GDPR regulation
Regulation of the European Parliament on the protection of natural persons with regard to the processing of personal data and on the free movement of such data or the GDPR
To ensure that you are not confused by newspaper articles on this topic and so you know how to proceed with regard to this regulation (with regard to the registration of guests), please find the opinion of the Croatian Tourist Board below:
"Personal data may only be collected and further processed if there is a legitimate purpose and a valid legal basis, i.e. exclusively with the consent of the data subject and only for the purpose for which the data subject has given consent, for the purpose of fulfilling legal obligations. Therefore, we are of the opinion that accommodation providers have the right to request an identification document from the guest in order to obtain personal data that must be collected for special, explicit and legal purposes, i.e. to fulfil the obligations arising from the relevant regulations.
We are also of the opinion that entering data into the eVisitor system does not require the consent of the data subject, since the data is collected for legal purposes. The data subject needs to be informed of these purposes and it needs to be explained to the data subject that without such data, the accommodation providers would not be able to fulfil their obligations prescribed by law, i.e. to register a guest, which would make it impossible to provide the accommodation service. Such data may be used exclusively for the purpose for which it was collected."
To clarify: a legal or natural person who provides an overnight stay service in an accommodation facility or an overnight stay service on a vessel of nautical tourism and a person in a household or homestead are obliged to report the arrival of guests to the tourist board of the municipality or city within 24 hours and deregister their stay within 24 hours. Accordingly, the data used in the registration and deregistration of tourists is entered on the basis of data from the identity document, travel document or some other identity document. Therefore, the registration of guests in eVisitor is your legal obligation, and you have the right to collect from guests only the data that you are obliged to enter into the program. This also means that you must not copy the data of your guests on any paper or in notebooks, that you must not scan, photocopy or photograph it without the consent of the owner of the documents, and that you must not exchange such data with each other via e-mail or messages (this also means that you must not send them to us by email in order to for us to register the guests).
Also, the GDPR restricts the current marketing practices of sending newsletters, notifications or offers to your guests by e-mail or text messages, unless you have their express consent for this. This consent must be written in understandable language, and it must specify the data whose collection is permitted, how long this data may be stored and what types of processing it may be used for. However, the data subject has the right to withdraw their consent at any time, and also has the right to request data deletion.
Considering that the legislator has prescribed that the registration of guests directly in eVisitor is the responsibility of the accommodation provider, we believe that there is no need to violate the GDPR regulation by misusing the personal documents of our guests. However, we think it is important to draw your attention to this.