1. Information on the processing of personal data
We hereby inform you in this document about the principles and procedures for processing your personal data and your rights, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and repealing Directive 95/46/EC (hereinafter referred to as the Regulation) and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.
Data subject (“Customer” or “Data subject”): individual to whom personal data relates;
Personal Data: any information relating to an identified or identifiable customer; an identified or identifiable customer is a natural person who can be identified directly or indirectly, in particular by reference to a particular identifier, such as name, identification number, location data, network identifier, or one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual;
Controller: the company Hermitage Holdings a.s. (“Controller” or “Company”), the entity that determines the purpose and means of the processing of personal data, performs the processing and is responsible for it. The Company may empower or entrust a Processor with the processing of personal data, unless a special law provides otherwise;
Processor: Any entity that, under a special law or under the authority of Controller, processes personal data under the Act and the Regulation on the basis of a personal data processing agreement;
Processing of personal data: processing of personal data is any operation or set of operations that the Controller or the Processor systematically performs with personal data by automated or other means; processing of personal data means in particular collecting, storing on information media, accessibility, modifying or altering, searching, using, transmitting, disseminating, publishing, storing, exchanging, sorting or combining, blocking and disposal;
Purpose of processing of personal data: The aim, for which it is necessary or effective to process personal data of data subject;
Scope of processing of the personal data: List of specific personal data of data subject processed for particular purpose;
Hermitage Holdings a.s., running the hotel Hermitage Hotel Prague.
3. Personal data processing principles
• lawfulness, fairness and transparency of processing;
• purpose limitation – collection only for certain, explicit and legitimate purposes;
• data minimization – adequacy, relevance and limitation of processing to absolutely necessary scope in relation to the purpose;
• accuracy and up-to-date – the controller shall take all reasonable steps to ensure that personal data which are inaccurate, taking account of the purposes for which they are processed, are erased or corrected without delay;
• storage limitation – personal data shall be stored in a form which permits identification of data subject for no longer than is necessary for the purposes for which the personal data are stored, in accordance with implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedom of the data subject;
• integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures;
4. Personal data sources
The Controller obtains the personal data of its customers primarily from the customers themselves when negotiating the contract. The controller always informs customers when the provision of personal data is necessary for the provision of a particular service and when it is voluntary, while providing such personal data facilitates mutual communication between the customer and the controller as well as a significantly more efficient service delivery. In order to ensure the security of the controller and data subject, as well as the security of the provided services, there is a camera system in the hotel’s premises. The data subject is always informed about the location of the camera system by pictograms when entering such an area. Recordings from CCTV systems are archived for 3 days and are not processed further. Where necessary, records shall be forwarded to the law enforcement authorities for the purpose of properly clarifying the facts of the case.
5. Scope of processing
The controller and its contractual processors process the following personal data, or categories of personal data, according to the relevant legal title and purpose of processing.
a. identification data: salutation, name, surname, date of birth, identity card details, place and country of birth, nationality, seat of business, employer, job position;
b. details of address: address of permanent or temporary address, delivery address or other contact address;
c. electronic contact information: telephone, mobile phone, fax, e-mail address;
d. other electronic details: no processing;
e. personal data associated with a contractual relationship: bank account number, credit card number, customer account number (loyalty program), purpose of stay, length of stay (date of arrival, date of departure), orders and transactions, room number;
f. Personal data associated with video of people in the field of view of the camera system in the controller’s premises.
6. Personal data processing
The controller processes the personal data of the data subject on the basis of the following legal reasons:
• legitimate interest of data controller;
• contractual necessity;
• compliance with legal obligations;
• unambiguous consent of the individual.
6.1. Legitimate interest of data controller
Legal title for processing personal data where the legitimate interests / rights of the controller prevail over the interests / rights of the data subject, taking into account the reasonable expectations of the data subjects on the basis of their relationship with the controller. These are cases for which consent to the processing of personal data is not necessary.
These are in particular the following purposes (where the scope of data being processed is defined by the letters corresponding to Article 5 - Scope of processing):
Protection of property of the controller, life and health of employees, customers and persons entering the controller’s premises, for scope of processing 5.6, for 3 days from the recording.
6.2. Contractual necessity
The controller shall process the personal data of the data subjects related to the fulfillment of the contractual obligations of the two contracting parties, in particular for the purposes of the valid conclusion, modification and termination of the contract in accordance with the civil code and the commercial code.
The period of processing is determined by the duration of the customer's contractual relationship with the data controller.
It can be a contract for accommodation, a contract for renting conference rooms and organizing events, etc.
6.3. Compliance with legal obligations
The data controller provides personal data about the data subjects in addition to the processors also to the recipients of personal data, including the state authorities and other entities in the application of the statutory rights and fulfillment of the statutory obligations.
The scope of processing of personal data and the length of time it is processed is determined by generally binding legal regulations.
6.4. Unambiguous consent of the individual
In the event that the controller processes personal data of the data subject for other purposes that cannot be subordinated to the purposes specified in Articles 6.1, 6.2 and 6.3, he may do so only on the basis of the valid consent given to the processing of personal data by the data subject, which is a manifestation of the free will of the subject, and thus forms a specific legal title for such handling of personal data.
Granting consent to the processing of personal data is voluntary and free. Failure to grant consent, or a reduction of its scope, will not affect the performance of a previously contracted liability for the duration of the contract or the possibility of a new commitment by the data controller.
Failure to grant consent to the processing of personal data may affect the level of supplementary services provided and the range of products offered. The consent may be withdrawn at any time in whole or in part.
6.5. Period of retaining personal data
The controller keeps the personal data of the customers for the necessary time and to the necessary scope to meet the legal requirements (especially pursuant to Act No. 326/1999 Coll., On the Residence of Aliens in the Czech Republic, as amended, and Act No. 565/1990 Coll.). On the basis of these laws, the controller keeps the personal data listed in these laws for a period of 6 years.
The data controller keeps personal data of employees according to the Act 262/2006 Coll., Labor Code, as amended; 337/1992 Coll., On Administration of Taxes and Fees, as amended; 586/1992 Coll., On Income Taxes, as amended; 48/1997 Coll., On public health insurance, as amended; 143/1997 Coll., On Salary and Remuneration for Standby, as amended; 100/1998 Coll., On Social Security, as amended; 155/1995 Coll., On Pension Insurance, as amended, 10 years or 20 years respectively. The data are stored only according to the definition of these laws. The data are archived in a locked area with permitted access only for a limited circle of persons.
Other personal data are kept only for the time necessary for providing and billing the service and are subsequently erased or shredded.
In the case of consent to the processing of personal data, the data shall be retained for the duration of the consent.
7. Method of processing personal data
The personal data of the Data subject are processed automatically and manually and can be made available to the controller's employees, if this is necessary to fulfill their duties, the processors with whom the controller has entered into a contract for the processing of personal data, and another person in accordance with the Act and the Regulation. The list of processors of personal data is published in Chapter 8.
If the data subject considers that unauthorized processing of his or her personal data is involved, he or she may address a complaint to the supervisory authority, which is the Office for Personal Data Protection.
8. Recipients and processors of personal data
The Company runs the hotel without connection to any hotel chain. The Company has a TravelClick-Inc-EU-Data-Processing-Agreement-March-2020 agreement to connect to sales channels with TravelClick, Inc. (hereinafter "TravelClick"). As part of this, the Company is connected to TravelClick's central reservation system. We distinguish personal data according to the legal title, while the scope and purpose of processing is defined for each legal title.
Personal data may be processed by the processors solely on the basis of a contract for the processing of personal data, that is, with the guarantees of organizational and technical security of these data and with the definition of the purpose of the processing, and the processors may not use the data for other purposes.
9. Rights of the data subject
The data subject shall have the following rights:
• to access his or her processed personal data, and to their rectification, erasure or limitation of processing;
• to object to processing of personal data;
• to address a complaint to the supervisory authority;
• to withdraw consent to the processing of personal data with effects into the future at any time;
• to obtain from the controller a confirmation that his or her personal data is processed or not;
• to have the controller correct inaccurate personal data concerning him / her without undue delay. Taking into account the purposes of processing, the data subject has the right to supplement incomplete personal data;
• The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
c. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d. the personal data have been unlawfully processed;
e. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f. the personal data have been collected in relation to the offer of information society services. Details and exceptions to this right are governed by the Regulation;
• to obtain from the controller restriction of processing where one of the following applies:
a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d. the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
• to data portability, that is, to obtain the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means;
• to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, including profiling based on the Regulation. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
The data subject may apply the rights:
• personally, at the reception
• send by post (customer signature must be officially certified)
• filled in form, which will be emailed to firstname.lastname@example.org (the form must include a digital signature with a qualified certificate)
10. Contact details
Hermitage Holdings a.s., ID: 27146006, Svobodova 1, Prague 2, 128 00, Czech Republic. Do not hesitate to contact us at: email@example.com
This document will enter into force on 23rd of April 2020. The text was updated on 23rd of April 2020.