Information about Personal Data Processing
In relation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Act No. 18/2018 Coll. on Personal Data Protection, we are performing our information obligation in relation to the processing of your personal data.
Please read the following information about how we process your personal data.
Who is the controller of your personal data?
The controller of your personal data is IMET, a. s. with its registered office at Bardejovská 1/C, 040 11 Košice, company ID No (IČO): 36 185 957, registered in the Company Register of the District Court of Košice I, Section: Sa, File No: 982/V.
The controllers have appointed a Data Protection Officer to supervise personal data processing. You may contact the Data Protection Officer at: firstname.lastname@example.org.
For what purposes do we process your personal data and what is the legal basis for its processing?
Processing based on a contract and pre-contractual relationships:
In connection with the provision of accommodation, food and catering services, wellness services, conference and other additional services of our hotel we process your personal data based on a contract and we are entitled to process it without your consent.
We may process your personal data for the purposes of marketing through which we inform you about any news and changes in relation to our products and services either with your consent or based on the Controller´s legitimate interest. In case your personal data for marketing purposes are processed on legal basis of consent, we inform you , that you have the right to withdraw your consent at any time by clicking on the opt-out line (disclaimer) in the potential request for the processing of your personal data for marketing purposes sent by us or by sending a request to email@example.com
Processing based on the Controller´s legitimate interest:
Based on legitimate interest, we are entitled to process personal data for identification and in order to check the identity of visitors when entering the Controller´s premises or for use of the camera information system for the purposes of protection of our property. This legal basis also allows us to process personal data when recovering claims or in the case of litigations.
What entities have access to your personal data?
We use the services of external processors and third parties, e.g. for IT administration, camera information system administration, claims recovery, legal representation in litigations or in interview procedures. We make sure that all processors act in accordance with the applicable legislation, comply with the confidentiality obligation and process your data exclusively in the extent of the concluded contracts and protect it accordingly in compliance with GDPR requirements and international standards.
How long are we going to store your personal data?
We are going to store your personal data throughout the contract period and for a lawfully determined period of time for its archiving or for the period necessary for achieving its purpose.
We are entitled to process the personal data acquired with your consent (for marketing purposes) for such purpose until you withdraw your consent.
Any personal data processed for the purposes of legitimate interest is processed only in the extent necessary for achieving its purpose.
What rights do you have in relation to the processing of your personal data?
Right of access to personal data:
The Controller shall provide data subjects (persons whose personal data it is processing) with confirmation that it is processing personal data concerning them, while the data subjects have the right to have access to their personal data to the extent referred to in Article 15 of GDPR.
Right to rectification of personal data:
Data subjects have the right to have their personal data rectified if it is inaccurate or incomplete. The Controller is obliged to comply with any request for rectification of personal data without any undue delay.
Right to erasure (right to be forgotten):
The Controller has the obligation to erase the personal data of any data subject without undue delay where:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based;
- there is no other legal ground for the processing of personal data;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the data subject objects to the processing and the personal data have been unlawfully processed;
- the personal data have to be erased in order to comply with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services.
Data subjects may file a request for erasure also if their data is processed unlawfully and illegally in relation to GDPR.
The Controller may not comply with a request for erasure to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for the performance of a task carried out in the public interest;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.
Right to restriction of personal data processing:
Data subjects have the right to obtain from the Controller restriction of processing of their personal data where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending verification whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted, such personal data will, with the exception of storage, only be processed:
- with the data subject’s consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person;
- for reasons of important public interest of the Union or of a Member State.
Right to have personal data transmitted:
Data subjects have the right to receive their personal data which they have provided to a Controller and they have the right to transmit those data to another Controller (e.g. in the event of a change of the provider of a certain service). Based on such request the Controller is obliged to enable transmission of such data in a structured, commonly used and machine-readable format (e.g. XML or CSV).
Who can you turn to in relation to the processing of your personal data?
Our Company has appointed a Data Protection Officer. If you have any questions or issues relating to the processing of your personal data, e-mail us as soon as possible at: firstname.lastname@example.org. You have the right to file a complaint to the Office for Personal Data Protection if you suspect any violation of your rights.