Principles of personal data processing

Principles of personal data processing

This document regulates the principles for the processing of personal data provided by a natural person (“Data Subject”) of Nutrend D.S., a.s., company ID number: 25853902, with its registered office at Chválkovice 604, 779 00, Olomouc, registered in the Commercial Register kept by the Regional Court in Ostrava, Section B, entry 2307 (“the Controller”). Nutrend D.S., a.s. has no commission for the purposes of personal data protection. Any questions or issues should be resolved via email: .

The kind of data being processed

On the basis of the booking, registration or accommodation process, the Controller obtains identification and contact details from the Data Subject, namely their name, surname, date of birth, ID card number, address, email address and telephone number. If the Data Subject is a natural person running a business or a company (organization) that made the booking and/or paid for it, the registered office, company ID number and tax ID number are processed.

Furthermore, the Controller processes data about the purpose of the stay on the basis of whether the Data Subject is subject to a recreation fee. It also includes data in relation to the services used by the Data Subject and the method of payment for these services, which is related to the bank account number or payment card number data. If the Data Subject is foreign, their name, surname, date of birth, nationality, travel document number, visa number and address of permanent residence abroad are processed.

 

Where the personal data is obtained from

In the case of accommodation services, the vast majority of personal data (name, surname, date of birth, ID card number, address of permanent residence, email address and telephone number) is obtained by the Controller directly from the Data Subject during the booking process and subsequently during the accommodation process. In some cases, data may be obtained from an organization, specifically the employer of the Data Subject, who made the booking on the Data Subject’s behalf. For bookings made in this way, the data on the organization (registered office, company ID number, tax number) is obtained by the Controller as well. Bank account number data or credit/debit card number data is obtained through the process of payment for the services provided. For bookings made through booking portals, the Controller obtains information about the Data Subject (to the extent of their name, surname, telephone number or email address) directly from the given booking portal.

In the Fitness Centre, the Controller obtains personal data from the forms the Data Subject fills in when registering for the Fitness Centre. These forms include data to the extent of name, surname, email address, telephone number, postal code, city and date of birth, the latter being optional. In the case of the Wellness Centre, before starting the procedures, the Data Subject is asked to fill in a form stating their name, surname, date of birth, telephone number and email address. In the restaurant, only an email address is obtained from the Data Subject on the basis of the filling in of a short form which the Data Subject fills in voluntarily for the purposes of receiving news and information from Nutrend World.

The purpose the data is processed for

The acquisition and subsequent processing of the Data Subject’s identification data is necessary for the fulfilment of the Controller’s legal obligations, namely compliance with the Act on Local Fees and the Act on the Residence of Foreign Nationals in the Czech Republic. Furthermore, identification data is necessary for the purposes of fulfilling the contractual relationship between the Controller and the Data Subject for the services provided. On the basis of the legitimate interest of the Controller, the personal data of the Data Subject (name, surname, email address) is processed for the purpose of direct marketing, the aim of which is to provide regular information about news, discounts, ongoing or planned events, etc.

To optimize and improve the marketing tools for the benefit of the usefulness of information towards the Data Subject, the Controller uses “cookies”. A cookie is a short text file the web page you visit sends to the browser. These files are primarily used for marketing purposes; the Data Subject has full control over them. These files do not make it possible to identify a specific person, only a device, as these files do not store any personal data with the exception of the IP address. Furthermore, the Controller uses one of Google’s basic analytical tools, Google Analytics. For information on the scope and manner in which personal data is processed by this company, please visit https://support.google.com/analytics/answer/6004245.

Rights of the Data Subject

Upon request, the Data Subject is entitled to obtain information on whether their personal data is being processed by the Controller. If so, the Data Subject may request information on the manner and purpose of this processing, to whom the data will be made available further and the planned period for which the personal data in question will be stored. If the Data Subject submits a request or proposes another step, the information on the measures taken must be communicated to him/her without undue delay within one month of said request being received. The period may, in special cases, be extended by two months; however, the Data Subject must be informed about such extension by the Controller, including the reason for the delay.

If the Data Subject believes their personal data is inaccurate or false, they have the right to notify the Controller about this fact. The Controller is required to address such a request for correction. At the same time, the Data Subject also has the right to request the personal data to be handed over to another controller in a structured, commonly used, and machine-readable format.

The right to the erasure of personal data represents, in the form of a general regulation, in other words, the obligation of the Controller to erase the personal data of the Data Subject if at least one of the following conditions is met: when the personal data is no longer required for the purposes it was collected for, if the processing of the data was in violation of the law, or if the data has to be erased in order to fulfil a legal obligation. However, the right to erasure is not an absolute right that would allow the Data Subject to submit a request for its deletion at any time, since the Controller is also subject to certain legal obligations on the further storage of specific personal data. Each Data Subject has the right to file a complaint or object, with the Office for Personal Data Protection being the supervisory body for the Controller, located at: Pplk. Sochora 27, 170 00 Prague 7.

Time period for personal data processing

Personal data which the Controller is required to process on the basis of legal regulations (e.g. the fulfilment of accounting and/or tax obligations) is processed for the exact period specified by said regulations, but not for a time period longer than 10 years from the end of the tax period in which the relevant tax document was issued. For the purposes of direct marketing, through which the Data Subject is regularly informed about the Controller’s news and events, their name, surname, and email continue to be processed until the Data Subject expresses their disagreement with said processing. In connection with a possible complaint, the Controller also processes the personal data of the Data Subject for the purposes of protecting its own rights and interests in the event of a possible dispute arising on the basis of such a complaint. Therefore, the data is processed for the period according to the legislation in force, but for no longer than five years following the conclusion of any complaint.

Transfer of personal data

The Controller does not transfer the personal data of the Data Subject to any third parties. State authorities to which such data is transferred for the fulfilment of legal obligations are exempted from this. Any person able to access the personal data of the Data Subject is bound by confidentiality and loyalty. Processing is performed by authorized employees of the Controller.

In the case of documentary personal data, compliance with all security principles is ensured and measures are put in place to prevent unauthorized access to personal data or its alteration, theft or loss.

 Disclaimer

The Controller processes data with the consent of the Data Subject, except in cases in which the processing of personal data does not require the consent of the Data Subject. The Data Subject may provide their consent for one or more specific purposes, and consent to the processing of personal data may be withdrawn by the Data Subject at any time.

In accordance with Article 6 (1) of the GDPR, the Controller may, without the consent of the Data Subject, process the following data:

processing is necessary for the performance of a contract to which the Data Subject is a party or for the implementation of measures taken before the conclusion of the contract at the request of the Data Subject in question; processing is necessary to meet a legal obligation to which the Data Controller is subject; processing is necessary to protect the vital interests of the Data Subject or another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the Controller; processing is necessary for the purposes of the legitimate interests of the relevant Controller or a third party, except in cases in which the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data take precedence over those interests.