
7. identification document number
8. date of arrival/departure
9. state of birth
10. e-mail address
11. phone number
This Privacy Policy does not apply to our personal data processing on behalf of and on the basis of instructions of a third party such as companies that organise or offer travel packages and other service providers legally entitled to share with us your personal data.
Definitions of certain terms
Privacy policy of the MERIDIJAN 16 Hotel is based on the terms from the GDPR. It should be legible and understandable for the general public and our customers. To ensure this, first we would like to explain the terminology used.
- Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
- Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Controller
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
An access to personal data collected from the guests, personal data processing, personal data disclosure and a purposes and legal basis of processing and disclosure of personal data of the guests
A director, business manager, reception manager and all employees, processors and recipients due to personal data processing, have an access to personal data collected from guests.
Guest's personal data processing is performed for the following legal purposes:
- response to inquiry
- statistical purpose
- reservation
- check in and check out of the guest to the eVisitor system
- receipt issue
- check-in and check-out
- monitoring the implementation of the obligation of registering visitor check-in and check-out by the payer (accommodation service provider)
- records, calculations and collection of sojourn tax
- keeping a register or list of guests by the accommodation services provider and monitoring the implementation of the said obligation by the inspection authorities
- Registration of foreigners in the Ministry of the Interior and the monitoring of the implementation of the said obligation by the inspection authority
- keeping records of tourists by tourist boards and statistical processing and reporting
- supervision of business of accommodaton service providers in the part related to the legality of providing registered services and compliance with taxation and other regulations on public contributions
Personal data processing is performed for the following legal basis:
Sojourn Tax Act
- Ordinance on the manner of keeping visitor registers and the form and content of the form of registration of visitors with the tourist board
- Customs Services Act
- Hospitality and Catering Industry Act
- Tourist Inspection Act
- Aliens Act
- Act on Police Affairs and Authoritie
- Act on Tourist Boards and Promotion of Croatian Touris
- General Tax Act
- Act on the Inspection of Road Transport and Roads
Processors are:
- accounting service
- IT maintenance service provider
- web developer
Recipients are:
- Tourist Boards (eVisitor information system for check-in and check-out)
- tax administration
- Ministry of the Internal affaires
- court and other public authorities
Time period of keeping and usage of guests personal data
In accordance with Article 6 of the Ordinance on the manner of keeping visitor registers and the form and content of the form of registration of visitors with the tourist board, the collected information is retained for the period of 10 years.
Data Confidentiality
Your personal data shall remain confidential when you visit the hotel's website, and also during your physical visit to the hotel. We are obliged not to disclose your personal data to any third parties, except in the cases as set forth in the applicable legislation. We shall not disclose your personal data to any unauthorised third parties without your explicit consent, as this is contrary to the Privacy policy, the GDPR and to the national legislation.
Protecting the Personal Data of Children
16. MERIDIJAN Ltd. does not process the personal data of persons under 18 years that might be used for internet contact, without the explicit permission of a parent or legal representative.
16. MERIDIJAN Ltd. guarantees the protection of children’s personal data, provided for by special laws governing this issue.
Processing of special categories of personal data
Processing of special categories of personal data refers to processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Basically, 16. MERIDIJAN Ltd. do not collect sensitive data, unless you voluntarily provide them to us as we could provide you a better service and meet your specific needs (e.g. disabled access etc.).
Use of Cookies
To make it easier to browse our website, the MERIDIJAN 16 Hotel website use cookies. Cookies are small files that the server puts on the user's computer upon approach to websites to enable extra functionality of those websites.
Informations collected by cookie includes your IP address. After you stop working on a server, informations are no longer available to the company 16. MERIDIJAN Ltd.
On our website choose a use of cookie you are agreed with, except cookies which use can not be excluded.
Rights of the data subject regarding to personal data protection
- Information to be provided where personal data are collected from the data subject (Article 13 of the GDPR)
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
In addition to the information referred to in Article 13 paragraph 1 of the GDPR, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Article 13 paragraph 2 of the GDPR.
Paragraphs 1, 2 and 3 of Article 13 of the GDPR shall not apply where and insofar as the data subject already has the information.
- Information to be provided where personal data have not been obtained from the data subject (Article 14 of the GDPR)
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
In addition to the information referred to in Article 14 paragraph 1 of the GDPR, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1) of the GDPR, the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide the information referred to in Article 14 paragraphs 1 and 2 of the GDPR:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Article 14 paragraph 2 of the GDPR.
Paragraphs 1 to 4 of Article 14 of the GDPR shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR or in so far as the obligation referred to in paragraph 1 of Article 14 of the GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
- Right of confirmation and acess (Article 15 of the GDPR)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
- Right to rectification (Article 16 of the GDPR)
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (Right to be forgotten) (Article 17 of the GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
Where the controller has made the personal data public and is obliged pursuant to Article 17 paragraph 1 of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Paragraphs 1 and 2 of Article 17 of the GDPR shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) of the GDPR as well as Article 9(3) of the GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in Article 17 paragraph 1 of the GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
- Right to restriction of processing (Article 18 of the GDPR)
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under Article 18 paragraph 1 of the GDPR, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing pursuant to Article 18 paragraph 1 of the GDPR shall be informed by the controller before the restriction of processing is lifted.
- Right to data portability (Article 20 of the GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2)of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
(b) the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to Article 20 paragraph 1 of the GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right referred to in paragraph 1 of Article 20. of the GDPR shall be without prejudice to Article 17. of the GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right referred to in Article 20 paragraph 1 of the GDPR shall not adversely affect the rights and freedoms of others.
- Right to object (Article 21 of the GDPR)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in Article 21 paragraphs 1 and 2 of the GDPR shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDRP, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Automated individual decision-making, including profiling (Article 22 of the GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Paragraph 1 of Article 22 of the GDPR shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
In the cases referred to in points (a) and (c) of paragraph 2 of Article 22 of the GDPR, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Decisions referred to in Article 22 paragraph 2 of the GDPR shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
- Right to withdraw data protection consent (Article 7 paragraph 3 of the GDPR)
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Filling a motion for rigths achievement
As we could assure you an achievement of rights mentioned above, we inform you that you can file a motion for an achievement of rigths in written: 16. MERIDIJAN Ltd., Zagreb, Ulica grada Vukovara 241, or through an e-mail adresu: This email address is being protected from spambots. You need JavaScript enabled to view it..
Filling an object
A guest has a right to file an object to the supervisory body- Personal Data Protection Agency (PDPA), Martićeva ulica 14, 10 000 Zagreb.
Changes and Termination of Privacy policy
16. MERIDIJAN Ltd. reserves the right to modify or terminate all or any part of this website and the Privacy Policy at any time.