
Privacy Policy of Hotel.cz

("Privacy Policy")

This version of the Privacy Policies was translated automatically by an external tool. You can find the official version of ONLINE HOLDING s.r.o. Privacy Policies on this link: https://www.hotel.cz/privacy-policy/

HOTEL.CZ as (with registered office: Kolbenova 882 / 5A, 190 00, Prague 9, e-mail: [email protected], phone: +420 222 539 539, IČ: 271 76 223, DIČ: CZ 271 76 223), as a data controller (hereinafter referred to as the "Data Administrator"), protects all processed personal data as strictly confidential and handles them in accordance with applicable personal data protection legislation; the security of personal data is essential for it.

The data controller operates accommodation web portals at www.hotel.cz, www.spa.cz, www.penzion.cz and other accommodation websites (hereinafter referred to as "Websites").

The Data Controller within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679) collects, stores and uses (and otherwise processes) personal data of Website users for the performance of their business activities (the individual purposes for which personal data are processed are further defined below), which consists in arranging accommodation and stays with various accommodation operators.

The purpose of this document is to provide users of the Website and possibly other persons (hereinafter referred to as "Data Subject") with information about the processing of their personal data, how to protect them and their administration. The controller processes the personal data of the Data Subjects in particular on the basis of:

  • performing the activities necessary before the conclusion of the contract and fulfilling the obligations arising from the legal relationship in connection with the concluded contract
  • compliance with legal obligations
  • protection of legitimate interests (in particular the handling of requests, user complaints and the operation of the Website, etc.)
  • Consent to receive marketing newsletters and other marketing activities

Subject and Purpose of the Policy

The controller undertakes to ensure that all processing of data related to its activities complies with the requirements set out in this Policy and in applicable data protection legislation. The data controller is committed to protecting the personal data of its customers and users and attaches the utmost importance to respecting the right of users to informational self-determination. The data controller treats personal data confidentially and takes all security, technical and organizational measures to ensure the security of personal data.

Definitions

"Personal Data" means all information about an identified or identifiable natural person (Data Subject); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier, such as name, identification number, location data, network identifier or one or more specific physical, physiological, genetic, mental, economic, cultural or the social identity of that natural person;

"Processing" means any operation or set of operations involving personal data or sets of personal data which are carried out with or without the aid of automated procedures such as collection, recording, arranging, structuring, storing, adapting or modifying, retrieving, viewing, using, making available, transmitting or otherwise making available, sorting or combining, limiting, deleting or destroying;

"Processing Restrictions" means the identification of stored personal data in order to limit their future processing;

"Controller" means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for designating the controller may also be determined by Union or Member State law;

"Processor" means a natural or legal person, public authority, agency or any other body which processes personal data for the controller;

"Third party" means a natural or legal person, public authority, agency or any other entity other than a data subject, controller, processor or person under the direct control of controllers or processors authorized to process personal data;

"Consent" means any free, specific, informed and unambiguous expression of his or her will by which the data subject gives a statement or other obvious confirmation of his or her consent to the processing of his or her personal data;

"Personal Data Breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

"Data subject" means a natural person who is or can be identified on the basis of any information;

"Transfer" means disclosure of data to a third party;

"Recipient" means the natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether or not it is a third party. Public authorities which may have access to personal data in connection with individual investigations in accordance with Union or Member State law shall not be considered as recipients; the processing of such personal data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of their processing;

"Profiling" means any form of automated processing of personal data in which personal data is used to evaluate certain personal aspects relating to a natural person, in particular analysis or an estimate of aspects relating to that person's performance, economic situation, state of health, personal preferences, interests, reliability, behavior, whereabouts or movement;

These Policies and the terms used in them are consistent with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR");
  • Act No. 110/2019 Coll., Personal Data Processing Act; and
  • Recommendations of the Office for Personal Data Protection ("ÚOOÚ").

Principles of personal data processing

The Administrator undertakes to:

  • process personal data in a lawful, fair and transparent manner;
  • Collect personal information only for specific, explicit and legitimate purposes;
  • process personal data which are reasonable, relevant and only to the extent necessary in relation to the purpose of their processing;
  • Process personal information that is accurate and current;
  • retain personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
  • Process personal data in a way that ensures adequate security of personal data.

Details of personal data processing

The Data Controller processes the following personal data in connection with the use of its Website:

Name of the personal data processing activity | Personal data processed | Legal basis for the processing of personal data | Purpose of processing personal data | Retention period

1. Processing of personal data related to sending newsletters

Email Address, Last Name, First Name, Subscription Date, Subscription Source, Newsletter Activity (Opening Time, Number of Clicks on Links)

Legitimate interest (GDPR Article 6 (1) (f))

Informing Data Subjects about the latest accommodation and spa offers.

Until the Data Subject withdraws its consent.

2. Participation in the loyalty program

Membership creation date, Membership ID / number, Membership status (active, deleted), Point transaction data (number of points, type of transaction in points, place and time, number of points that have expired)

Data processing is necessary for the performance of a contract in which the data subject is one of the parties (Article 6 (1) (b) of the GDPR)

Through the loyalty program, the Administrator provides benefits to registered users (loyalty points, discounts, etc.).

For the duration of the contractual relationship and for 3 years after its termination

3. Processing data related to purchases:

Reservations made and active

Accounting Data:

  • Name, user ID, address (at the request of partners), Method and details of payment, including cash flow registration and user balance in case of online payment, booking details, unique identifier, data generated during booking management (request for price offer, modification, etc.),

Booking information (loyalty program only):

  • Point transaction data (number of points used in the purchase, type, place and time of the point transaction)

Other information:

  • Email address, Phone number, IP address, Additional information provided by the user.

When requesting a quote

  • Optional accommodation preferences information

Data processing is necessary for the performance of a contract in which the data subject is one of the parties (Article 6 (1) (b) of the GDPR)

The data controller operates a reservation service where the user can choose from the accommodation and services offered within the service and can initiate a reservation. If he does not provide his information, the data controller will not be able to provide the reservation service.

Accounting documents - For the period specified in the relevant legislation.

Other documents: For the duration of the contractual relationship and for a period of 3 years after its termination.

4. Processing of purchase-related data:

Reservations made but canceled

Accounting Data:

  • Name, user ID, address (at the request of partners), Method and details of payment, including registration of financial transfer and user balance in case of online payment, booking details, unique identifier, data generated during booking management (request for price offer, modification, etc.),

Booking information (loyalty program only):

  • Point transaction data (number of points used in the purchase, type, place and time of the point transaction)

Other information:

  • Email Address, Phone Number, IP Address, Additional User Information.

In the case of a request for a quote:

  • Optional accommodation preferences information

Data processing is necessary for the performance of a contract in which the data subject is one of the parties (Article 6 (1) (b) of the GDPR)

The data controller operates a reservation service where the user can choose from the accommodation and services offered within the service and can request a reservation. If he does not provide his information, the Data Administrator cannot provide the reservation service.

Accounting documents: (Only if the Administrator participates in the transfer of funds at the time of booking): for the period specified in the relevant legislation.

Other documents: For the duration of the contractual relationship and for a period of 3 years after its termination.

If the Administrator does not participate in the transfer of funds: 3 years.

5. Processing of purchase-related data:

No reservation made

Accounting Data:

  • Name, user ID, address (at the request of partners), Method and details of payment, including registration of financial transfer and user balance in case of online payment, booking details, unique identifier, data generated during booking management (request for price offer, modification, etc.),

Booking information (loyalty program only):

  • Point transaction data (number of points used in the purchase, type, place and time of the point transaction)

Other information:

  • Email Address, Phone Number, IP Address, Additional User Information.

In the case of a request for a quote:

  • Optional accommodation preferences information

  • Processing is necessary to take steps at the request of the data subject before the conclusion of the contract (Article 6 (1) (b) of the GDPR)
  • legitimate interest (Article 6 (1) (f) of the GDPR)

The reservation was not made during the process, or the data subject has sent a request for a new quotation, so no contract has been concluded. Retention for consumer protection reasons.

3 years

6. Data processing in case of interruption of the purchasing process

Information obtained when filling in the booking form:

  • Surname, First name, e-mail, telephone number, address (at the request of partners)

Legitimate interest (GDPR Article 6 (1) (f))

Ease of purchase - The data subject does not have to re-enter all the data.

The user's browser data is stored until the session ends (browser closes).

The administrator sends the user a separate reminder about the accommodation displayed and left in the cart - we keep the data for a maximum of 7 days.

7. System messages

Website User Information:

  • Name, Email, Booking Details

Data processing is necessary for the performance of the contract (Article 6 (1) (b) of the GDPR), or due to the existence of a legitimate interest of the Data Controller in proper communication with users and information on the operation of the Website (Article 6 (1) (f) of the GDPR).

The Administrator is obliged to inform the Data Subjects about changes in the operation of the Website and about confirmations related to the use of the Services.

In the case of mandatory information about the registered account or newsletter service, until the cancellation of the registration. For bookings, based on the cancellation time stated in the points related to the purchase.

8. A survey based on Google Forms

The administrator conducts opinion polls anonymously, does not request or automatically record personal data.

 

Surveys have important marketing value, but surveys do not require identifiable individuals or personal information.

The data controller explicitly warns not to share personal data.

If the Administrator finds personal information in the responses, it will be deleted immediately and irrevocably.

9. Competitions

Personal data contained in the personal data processing notice for the relevant competition.

Data Subject Consent (Article 6 (1) (a) GDPR)

The data controller occasionally advertises prize competitions for marketing purposes. The related data processing may differ from competition to competition, so information on data processing is included in the personal data processing information for the competition in question.

Retention period in the personal data processing notice for the relevant competition.

10. Customer service

According to the user's content and request:


Phone requests:

  • Audio record, telephone number and data recorded in the system;

Email requests:

  • Email address, message, and information recorded in it (name, email, phone number, other contact information);
  • Data obtained during the administration of the application and its outcome;
  • Offers, reservations, offer details, individual needs;

Data required to process a complaint

  • bank account number;
  • Details of a declined or canceled reservation.

Data processing is necessary for the performance of the contract (Article 6 (1) (b) of the GDPR)

Collecting offers and sending them to candidates. Informing the Subject about the offer or reservation, change of reservation, individual conditions and loyalty program, solution of its requirements, questions, support and processing of requests for change, start of reservation. Investigation of complaints and requests.

The data controller processes the data as described in the "Purchasing Data Processing" section, depending on the user's request.

Recorded audio obtained during a phone call will be retained for 3 years after it was made.

11. Reviews

Name (optional), City (optional), Passenger category (optional), Opinion and evaluation of the services of the Data Controller, accommodation, program, settlement (optional)

Data subject's consent (Article 6 (1) (a) GDPR)

Increasing user confidence in accommodation and ensuring the provision of quality services.

Until the Data Subject withdraws its consent.

12. No-show ratio

Number of reservations, number of completed reservations, number of no-shows, ratio of no shows calculated out of confirmed reservations.

Data processing is necessary for the performance of a contract (GDPR Article 6(1)(b) and Article 22(2)(a))

To ensure the quality and the actual performance of its services, the Data Controller might request a card guarantee based on automated decision-making if the no-show ratio is higher than 40 %.

5 years after the last reservation.

Learn more about newsletter privacy

The data controller regularly checks the accuracy of the personal data provided and unsubscribes the data subject from the newsletter if the e-mail address does not work, even if the data subject has not unsubscribed.

After unsubscribing, the Data Controller stores the date of unsubscription and the e-mail address of the data subject separately in order to be able to prove that he or she has unsubscribed. It may further use this information to ensure that newsletters are not sent to unsubscribed entities.

The Data Administrator analyzes the activities of the Data Subjects in relation to the newsletter. For analysis purposes, the newsletter sent contains a "web beacon" (also called a "measuring pixel"). Personal data and the web beacon are linked to an e-mail address and a unique identifier (ID), which is part of the links in the newsletter. The Data Administrator will receive information about when the newsletter is opened and which links are clicked while viewing it, which helps to determine the interests and preferences of the Data Subject. This data is used to adapt the newsletters as much as possible.

Processing of third party personal data

If the Data Subject provides personal data of third parties (e.g. when purchasing a gift voucher), it is the Data Subject's responsibility to ensure that the necessary consent to their provision and processing is obtained or that another legal basis for their processing is met. The data subject is further obliged to inform the Administrator of any changes to such personal data. Data subjects may not disclose personal data of third parties unless such disclosure is necessary for the performance of the contract with the Administrator.

Involvement of personal data processors

The Data Controller uses the personal data processors listed below to operate the Website. Other processors of personal data may be used on a case-by-case basis and the Administrator will inform the Data Subjects thereof.

Data recipients

In order to fulfill the contracts, the following information will be provided to the accommodation: name, e-mail address, telephone number, address (upon request of the accommodation), booking details, information provided in the requests / reviews, a description of the applications and their details.

In the case of a reservation, when a card guarantee or a deposit is required, the Data Administrator also transmits payment card details. For the purposes of the reservation process, the Data Administrator stores the payment card number and its expiration date in an encrypted manner. The stored information is always deleted when arranging accommodation.

Reviews provided by the Data Subject will be displayed on the Websites and affiliates of the Data Controller.

The processing of personal data based on an accommodation contract between the Data Subject and the accommodation establishment shall be governed by the principles of the respective accommodation establishment. The data subject is advised to always become familiar with the principles of the specific accommodation facilities he or she is interested in.

How personal data is stored, security of processing

The Data Controller shall take appropriate measures to protect the data subjects' personal data against any unauthorized access, alteration, disclosure, deletion or (accidental) destruction, damage or loss and unavailability resulting from changes in technology used.

The data controller shall ensure the security of the data processing by technical and organizational measures that provide a level of protection commensurate with the risks associated with the processing and taking into account the current state of technology.

Data subjects acknowledge that when sending electronic messages over the Internet (regardless of the protocol used - e-mail, web, ftp, etc.), their data may be vulnerable during transmission and may be exposed to access or further unauthorized use by a third party. The data controller undertakes to make every effort to eliminate these threats on its part and shall take all appropriate measures.

The data controller uses computer systems and other storage locations located at its headquarters and servers to protect the data received. The data controller selects and operates such IT tools for the processing of personal data so that the data processed:

  • are accessible only to authorized persons;
  • have their authenticity ensured;
  • remain unchanged;
  • are protected against unauthorized access.

Transfer of personal data to public authorities

The Data Controller further informs the Data Subjects that the court, public prosecutor, investigating authorities, law enforcement authorities, administrative authorities, the Office for Personal Data Protection or other authorities authorized by law, may request the Data Controller to provide information, data or documents, and the Data Controller shall comply with such requests within the limits of the legal order.

The data controller shall communicate to the requesting authorities only such personal data as are strictly necessary for the purposes of the request.

Data subject rights

If you have any questions or requests regarding the processing of personal data by the Data Controller or this Policy, please contact us at privacy@hotel.cz

Right of access to personal data

The data subject has the right at any time to request information about the personal data processed by the Data Controller and information about such processing.

At the request of the Data Subject, the Data Controller shall provide information on whether the data relating to the Data Subject are being processed. If processing takes place, the Data Controller shall provide the Data Subject with information on the purpose of the processing, what data is processed, the legal basis to which the data is made available, the source of the data, processing time, information on processing activities, circumstances and effects of any data breach and the measures taken to remedy such breaches.

The Data Controller shall provide the Data Subject upon request with a copy of the personal data that are being processed. The Data Administrator may charge a reasonable fee for additional copies requested by the data subject. Upon request submitted by electronic means, the information shall be provided in electronic format, unless the data subject requests otherwise.

If the Data Subject's request is manifestly unfounded or disproportionate, in particular due to its recurring nature, the Data Controller may, taking into account the administrative costs of providing the requested information or taking the required action, charge a reasonable fee or refuse to comply with the request. If the Data Subject does not agree with the processing and accuracy of the processed data, he may, in connection with his rights, request the correction, addition, deletion or restriction of the processing of personal data concerning him, may in specific cases object to the processing of such personal data, or may lodge a complaint with the supervisory authority, i.e. the Office.

Right of correction

The data subject may request the correction of inaccurate personal data concerning him / her and the completion of incomplete data.

Right to delete

The data subject has the right to have his / her personal data deleted (or "right to be forgotten") if one of the following reasons exists:

  • Personal data is no longer needed for the purposes for which it was collected or otherwise processed by the Administrator;
  • The data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • The data subject objects to the processing and there are no overriding legitimate reasons for processing his or her personal data;
  • Personal information is being processed illegally by the Administrator.

The data subject's right of erasure shall not apply if the processing is necessary for the bringing, enforcement or defense of legal claims.

Right to restrict processing

At the request of the Data Subject, the administrator will restrict processing if one of the following conditions is met:

  • The data subject denies the accuracy of the personal data (restrictions apply only for the time necessary to verify the accuracy of the personal data);
  • the processing is unlawful and the Data Subject requests the restriction of their use instead of deleting it;
  • The controller no longer needs personal data for processing purposes, but the Data Subject requires them to determine, enforce or defend his legal claims; or
  • The Data Subject has objected to the processing (the restriction applies until it is established whether the legitimate reasons of the Administrator outweigh the legitimate reasons of the Data Subject).

If processing is restricted, personal data may only be processed with the consent of the Data Subject or if their processing is intended to determine, enforce or defend legal claims or to protect the rights of another natural or legal person, or overriding public interest of the Union or a Member State. In such a case, the controller shall inform the Data Subject of the cancellation of the processing restriction.

The data controller shall inform any recipient to whom personal data have been disclosed of any rectification, erasure or restriction of processing which he or she has made, unless this proves impossible or involves a disproportionate effort. Upon request, the data controller shall inform the data subject of such recipients.

Right to data portability

The data subject has the right to receive personal data concerning him or her provided to the Data Controller in a structured, commonly used, machine-readable format and has the right to request the transfer of this data to another controller.

The right to data portability can only be exercised for data whose processing is based on consent, on the performance of a contract or if it is carried out automatically.

Right to object

The data subject has the right to object at any time to the processing of his or her personal data on the basis of a legitimate interest of the Data Controller.

In the event of such an objection, the Data Controller may further process personal data only if there are serious legitimate reasons to do so which outweigh the interests, rights and freedoms of the Data Subject or which serve to determine, enforce or defend his legal claims.

If personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to such processing as well as to profiling (if such processing is related to direct marketing).

Automated decision-making in individual cases, including profiling

The data subject has the right not to be the subject of a decision based solely on automated processing, including profiling, which would have legal effects on him or significantly affect him.

The above right does not apply if the processing:

  • is necessary for the conclusion or performance of a contract between the Data Subject and the Controller;
  • is permitted by Union or Member State law applicable to the Controller, which also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject; or
  • is based on the explicit consent of the Data Subject.

The Data Subject has the right to obtain human intervention on the part of the Data Controller, to express his or her point of view and to contest the decision.

Right to withdraw consent

The data subject has the right to withdraw his consent to the processing of the data at any time. Withdrawal of consent shall not affect the lawfulness of the processing based on the consent prior to its withdrawal.

Procedural rules

The Data Controller shall inform the Data Subject of the processing of his request without undue delay, but no later than one month from the date of its receipt. If necessary, taking into account the complexity of the application and the number of applications, this period may be extended by a further two months.

If the Data Subject has submitted his request by electronic means, the Data Controller shall provide information on his request in the same way, unless the Data Subject requests otherwise.

If the Data Controller does not comply with the request, it shall inform the Data Subject of the reasons and of his / her possibility to lodge a complaint with the supervisory authority (or the possibility to exercise his / her right to judicial protection) without undue delay, but no later than one month after receipt of the request.

Remedies

If the Data Subject has any comments, questions or problems with the Data Administrator, the processing of data or the use of the Administrator's services, he may contact him using the contact details on the Website.

Furthermore, the Data Subject also has the right to lodge a complaint with the ÚOOÚ; contact details:

Office for Personal Data Protection
Pplk. Sochora 27
170 00, Praha 7

Phone:  +420 234 665 111
Fax:  +420 234 665 444
E-mail:  [email protected]
Website:  https://www.uoou.cz/

Privacy Violations

A security breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.

The data controller keeps records for the purpose of monitoring the measures taken in connection with the personal data breach, informing the supervisory authority and informing the data subject, which include the scope of personal data affected by the breach, the number and scope of data subjects, the date of the infringements, the circumstances, effects and measures taken to remedy the infringements.

If the Data Controller considers that the incident poses a high risk to the data subjects' rights and freedoms, it shall inform the Data Subject and the supervisory authority of the personal data breach without undue delay, but no later than within 72 hours.

Consent to data processing

The processing of personal data not based on the performance of a contract, legal obligations or a legitimate interest may take place with the consent of the Data Subject. In such a case, the Data Subject voluntarily, expressly and on the basis of the information provided agrees to the collection, storage and transmission of its data provided on the Website. This consent is valid until revoked.

The data subject acknowledges that this consent may be revoked at any time without giving a reason. In the event of withdrawal of consent and if the Data Subject requests the Administrator to delete his data, deleting personal data may terminate his user account with the Administrator. The data subject shall take note of the possible consequences of withdrawing his consent. The data subject is fully responsible for the authenticity and accuracy of the data provided. By checking the box, the Data Subject declares that he / she is aware of and has understood the processing.

The consent described in this article is given in the form of a check box; by granting it, for example, the data subject consents to the processing of the data provided for the purpose of sending personalized tenders (for more details on the processing by consent, see Article IV).

Other provisions

Data processing information not provided in this Policy is provided to the Data Subject at the time of collection.

This Policy is effective from 14.3.2022 and will be updated regularly.