GDPR - Privacy policy and information on data protection rights
PRINCIPLES OF PROTECTION AND PROCESSING OF PERSONAL DATA
provided to meet the information obligation of the data controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation, as well as national legislation, i.e. Act No. 110/2019 Coll., on the processing of personal data, as amended.
(hereinafter collectively referred to as the "Principles")
1) In this document you will find an overview of the main principles of protection and processing of personal data, which as a personal data controller in its business activities is carried out by the company: Špindlerův - Mlýn.com s. r. o., ID No.: 025 15 580 with registered office: Na strži 2097/63, Krč, 140 00 Prague 4, registered with the Municipal Court in Prague, Section C, Insert 398744 (hereinafter referred to as the "Controller").
2) The Controller processes all personal data of users in accordance with all legal regulations of the Czech Republic, in particular, but not exclusively, in accordance with Act No. 110/2019 Coll., on the processing of personal data, as amended, and also Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR".
3) For the purposes of this policy, a user is understood to be any - natural persons who are so-called data subjects (hereinafter referred to as "users" or "data subjects").
4) Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.
5) For the purposes of this policy, personal information is any information that makes it possible for the Company to identify individuals/users.
6) What personal data does the Controller process?
In order to fulfill the purpose set out below, the Controller processes personal data to the extent necessary, which is why it is further processed to the following extent:
- accommodation reservation - name and surname, contact details, nationality
- business partners - name, surname, residence, contact details, contact persons;
- records from the camera system in Spindleruv Mlyn - records are taken in the form of photographs only twice a day, in low resolution.
7) Purpose of processing your personal data, legal reason for processing
Your personal data that you provide in the booking form on the website www.spindleruv-mlyn.com is processed for the purpose of processing and processing your booking request. The legal basis for processing your personal data is therefore the performance of the contract on the basis of which we provide you with the requested service and the protection of the legitimate interests of the Controller, which is why you give your explicit consent to the processing to the extent specified in Article 6 by filling in the form in question.
The Controller also processes the personal data of its business partners for the purpose of fulfilling the concluded contracts and for the purpose of fulfilling the legal obligations arising from the applicable legislation, such as in particular the obligation to archive accounting documents.
The records from the camera system available via the website www.spindleruv-mlyn.com are processed in order to provide visitors to the website with up-to-date information from Spindleruv Mlyn. The camera system is set up in such a way that individual persons are not identifiable as far as possible (low resolution of the footage). The footage is taken because of the administrator's legitimate interest in providing information services to visitors to Špindlerův Mlýn.
8) Your personal data in the above scope may be processed by the Administrator in accordance with the GDPR without your consent, as they are processed for:
a. for the purpose of providing the requested service (performance of the contract with the interested party),
b. the performance of a contract with a business partner,
c. the performance of a legal obligation of the Controller and the protection of legitimate interests
The possibility and lawfulness of the processing on the basis of the above reason follows directly from the applicable legislation, your consent is therefore not required for this processing.
9) Who has access to your personal data?
Your personal data may only be transferred or disclosed to those entities that provide sufficient guarantees for the protection of your rights and your privacy, in particular by implementing appropriate technical and organisational measures in accordance with the GDPR. In the cases provided for by law, the Controller is obliged to transfer personal data to the relevant public authorities.
Your personal data may be transferred to the following categories of recipients:
- to our business partners, i.e. to the relevant accommodation facility for the purpose of processing
reservations;
- to public authorities on the basis of the law;
- to external suppliers, if this is necessary for the performance of a given contract or legal obligation.
We will provide you with a full list of the categories of recipients of your personal data upon request.
10) Transfer of personal data to a third country or international organisation
Your personal data is not transferred to a third country or an international organisation.
11) How long is your personal data processed?
We store the personal data of customers, business partners and contact persons, in accordance with applicable law, for a period of 10 years. We also retain personal data until the end of any dispute, the settlement of any liabilities or the expiry of any limitation periods for our claims. We keep personal data required by law to be archived for a specified archiving period. CCTV footage is stored for 5 years from the date of acquisition, after which it is automatically deleted.
12) Your rights in relation to data protection
In particular, you have the following rights in relation to your personal data:
- The right to request information about whether or not your personal data is processed;
- the right to access your personal data:
- the right to request the transfer of your personal data;
- the right to be informed of the sources of your personal data or, where applicable, whether your personal data have been obtained from publicly available sources;
- the right to object to the processing of your personal data;
- the right to lodge a complaint with a supervisory authority, which in the Czech Republic is the Office for Personal Data Protection;
- the right to be notified of rectification, erasure or restriction of processing - the data subject has the right to be notified by the controller in the event of rectification, erasure or restriction of processing of personal data;
- the right not to have your personal data subject to any decision based solely on automated processing or profiling, provided that the specific conditions for this are met;
- the right to request a copy of your personal data processed about you;
- request that we correct or supplement your personal data;
- the right to contact the Data Protection Authority - the data subject has the right to contact the Data Protection Authority (https://www.uoou.cz/).
- Request the erasure of your personal data or, if applicable, request a limitation of the scope of processing of your personal data, if this is legally permissible in a particular case;
13) If you consent to the processing of your personal data, you are entitled to withdraw your consent at any time. This request will be complied with by the Controller, unless it contravenes the relevant legal provisions.
14) Data Protection.
a) The Controller collects and stores the personal data entered by the data subject via electronic storage media in a secure database. The controller shall protect personal data to the maximum extent possible by using modern technologies that correspond to the state of technological development. The controller declares that he has taken all the measures currently known to him to safeguard the data against unauthorised interference by third parties.
(b) In the event of discovery of any serious breach of security of personal data, the controller shall report it to the supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of it, and shall provide appropriate remedy.
15) Use of automated decision-making, including profiling
No automated decision-making, including profiling, is used in the processing of your personal data.
16) Data Protection Officer
The controller is not obliged under the GDPR to appoint a data protection officer. If you have any questions about data protection, you can contact the Data Controller by email: support@spindl.info
Please note that any information about personal data may only be provided to the person to whom the personal data belongs. As a result of this fact, the Controller may require verification of your identity. Unless it can be sufficiently demonstrated, in view of the nature of the personal data, that this is the person whose personal data is concerned, the information requested will not be provided to you.
_________________________________________________________________________________________________________________________________
Information on data protection rights
This document provides more detailed information on the rights of individuals to the protection of personal data in accordance with Articles 15-22 and 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of data Traffic. Repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter referred to as "GDPR").
This information is provided by the administrator of personal data, the company Špindlerův - Mlýn.com s. r. o., ID No.: 025 15 580 with registered office: Na strži 2097/63, Krč, 140 00 Prague 4, registered with the Municipal Court in Prague, Section C, Insert 398744 (hereinafter referred to as the "Controller"). According to the GDPR, natural persons whose data are processed by the administrator have the following rights:
1) The right to access your personal data
This right consists in the possibility of contacting the administrator and requesting confirmation whether he processes your personal data or not. If you receive information that the administrator is processing your personal data, you have the right to request the following information:
○ What is the purpose of processing your personal data.
○ What category of personal data is it?
○ To whom is your personal data transferred or made available and whether it is a recipient from a third country or an international organization?
○ How long your personal data will be processed or what determines this time.
○ You have the right to request the deletion or correction of your personal data.
○ You have the right to request restrictions on the processing of your personal data.
○ You have the right to object to the processing of your personal data.
○ You have the right to lodge a complaint with the supervisory authority, which is the Office for the Protection of Personal Data.
○ You have the right to be informed about the sources of your personal data.
○ You have the right to request information about whether your personal data will be profiled, i.e. how your personal data will be processed, what meaning and what expected effects your personal data will have.
○ You have the right to request information about whether your personal data is processed automatically, i.e. how the processing of your personal data takes place, what meaning and what expected effects your personal data will have.
○ You have the right to provide a copy of the processed personal data that relates to you personally. A copy is provided free of charge. In the event of a repeated request, the administrator can charge you a reasonable fee based on the administrative costs incurred.
2) The right to correct personal data
If you find that the personal data that the administrator processes about you is incorrect, you have the right to request that it be corrected. The administrator makes the correction immediately after you have given him the current personal data
3) The right to request the deletion of personal data
If you exercise your right to erasure of your personal data with the Controller, the Controller is obliged to erase all your personal data, unless this request is in conflict with the relevant legal regulations. However, this request can only be granted if any of the following grounds are met:
○ Your personal data is no longer required for the purposes for which it was collected or processed.
○ You withdraw your consent if your personal data were processed on their basis and there is no other legal reason for the processing of your personal data.
○ Your personal data will be processed illegally.
○ Your personal data must be deleted in order to comply with an obligation under the law of the European Union or the Czech Republic.
○ Personal data was collected directly from the child in connection with the provision of information society services without the conditions being met.
In the event that the conditions for deletion of your personal data are met, the administrator is obliged to inform your next administrator of your request, who knows that he is processing your personal data, and to inform him that you would like that your personal data will be deleted. However, this obligation can only be met if the available technology and reasonable costs allow it. The assessment lies exclusively with the administrator.
If the conditions for deleting your personal data are not met, the administrator will inform you immediately. Reasons why your right cannot be granted.
4) The right to request restrictions on the processing of your personal data
If you exercise this right with the administrator, he is obliged to limit the scope of the processing of your personal data. However, this requirement can only be met if one of the following reasons is met:
○ If you believe that your personal information is incorrect, the administrator will restrict the processing of your personal information until he verifies this.
○ if you believe that the processing of your personal data is being carried out illegally by the administrator and at the same time you refuse to delete your personal data;
○ Your administrator no longer needs your personal data for processing, but to determine your possible legal claim.
○ You have exercised your right to object to the processing of your personal data and it has not yet been decided whether our legitimate reasons for processing them take precedence.
If the restriction you requested is lifted, you will be notified in good time.
5) Notification obligation regarding the correction, deletion or restriction of the processing of your personal data
If the administrator has made your personal data available to other recipients (third parties), he is obliged to inform them of corrections, deletions or restrictions on the processing of personal data that have been made in relation to your personal data. This obligation does not have to be fulfilled if this would be objectively impossible or would require a disproportionate effort. Upon request, the administrator will provide you with a list of recipients who have been notified of your personal data.
6) The right to request the portability of your personal data
You have the right to request and receive your personal data from the administrator in a structured, commonly used and machine-readable format. This right is only granted to you if the processing is carried out by the administrator on the basis of your consent to the processing of your personal data or the processing is necessary to fulfill the contract, if it has been concluded with the administrator and the processing of your personal data is automated. Otherwise, the administrator is not obliged to comply with your request for portability of personal data.
You have the right to share this information with another administrator. If technically feasible, you have the right to request the transfer of your personal data directly to another administrator.
7) The right to object
You have the right to object to the processing of personal data concerning you at any time if your personal data is processed for a reason that is necessary for the performance of a task carried out in the public interest or for the purposes of our legitimate interests or the interests of third parties, including Profiling.
You can object to the processing of your personal data for direct marketing purposes at any time. In this case we will no longer process your personal data for these purposes.
8) Rights related to automated individual decision making and profiling
You have the right to request that your personal data not be automated or processed by profiling. Automated means processing with computer technology without human intervention. Profiling is a form of processing your personal data that is also automatic and is used to evaluate certain aspects that relate to you personally. For example, it is an assessment of your personal preferences, shopping habits, etc.
9) Obligation to report a security breach that could pose a high risk to your rights and freedoms
If the security of your personal information is breached in a way that puts you at high risk, you will be promptly informed, along with the nature of the breach, of the likely consequences that may occur to you, including the measures that are accepted to resolve the problem.
At the same time, the administrator is obliged to report a case of violations that could endanger your rights and freedoms to the Office for Personal Data Protection immediately, at the latest 72 hours after the violation has become known.
