GDPR - Privacy policy and information on data protection rights

PRIVACY POLICY

provided to fulfill the information obligation of the person responsible for the processing of personal data in accordance with Article 13 of the GDPR

This document provides an overview of the most important principles of personal data protection, which, as the administrator of personal data in the course of doing business, is carried out by Špindlerův - Mlýn.com s. r. o. based in Komenského 1636, 543 01 Vrchlabí, IČO: 025 15 580 (hereinafter referred to as "administrator").

The data controller processes all personal data in accordance with the legal system of the Czech Republic, in particular Law No. 110/2019 Coll.,. On the processing of personal data in the currently valid version and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data, on the free movement of data and the repeal of Directive 95/46 / EC Protection of personal data), the so-called General Data Protection Regulation (hereinafter "GDPR") and other directly applicable regulations of the European Union.

The administrator hereby informs you about the processing of your personal data in accordance with Article 13 of the GDPR and about facts that affect or could affect their protection, including an overview of your rights.
1)    Person     responsible for personal data
The administrator of your personal data is:
Špindlerův - Mlýn.com s.r.o.
Komenského 1636, 543 01 Vrchlabí
ID: 025 15 580

2)    Commissioner  for the Protection of Personal Data
According to the GDPR, the controller is not obliged to appoint a data protection officer. If you have any questions about the protection of personal data, you can email the administrator: info@spindl.info

3)    The purpose of processing your personal data, the legal reason for processing
Your personal data, which you enter in the booking form on the website www.spindleruv-mlyn.com, will be processed in order to process and process your booking request. The legal reason for the processing of your personal data is therefore the fulfillment of the contract, on the basis of which we offer you the necessary service, and the protection of the legitimate interests of the administrator.
The administrator also processes the personal data of his business partners for the purpose of fulfilling concluded contracts and for the purpose of fulfilling legal obligations arising from applicable legal provisions, such as, in particular, the obligation to archive accounting documents.
Recordings of the camera system, which are available on the website www.spindleruv-mlyn.com, are processed to provide current information from Špindlerův Mlýn to visitors to the web portal. The camera system is set so that, if possible, individual people cannot be identified (low resolution of the recorded picture). The recording is based on the legitimate interest of the administrator in providing information services to visitors to Špindlerův Mlýn.

4)    What  personal data does the administrator process?
In order to fulfill the purpose of processing according to point 3), the administrator processes the following categories of personal data to the extent necessary:
-    Accommodation reservation - first and last name, contact details, nationality,     arrival and departure date, accommodation requirements;
-     Business partner - company, name, surname, registered office, business     address or place of residence, ID number, VAT identification number, contact details, contact persons;
-     Recordings from the camera system in Špindlerův Mlýn - recordings are only     made twice a day in the form of low-resolution photos.

5)    Can your personal data be processed without your consent?
Your personal data can be processed by the administrator in accordance with the GDPR without your consent, since the processing is possible for other legal reasons mentioned in number 3 above, i.e. to provide the necessary service (contract fulfillment with the applicant), contract fulfillment with the business partner the fulfillment of the legal obligation of the administrator and the protection of the legitimate interests of the administrator. The possibility and lawfulness of processing for the above-mentioned reason follows directly from the applicable legal provisions, so your consent is not required for this processing.

6)     Who has access to your personal data?
Your personal data may only be transferred or made available to those who offer sufficient guarantees for the protection of your rights and your privacy, in particular by implementing suitable technical and organizational measures in accordance with the GDPR. In cases stipulated by law, the administrator is obliged to transmit personal data to the responsible state administrative authorities.
Your personal data can be passed on to the following categories of recipients:
-    our business partners, ie the appropriate accommodation facility to process the reservation;
-    state administrative bodies based on the law;     
-    external suppliers, if this is necessary for the fulfillment of the contract or legal obligation.
On request, we will provide you with a complete list of categories of recipients of your personal data.

7)    Transfer of personal data to a third country or an international organization
Your personal data will not be transferred to a third country or an international organization.

8)    How long will your personal data be processed?
We store personal data of customers, business partners and contacts for 10 years. We also keep personal data until the end of a possible dispute, to fulfill all obligations or until the expiry of limitation periods for the exercise of our claims. We store personal data, the archiving of which is required by law, for a specific archiving period. Recordings from the camera system are saved for 5 years from the acquisition date and then automatically deleted.

9)    Your rights to protect personal data
In particular, you have the following rights with regard to your personal data:
-    the right to request information about whether or not personal data concerning     you is being processed;
-    the right to access your personal data:
-    the right to request the transfer of your personal data;
-    the right to information about the sources of your personal data or whether your personal data comes from publicly available sources;
-    the right to object to the processing of your personal data;
-    the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection in the Czech Republic;
-    the right not to subject your personal data to a decision based solely on     automated processing or profiling, provided certain conditions are met;
-    the right to request a copy of your personal data that is processed about you;
-    Request from us to correct or supplement your personal data;
-    request     the deletion of your personal data or a restriction of the     processing scope of your personal data;
-    If you     consent to the processing of your personal data, you can revoke this consent at any time.

Further information on your rights can be found in the document on data protection rights, which is available on request from the administrator or on the website www.spindleruv-mlyn.com.
10)     Use automated decision making, including profiling
There is no automated decision making, including profiling, when processing your personal data.
Please note that all information about personal data can only be made available to the person whose personal data it is. For this purpose, the administrator can request a verification of your identity. If the type of personal data does not provide sufficient evidence that it is the person whose personal data it is, you will not be given the requested information.

 

____________________________________________________

Information on data protection rights
 

This document provides more detailed information on the rights of individuals to the protection of personal data in accordance with Articles 15-22 and 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of data Traffic. Repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter referred to as "GDPR").
This information is provided by the administrator of personal data, the company Špindlerův - Mlýn.com s. R. O., based in Komenského 1636, 543 01 Vrchlabí, IČO: 025 15 580 (hereinafter referred to as "administrator"). According to the GDPR, natural persons whose data are processed by the administrator have the following rights:
1)    The right to access your personal data

This right consists in the possibility of contacting the administrator and requesting confirmation whether he processes your personal data or not. If you receive information that the administrator is processing your personal data, you have the right to request the following information:
What is the purpose of processing your personal data.
○    What category of personal data is it?
○    To whom is your personal data transferred or made available and whether it is a recipient from a third country or an international organization?
○    How long your personal data will be processed or what determines this time.
○    You have the right to request the deletion or correction of your personal data.
○    You have the right to request restrictions on the processing of your personal data.
○    You have the right to object to the processing of your personal data.
○    You have the right to lodge a complaint with the supervisory authority, which is the Office for the Protection of Personal Data.
○    You have the right to be informed about the sources of your personal data.
○    You have the right to request information about whether your personal data will be profiled, i.e. how your personal data will be processed, what meaning and what expected effects your personal data will have.
○    You have the right to request information about whether your personal data is processed automatically, i.e. how the processing of your personal data takes place, what meaning and what expected effects your personal data will have.
○    You have the right to provide a copy of the processed personal data that relates to you personally. A copy is provided free of charge. In the event of a repeated request, the administrator can charge you a reasonable fee based on the administrative costs incurred.

2)    The right to correct personal data
If you find that the personal data that the administrator processes about you is incorrect, you have the right to request that it be corrected. The administrator makes the correction immediately after you have given him the current personal data

3)    The right to request the deletion of personal data
○    If you exercise your right to delete your personal data with the administrator, the administrator is obliged to delete all your personal data. However, this requirement can only be met if one of the following reasons is met:
○    Your personal data is no longer required for the purposes for which it was collected or processed.
○    You withdraw your consent if your personal data were processed on their basis and there is no other legal reason for the processing of your personal data.
○    Your personal data will be processed illegally.
○    Your personal data must be deleted in order to comply with an obligation under the law of the European Union or the Czech Republic.
○    Personal data was collected directly from the child in connection with the provision of information society services without the conditions being met.
However, your personal data will not be deleted if:
○    This would contradict the exercise of the right to freedom of expression and information.
○    This would violate the obligation imposed on the administrator by the law of the European Union or the Czech Republic.
○    it is necessary for reasons of public interest in the area of public health;
○    it is necessary for archiving purposes in the public interest;
○    this is particularly necessary for scientific purposes and historical research;
○    it is necessary for the exercise of legal claims.
In the event that the conditions for deletion of your personal data are met, the administrator is obliged to inform your next administrator of your request, who knows that he is processing your personal data, and to inform him that you would like that your personal data will be deleted. However, this obligation can only be met if the available technology and reasonable costs allow it. The assessment lies exclusively with the administrator.
If the conditions for deleting your personal data are not met, the administrator will inform you immediately. Reasons why your right cannot be granted.

4)    The right to request restrictions on the processing of your personal data
If you exercise this right with the administrator, he is obliged to limit the scope of the processing of your personal data. However, this requirement can only be met if one of the following reasons is met:
○    If you believe that your personal information is incorrect, the administrator will restrict the processing of your personal information until he verifies this.
○    if you believe that the processing of your personal data is being carried out illegally by the administrator and at the same time you refuse to delete your personal data;
○    Your administrator no longer needs your personal data for processing, but to determine your possible legal claim.
○    You have exercised your right to object to the processing of your personal data and it has not yet been decided whether our legitimate reasons for processing them take precedence.
If the restriction you requested is lifted, you will be notified in good time.

5)    Notification obligation regarding the correction, deletion or restriction of the processing of your personal data
If the administrator has made your personal data available to other recipients (third parties), he is obliged to inform them of corrections, deletions or restrictions on the processing of personal data that have been made in relation to your personal data. This obligation does not have to be fulfilled if this would be objectively impossible or would require a disproportionate effort. Upon request, the administrator will provide you with a list of recipients who have been notified of your personal data.

6)    The right to request the portability of your personal data
You have the right to request and receive your personal data from the administrator in a structured, commonly used and machine-readable format. This right is only granted to you if the processing is carried out by the administrator on the basis of your consent to the processing of your personal data or the processing is necessary to fulfill the contract, if it has been concluded with the administrator and the processing of your personal data is automated. Otherwise, the administrator is not obliged to comply with your request for portability of personal data.

You have the right to share this information with another administrator. If technically feasible, you have the right to request the transfer of your personal data directly to another administrator.

7)    The right to object
You have the right to object to the processing of personal data concerning you at any time if your personal data is processed for a reason that is necessary for the performance of a task carried out in the public interest or for the purposes of our legitimate interests or the interests of third parties, including Profiling.
You can object to the processing of your personal data for direct marketing purposes at any time. In this case we will no longer process your personal data for these purposes.

8)    Rights related to automated individual decision making and profiling
You have the right to request that your personal data not be automated or processed by profiling. Automated means processing with computer technology without human intervention. Profiling is a form of processing your personal data that is also automatic and is used to evaluate certain aspects that relate to you personally. For example, it is an assessment of your personal preferences, shopping habits, etc.

9)    Obligation to report a security breach that could pose a high risk to your rights and freedoms
If the security of your personal information is breached in a way that puts you at high risk, you will be promptly informed, along with the nature of the breach, of the likely consequences that may occur to you, including the measures that are accepted to resolve the problem.
At the same time, the administrator is obliged to report a case of violations that could endanger your rights and freedoms to the Office for Personal Data Protection immediately, at the latest 72 hours after the violation has become known.