GDPR Compliance
Our commitment to protecting your personal data
About GDPR
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that came into effect on 25 May 2018. As a company based in Croatia, a member state of the European Union, Nocturne Bloom d.o.o. is fully committed to complying with GDPR requirements.
This page outlines how we implement GDPR principles in our operations and explains your rights under this regulation.
Our Role as Data Controller
Nocturne Bloom d.o.o. acts as a data controller for the personal information we collect directly from you, including:
- Contact information provided when you inquire about our services
- Business details shared during project consultations
- Website usage data collected through cookies and analytics
As a data controller, we determine the purposes and means of processing your personal data and bear responsibility for ensuring that processing is lawful, fair, and transparent.
Data Protection Principles
We adhere to the core principles established by GDPR in all our data processing activities:
Lawfulness, Fairness, and Transparency
We only process personal data when we have a valid legal basis, and we are open about how we use your information. Our Privacy Policy details our data practices in accessible language.
Purpose Limitation
We collect personal data only for specified, explicit, and legitimate purposes. We do not use your information in ways that are incompatible with those purposes without obtaining additional consent.
Data Minimization
We limit the personal data we collect to what is necessary for the intended purpose. We do not request or retain information beyond what is needed to serve you effectively.
Accuracy
We take reasonable steps to ensure that personal data is accurate and kept up to date. You can request corrections to your information at any time.
Storage Limitation
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. We have established retention periods for different categories of data and securely delete information when it is no longer needed.
Integrity and Confidentiality
We implement appropriate technical and organizational measures to protect personal data against unauthorized processing, accidental loss, destruction, or damage.
Your Rights Under GDPR
GDPR grants you specific rights regarding your personal data. We are committed to facilitating the exercise of these rights:
Right to Be Informed
You have the right to know how we collect and use your personal data. We provide this information through our Privacy Policy and direct communications when we collect your data.
Right of Access
You can request a copy of the personal data we hold about you. We will provide this information free of charge within 30 days of your request, along with supplementary information about how we process your data.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to request correction. We will make the necessary updates without undue delay.
Right to Erasure
Under this right, also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the original purpose or when you withdraw consent.
Right to Restrict Processing
You can ask us to limit how we process your data while we address concerns about accuracy, lawfulness, or our legitimate interests.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format to transfer to another service provider.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will stop processing immediately.
Rights Related to Automated Decision-Making
We do not engage in fully automated decision-making that produces legal or similarly significant effects on individuals.
How to Exercise Your Rights
To exercise any of your rights under GDPR, please contact our data protection team:
Email: [email protected]
Subject line: GDPR Request - [Your Name]
Please include:
- Your full name
- The email address associated with your interactions with us
- A clear description of which right you wish to exercise
- Any relevant details that will help us locate your records
We may need to verify your identity before processing your request. We will respond within 30 days. If we need more time due to the complexity of your request, we will inform you within that initial period.
Data Processing for Clients
When we provide smart home automation services to resort properties, our clients may share certain guest-related data with us for system configuration or troubleshooting purposes. In these situations:
- We act as a data processor on behalf of our client (the data controller)
- We process data only according to documented instructions from our client
- We maintain appropriate data processing agreements with our clients
- We implement security measures as specified in our service contracts
If you are a guest at a property using our automation systems and have questions about how your data is handled, please contact the property directly as they are the data controller for that information.
International Data Transfers
We primarily store and process data within the European Economic Area. If circumstances require transferring data outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where the destination country provides equivalent protection
- Other appropriate safeguards as permitted by GDPR
Data Breach Notification
We have procedures in place to detect, report, and investigate personal data breaches. If a breach is likely to result in a risk to your rights and freedoms, we will:
- Notify the Croatian Personal Data Protection Agency (AZOP) within 72 hours of becoming aware of the breach
- Communicate directly with affected individuals when the breach is likely to result in a high risk to their rights and freedoms
Supervisory Authority
If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP)
Croatian Personal Data Protection Agency
Selska cesta 136
10000 Zagreb, Croatia
Website: azop.hr
However, we would appreciate the opportunity to address your concerns directly before you contact the supervisory authority.
Updates to This Information
We review our GDPR compliance practices regularly and will update this page to reflect any changes. Significant updates will be highlighted on our website.
Contact Our Data Protection Team
For any questions about our GDPR compliance or data protection practices:
Nocturne Bloom d.o.o.
Data Protection Team
Trg bana Josipa Jelačića 15
10000 Zagreb, Croatia
Email: [email protected]