Security and Personal Data Protection (GDPR)
Basic Information
Data Controller: Historické Hotely Slovenska, Civic Association, with registered office at Prístavná 11, 921 01 Piešťany, ID No.: 42 158 125, approaches your personal data responsibly. Therefore, in accordance with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR Regulation”) and Act No. 18/2018 Coll. on the protection of personal data and on the amendment and supplementation of certain acts (hereinafter referred to as the “Act”), it provides you as a data subject (a natural person whose personal data is processed) with necessary information on its website, including identification and contact details, as well as other necessary information available in the tabs on the left.
The Data Controller, following Article 24 of the GDPR Regulation and Section 31 of the Act, has implemented appropriate technical, organizational, personnel, and security measures and safeguards, which take into account, in particular:
- principles of data processing, including lawfulness, fairness, transparency, purpose limitation, data minimization, pseudonymization, encryption, as well as integrity, confidentiality, and availability;
- principles of necessity and proportionality (regarding the scope and quantity of processed data, retention period, and access to personal data of the data subject) concerning the processing purpose;
- nature, scope, context, and purpose of the processing operation;
- resilience and recovery of data processing systems;
- training of authorized persons by the Data Controller;
- prompt detection of personal data breaches and timely notification to the supervisory authority and Data Protection Officer;
- measures to correct or delete incorrect data or exercise other rights of the data subject;
- risks with varying probability and severity concerning the rights and freedoms of natural persons (such as accidental or unlawful destruction, loss, alteration, or misuse of personal data—unauthorized access or disclosure, and risk assessment considering the origin, nature, likelihood, and severity of the risk in connection with data processing, and identification of best practices for risk mitigation).
Information on the Purpose of Data Processing and Retention Period
Purpose of Processing Personal Data
One of the principles of data processing is purpose limitation. Under this principle, personal data must only be collected for specific, explicitly stated, and legitimate purposes and must not be further processed in a way incompatible with these purposes. The processing of personal data should be closely related to the purpose of data processing, particularly concerning the list or scope of personal data, which should be necessary to achieve the purpose. It is not appropriate to artificially or additionally expand the list or scope of personal data beyond the intended purpose. If the purpose and the list or scope of personal data are defined by law, it must be respected. If the Data Controller defines the list or scope of personal data, care should be taken not to expand it unnecessarily beyond the purpose.
The Personal Data Protection Act requires the Data Controller to provide the data subject with information about the purpose for which their data is being processed, even when the data is not collected directly from the data subject. This information should be provided to the data subject at the latest at the time of data collection or, if possible, in advance, clearly and understandably, so that the data subject can familiarize themselves with and understand the information.
We process your personal data to comply with legal obligations related to taxes and accounting, to fulfill your orders and services, for invoicing purposes, or to deliver orders to your contact address.
Data Processing Duration or Criteria for Its Determination
Your personal data is processed for as short a time as possible. Generally, we securely dispose of all your personal data once we have fulfilled our contractual obligations or after you withdraw your consent to the processing of personal data, or after the expiration of a reasonable period as governed by the principle of data minimization under Article 5(1)(e) of the GDPR, which regulates data retention.
As the Data Controller, we ensure the deletion of personal data without undue delay after:
- all contractual relationships between you and our company have ended; and/or
- all your obligations to our company have been settled; and/or
- all your complaints and requests have been resolved; and/or
- all other rights and obligations between you and our company have been settled; and/or
- all legal purposes for processing your personal data, or the purposes for which you provided consent, have been fulfilled; and/or
- the consent period has expired, or you have withdrawn your consent; and/or
- your request for deletion of personal data has been fulfilled, and one of the reasons justifying compliance with the request has been met; and/or
- the relevant legal basis for ending the processing purpose has occurred, and the retention period has expired, considering the principle of data retention minimization.
At the same time, our company must have no further legitimate interest in retaining the data, and all obligations imposed by general legal regulations that require the retention of your personal data (particularly for purposes such as archiving or tax audits) must have been fulfilled.
Should any personal data be accidentally obtained, it will not be processed systematically. When possible, the data subject will be informed about the accidental acquisition, and necessary assistance will be provided to regain control over their personal data. Once the situation has been resolved, all accidentally obtained personal data will be securely deleted without delay.
If you are interested in further details about the specific retention period of your personal data, please contact us via the contact information provided on our website.
Data Subject Rights
Rights of the Data Subject
Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR Regulation”) and Act No. 18/2018 Coll. on the protection of personal data and on the amendment and supplementation of certain acts (hereinafter referred to as the “Act”), guarantee the following rights to you as a data subject:
- a) Right of access to personal data, which includes:
  - The right to obtain confirmation from the Data Controller whether or not personal data concerning you are being processed;
  - If personal data are processed, the right to access those personal data and the following information:
    - Information about the purposes of processing;
    - Information about the categories of personal data concerned;
    - Information about recipients or categories of recipients to whom personal data have been or will be disclosed, particularly recipients in third countries or international organizations;
    - Where possible, information about the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
    - Information about the existence of the right to request from the Data Controller the rectification or erasure of personal data, or restriction of processing of personal data, and the right to object to such processing;
    - Information about the right to lodge a complaint with a supervisory authority;
    - If the personal data were not collected from you, any available information as to their source;
    - Information about the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation, and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  - The right to be informed about the appropriate safeguards under Article 46 of the Regulation relating to the transfer of personal data to a third country or international organization;
  - The right to obtain a copy of the personal data being processed, provided that obtaining such a copy does not adversely affect the rights and freedoms of others.
The data subject’s right of access to personal data essentially means that the data subject has the right to obtain confirmation from us as to whether or not personal data concerning them is being processed, and if so, the right to access such personal data. Upon the data subject’s request, we will provide a copy of the personal data being processed. For any additional copies requested by the data subject, we may charge a reasonable fee based on administrative costs. If the data subject submitted their request electronically, the information will be provided in a commonly used electronic format, unless the data subject requests otherwise. Information must be provided without delay and at the latest within one month of the request. We have the right to extend the processing time by an additional two months if the request is complex or if requests are numerous. However, we must inform the data subject of the reason for the extension within one month. In the case of unfounded or excessive requests, we have the right to charge a fee corresponding to the administrative costs or to refuse the request. We must explain the reason for the refusal and inform the data subject of their right to lodge a complaint with the supervisory authority.
- b) Right to rectification of personal data, which includes:
  - The right to have the Data Controller, without undue delay, correct inaccurate personal data concerning you;
  - The right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject’s right to rectification of personal data means that you can request us to correct or complete your personal data at any time if it is inaccurate or incomplete. The data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
- c) Right to erasure of personal data (right to be forgotten), which includes:
  - The right to obtain from the Data Controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:
    - The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    - You withdraw consent on which the processing is based, and there is no other legal ground for the processing;
    - You object to the processing pursuant to Article 21(1) of the Regulation, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2);
    - The personal data have been unlawfully processed;
    - The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
    - The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.
  - The right to have the Data Controller, who has made the data subject’s personal data public, take reasonable measures, including technical measures, considering available technology and the cost of implementation, to inform other controllers processing the personal data that the data subject requests the deletion of any links to, copies, or replicas of these personal data.
However, the right to erasure of personal data, as described in Article 17(1) and (2) of the Regulation does not apply where the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation that requires processing under the law of the European Union or of a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) of the Regulation, as well as Article 9(3) of the Regulation;
- for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) of the Regulation, in so far as the right referred to in Article 17(1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise, or defense of legal claims.
The data subject’s right to erasure of personal data means that we are required to delete your personal data if they are no longer necessary for the purposes for which they were collected or otherwise processed, the processing is unlawful, you object to the processing and there are no overriding legitimate grounds for the processing, or we are required to do so by legal obligation.
The data subject’s right to restriction of processing means that until any disputes regarding the processing of your personal data are resolved, we must restrict the processing of your personal data so that the data can only be stored and not further processed.
- e) The data subject’s right to notification obligation regarding recipients, which includes:
  - The right to have the Data Controller inform each recipient to whom personal data has been disclosed of any rectification, erasure, or restriction of processing carried out in accordance with Article 16, Article 17(1), and Article 18 of the Regulation, unless this proves impossible or involves disproportionate effort;
  - The right to have the Data Controller inform the data subject about these recipients, if the data subject requests it.
The right of the data subject to notification obligation regarding recipients means that the Data Controller is obliged to inform each recipient to whom the data subject’s personal data has been disclosed of any rectification, erasure, or restriction of processing. This obligation does not apply if such notification is impossible or requires disproportionate effort.
- f) The data subject’s right to data portability, which includes:
  - The right to receive personal data concerning the data subject, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller without hindrance from the Data Controller, if all of the following conditions are met:
    - The processing is based on the data subject’s consent pursuant to Article 6(1)(a) of the Regulation or Article 9(2)(a) of the Regulation, or on a contract pursuant to Article 6(1)(b) of the Regulation;
    - The processing is carried out by automated means;
    - Exercising the right to receive personal data in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller without hindrance from the Data Controller does not adversely affect the rights and freedoms of others;
  - The right to have the personal data transmitted directly from one controller to another, where technically feasible.
The right to data portability means that you have the right to receive your personal data, which you have previously provided to us, in a structured, commonly used, and machine-readable format, and you have the right to request that we transmit your personal data to another controller, provided the legal conditions are met. Exercising this right does not affect your right to erasure of personal data. However, the right to data portability applies only to personal data that we have obtained from you based on a contract to which you are a party.
- g) The data subject’s right to object, which includes:
  - The right to object at any time, on grounds relating to the data subject’s particular situation, to the processing of personal data concerning them that is based on Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions of the Regulation;
  - The right, in the case of exercising the right to object at any time, on grounds relating to the data subject’s particular situation, to the processing of personal data concerning them that is based on Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions of the Regulation, to have the Data Controller no longer process the personal data of the data subject, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims;
  - The right to object at any time to the processing of personal data concerning the data subject for direct marketing purposes, including profiling to the extent that it is related to such direct marketing; in such cases, if the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes;
  - (In the context of the use of information society services) the right to object to the processing of personal data through automated means using technical specifications;
  - The right to object, on grounds relating to the data subject’s particular situation, to the processing of personal data concerning the data subject for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, except where the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject’s right to object means that, as a data subject, you can object to the processing of your personal data that we process for direct marketing purposes or for legitimate reasons. We will immediately cease processing personal data for marketing purposes upon receiving an objection.
- h) The data subject’s right related to automated individual decision-making, which includes:
  - The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them, except in cases referred to in Article 22(2) of the Regulation [i.e., except in cases where the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and the Data Controller, (b) is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (c) is based on the data subject’s explicit consent].
The data subject’s right related to automated individual decision-making means that, as a data subject, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. In cases where such processing is necessary for entering into or performance of a contract, or based on the data subject’s explicit consent, the Data Controller will implement suitable measures to safeguard the rights, freedoms, and legitimate interests of the data subject, including the right to obtain human intervention from the Data Controller, to express their view, and to contest the decision.
The Data Controller shall provide the data subject with information on measures taken following a request under Articles 15 to 22 of the GDPR Regulation without undue delay and in any case within one month of receipt of the request. This period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject submits a request by electronic means, the information shall be provided electronically, where possible, unless the data subject requests otherwise.
In the cases mentioned above, the Data Controller may refuse to act on a data subject’s request to exercise their rights under Articles 15 to 22 of the GDPR Regulation only if it can demonstrate that it is not in a position to identify the data subject.
- i) The right of the data subject to file a complaint under Section 100 of the Personal Data Protection Act, which includes:
  - The right of a data subject who believes that their personal data is being processed unlawfully or has been misused to file a complaint with the Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the “Office”), requesting the initiation of personal data protection proceedings;
  - A complaint can be filed in writing, in person orally on record, electronically with a certified electronic signature, by telegraph, or by fax, but it must be supplemented in writing or orally on record within three days;
  - The complaint must include the following information under Section 100(3) of the Personal Data Protection Act:
    - The name, surname, permanent address, and signature of the complainant;
    - The identification of the entity against whom the complaint is directed: the name or surname, registered office or permanent address, and, if applicable, legal form and identification number;
    - The subject of the complaint, specifying which rights the complainant believes were violated during the processing of personal data;
    - Evidence supporting the claims made in the complaint;
    - A copy of the document proving the exercise of rights under Section 28, if such a right could have been exercised, or reasons justifying special consideration;
  - The Office will decide on the complainant’s proposal within 60 days from the initiation of the proceedings. In justified cases, the Office may extend this period by up to six months. The Office will inform the parties involved in writing of the extension.
You can find a sample form for initiating personal data protection proceedings on the Office’s website (https://dataprotection.gov.sk/uoou/sites/default/files/vzor_navrhu_na_zacatie_konania_podla_noveho_zakona.docx).
Legal bases for processing personal data
The Data Controller processes your personal data in accordance with Article 6(1)(a) of the GDPR Regulation and Section 13(1)(a) of the Act—where the data subject has given consent to the processing of their personal data for one or more specific purposes; in accordance with Article 6(1)(b) of the GDPR Regulation and Section 13(1)(b) of the Act—where processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; and in accordance with Article 6(1)(c) of the GDPR Regulation and Section 13(1)(c) of the Act—where processing is necessary for compliance with a legal obligation to which the Data Controller is subject. This primarily includes the following legal regulations:
- Act No. 395/2002 Coll. on Archives and Registries and on the Amendment of Certain Acts;
- Act No. 431/2002 Coll. on Accounting, as amended;
- Act No. 595/2003 Coll. on Income Tax;
- Act No. 222/2004 Coll. on Value Added Tax;
- and others.
Cookie Policy
Cookies are small text files that may be sent to your internet browser during a visit to a website and stored on your device. Cookies are stored in your browser’s file directory. Cookies generally contain the name of the website they come from and their creation date. Your browser retrieves the cookies during future visits to the site, sending the information back to the website that originally created the cookies.
The processing of cookies always requires your prior consent, in compliance with the GDPR Regulation, except for functional or technical cookies necessary for the website to function properly. Your consent to cookie processing is archived, and you have the right to withdraw it at any time.
For more details about the cookies used on the websites of Historické Hotely Slovenska, please refer to the company’s website.