Data Controller: Viator travel d.o.o./Epic Croatia
Sv. Križa 3, 20000 Dubrovnik
1. We consider personal data protection a key part of our work
Below you can find the types of data we collect and process, the purposes the data is intended for, the lawful bases for the processing, the periods during which we store it, the measures we use to protect it, the third parties we transmit it to, and the rights you have regarding the protection of your data, in accordance with the General Data Protection Regulation (GDPR).
2. Purposes we collect data for, types of data and legal basis for processing
- Types of data: Name, surname, date of birth, gender, citizenship, passport number, e-mail address, phone number, height, health condition (food allergies, medications), travel insurance details
- Legal basis: Necessary for the performance of a contract and legitimate interest
- Types of data: Name, surname, address, passport number, state of issue, e-mail address, phone number, credit card details
- Types of data: Name, surname, address, telephone, postal code, IP address, e-mail, city, date and time of payment
- Legal basis: Necessary for the performance of a contract
- Types of data: First name, last name, address, city, postal code, country, OIB (for Croats)
- Legal basis: Legal obligation
- Types of data: First name, last name, flight number and arrival time, cell phone number, emergency contact, height (for bike tours)
- Legal basis: Legitimate interest
- Types of data: allergy information, medications, other relevant medical information, dietary restrictions
- Legal basis: Explicit consent
- Types of data: Photo
- Legal basis: Consent
- Types of data: Name, e-mail address, resume, sports experience, knowledge of English
- Legal basis: Legitimate interest
3. Lawfulness and fairness of data collection and processing
Viator travel/Epic Croatia collects and processes data in accordance with contractual obligations, legal obligations, our legitimate interest, or with provided consent.
We respect the fundamental principles laid down in the GDPR: we adhere to legal data processing mechanisms, and the data is collected for specified, explicit and legitimate purposes and processed in accordance with them. We collect the minimum amount of data, strive to ensure that it is accurate, and keep it only for as long as necessary for the purposes it is processed for. We conduct pseudonymization as well as anonymization of personal data wherever possible.
4. Data subjects' rights and their exercise
- Right of access to personal data
- Right to rectification of inaccurate personal data
- Right to erasure of personal data
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to not be subject to automated decision-making
You can request the exercise of the aforementioned rights by making an inquiry to our physical address (Sv. Križa 3, 20000 Dubrovnik), or the e-mail address
You can also contact us for any interpretation of your rights, as well as request a summary of our data protection impact assessment. We respond to all requests within one month of receiving the request.
You can also submit a complaint to the Croatian Data Protection Supervisor: Personal Data Protection Agency (AZOP), Martićeva 14, Zagreb,
5. Relationship with third parties
Each relationship with our trusted partners is governed by a contract that covers data protection. Our partners must not process your information outside of our instructions, must take adequate measures to protect it securely, and can only keep it for an agreed period.
- Providers of accommodation, transfers, catering and multi-sport activities
- Online card payment processor
- Cloud service for internal use
- Accounting Services
- Website maintenance
- Digital marketing
6. Security of data protection
We use organizational, technical, and physical risk-based measures to protect personal data from destruction, loss, alteration, and unauthorized disclosure or access. Privacy culture is an ongoing part of how the company works: the Director and all employees whose job description involves processing personal data are educated about the obligations and rights prescribed by the Regulation. Regular privacy awareness training is conducted.
The data collected through the website is protected by an SSL certificate, which enables an encrypted connection between our server and your internet browser, so that no one else can read the data you send us while it is in transit. We work with trusted and professional partners who are committed to using high standards of protection.
Last update: 01.04.2020