Information on Data Protection

This Information applies in all cases of processing of your personal data by the sole proprietorship Citra, obrt za ugostiteljstvo, Controller of the Data, unless the use of other Information, Privacy Policy, or similar documents, regardless of their name which take precedence in application to this Information or supplement it (e.g., case-specific data processing cases) are foreseen for special processing cases.


The sole proprietorship Cittar, obrt za ugostiteljstvo za hotelijerstvo i turizam, 52466 Novigrad, Prolaz Venecije 1 is the controller of your personal data in the sense of the GDPR Regulation.
Regarding the processing of your personal data, you can contact us through our Personal Data Protection Officer, as follows:

  • by sending an inquiry to the email address:



We collect, store and process your personal data in other permitted ways for the following purposes.


Making a Reservation

  • When booking accommodation and other services, we collect your personal data so that we can enter into a contract for accommodation and other services, especially so that we can contact you (e.g., your phone/mobile number, email address), or entirely connect the reservation with you and other guests traveling with you (e.g., name, date of birth, number of guests, date of arrival, date of departure).

Without this information, we cannot enter into a contract for accommodation and other services.
Exceptionally, when making a reservation on the websites of our partners, in addition to the above data, we also collect and other data that the partner determines as mandatory and without which the contract cannot be concluded.


  • During your registration in the facility (check-in), we collect and process your personal data to comply with our legal obligations under the regulations on keeping a list and registering tourists.

According to currently valid regulations, we are obliged to collect the following data: surname and name, place, country and date of birth, citizenship, type and number of identity document, residence and address, date and time of arrival or departure from the facility, gender, note (basis for exemption from payment of sojourn tax, i.e., for the reduction of payment of sojourn tax).
We cannot provide you with accommodation without this information.

Safety-technical measures

  • During your stay in our facility, we apply safety and technical measures (e.g., video surveillance in public areas of the facility that can record you, key cards that can show your location, etc.) to protect you and your property, other guests and their property, our employees, and our property.

Safety and technical measures that exist in any of our facilities cannot be excluded from use at the request of an individual guest.

Statistical analyzes for our internal needs

  • We process your personal data for statistical purposes to collect information about our business and our services. The data is processed in a way that does not allow your identification (so-called depersonalized data).




We forward your personal data that we are obliged to collect when registering a guest (check-in) in electronic form to the eVisitor system, in accordance with the regulations on the manner of keeping the list and registering tourists.
We forward your personal data to our contractual processors who allow us to use computer programs for service management, and who have access to this data only to the extent necessary for the proper functioning of the program and other processors who allow us to provide catering and tourism services. We also forward your data to other Processors if this is necessary for the provision of accommodation services or other services (e.g., if you have booked a tourist transfer service provided by our contractual partner in addition to the accommodation service).
We disclose your personal data, i.e., make them available to third parties in other cases as well, but only when we are obliged to do so under the General Data Protection Regulation (GDPR), for example at the request of a competent judicial or administrative body.




We store your personal data:

  • for the duration prescribed by applicable regulations, if this data is collected solely for the purpose of fulfilling our legal obligations: – for example, we are obliged to keep the data from the guest book for at least 2 years from the end of the calendar year in which the guest stayed in our facility, and this data must be stored for 10 years in the eVistor system;
  • – in addition, according to the regulations in the field of accounting, we are obliged to keep the issued invoices for 11 years, and thus the personal data contained in them. for the duration required for the expiration of the statutory limitation period (three or five years) and the additional reasonable time required for any request sent to a judicial or administrative body to be delivered to us, if this information was obtained exclusively in connection with contracts we have concluded or negotiated with you (e.g., data from reservation requests/requests and booking confirmations, data related to membership in loyalty programs, participation in prize contests, etc.);
  • until you withdraw your consent if we also base the data processing on your consent;
  • 10 years if the processing is based on our legitimate interests;
  • 6 months (recordings – video surveillance).




Users of our services have the following rights under the General Data Protection Regulation (GDPR):




You can at any time ask us to confirm whether your personal data is being processed, and if they are being processed, you have the right to request access to that data and information listed in Article 15 of the General Data Protection Regulation (GDPR).
Upon your request for exercising the right of access, we will provide you with data and information in electronic form (e-mail), unless you have not specified an e-mail address in your request or if you have explicitly requested delivery by mail.




It is your right to obtain from us without delay the correction of inaccurate and incomplete personal data.




If you believe that we have collected or otherwise processed your data contrary to the General Data Protection Regulation (GDPR), you have the right to request that we delete such data. If the request is justified, the data will be deleted without undue delay.
You may also obtain the right to erasure if your personal data is no longer necessary for the purposes for which they were collected or otherwise processed, if you have withdrawn your consent to the processing, if you have objected to the processing necessary for our legitimate interests or if the data must be deleted to comply with a legal obligation.
If there are reasons that prevent or restrict us from complying with your request, we will notify you in response to the request.




It is your right to ask us to restrict the processing of your personal data if you dispute the accuracy of this data (for a period that allows the controller to verify the accuracy of personal data), if the processing is illegal and you object to the deletion of data, if you object to the processing of your data. and if we no longer need the data, but you need it to set, exercise or defend legal claims.




It is your right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit these data to another controller if the processing of this data is based on consent or contract and is carried out automatically.




If we process your data on the basis of your consent, you may withdraw that consent at any time without affecting the legality of the processing based on that consent.




Your rights are exercised free of charge, and only exceptionally with the payment of an administrative cost.
We will inform you of the administrative cost we are entitled to charge under the General Data Protection Regulation (GDPR) before it is incurred, provided that the preconditions for its collection are met.




It is your right at any time, based on your special situation, to object to the processing of personal data that we carry out on the basis of our legitimate interests, which includes the right to lodge a complaint regarding the creation of profiles associated with those legitimate interests.
If you believe that the processing of your personal data violates the General Data Protection Regulation (GDPR) in any way, please contact us via our Personal Data Protection Officer at the e-mail address:
It is your right to lodge a complaint with the supervisory authority if you believe that the processing of your personal data violates the General Data Protection Regulation (GDPR) in any way. You can lodge a complaint, for example, with a supervisory authority in an EU Member State where you have your habitual residence or where you work or in the Republic of Croatia (Personal Data Protection Agency).
*** The processor shall provide the Data Subject with information on the actions taken on request without undue delay and in any case within one month of receiving the request. This period may be extended by an additional two months, as appropriate, considering the complexity and number of applications. The controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the processor does not act upon the data subject’s request, the processor shall without delay and no later than one month from the receipt of the request inform the data subject of the reasons for not acting and of the possibility of lodging a complaint with the supervisory authority.




We use your data (name and surname, email address and language) to personalize services and promotional (marketing) materials and adapt them for you. We personalize services and materials by profiling (e.g., the so-called segmentation) that help us better understand your interests. Profiling you does not limit you in any way in the choice of services we provide.
We apply automated decision-making in such a way that, depending on the created profile or data that you have provided to us, a computer program, without human participation, delivers an offer and/or promotional (marketing material) to you. This automated decision-making does not limit you in any way in the choice of services we provide.