DECLARATION ON PROCESSING OF PERSONAL DATA

Price list

Pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and instructing data subjects (hereinafter “GDPR”)

I. Data Controller

Kampus Palace s.r.o., with its registered office at: Smetanovo náměstí 3116/10, 702 00 Ostrava, ID No.: 05029627, VAT No.: CZ05029627, entered in the Commercial Register maintained by the District Court in Ostrava under the file number C 65986, (hereinafter the “controller”) hereby informs you in accordance with Article 12 of GDPR about the processing of your personal data and about your rights.

II. Scope of Processing of Personal Data

Personal data are processed in the scope in which the data subject has provided them to the controller in relation to the conclusion of a contractual or similar legal relationship with the controller or which have been collected by the controller in accordance with applicable legislation or to fulfil legal obligations of the controller.

III. Sources of Personal Data

  • directly from data subjects (customers, job applicants, e-mail communication, phone communication, website contact forms etc.)
  • from controller’s business partners (travel agencies, companies providing on-line accommodation reservations etc.)

IV. Categories of Personal Data Processed

  • address and identification data used for unambiguous and unmistakeable identification of data subjects – name, surname, date of birth, permanent address, citizenship, number of the travel document or another official proof of identity, visa number, purpose of the stay, signature and data to contact the data subject – contact details – e.g. contact address, phone number, e-mail address and other similar information.
  • descriptive data (e.g. bank details)
  • other data necessary to perform the contract
  • data provided beyond the legal requirements, processed based on the data subject’s consent (use of personal data for marketing communications, personnel management etc.)

V. Categories of Data Subjects

  • controller’s customer
  • controller’s employee
  • controller’s supplier
  • another person in a contractual relationship with the controller
  • job applicant

VI. Categories of Recipients of Personal Data

  • financial institutions
  • processors
  • public and other authorities in the fulfilment of legal obligations stipulated by relevant legal regulations

VII. Purpose of Processing of Personal Data

  • execution of orders, reservations, concluding and performing contracts related to the services offered and provided, as well as in cases prescribed by the law, particularly by Municipal Charges Act for the purpose of collecting fees for spa or recreational stays, or fees for accommodation capacity, the act on the residence of foreign nationals, where the provision of personal data is mandatory (in the above cases, Kampus Palace s.r.o. is in accordance with the provisions of Article 6(1)(b), (c), (f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) entitled to process your personal data without your consent).
  • purposes contained in the data subject’s consent
  • negotiations on a contractual relationship
  • performance of the contract
  • protection of rights of the controller, recipient or other persons concerned (e.g. recovery of amounts receivable of the controller)
  • archiving under the law
  • recruitment procedures
  • fulfilment of legal obligations by the controller
  • protection of vital interests of the data subject

When making reservations on the controller’s website, personal data are required for successful booking (name, surname, phone, e-mail). The purpose of processing of personal data is to handle orders from data subjects and to exercise rights and obligations arising from the contractual relationship between the data subject (customer) and the controller. The purpose of processing of personal data is also sending of commercial communications and performing other marketing activities. The legal reason for processing of personal data is the fulfilment of the contract under Article 6(1b) of GDPR, performance of the controller’s legal obligation under Article 6(1c) of GDPR and the controller’s legal interest under Article 6(1f) of GDPR. The controller’s legitimate interest is the processing of personal data for marketing purposes.

VIII. Method of Processing and Data Protection

Processing of personal data is conducted by the controller. The processing is carried out in controller’s premises and registered office by authorised employees of the controller, or by the processor. The data are processed by the computer technology, or manually in the case of personal data in paper form, in compliance with all security policies for the management and processing of personal data.

To this end, the controller has taken appropriate technical and organisational measures (in accordance with Article 25 of GDPR) to ensure the data protection, in particular, measures to prevent unauthorised and accidental access to personal data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, as well as other misuse of personal data. All entities to which personal data may be made available shall respect the data subjects’ right to privacy and proceed in accordance with applicable legislation related to data protection.

The Provider is not involved in automated individual decision-making (including profiling) within the meaning of Article 22 of GDPR.

IX. Period of Processing of Personal Data

In accordance with deadlines defined in the relevant contracts, the controller’s filing and shredding rules and in the relevant legal regulations, this is a period necessary to ensure the rights and obligations arising from the contractual relationship as well as from the relevant legal regulations.

X. Guidance

The controller processes data with the data subject’s consent, except where the data subject’s consent to the processing of personal data is not required by the law.

In accordance with Article 6(1) of GDPR, the controller may process the following data without the data subject’s consent:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

XI. Rights of Data Subjects

In accordance with Article 12 of GDPR, the controller will inform data subjects at their request about the right to access their personal data and the following information:

  1. purpose of processing,
  2. category of the personal data concerned,
  3. recipients or categories of recipients that have been or will be provided with access to personal data,
  4. planned period for which personal data will be stored,
  5. all available information on the source of personal data,
  6. if they are not obtained from the data subject, the existence of automated decision-making, including profiling.

In relation to the controller, the data subject has the following rights:

  1. the right to access his/her personal data under Article 15 of GDPR,
  2. the right to rectification of his/her personal data under Article 16 of GDPR,
  3. the right to erasure, right to be forgotten under Article 17 of GDPR,
  4. the right to restriction of processing under Article 18 of GDPR,
  5. the right to data portability under Article 20 of GDPR,
  6. the right to object to processing under Article 21 of GDPR,
  7. the right not to be subject to a decision based solely on automated processing, including profiling, under Article 22 of GDPR.

Each data subject who believes that the controller or processor processes his/her personal data contrary to the protection of data subjects’ privacy or contrary to the law, in particular, if the personal data are inaccurate with respect to the purpose of their processing, the data subject is entitled to:

  1. Ask the controller to provide an explanation.
  2. Ask the controller to remedy the situation. In particular, this may concern blocking, rectifying, completing or erasing personal data.
  3. If the data subject’s request pursuant to paragraph 1 found to be justified, the controller shall immediately remedy the situation.
  4. If the controller fails to satisfy the data subject’s request pursuant to paragraph 1, the data subject has the right to contact directly the supervisory authority, i.e. the Office for Personal Data Protection.
  5. The procedure described in paragraph 1 shall be without prejudice to the data subject’s right to contact directly the supervisory authority.
  6. The controller is entitled to require reasonable compensation for providing the information which does not exceed the costs necessary to provide such information.

XII. Changes of Data Protection Rules

Any changes of the data protection rules will be published on the website. Please check them regularly.

XIII. Contact Us

In case of any questions of requests regarding these data protection rules, please contact us at:

Kampus Palace s.r.o.

Smetanovo náměstí 3116/10

702 00 Ostrava

Phone: ++420 777 101 615

E-mail: info@kampuspalace.cz

You may also use these contact details if you are interested in the provision, rectification, blocking and erasure of data that have been collected about you by the website.