Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – the General Data Protection Regulation – GDPR (hereinafter: the Regulation), ŽITO d.d., Osijek acts as the Data Controller of your personal data collected through this website.

This Notice on the Processing of Personal Data applies to guests of Hotel Materra and users of the services of the travel agency ŽITO d.d. BRANCH ČEPIN, travel agency.

Data Controller:

ŽITO d.d.
Đakovština 3, 31 000 Osijek
OIB (Personal Identification Number): 03834418154
[email protected]

ŽITO d.d. respects privacy and protects the personal data of hotel guests and users of travel agency services in accordance with the General Data Protection Regulation (GDPR) and other applicable regulations. It implements appropriate technical and organizational protection measures and ensures that all personal data of guests is processed lawfully, fairly and transparently.

A stay at Hotel Materra may be booked directly through our website, by e-mail, by telephone or through partner booking platforms.
When making an inquiry or reservation, we process the data necessary to handle your request – name and surname, e-mail address, telephone number, desired arrival and departure date, number of guests, number of children under the age of 12, and any additional notes you may provide.

Upon arrival at the Hotel, for the purpose of providing accommodation services, we process your personal data, including data relating to your stay, services used and method of payment.

During your stay, you may use various hotel services and facilities – wellness, bar, conference hall, television content, room service, transportation, excursions and other services.

For the purpose of providing these services, we process data such as name and surname, room number, time and type of service used, and any special requests or notes.
If, for certain services (e.g., room service), you voluntarily provide information relating to dietary habits or other special requests, such data are processed exclusively on the basis of your consent for the purpose of providing a personalized service.

For certain health and wellness treatments, it is necessary to have certain information about the guest’s health condition in order to assess whether the treatments are safe and appropriate. Such data is necessary solely for the protection of the guest’s health and the proper provision of the service. If the guest withholds or fails to disclose relevant information, there is a risk that the selected treatment may not be suitable or may have undesirable effects on the guest’s health, which means that, in such circumstances, certain treatments may not be performed.

Legal basis: taking steps at the request of the data subject prior to entering into a contract and performance of a contract; guest consent for special requests.

In accordance with special regulations of the Republic of Croatia, all guests are registered in the Tourist Check-in and Check-out Information System (eVisitor).

For this purpose, we collect data contained in an identity document – first and last name, date of birth, nationality, place and country of birth, gender, and the identity document number.

Legal basis: compliance with a legal obligation of the controller.

When confirming a reservation or checking in at the Hotel reception, a bank card pre-authorization may be carried out, i.e. a temporary reservation of a certain amount as a payment guarantee and to cover possible additional costs, such as mini bar, wellness or damage to property.

The pre-authorized amount does not constitute a charge to the bank account, but only a temporary reservation of funds. The final payment is made upon the guest’s check-out, and the unused part of the pre-authorization is released immediately after the end of the stay.

Payment card data is stored exclusively in a secure and certified payment system that meets international security standards for the processing of card transactions, PCI-DSS – Payment Card Industry Data Security Standard.

All payment card data is encrypted and processed through an authorized payment processor, thereby preventing unauthorized access, copying or use of data.
Hotel Materra does not have access to complete card data, such as card number and security code – CVV. Only an anonymized form of data is available, enabling secure payment processing and cancellation of pre-authorization.

During the stay and at check-out, we also process data necessary for payment, invoicing, and fiscalization (name/company name, address, OIB – where required, data on quantity and price of services used, and payment transaction data).

Legal basis: taking steps prior to entering into a contract and performance of a contract; compliance with a legal obligation of the controller.

Your e-mail address, collected during the reservation and check-in process, will be used to send notifications and newsletters about Hotel Materra services, special offers, benefits, discounts and news in our offer, which we believe may be relevant and useful to you as a guest. In this case, we process your personal data on the basis of our legitimate interest.
You can unsubscribe from the newsletter recipients list at any time by selecting the appropriate option at the bottom of each message received.

If, as a website visitor, you have subscribed to receive the newsletter, the legal basis for data processing is your consent. Consent is entirely voluntary and may be withdrawn at any time via the unsubscribe link included in each received message or by sending a request to [email protected].

A guest may also give consent to participate in surveys on satisfaction with Hotel Materra services. Data collected through questionnaires and ratings are used exclusively for analyzing the stay experience and improving service quality. Responses are processed statistically, without linking them to the identity of the guest.

Hotel Materra occasionally organizes prize contests, promotions, and giveaways via its official social media profiles. In such activities, we process personal data of participants who voluntarily register to participate – such as name and surname, social media username, contact details (e-mail address or phone number), and the content of posts, comments, or messages submitted as part of the contest.

Legal basis: consent of the guest/contest participant.

Data you provide via e-mail, website contact forms, by phone, or in person are used exclusively to provide the requested information and respond to inquiries.

Legal basis: depending on the content of the inquiry or the existing relationship with the person submitting the inquiry (guest, potential guest, etc.), processing is based on consent or on taking steps prior to entering into a contract and the performance of rights and obligations arising from a contractual relationship.

In the event of a written complaint or claim regarding a provided service, the hotel processes personal data required to handle the complaint (first name, last name, contact details, content of the complaint, and supporting documentation).

The data are used exclusively for resolving complaints and are retained in accordance with consumer protection regulations.

Legal basis: taking pre-contractual steps and performance of a contract; fulfillment of the legal obligation of the Data Controller.

For the purpose of improving the quality of our service, verifying and proving received requests, reservations and special instructions, and protecting our legal interests in the event of complaints, claims or legal requests, outgoing and incoming telephone calls to the Hotel reception are recorded. Before the beginning of each conversation, data subjects are informed about the recording by a recorded announcement.

Legal basis: legitimate interest of the Data Controller.

Certain areas of the hotel, such as entrances/exits, reception, corridors, gym, parking area, and outdoor areas, are covered by a video surveillance system installed for the safety of guests, employees, and hotel property. Recordings are retained for a limited period, no longer than 60 days. Clear notices with basic information about recording and data processing are displayed in all monitored areas.

Legal basis: the controller’s legitimate interest in protecting persons and property.

ŽITO d.d. Branch Čepin, travel agency, collects and processes basic identification and contact data of guests and/or service users, exclusively to the extent necessary for the provision of travel services, including the organization, sale and execution of package arrangements, excursions, transport and transfers, as well as services within congress tourism, organization of tours of cultural and historical landmarks, and the sale, intermediation and reservation of tickets, catering and other related travel services, including intermediation in the provision of services by other providers.

Legal basis: taking steps prior to entering into a contract and performance of a contract; compliance with a legal obligation of the controller.

Hotel Materra collects and processes personal data of children only to the extent necessary for the provision of accommodation services and fulfillment of legal obligations, for example when registering in the eVisitor system. Children’s data is collected from their parents or legal representatives.

Special categories of guests’ personal data are not required for reservation, provision and payment of services. However, before and during the stay, the guest may, at their own discretion, provide certain special categories of personal data – for example, information about health condition, dietary habits, allergies or other circumstances relevant for a comfortable and safe stay. Such data is processed exclusively with the guest’s consent, for the purpose of providing a tailored service and increasing safety during the stay.

ŽITO d.d. is a potential employer and Data Controller of the personal data of interested candidates.

Information on the processing of personal data of job applicants for employment at Hotel Materra is available at: https://zito.talentlyft.com/

The Hotel Materra website uses cookies to ensure the proper functioning of the website, improve user experience and analyze website traffic. Detailed information about the types of cookies, their purpose and storage period is available within the cookie management tool, which can be accessed by selecting the cookie icon at the bottom of the website.

Personal data of Hotel Materra guests and users of travel agency services is available exclusively to persons and partners authorized to process it, and only to the extent necessary for the provision of a particular service. Reliable business partners – processors – participate in the processing of personal data on behalf of and for the account of the Hotel by providing services necessary for regular business operations, such as managing the reservation system, carrying out payment transactions through secure payment systems/payment gateways, maintaining and administering the Hotel website and providing IT support. The Hotel’s relationship with these partners is regulated by personal data processing agreements, under which the partners are obliged to maintain confidentiality, apply appropriate technical and organizational protection measures and process personal data exclusively in accordance with the instructions of the Data Controller – ŽITO d.d.

In accordance with applicable regulations of the Republic of Croatia, the Hotel is required to provide certain personal data to competent public authorities.

For the purpose of fulfilling the legal obligation to register tourists’ stays, guest data are entered into the Information System for the Registration and Deregistration of Tourists – eVisitor – managed by the Croatian National Tourist Board.

In certain cases, when necessary to fulfill legal obligations or act upon a request from a competent authority, such as the Ministry of the Interior, a competent court or another public authority, the Hotel will be obliged to provide personal data in a precisely defined scope and exclusively for the purpose prescribed by law. Each such disclosure is carried out with appropriate protection measures and documented recording of the data transfer.

For sending newsletters, Hotel Materra uses the Mailchimp service, owned by Intuit Inc., headquartered in the United States of America. The transfer of personal data is carried out in accordance with the GDPR, as Intuit Inc. participates in the EU–US Data Privacy Framework, which constitutes an adequacy decision under Article 45 of the GDPR and ensures an adequate level of personal data protection.

Personal data are stored for the period necessary to achieve the purpose of processing or for the period prescribed by law.

• Data on reservations and guests’ stays, including check-in and check-out data, is stored for a minimum of 2 years from the guest’s check-out, in accordance with the Ordinance on the form, content and manner of keeping the guest book and guest list.
• Invoices, accounting records, and fiscal documents are retained for 11 years after the end of the year in which the document was created, in accordance with the Accounting Act and tax regulations.
• Payment and bank card pre-authorization data are retained until the transaction is completed and all costs are settled, and for a maximum of 14 days from guest check-out, due to possible complaints or refunds.
• Data from inquiries and communication with potential guests are retained for up to 12 months after completion of communication.
• Data related to complaints and claims is stored for 12 months from receipt of the complaint, in accordance with the Consumer Protection Act.
• Data processed on the basis of consent, such as for sending newsletters or participating in satisfaction surveys, are retained until consent is withdrawn.
• Data collected for the purpose of organizing prize contests are retained until the end of the contest.
• Audio recordings of calls to the reception are stored for 12 months.
• Video surveillance recordings are retained for a maximum of 60 days.
• Data on users of travel agency services is stored for a minimum of 2 years from the use of the service, in accordance with the Act on the Provision of Tourism Services.
After the expiry of the stated periods, all personal data is deleted or anonymized, unless further storage is mandatory under special regulations or necessary for the establishment, exercise or defense of legal claims of the Data Controller.

Hotel Materra applies appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data. Measures include, among others, controlled access to systems, protection of computer and communication networks, regular security updates, access logs, backups, and other applicable measures depending on the sensitivity of the data and security risks.

All employees and partners with access to personal data are obliged to maintain confidentiality and act in accordance with internal data protection rules. Guests’ personal data are not transferred outside the European Union. If, in exceptional cases, such a transfer were necessary (e.g., due to use of external providers), the transfer would be carried out exclusively with appropriate safeguards, such as the European Commission’s Standard Contractual Clauses or another applicable protection mechanism.

Depending on the legal basis and purpose of processing, you have the following rights regarding the processing of personal data:

• Right to information and access – the right to obtain confirmation as to whether personal data are being processed and access to the data and information on the purpose, scope, and manner of processing
• Right to rectification – the right to request correction of inaccurate data or completion of incomplete data
• Right to erasure (“right to be forgotten”) – the right to request deletion of personal data if they are no longer necessary for the purpose of processing or if there is no other legal basis for their retention
• Right to withdraw consent – where processing is based on consent, it may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal
Where applicable, depending on the processing circumstances and legal basis, you may also have the following rights:
• Right to restriction of processing – for example, where the accuracy of data is contested or where data are no longer needed for the original purpose but must be retained for legal claims
• Right to data portability – the right to receive personal data in a structured, commonly used, and machine-readable format if processing is based on consent or contract and is carried out by automated means only
• Right to object – the right to object at any time to processing based on the hotel’s legitimate interest, including processing for direct marketing purposes
• Right to object to automated decision-making – in cases where a decision about a guest would be made solely by automated processing, without human assessment

To exercise your rights or obtain additional information about the protection and processing of personal data, you may contact the Data Protection Officer at: [email protected] or by sending a written request to Hotel Materra, Ul. Ovčara 5, 31431 Čepin, marked “For the Data Protection Officer”.
You may also submit a complaint to the Croatian Personal Data Protection Agency (AZOP) at: [email protected], if you believe that your rights have been infringed or your request has not been fulfilled.

This Personal Data Processing Notice is regularly updated to ensure compliance with applicable regulations, business practices, and Hotel Materra services.

Last updated: May 2026.