Privacy policy

The purpose of this Privacy Policy is to inform individuals, customers, service users, business partners, employees and other persons (hereinafter: the “data subject”) who cooperate with the company Elephant group, d.o.o.(hereinafter: the “Company”) about the purposes, legal bases, security measures and the rights of data subjects in relation to the processing of personal data carried out by the Company.

Any amendments to this document will be published on our website. By using the website, you confirm that you are familiar with the full content of this Privacy Policy.

Data Controller

The controller of personal data obtained through this website is the Company Elephant group, d.o.o., Dalmatinova 15, 1000 Ljubljana, registration number: 5308313, VAT ID: SI14568004. We are committed to respecting your privacy and to processing your personal data securely and in accordance with the legislation governing the protection of personal data (Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act – ZVOP-2). The data obtained is used exclusively for purposes related to our business operations.

E-mail: reservations@cityhotel.si 

Website:  www.cityhotel.si

Personal Data

Personal data means any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Purposes of Processing and Legal Bases for Processing

The Company collects and processes personal data on the following legal bases:

• ­          processing is necessary for compliance with a legal obligation to which the controller is subject;
• ­          processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
• ­          processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
• ­          the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• ­          processing is necessary in order to protect the vital interests of the data subject or another natural person.

How Do We Collect Your Personal Data?

We handle personal data with the highest possible degree of care. All personal data obtained from website users is private and confidential.

Personal data is collected via the reservation form, in which the user enters all personal data relevant to the reservation and to the performance of the requested service.

In addition, we collect personal data provided by the user when completing the newsletter subscription form and the online event enquiry form.

If a customer sends us an electronic enquiry regarding accommodation or other hotel services, we may send an offer for our services in the form of a modern proposal prepared using the Proposales tool.

We also collect personal data in person upon the guest’s check-in at the hotel reception.

In addition to the personal data you provide through the methods listed above, this website uses technology that collects certain technical data, such as the user’s IP address. The user’s IP address is recorded when subscribing to the newsletter (and is used solely as evidence that the data subject has personally subscribed to the newsletter).

In all other cases, IP addresses are not linked to individuals and website users remain anonymous. Anonymous data on website use is collected through cookies and similar technologies. More information on the use of these technologies is available in the Cookie Policy.

Categories of Personal Data Collected

Through the reservation form, we collect the following data:

• First name, surname, telephone number, e-mail address and country;
• Company details (where the reservation is made on behalf of a company);
• Credit card details (credit card type, cardholder name, card number and expiry date);
• Guest stay details, including arrival and departure dates, type of service, selected special offers, special requests and preferences;
• An option to subscribe to promotional newsletters by ticking an unchecked consent box.

Through the newsletter subscription form, we collect the data subject’s first name, surname, e-mail address, selected language, date and time of subscription, and IP address.

When submitting an enquiry regarding an event, we collect all data related to the event (contact details such as first name, surname, e-mail address, company name and address, start and end time of the event, duration of the event, number of participants, accommodation requirements and requested services).

Upon check-in at the hotel reception, we collect the guest’s first name and surname, country, date of birth, type of identity document and personal identification number.

Purposes of Use of Personal Data

All data obtained via the reservation form is used to process reservations and for communication related to the provision of our services. This includes transactional e-mails necessary for the performance of the contractual relationship concluded between the Company and the recipients of our services (guests).

The e-mail address obtained via the newsletter subscription form or by ticking the newsletter subscription box in the reservation form is used to send promotional materials via the HubSpot CRM system for e-mail marketing. Data relating to the name and selected language are used to personalise the newsletter experience. The data subject may, at any time, request the termination of such communication and the processing of personal data, and withdraw consent to receive messages by using the unsubscribe link included in the received message or by submitting a request by e-mail or post to the Company’s address.

Data collected via the event enquiry form is used to prepare offers for events, meetings or conferences organised at the hotel.

Personal data collected upon check-in at the hotel reception is processed for the purpose of complying with legal obligations.

Legal Basis for Processing

Retention Periods

The retention period depends on the legal basis for processing and therefore differs depending on the type of processing.

Personal data is only retained for as long as necessary to achieve the purpose for which it was collected. Where processing is based on legal obligations, data is retained for the period prescribed by law. Certain data is retained for the duration of cooperation with the Company, while some data must be retained permanently. Personal data processed on the basis of a contractual relationship is retained for the duration of the contract and for a further six (6) years after its termination, unless a dispute arises. In the event of a dispute, data is retained for ten (10) years after the final court decision, arbitration award or court settlement, or, if no judicial dispute occurred, for six (6) years after amicable settlement. Personal data processed on the basis of consent or legitimate interest is retained until consent is withdrawn or a request for erasure is submitted. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal. Data is deleted no later than fifteen (15) days after receipt of the request. The Company may also delete such data prior to the withdrawal of consent if the purpose of the processing of personal data has been achieved or if this is required by law. When a data subject exercises his or her rights, the Company shall retain that data subject’s personal data until a final decision has been taken in the matter and, thereafter, in accordance with the final decision.

By way of exception, the Company may refuse a request for erasure for reasons such as the exercise of the right to freedom of expression and information, compliance with a legal obligation requiring processing, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or the establishment, exercise or defence of legal claims. Upon the expiry of the retention period, the Company shall permanently and effectively delete or anonymise personal data so that it can no longer be associated with an identified data subject.

Video Surveillance (CCTV)

The Company Elephant group, d.o.o. carries out video surveillance. CCTV is used to monitor entrances and exits at the locations Dalmatinova ulica 15 and Dalmatinova ulica 8, Ljubljana.

Video surveillance is carried out for the purposes of ensuring the safety of persons, protecting property, securing business premises, controlling access and investigating criminal offences (on the basis of legitimate interest pursuant to Article 6(1)(f) GDPR in conjunction with Articles 76 et seq. of the ZVOP-2). Within certain working areas (e.g. corridors), video surveillance is only carried out where this is strictly necessary for the safety of persons or property or for the protection of classified information or business secrets. Video surveillance assists in the detection, handling or resolution of incidents or extraordinary events, criminal offences, compensation claims or other claims. Recordings are retained for a maximum of 30 days. Video surveillance is not carried out in a manner that would have a significant impact, nor does it enable unusual further processing, such as transfers to recipients in third countries. Video surveillance allows for live monitoring.

All information regarding the operation of video surveillance may be obtained by e-mail at reservations@cityhotel.si. The rights of data subjects are described in this Privacy Policy. Any additional questions may be addressed to our e-mail address at reservations@cityhotel.si.

Joint Controllers

For certain aspects of personal data processing, we act as joint controllers together with the company Hotel Slon d.d., Slovenska cesta 34, Ljubljana, with our respective responsibilities determined in accordance with Article 26 of the General Data Protection Regulation.

Joint control applies to those processing operations in which both organisations process or have access to the same personal data for the purpose of providing agreed services. The purpose of this joint processing is to enable the efficient provision of services, the management of relationships with guests and business partners, the sending of notifications, and the performance of related administrative and support processes necessary to ensure the integrity of the business operations of both entities.

Each controller is responsible for the lawfulness of processing within its own scope of business operations and for the implementation of appropriate technical and organisational measures to protect personal data. At the same time, the joint controllers cooperate closely in handling data subject requests, ensuring transparent processing, fulfilling the statutory obligations and addressing personal data breaches.

Further information on data subjects or categories of data subjects and on retention periods or the criteria used to determine the retention period of your personal data collected by the controllers is available in the privacy policy of the respective controller.

Contractual Processing of Personal Data and Data Transfers

The Company may entrust certain personal data processing operations to a processor on the basis of a data processing agreement. We cooperate with external service providers who act as our personal data processors. On our behalf, they process data for the purpose of obtaining reservations, providing analytical and marketing services, improving services and the user experience, and similar purposes.

• For the processing of card data and payments, we use the payment services of the company Worldline Financial Services (Europe) S.A., Representative Office Slovenia, Gospodinjska ulica 8, 1000 Ljubljana, Slovenia. More information on the Worldline privacy policy is available here.

• For marketing support, customer communication management and sending promotional newsletters, we use the HubSpot CRM software provided by HubSpot, Inc. HubSpot ensures a high level of security and personal data protection and processes personal data in accordance with the applicable legislation. In the event of transfers of personal data from the European Union, HubSpot relies on Standard Contractual Clauses (SCCs) approved by the European Commission, which constitute a lawful mechanism for secure data processing. The updated Standard Contractual Clauses are automatically incorporated into HubSpot’s Data Processing Agreement (DPA), ensuring that personal data is processed securely, lawfully and without interruption of services. More information on the privacy policy of HubSpot, Inc. is available here.
• We use the Proposales software provided by the company Proposales AB, Swedish registration number 559150-6075, as a tool for sending modern offers to customers in response to their electronic enquiries. Proposales AB stores and processes personal data in accordance with Swedish law and EU legislation. More information on the privacy policy of Proposales AB is available here.

For the purpose of ensuring better oversight and control of processors and the proper regulation of contractual relationships, the Company also maintains a register of processors, listing all specific processors with whom the Company cooperates.

Under no circumstances will the Company disclose a data subject’s personal data to unauthorised third parties. Processors may process personal data solely in accordance with the Company’s instructions and may not use such data for any other purposes.

The Company, as controller, and its employees do not transfer personal data to third countries (outside the member states of the European Economic Area – EU Member States, as well as Iceland, Norway and Liechtenstein) or to international organisations, except to the United States, in which case relationships with processors based in the United States are governed by Standard Contractual Clauses (model clauses adopted by the European Commission) and/or Binding Corporate Rules (adopted by the company and approved by the EU supervisory authorities).

Cookies

The Company’s website operates using so-called cookies, which are essential for the provision of online services and are used to store information on the status of individual web pages, assist in the collection of statistics on users and website traffic, and similar purposes. More detailed information on the use of cookies, their types and management options is available on the dedicated Cookies subpage.

Data Security and Accuracy

The Company ensures information security and the security of its infrastructure (premises and application/system software). Our information systems are protected, inter alia, by antivirus software and firewalls. Appropriate organisational and technical security measures have been implemented to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as well as against other unlawful or unauthorised forms of processing. When special categories of personal data are transmitted, they are transmitted in encrypted form and protected by a password. The data subject is responsible for transmitting personal data securely and for ensuring that the data provided is accurate and truthful.

Your Rights

A data subject has the right to request access to personal data, rectification or the erasure of personal data, restriction of processing, the right to object to processing and the right to data portability. Requests are handled in accordance with the provisions of the General Data Protection Regulation and applicable personal data protection legislation.

All of the above rights and any related questions may be exercised by submitting a request to the Company’s address. The Company shall respond to the data subject’s request without undue delay and no later than one month after receipt of the request. This period may be extended by up to two additional months, taking into account the complexity and number of requests, of which the data subject will be informed together with the reasons for the delay. The exercise of rights is free of charge for the data subject; however, the Company may charge a reasonable fee if it is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, the Company may also refuse the request. If there is reasonable doubt as to the identity of the data subject, the Company may request additional information necessary to confirm identity.

In its decision on a data subject’s request, the Company shall also inform the data subject of the reasons for the decision and of the right to lodge a complaint with the supervisory authority within 15 days of being informed of the decision. The right to lodge a complaint with the supervisory authority may be exercised with: The Information Commissioner of the Republic of Slovenia at the address: Dunajska 22, 1000 Ljubljana(e-mail: gp.ip@ip-rs.si, website: www.ip-rs.si). 

Our Contact Details

The controller of your personal data is Elephant group, d.o.o., Dalmatinova 15, 1000 Ljubljana, registration number: 5308313, VAT ID: SI14568004.

If you have any questions regarding the processing of your personal data or wish to exercise any of the rights provided under this Privacy Policy, please contact us at reservations@cityhotel.si.

Validity

This Privacy Policy enters into force on 16th January 2026. This document may be amended without prior notice.