CONTACT DETAILS

The Controller hereby informs you of the following contact details:

• Postal address: nám. Míru 466, 378 81 Slavonice
• E-mail address: info@hotelpivonka.cz
• Contact person for matters concerning the processing of personal data: Yana Rebrova

SOURCES OF PERSONAL DATA

The Controller primarily obtains personal data directly from data subjects, in particular as part of exercising the rights and obligations of data subjects within the framework of an employment relationship with the Controller, as well as through the implementation of orders and requests from the Controller with suppliers, e-mail communication, telephone communication, business cards, reservation forms, accommodation operators, accommodation portals, etc. Personal data are also obtained from publicly accessible registers, lists, and records (e.g., commercial register, trade register, real estate register, public telephone directory, etc.).

Legitimate interests of the Controller

• Personal data of our employees may also be processed for the purposes of our legitimate interests in securing and ensuring the protection of health and property. In such a case, the legal basis of the processing is Article 6(1)(f) of the GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:
• The legitimate interest of the Controller in the operation of the camera system in the Pivoňka hotel building, managed by the Controller, at the address nám. Míru 466, 378 81 Slavonice, in order to ensure the protection of health and property; and
• Defending our legal claims.
  
  
• The processing of personal data for these purposes is based on our legitimate interests, except in cases where the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data take precedence over these interests, in particular where the data subject is a child. In the event of any doubts in relation to our legitimate interests, you have the right to contact us at any time with an objection to the processing under the conditions and in the manner specified in these General Principles.
  
  
• The Controller, as an employer, is fully aware of its obligations arising from the relevant legal regulations in relation to the protection of the privacy of its employees and hereby declares that the camera system in the Žinkova chateau building is installed and operated in such a way as not to disturb the privacy of employees at the workplace and in common areas without serious grounds and to an unreasonable extent.
  
  
• We process the personal data for the reasonable duration of our legitimate interests. In this case, the Controller is obliged to ensure that the period of personal data processing never exceeds 3 years.

PROCESSING OF THE PERSONAL DATA OF VISITORS TO OUR SOCIAL NETWORK SITES

The Controller operates social network sites on www.facebook.com and www.instagram.com, www.booking.com, and www.airbnb.com. For this reason, in order to ensure the optimal functioning and optimization of these social networking sites, we must process the following personal data about visitors to them:

• Name and surname;
• Profile picture; and
• Other information that the data subject chooses to share with us by sending a message or posting a comment via a social network.

The source of personal data is the relevant social network and website. Information about the data submitted when making a booking is described in the processing of personal data of customers.

Legitimate interests of the Controller

• We process the personal data of visitors to our social network sites primarily for the purposes of our legitimate interests in ensuring the functionality and optimization of our social network sites. In such a case, the legal basis for the processing is Article 6(1)(f) of the GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

• Ensuring the functionality of our social network sites;

• Conducting analyzes and measurements, e.g.: attendance, readership, number of views of posts and others. We collect these data using anonymized data in order to be able to offer high-quality content that is relevant to users and to develop services in which visitors to our sites have an obvious interest; and

• Improving the quality of the services provided and the possible development of new services, e.g., development of social network sites, competitions, etc. New services are developed, and existing ones are improved by ascertaining the needs and wishes of visitors to our social network sites through analyzes on these social network sites, as well as interest in certain contributions and texts, etc.

• The processing of personal data for these purposes is based on our legitimate interests, except in cases where the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data take precedence over these interests, in particular where the data subject is a child. In the event of any doubts in relation to our legitimate interests, you have the right to contact us at any time with an objection to the processing under the conditions and in the manner specified in these General Principles.

• We process the personal data for the reasonable duration of our legitimate interests. In this case, the Controller is obliged to ensure that the period of personal data processing never exceeds 3 years.

METHOD OF PROCESSING AND PROTECTING PERSONAL DATA

When processing your personal data, the Controller undertakes to comply with the following main principles of personal data processing:

• When storing, securing and further processing personal data, the Controller proceeds in accordance with applicable legal regulations, in particular with the GDPR;

• The Controller processes your personal data only for the purposes and in the manner resulting from these General Principles;

• The Controller has taken appropriate technical and organizational measures to ensure an adequate level of security for your personal data. All personal data that data subjects provide to the Controller are secured by standard procedures and technologies. However, it is not objectively possible to guarantee 100% security of a data subject's personal data. In this context, the Controller regularly checks security measures, which are then regularly updated where necessary; and

• As a data subject, you always have the option to contact the Controller at any time in a simple way, by any of the methods specified in these General Principles.

RECIPIENTS OF PERSONAL DATA

In addition to the Controller's employees and managers, recipients of your personal data may also be third parties. The Controller carefully selects its suppliers to whom it entrusts the data of data subjects and who are able to ensure the technical and organizational security of the personal data of data subjects so that no unauthorized or accidental access to these data or their other misuse can occur.

As part of the legal relationships with our suppliers, they are, among other things, bound by confidentiality and may not use the provided data for any purposes other than those for which we have made the data available to them, and they must also ensure additional measures to secure the personal data of data subjects.

Third parties that may have access to personal data of data subjects, depending on the nature of the service that the data subjects use or have used, are:

• SIESTA SOLUTION s.r.o., Company Reg. No.: 05203503 with its registered office at Jičínská 226/17, Žižkov, 130 00 Prague 3,

• Persons who ensure the technical operation of a certain service for us or operators of technologies that we use for our services,

• Persons who provide activities for us in direct relation to the performance of our activities, primarily accounting services, i.e., SVOBODA & WILLIAMS s.r.o., Company Reg. No.: 27588785, with its registered office at Prague 1 - Staré Město, Na Perštýně 362/2, Post Code 11000;

• Providers of postal and communication services and electronic communications services;

• Payment service providers and payment processors for the purpose of securing and performing payment transactions;

• Authorized employees of the Controller; and

• Persons who ensure the recovery of the Controller's claims for us.

Under certain, precisely defined conditions, the Controller is obliged to hand over some personal data of data subjects based on valid legal regulations, e.g., to the Police of the Czech Republic, the Financial Office, the Office for the Protection of Personal Data, and other public administration bodies.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The Controller does not intend to transfer the personal data of data subjects to any third country. In the event that the personal data of data subjects is transferred to third countries outside the EU, this will be performed in accordance with the legislative requirements, and the protection of the personal data of data subjects will be ensured. The Controller undertakes to inform you immediately of any such transfer.


RIGHTS OF DATA SUBJECTS

In relation to the processing of personal data, data subjects may exercise the following rights:

• The right to request access to your personal data from the Controller;
• The right to request information from the Controller regarding the processing of your personal data;
• The right to rectification of your personal data;
• The right to complete your incomplete personal data;
• The right to the restriction of processing. Restriction of processing means that we have to mark your personal data for which processing has been restricted and for the duration of the restriction we must not process it further, except for storing it. You have the right to obtain restriction of processing where one of the following applies:
• The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data,
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
• The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claim;
• The right to the erasure of your personal data. The Controller is obliged to erase personal data only in the cases specified by the GDPR, unless it is prevented by another legal regulation (e.g., when the statutory limitation period for personal data has already expired);
• The right to portability of your personal data. You can request that we provide you with your personal data for the purpose of transmitting them to another personal data controller, or that we ourselves transmit to another personal data controller. However, you only have this right regarding data that we process by automated means based on your consent or a contract with you;
• The right to request information from the Controller regarding the transfer of your personal data to third parties;
• The right to lodge a complaint with a supervisory authority, in the event that you believe that the processing of personal data infringes the legal regulations on the protection of personal data. You can lodge a complaint with a supervisory authority at your place of habitual residence, place of work, or place of the alleged infringement. In the Czech Republic, the supervisory authority is the Office for the Protection of Personal Data, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz;
• The right to object to processing in the cases specified by the GDPR.

If you believe that the Controller is processing personal data in violation of your right to protect your private or personal life, you can request an explanation and elimination of such a situation from the Controller.

You can exercise all your rights through the contacts listed in these General Principles.

AMENDMENTS TO THE GENERAL PRINCIPLES

We reserve the right, if necessary, to amend these General Principles, primarily with regard to the development of national legislation, the decision-making practices of the Office for Personal Data Protection, and other recommendations and opinions of other authorities whose outputs relate to the area of personal data protection. We recommend that you review these General Principles regularly to stay up-to-date on how we help protect your personal data that we process.


CONTACT

In the event of any questions about the protection of your personal data or withdrawal of consent to the further processing of your personal data, please contact us at the contact details listed above.

In this context, we would like to inform you that we may ask you to prove your identity to us in a suitable way so that we can verify it. This is a security measure to prevent unauthorized persons from accessing your personal data.


EFFECTIVENESS

These General Principles are effective as of 1 November 2022.