INFORMATION MEMORANDUM ON PERSONAL DATA PROCESSING
Dear Guests, Visitors, Clients and Business Partners,
the document you are currently reading contains basic information about how we process your personal data. We appreciate the fact that you share your personal data with us, and we are committed to protecting it to the maximum extent possible. We also strive to be as transparent as possible towards you, in particular with regard to how we process your personal data.
In view of the new legislation of the European Union, this information memorandum was prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
1. Who are you entrusting your personal data to?
You are handing over your personal data to the company (i.e. personal data administrator) H & HOTELS s r. o., headquartered at: Václavské náměstí 839/7, 110 00 Praha 1 – Nové Město, Company ID No.: 458 09 534, registered in the Commercial Register kept by the Municipal Court in Prague under File No. C12375 (hereinafter the "company").
Your personal data may also be processed by external employees of the company, such as an external tax and accounting company, the operator of the email, accommodation and camera system operating the computer infrastructure, etc. The entities that cooperate with us are carefully selected on the basis of guarantees they provide in order to ensure the technical and organizational protection of the personal data handed over.
Personal data may be processed for the company only by data processors and solely on the basis of a personal data processing contract concluded between them and the company.
2. What purpose do we need the personal data for?
We process and use your personal data for:
Booking and ordering your accommodation or seat at a table via web portals,
Booking accommodation and other services through a booking form on the website http://www.hhotels.cz/ and other websites of individual centres
Communication with individual employees of the company,
Filling in a registration form and accommodation card,
Ensuring that your health and property are protected through monitoring with a camera system,
Ensuring the conclusion and subsequent fulfilment of a contractual obligation between you and us, as well as for the purpose of fulfilling legal obligations arising from such a relationship,
The protection of our legitimate interests, namely the proper fulfilment of all our contractual obligations towards you, the proper fulfilment of all our legal obligations, direct marketing, the protection of our business and assets and, last but not least, for the purpose of protecting the environment and ensuring sustainable development.
3. Authorization to process
The lawfulness of processing is governed by Article 6 (1) of the GDPR, according to which the processing is lawful if it is necessary for the fulfilment of the contract, for the fulfilment of a data administrator's legal obligation, for protecting the legitimate interests of the administrator or if the processing takes place on the basis of a consent that you have granted to us. The provision of personal data to an administrator is generally a statutory or contractual requirement. As regards the provision of personal data for marketing purposes, which does not represent the fulfilment of a contractual and statutory obligation of an administrator, your consent is required. If you do not grant your consent to the processing of your personal data for marketing purposes to the administrator, it does not mean that the administrator would refuse to provide a service under a contract as a result.
In the interest of ensuring that your privacy is protected to the maximum extent possible, you have the right to raise an objection and require that your personal data be processed solely for the most imperative legal reasons or that your personal data be blocked. For more details on your rights relating to personal data processing, please refer to Article 9 of this information memorandum.
4. How is the personal data obtained?
The personal data is obtained directly from you, namely from filled in forms, mutual communications, from contacts at trade fairs and other similar professional events, or from concluded contracts. In addition, personal data may also come from publicly available sources, registers and records, such as the commercial or trade register, debtors' register, professional registers, or from the Land Registry, for example. However, we will process this personal data only for pursuing our legitimate interests or for the fulfilment of legal obligations. Furthermore, your personal data may have been obtained from third parties who are authorized to access and process your personal data, namely within the scope and for the purpose for which the third party is authorized to process it.
5. What categories of personal data are processed?
For the purpose of ensuring your satisfaction with the proper fulfilment of an obligation, ensuring the fulfilment of legal obligations, providing a personalized offer of the goods and services of the administrator and for the other purposes mentioned above, we process the following categories of personal data:
basic identification data - name, surname, address, date of birth and identification number, purpose of residence, ID card number, passport number in the case of non-Czech nationals, visa number and expiry date, and nationality;
contact details - phone number and email address, if you have granted your consent to us;
information on the use of our products and services - information about which products you ordered from us and which products you are currently using, including an exact specification of the products, etc.;
information from mutual communications - information from emails, from phone call records or other contact forms;
billing and transaction data - in particular information appearing on invoices about billing terms agreed upon and payments received;
information from the camera system located in our hotels and restaurants for the purpose of protecting your safety and our property.
6. What is the legal basis for the processing of personal data?
The lawfulness of processing is governed by Article 6 (1) of the GDPR, according to which the processing is lawful if it is necessary for the fulfilment of a contract, for the fulfilment of a data administrator's legal obligation or for protecting the legitimate interests of the administrator. In the case of our company, the lawfulness of processing is based, for example, on 326/1999 Coll., on the residence of foreign nationals in the Czech Republic, Act no. 565/1990 Coll., on local fees, Act no. 563/1991 Coll., on accounting, based on which invoice details are processed and archived, Act no. 89/2012 Coll., the Civil Code, based on which the administrator protects its legitimate interests and Act no. 235/2004 Coll., on value-added tax and some others.
7. Will we transfer the personal data to someone else?
Within the legal boundaries, we are obliged to provide the personal data to state authorities, such as the tax administrator, courts or law enforcement bodies.
8. Will we transfer the personal data to a third country or an international organization?
We will rarely transfer the personal data to non-member states of the European Economic Area, and it will always be within our ownership structure. In any case, we will do so while maintaining all the security measures, we will require processors to do the same, and in the process, we will comply with all international agreements, decisions of European Union bodies and the current conditions for such transfers, which are adhered to and listed on the website of the Czech Office for Personal Data Protection. 
9. For how long will we store the personal data?
The personal data will never be stored for a longer period than the maximum period set by law. After the archiving period has elapsed, the personal data will be securely and irrecoverably destroyed so that it cannot be misused.
The personal data will be processed and stored at least for the duration of the contract. Some personal data needed, for example, for tax and billing obligations will be stored for a longer period of time, generally 5 years starting from the year following the occurrence of the detail stored, and in the case of a statutory time limit, only for the period set directly by law.
Personal data that is important for the exercise of the administrator's legitimate interests is stored for a maximum period of 3 years from the end of the contractual relationship with the administrator.
Recordings from CCTV systems are stored for 30 days, after which they are overwritten with a new recording.
After the above-mentioned periods have elapsed, the personal data will be securely and irrecoverably destroyed so that it cannot be misused.
Personal data processed for marketing purposes will be stored for a maximum period of 5 years from the time when you request us to receive news and business information / communications.
Personal data may be archived in the public interest and used for scientific, historical or statistical research purposes. In justified cases, personal data may be subject to processing for the purpose of resolving legal issues, including the performance of obligations towards public administration bodies and the monitoring and on-going evaluation of legal risks (legitimate interest of the administrator).
10. What rights related to the processing of your personal data do you have, and how can you exercise them?
We make every effort to ensure that your data is processed properly and securely. The rights described in this article are guaranteed to you, and you can exercise them towards us.
How can you exercise your rights?
You can exercise your individual rights by sending an e-mail to email@example.com or by calling the phone number +420 222 244 713. You can also exercise your rights through a written request sent to our mailing address.
Any communications and statements regarding rights exercised by you will be provided free of charge. However, if the request is evidently unjustified or unreasonable, in particular because it is made repeatedly, we are entitled to charge a reasonable fee which takes into account the administrative costs involved in providing the requested information. If a request for the provision of copies of processed personal data is made repeatedly, we reserve the right to charge a reasonable administrative fee.
Comments and any information on the measures taken will be provided to you as soon as possible, but not later than within one month. If necessary and depending on the complexity and number of requests, we are entitled to extend the time limit by two months. We will inform you of the extension, including the reasons for it.
Right to information about the processing of your personal data
You are entitled to request information from us on whether or not your personal data is being processed. If your personal data is being processed, you are entitled to request information from us, in particular information about the purposes of processing, the categories of the personal data being processed, the personal data recipients or recipient categories, authorized administrators, your rights, the possibility to turn to the Office for Personal Data Protection, and information on the source of the processed personal data and on automated decision-making and profiling.
The information provided to you when you exercise this right is already contained in this memorandum, but that does not prevent you from requesting it again.
Right to access personal data
You are entitled to request information from us as to whether or not your personal data is being processed, and if it is, you have access to information on the processing purposes, the categories of the personal data in question, the recipients or recipient categories, the period for which the personal data is stored, information about your rights (the right to request the administrator to correct or delete the data, restrict the processing, or the right to object to such processing), on the right to file a complaint to the Office for Personal Data Protection, information on the source of the personal data, information on whether automated decision-making and profiling is taking place and information on the procedure used (as well as the significance and implications that such processing has for you), and information and guarantees in the case that the personal data is transferred to a third country or international organization. You have the right to be provided with copies of the processed personal data. However, the right to obtain this copy must not unfavourably affect the rights and freedoms of other persons.
Right to correct data
If, for example, your residence, phone number or other detail that can be considered personal data changes, you have the right to request a correction of your personal data being processed. Furthermore, you have the right to complete incomplete personal data and may provide an additional statement in order to do so.
Right to deletion (right to be forgotten)
In certain specified cases, you have the right to require that we delete your personal data. One such case is, for example, when the data being processed is no longer needed for the purposes mentioned above. After the period for which your personal data is needed expires, we will delete your personal data automatically, but you may contact us with a request for deletion at any time. Your request will then be subject to an individual assessment (despite your right to deletion, we may have an obligation to or legitimate interest in keeping your personal data), and you will be informed in detail about the handling of your request.
Right to the restriction of processing
We process your personal data only within the necessary scope. However, if you have the impression that we are, for example, exceeding the above-mentioned purposes for which we process your personal data, you may file a request that your personal data be processed solely for the most essential and legitimate reasons or that the personal data be blocked. Your request will then be subject to an individual assessment, and you will be informed in detail about the handling of your request.
Right to data portability
If you wish that your personal data be provided to another administrator (i.e. another company), we will transfer your personal data to the entity designated by you in the appropriate format provided that there are no legal or other significant obstacles preventing us from doing so.
Right to object and automated individual decision-making
If you learn that or believe that we are processing your personal data in conflict with the protection of your private and personal life or in violation of legal regulations (provided that the personal data is being processed by the administrator on the basis of a public or legitimate interest or for the purposes of direct marketing, including profiling, or for statistical purposes or scientific or historical purposes), you may contact us with a request for clarification or the remediation of the defective state. You have the right not to be subject to automated decision-making (including profiling).
Right to file a complaint with the Office for Personal Data Protection
At any time, you may file a request or complaint regarding the processing of your personal data to the supervisory authority, namely the Office for Personal Data Protection, headquartered at: Pplk. Sochora 27, 170 00 Praha 7, website: https://www.uoou.cz/.
11. How can you contact us?
If you have any questions regarding the processing of your personal data, please do not hesitate to contact us either electronically or over the phone at the email address firstname.lastname@example.org and on phone number +420 222 244 713. In all cases, we can be contacted also at our mailing address: H&Hotels Group, Václavské náměstí 7, 110 00 Prague 1, Czech Republic.