On behalf of AUSTRIA Hotels Betriebs CZ s.r.o. we would like to thank you for using our services and for your loyalty. Like most other companies we have taken measures based on the European Parliament’s General Data Protection Regulation (GDPR) and the objective of this document is to describe these measures and explain the procedures in the processing of the personal data that we obtain from you or about you through our website, as a result of written or oral communication with you, during your stay at our hotel or from other sources.
We would also like to point out that this Notification does not relate to our processing of data on behalf of any third parties and in compliance with their instructions, such as airlines, car hire companies and other service providers, as well as package tour companies, marketing partners or corporate clients.
We collect personal data during any contact with guests and we may also collect it while performing any aspect of our business. This personal data may include: your contact information; information related to your reservation, stay at or visit to our hotel or to a marketing programme; information related to purchasing and receiving products or services; personal information, nationality, passport number and date and place of issue; travel history; payment information, such as credit card number and other credit card data as well as verification information and other details on the statement of charges and account connected with issuing documents; guests’ preferences; and information on the vehicles you use to come to our hotel.
A data subject (hereinafter referred to as "Customer" or "Data Subject"): an individual to whom personal data relate.
Any information relating to an identified or identifiable Customer; an identifiable Customer is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Austria Hotels Betriebs CZ s. r. o. (hereinafter referred to as “Data Controller” or “Company”), the entity that determines the purposes and means of the processing of personal data and that carries out and is responsible for data processing. The Data Controller may authorise or mandate a processor to process personal data, unless a special law provides otherwise.
Any entity which processes personal data on behalf of the Data Controller according to the Act and the Regulation on the basis of a special law or the Data Controller’s authorisation and in relation to a data processing agreement.
Processing of personal data:
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The purpose of personal data processing
The objective for which it is necessary or purposeful to process the data subject’s personal information.
Principles of personal data processing
The Data Controller processes personal data according to the principles resulting from the Regulation:
§ Lawfulness, fairness and transparency;
§ Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes.
§ Data minimisation – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
§ Accuracy and up-to-dateness – the Data Controller takes any reasonable measure so that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
§ Storage limitation – data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject.
§ Integrity and confidentiality – personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
PERSONAL DATA SOURCES AND COLLECTION
The Data Controller obtains its Customers’ personal data mainly from the Customers themselves while making arrangements to enter into a contract. The Data Controller always informs its Customers when it is necessary to provide personal data for the provision of a specific service and when it is voluntary, the provision of such personal data making the communication between the Customer and the Data Controller easier and the provision of services more effective.
In order to ensure the security of the Data Controller and Data Subject as well as of the provided services, a camera system is installed on the Data Controller’s hotel premises. The Data Subject is always informed of the presence of the camera system by information signs and pictographs at the entrance to such an area. The records from the security camera system are stored for three days and besides the aforementioned purpose they are not processed in any other way. If necessary, the records are provided to the investigating, prosecuting and adjudicating bodies for the purpose of fact finding.
Personal data collection at the hotel:
The local law requires that we collect other personal data at the hotel upon registration / check-in. At our hotel we also use security measures which may capture or record the images of guests and visitors in the hotel’s public areas, and information about where you are within the hotel is recorded through entry cards and other technologies. If permitted by the law, we may also use CCTV and other technologies capturing sound or video in order to protect our hotels’ employees, guests and visitors. We may also collect other personal information in connection with locally provided services, such as the services of receptionists, baby-sitting and lease.
Events at the hotel:
If you plan an event at our hotel, we record specific details concerning the arrangements and the event, the date of the event, number of guests, detailed information about rooms, and for corporate events also the information about your company (name and number of events per year). We also collect information about guests who are members of your group or who attend your event. If you visit us as a member of a group, we may, in compliance with your settings and with the law, have information about you which is provided to us within the group, and we may approach you with our marketing offers as a result of your stay here with your group and of your participation in the group’s event. If you visit us within an event, we may, within the scope of the law, share your personal data with the persons that organise the event. If you organise an event, we may, within the scope of the law, share information about your event with third-party service providers, who may offer their services necessary for the event to you.
Social networking sites:
If you decide to participate in activities or use the offers of social networking sites organised by AUSTRIA Hotels Betriebs CZ s. r. o., we may – according to your account settings – collect certain information from your social network accounts, such as the place where you are, check-ins at hotels, your activities, interests, photographs, status updates and friend lists.
Besides your data which we collect directly we may also derive other information from the data that you provide us with or from other information that we receive.
Collecting information from third parties:
We may also collect information about you from third parties, including information from our partners from social media services, in compliance with your settings regarding these services and from other independent sources which have the legal right to share such data with us. We use and share this information (and we may add it to the information about you that we already have) for the purposes described herein.
How your collected personal data are used:
We use your personal data for many purposes, including the provision and customisation of the services which you get or expect from AUSTRIA Hotels Betriebs CZ s. r. o., for the offer of the expected level of hospitality in your room and at all our hotels, for direct marketing and special sales events and for the following matters:
We use your information in order to provide you with our news, promotional and transaction materials within different services provided by AUSTRIA Hotels Betriebs CZ s. r. o., and for customising the advertising and content which we provide you with on-line, by email, mobile devices or advertising displayed on our websites and in our applications, in compliance with your communication settings.
Marketing and communication:
If it is allowed by the law, we may use your personal data to send you or offer to you newsletters, information about special events and tailored special events and other marketing communication in accordance with your communication settings. We may use your data in order to provide you with news about stays, accounts, warnings and reservation confirmation and to send you marketing communication. This communication can be carried out through emails, on-line advertising, social media advertising and other means (including communication within hotels, such as television in rooms). We may also collect your credit card information, which may be added to your personal data and used by AUSTRIA Hotels Betriebs CZ s. r. o. or its business partners to verify what kind of credit card you have, e.g. what bank or network issued your card.
Improvement of services:
We may use your personal data in order to improve the services provided by AUSTRIA Hotels Betriebs CZ s. r. o. and to ensure that the offer of our website, products and services is interesting for you. Based on your personal data we also ensure the expected level of hospitality in the hotel rooms.
In connection with the legal title and purpose of processing, the Data Controller and its contractual processors process the following personal data, or more precisely, categories of personal data:
a) Identification data: title, name, surname, date of birth, identity card data, place and state of birth, citizenship, registered business address, employer, job title.
b) Address data: permanent or temporary address, delivery address or another contact address.
c) Electronic contact information: telephone, mobile phone, fax, email address.
d) Other electronic data: not processed.
e) Personal data connected with contractual relationship: bank account number, credit card number, customer account number (loyalty programme), purpose of stay, length of stay (arrival and departure dates), orders and transactions, room number, reservation (hotel, restaurant).
f) Personal data connected with video recordings of persons within the field of view of the camera system on the Data Controller’s premises.
Processing of personal data
The Data Controller processes the Data Subject’s data based on the following legal reasons:
§ Data Controller’s legitimate interest
§ Performance of contracts
§ Meeting legal obligations
§ Valid consent to the processing of personal data
Data Controller’s legitimate interest
The legal title to personal data processing where the Data Controller’s interests / rights override those of the Data Subject, taking into consideration the reasonable expectations of the Data Subject based on their relationship with the Data Controller. That concerns cases for which a consent to the processing of personal data is not necessary.
The purposes are mainly the following (the scope of data processed for these purposes is defined by items a)–f) in THE SCOPE OF DATA PROCESSING):
The protection of the Data Controller’s property, the protection of the lives and health of employees, customers and persons entering the Data Controller’s premises for the scope of processing defined by f) for three days after the recording is made.
Performance of contracts
The Data Controller processes the Data Subjects’ personal data related to the meeting of contractual obligations, especially for the purpose of effective conclusion, changes and termination of the contract in compliance with the Civil Code and the Commercial Code.
The time of processing is defined by the duration of the contractual relationship between the Customer and the Data Controller.
It can be an accommodation contract, a contract of conference venue hire and event organisation, etc.
Meeting legal obligations
Apart from processors, the Data Controller also provides the Data Subjects’ information to the recipients of personal data, which include state authorities and other entities within the application of the rights defined by the law and within the meeting of obligations specified by the law.
The scope of personal data processing and the duration of the processing is laid down by mandatory regulations.
Valid consent to the processing of personal data
If the Data Controller processes the Data Subject’s personal data for other purposes that cannot be included in the purposes under articles 5.1, 5.2 and 5.3, it may only do so with the Data Subject’s valid consent to the processing of personal data, which is an expression of the Data Subject’s free will and which, as a result, forms a specific legal title to such handling of personal data.
The consent to the processing of personal data is voluntary and it is an act of free will. If consent is not provided or if its scope is limited, it has no impact on any previously stipulated obligations for the contract duration or on the possibility of the Data Controller’s stipulating another commitment. If consent to the processing of personal data is not provided, it may have an impact on the level of additional services and on the scope of products offered. A consent may be withdrawn partially or fully at any time.
The period for which personal data are stored
The Data Controller stores the Customers’ personal data for the necessary period and within the scope necessary for the meeting of legal requirements (especially pursuant to Act no. 326/1999 Sb. on the residence of Foreign Nationals in the Czech Republic, as amended, and pursuant to Act no. 565/1990 on Local Fees, as amended). Based on these Acts, the Data Controller stores the personal data specified by these Acts for six years.
The Data Controller stores its employees’ personal data pursuant to Act no. 262/2006, Labour Code, as amended; Act no. 337/1992 on Administration of Taxes and Fees, as amended; Act no. 586/1992 on Income Tax, as amended; Act no. 48/1997 on Public Health Insurance, as amended; Act no. 143/1992 on Pay and Remuneration for the On-call Duty, as amended; Act no. 100/1998 on Social Security, as amended; and Act no. 155/1995 on Pension Insurance, as amended, for 10 or 20 years. The data are only stored as defined by these Acts. The data are stored in an archive in a locked area, which may only be accessed by a limited number of people.
Other personal data are only stored for the period necessary for the provision of the relevant services and are erased or shredded afterwards.
If consent is given to the processing of personal data, the data are stored for the period of the consent.
The methods of personal data processing
The Data Subject’s personal data are processed by automated means or manually and may be made accessible to the Data Controller's employees if it is necessary for their work duties, and to the processors with which the Data Controller has entered into a data processing agreement, or to any other persons pursuant to the Act and the Regulation.
The Data Controller does not transfer personal data to third countries.
If the Data Subject believes that their personal data are being processed without authorisation, they may lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, Czech Republic.
Personal data recipients and processors
The company belongs to the Gerstner Hotels & Residences group of hotel companies. These companies may process customers’ personal data as processors. The recipients and processors of personal data are distinguished by their legal title and the scope and purpose of processing are defined for each title.
Personal data processors may only process data for the Data Controller on the basis of a data processing agreement, i.e. with guarantees of organisational and technical security of such data and with a definition of the purpose of processing, and processors may not use the data for any other purposes.
We may cooperate with other companies to be able to provide you with products, services or offers based on your experience at our hotel, and we may share your information with our business partners in this context. For example, we can arrange car hire or any other services provided by our business partners and share your personal data with them so that they can provide you with such services.
Our services and products can be provided on our behalf by third parties, with which we may share your personal data for this purpose. Generally, our service providers are contractually obligated to protect your personal data and they may not use your data in another way or share them, except for cases permitted by the law. Service providers in the relevant area may use your data for fraud detection but they are not allowed to share them. In compliance with the applicable law and according to your communication settings we may use service providers to provide you, on our behalf, with news and advertising and transaction materials, including tailored on-line and mobile advertising. AUSTRIA Hotels Betriebs CZ s. r. o. only cooperates with parties that make it possible to opt out of such advertising activities.
AUSTRIA Hotels Betriebs CZ s. r. o. may also provide personal data in order to:
(i) comply with applicable law, (ii) respond to investigation or requirements of public authorities, (iii) comply with applicable legal procedures, (iv) protect the rights, privacy, security or property of AUSTRIA Hotels Betriebs CZ s. r. o., and of the visitors to its premises, its guests, employees or the public, (v) seek available compensation for or limitation of damage that we may suffer, (vi) enforce the general terms and conditions on our website, and (vii) respond to emergency situations.
Apple, or similar technologies). If you wish to delete cookies from your device or disable them, you can change your browser’s settings (please, see your browser’s Help section, where you can find information about how to delete or disable cookies). AUSTRIA Hotels Betriebs CZ s. r. o. is not responsible for your browser’s settings.
In some cases we may combine this other information with personal data. If we combine any other information with personal data, the combined information is, in compliance with this notice, handled in the same way as the personal data.
“Sensitive data” means information connected with your racial or ethnic origin, political views, religion, personal beliefs, trade union membership, health, sexual life or orientation, genetic information, criminal history or any biometric data for the purpose of unique identification. We do not collect sensitive data unless you provide them voluntarily. The information that you provide about your health will only be used so that we can offer better services to you and meet your specific needs (e.g. enabling access to the disabled).
Children’s personal data:
We do not intentionally collect personal data of persons under 18 years of age. We ask you, as parents or statutory representatives, not to allow your children to provide personal information without your approval.
The Data Subject has the right to:
§ access their processed personal data and have their personal data rectified, erased or have their processing limited;
§ object to such processing;
§ lodge a complaint with a supervisory authority;
§ withdraw consent to the processing of personal data with effect for the future, at any time;
§ obtain from the Data Controller a statement confirming whether or not the Data Subject’s personal data is processed;
§ obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning the Data Subject. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed.
§ obtain from the Data Controller the erasure of personal data concerning him or her (“the right to be forgotten”) without undue delay and the Data Controller shall have the obligation to erase the personal data without undue delay where one of the following grounds included in the Regulation applies:
a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
b) The Customer withdraws consent and there is no other legal title for processing.
c) The Customer objects to the processing and there are no overriding legitimate grounds for the processing.
d) The personal data have been processed unlawfully.
e) The personal data have to be erased for compliance with a legal obligation in Union or national law to which the Data Controller is subject.
f) The personal data have been collected in relation to the offer of information society services. Details and exemptions to the exercise of this right are laid down by the Regulation.
§ obtain from the controller restriction of processing where one of the following applies:
a) The accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data.
b) The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.
c) The Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
d) The Data Subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.
§ receive the personal data concerning him or her (“right to data portability”), which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and transmit those data to another controller without hindrance from the controller to which the personal data have been provided;
§ object to the processing of personal data concerning him or her, including profiling based on the provisions of the Regulation; the Data Controller no longer processes the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
The Data Subject can exercise the aforementioned rights:
§ personally at the Data Controller’s reception
§ by mail (the customer’s signature must be officially certified)
Data Controller’s contact information:
AUSTRIA Hotels Betriebs CZ s.r.o. – Grand Hotel Bohemia
Praha 1, 110 00
Person in charge: Jan Vonšovský (Front Office Manager)
Mobile: +420 602 132 966
This document becomes effective on 25 May 2018. The text was last updated on 25 May 2018.