Dear Hotel Guest / Dear Person Interested in Hotel services,

Please read the following information on your personal data processing conditions, which we provide to you in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the General Data Protection Regulation) (hereinafter referred to as the “GDPR”).

Where your personal data are processed, you are a data subject, i.e. a person to whom the personal data processed by us are related.

Controller:

IMET a.s., with the registered office at Bardejovská 1/C, 040 11 Košice, CIN: 36 185 957, incorporated in the Commercial Register of the Košice I District Court, section: Sa, file no.: 982/V (hereinafter referred to as the “Controller”)

Controller contact details: phone no. +421-47-2852 200, e-mail: recepcia@hotelgalicianueva.sk.

Should you have any questions, or should you wish to exercise your rights in relation to the processing of your personal data, please contact the Controller at the e-mail address above or in writing by delivering your letter to the address of the Controller’s registered office, or contact the Data Protection Officer by e-mail at: zodpovednaosoba@imet.sk

We process your personal data on the following legal bases:

  • on the basis of contractual and pre-contractual relations (Article 6 (1) (b) of the GDPR)
  • on the basis of our legitimate interests (Article 6 (1) (f) of the GDPR)
  • on the basis of compliance with legal obligation (Article 6 (1) (c) of the GDPR)
  • on the basis of the consent granted by the data subject (Article 6 (1) (a) of the GDPR).

We would like to inform you that the data subject is required to provide his/her personal data where it is necessary to process any personal data in connection with complying with the legal obligation of the Controller.

The data subject is also required to provide personal data in cases where such provision constitutes a contractual requirement resulting from a contract concluded between the Controller and the data subject. The provision of personal data within pre-contractual and contractual relations is necessary, otherwise any failure to provide them would make it impossible to conclude a contract or to perform such contract.

Where the legal basis for personal data processing is the consent, the granting of such consent is voluntary. Where we process personal data based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof. The withdrawal of consent shall be free of charge and it shall not be subject to any penalty. The consent may be withdrawn in writing by delivering the notice to the address of the Controller’s registered office or to the following e-mail address: recepcia@hotelgalicianueva.sk or asistentka@hotelgalicianueva.sk alebo zodpovednaosoba@imet.sk.

Where we process personal data on the basis of our legitimate interests (Article 6 (1) (f) of the GDPR), the data subject has the right to object to the processing of his/her personal data performed under this legal basis at any time for reasons specific to his/her particular situation.

 

For how long shall we store your personal data?

We shall store your personal data for the period necessary to achieve the purpose, for which the personal data are being processed.

Where your personal data are processed as part of the compliance with legal obligations of the Controller and the legal regulation establishes the data retention period or the criteria for its determination, we shall store the personal data and any related documentation for the period required by the applicable legal regulation.

The storage of personal data that we process about you is governed by Act no. 395/2002 Coll. on archives and registries, as amended.

You may find more information on the storage period below in this document.

  

For what purposes do we process the personal data of our hotel guests/persons interested in hotel services (or their contact persons), what is the legal basis for their processing and the retention period?

 

  • for the purpose of keeping records on guests and provision of services to guests staying in the Castle Hotel Galicia Nueva

The processing is necessary for performing the contract, to which the data subject is a contractual party (contract for provision of accommodation services).

Retention period: 10 years.

 

  • for the purpose of fulfilment of legal obligations in connection with the registration of citizens and foreigners staying in the Castle Hotel Galicia Nueva

The processing is necessary for the fulfilment of legal obligations of the Controller under Act no. 404/2011 Coll. on the residence of aliens, amending and supplementing certain acts, as amended, and Act no. 253/1998 Coll. on reporting the residence of citizens of the Slovak Republic and on the Register of Citizens of the Slovak Republic, as amended.

As a hotel, we are required to keep a guest book containing the information about the first name and surname of the accommodated guest, ID card or passport number, permanent residence address and the accommodation period. When accommodating a foreigner, we are required to check his/her identity, enter his/her nationality and date of birth to the guest book and to arrange the completion of the official foreigner residence report form, including its delivery to the police department within five days of accommodation.

Retention period: 10 years.

 

  • for the purposes of sending marketing emails and electronic newsletters

With your consent, we shall process your e-mail address data, to which we shall be sending you the e-mail messages with a presentation of offered services and special offers, invitations to events organised by the Hotel and newsletters. The personal data shall be processed for this purpose with the consent of the data subject. The consent is voluntary. The data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof.

Where we obtained your e-mail address in connection with the sale of goods or service, we shall process your data for that purpose based on our legitimate interest to inform our customers about the news in the field of products and services provided by us (hotel’s sale offers, invitations to events organised by the hotel). Pursuant to Article 21 (2) of the GDPR, the data subject has the right to object at any time to the processing of personal data for the purposes of direct marketing. In such case, we must no longer process personal data for this purpose.

Each marketing e-mail or newsletter set includes a link serving for unsubscribing. If you are no longer interested in receiving information about our latest news and offers, you can unsubscribe by clicking this link.

Retention period: 5 years, respectively for the period specified in the consent (5 years from granting the consent).

 

  • for the purpose of contacting the guest staying in the Castle Hotel Galicia Nueva in case of emergency

The processing of the phone contact of a guest staying in the hotel for the given purpose only takes place where the guest gives his/her consent to it. The consent is voluntary and the data subject is entitled to withdraw it at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof. The consent may be withdrawn by e-mail sent to recepcia@hotelgalicianueva.sk or asistentka@hotelgalicianueva.sk or zodpovednaosoba@imet.sk or in writing by delivery to the address of the Controller’s registered office. Where the consent is not granted, we are unable to inform the hotel guest in emergency cases (should any extraordinary/unforeseen event took place that would or could have any impact on him/her).

Retention period: for the period of accommodation.

 

  • for the purpose of organising presentations, training courses, corporate meetings and events, weddings in the premises of the Castle Hotel Galicia Nueva, including handling the request – inquiry for the said hotel services entered via the contact form on the Controller’s website at www.zamockyhotelgalicianueva.sk or in the form of email communication

In this respect, we shall process the personal data of the:

  • contact person of the entity interested in a hotel service (employee or person acting on behalf of the company/organisation); in this case, the legal basis for personal data processing is the legitimate interest pursued by the Controller (Article 6 (1) (f) of the GDPR), and this namely the interest to provide a service and to secure communication with the entity interested in the service
  • entity interested in a hotel service (with a natural person, for instance to organise a wedding); in this case, the processing is necessary so that, at the request of the data subject, the measures are taken before concluding the contract (pre-contractual relations) and so that the contract concluded with the data subject is performed.

We collect personal data directly from data subjects or from the entity interested in the service, while we process common personal data – first name and surname, contact details, work position or role (with contact persons) or possibly other data related to the event organised in the hotel, e.g. the wedding date of the data subject.

Retention period: until the end of presentation/training/company meeting/event/wedding in the hotel premises; maximum however 1 year.

 

  • for the purpose of presenting events (weddings and celebrations) organised by the Controller in the premises of the Castle Hotel Galicia Nueva by publishing photos of these events on the hotel’s website at zamockyhotelgalicianueva.sk

We process the personal data (photos) for this purpose with the consent of the data subject. The consent is voluntary and the data subject is entitled to withdraw it at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof. The consent may be withdrawn by e-mail sent to recepcia@hotelgalicianueva.sk or asistentka@hotelgalicianueva.sk or zodpovednaosoba@imet.sk or in writing by delivery to the address of the Controller’s registered office.

In this case, the recipient of personal data is the company providing external support and operation of the website, as well as the hotel website’s visitors.

Retention period: photos are published on the website for the period of 1 year from the date of their publication; the photos are then deleted and not stored.

 

  • for the purpose of protecting the Controller’s property by monitoring the Controller’s premises with a CCTV system

In this case, we process personal data of persons staying in the monitored premises of the hotel based on our legitimate interest: protection of the Controller’s property and prevention of damages. The specific information about the processing of personal data by a CCTV system is displayed in the hotel lobby.

Retention period: 15 days from the date of creating the recording; in justified cases, for the period necessary to investigate the recorded behaviour of a data subject and/or to prove and defend the legal claims of the Controller arising in connection with the course of events recorded by the CCTV system.

 

  • for the purpose of claim handling

For this purpose, we process personal data of natural persons who lodge a claim relating to products/services supplied/provided to them by us. If you are consumer lodging a claim relating to our products/services, we shall process your personal data for the purposes of processing your claim whereas such processing is necessary to comply with legal obligations of the Controller under the Act no. 250/2007 Coll. on consumer protection, amending the Act of the Slovak National Council no. 372/1990 Coll. on misdemeanours, as amended (pursuant to this act, the Controller is required to keep records on claims and to submit it at the request of the supervisory authority for inspection, as well as to submit at the request of the supervisory authority the copy of the claim receipt confirmation etc.).

Where the claim is lodged by a data subject who is not a consumer, we shall process your personal data for this purpose based on the contract we have concluded with you and under which you are entitled to claim liability for defects of a product or service. In such case, the processing is necessary to perform the contract, to which the data subject is a contractual party.

Retention period: 5 years from handling the claim.

 

  • for the purpose of bookkeeping, processing of accounting and tax documents, invoicing and cash register records

The processing for this purpose is necessary for the compliance with legal obligations of the Controller, in particular pursuant to Act No. 431/2002 Coll. on accounting, as amended, Act no. 222/2004 Coll. on value added tax, as amended, Act no. 595/2003 Coll. on income tax, as amended, Act no. 283/2002 Coll. on travel expenses, as amended.

Retention period: 10 years (in accordance with the Accounting Act – § 35).

 

  • for registry purposes, including records on sent and received postal items

The processing is necessary for the compliance with legal obligations of the Controller pursuant to Act no. 395/2002 Coll. on archives and registries, supplementing certain acts, as amended.

Retention period: for the period required by the applicable legal regulation (i.e. for the period, during which the registry creator needs the registry record for its activities) – the specific time periods are established by the Registry Plan. We store the personal data in the register of sent and received postal items for the period of 5 years (following the end of a calendar year, in which a postal item is sent/received).

 

  • for the purpose of handling requests for the exercise of rights of data subjects

If you exercise your rights with us as a data subject, we shall process your personal data for this purpose. The processing is necessary for the compliance with the Controller’s legal obligations under personal data protection regulations (GDPR), which obligations the Controller has in relation to the exercise of rights of data subjects under Articles 15 to 22 of the GDPR.

Retention period: 5 years from the date of handling the request, minimum however until the lawful ending of the administrative proceedings, which were initiated at the request of the data subject.

 

Recipients of personal data:

The recipients of your personal data are, or may be, the entities designated by legal regulations, in particular the tax office, public administration bodies and public authorities exercising control and supervision, courts, law enforcement bodies.

Depending on the purpose of the processing and specific circumstances, the recipients of your personal data may also include other persons (acting in the capacity of intermediaries or independent controllers), for instance:

  • attorney,
  • bank,
  • provider of postal services,
  • external service providers in the field of information systems and software products (e.g. external CRM system supplier),
  • auditing company performing statutory audit,
  • provider of external support and operation of websites,
  • external service providers in the field of marketing activities and PR services,
  • company performing external management of the HORES hotel system. FoodMAn.

Where we process your personal data through intermediaries, as a special category of personal data recipients, we make sure to proceed in accordance with applicable legal regulations and the terms agreed in the Personal Data Processing Contract in order to bind them with confidentiality obligation and to protect your data in accordance with the requirements of the GDPR.

The recipients of published personal data (photos of weddings, celebrations) are the visitors to the hotel’s website.

 

Shall your personal data be provided outside the European Union?

We do not transmit your personal data to any third country or to any international organisation.

Shall your personal data be used for automated individual decision-making?

The personal data shall not be used for automated individual decision-making, including profiling.

Rights of data subjects:

Right to access to personal data under Article 15 of the GDPR:

The data subject has the right to obtain from the Controller the confirmation whether or not personal data concerning him/her are being processed. The data subject has the right to gain access to his/her personal data (s/he has the right to be provided with a copy of the personal data kept by the Controller about the data subject) and to the information on how the Controller processes these data to the extent of Article 15 of the GDPR.

Right to rectification of personal data under Article 16 of the GDPR:

The data subject has the right to rectification of personal data concerning him/her where they are inaccurate, or to the supplementation where the data are incomplete. The Controller must comply with the request for rectification or supplementation of personal data without undue delay.

Right to erasure (right to be “forgotten”) under Article 17 of the GDPR:

The data subject has the right to obtain from the Controller without undue delay the erasure of personal data concerning him/her, and this under the conditions laid down in Article 17 of the GDPR (e.g. where the personal data obtained by the Controller about the data subject are no longer necessary for the purposes, for which they were collected or otherwise processed). This right of the data subject shall be reviewed by the Controller from the viewpoint of all relevant circumstances in accordance with Article 17 of the GDPR (e.g. the operator shall reject the request where the processing is necessary – to comply with the Controller’s legal obligation or to establish, exercise or defend legal claims).

Right to restriction of personal data processing under Article 18 of the GDPR:

The data subject shall have the right to obtain from the Controller the restriction of processing of his/her personal data where one of the cases referred to in Article 18 of the GDPR applies (e.g. where the data subject challenges the accuracy of the personal data, and this during the verification period thereof). Where the processing is restricted in accordance with Article 18 (1) of the GDPR, with the exception of storage the personal data shall be processed: (a) only with the consent of the data subject, or (b) for the establishment, exercise or defence of legal claims, or (c) for the protection of the rights of other natural or legal person, or (d) for reasons of important public interest of the Union or of a Member State.

Right to personal data portability under Article 20 of the GDPR:

Where the processing is based on a consent or on a contract and it is performed by automated means, the data subject shall have the right to obtain his/her personal data, which s/he has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Where technically feasible, the data subject shall have the right to transmit the data directly from one controller to another controller.

Right to object under Article 21 of the GDPR:

Where the processing is based on legitimate interests (Article 6 (1) (f) of the GDPR), the data subject shall have the right at any time to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, including profiling based on provisions of Article 6 (1) (f) of the GDPR. In such case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Right to file a motion or complaint to the Office for Personal Data Protection

You are entitled to file a motion or complaint in the matter of processing of your personal data at any time to the supervisory authority, i.e. to the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Phone: +421 2 3231 3214, www.dataprotection.gov.sk.