Spa Hotel Ulrika Karlovy Vary Spa Hotel Ulrika Karlovy Vary

Personal Data Protection

 
OZON
CLEAN
30
let

The introductory page – Personal Data Protection

What is GDPR? 

  • General Data Protection Regulation is a new legislation of the EU which increases the level of protection of personal data of natural persons, i.e. you as customers (hereinafter referred to as “GDPR” or “the Regulation”).

What rights does the GDPR give to you as customers?

  • One of the largest benefits of the Regulation is significant strengthening of rights of natural persons, or the so-called data subjects. These rights are particularly the right of access, to rectification, to erasure, the right to be forgotten, the right to restriction of processing, to data portability and last but not least the right to object.

What are the reasons for deleting your personal data? 

  • Personal data are no longer needed for the purpose for which they were collected or processed.
  • The customer withdraws the consent if the processing is based on the consent and there is no other legal reason for the processing.
  • The customer legitimately objects against processing which is based on legitimate interests of the personal data controller such as processing for the purpose of direct marketing.
  • The personal data have been unlawfully processed.

Terms

Data subject (hereinafter referred to as “the customer”)

  • Natural person (including self-employed persons) to which the personal data belong (e.g. a potential or a current customer or a customer from the past).

Personal data

  • Any information concerning an identified or identifiable natural person; an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Controller

  • Company Hotel ULRIKA, s.r.o., company ID: 46884645, with the registered office at Sadová 875/16, 360 01 Karlovy Vary (hereinafter referred to as "the Company") as an entity that determines the purposes and means of the processing of personal data, performs the processing and is responsible for it. The Company may mandate or entrust a processor if a specific law does not specify otherwise.

Processor

  • Every subject which processes personal data for the Company under the instructions of the Company and according to relevant legal regulations and the Regulation and it does so on the basis of a concluded data processing agreement

The purpose for personal data processing

  • The aim (a commercial activity or another legitimate purpose) for which the processing of personal data of a data subject is necessary or purposeful.

The categories for personal data processing

  • The categories of personal data and the list of typical personal data of a data subject processed for a specific purpose.

Cookies

  • Electronic data which WWW server sends to the search engine which subsequently stores them on user’s (customer’s) computer. During every following visit of the same server, the search engines sends the data back to the server. Cookies usually serve for differentiating individual users, user preferences are stored in them, etc.

Personal data processing

  • Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The categories for personal data processing

The Company and its contractual processors process the following categories of personal data based on the relevant legal basis and the purpose of processing

  • Identification and contact details of the customer (particularly name, surname, title, permanent residence address, e-mail, phone number, identity card number, travel document number, citizenship and potentially also visa number).
    • In the case of self-employed natural persons, they also process the specification of the self-employed natural person, the registered office, company ID, VAT ID, the information about a VAT payer.
    • In the case of business trips of natural persons who are not self-employed, they also process the data concerning the organization that ordered or paid for the trip).
  • The data concerning the stay and ordered services of the customer (mainly the date of the arrival, the date of the departure, the number of accommodated people, the type of stay, the type of the ordered room, the selected packages of spa and wellness services).
  • The data concerning the payment of the customer’s stay (mainly the bank account number, potentially also the type of a credit card and the authorization code of the transaction).
  • For customers who use medical and spa services: 
    • The data concerning the medical condition (mainly diagnosis, used medicines, information found out in the personal anamnesis and other major issues related to the medical conditions you voluntarily provide us).
    • The data concerning medical stays the customer has been to – the information about health treatments we provided you in our facilities.
  • The information from the video surveillance system concerning the people who enter the hotel (video recording).
  • Customers’ personal data in order to secure value-added services such as car hire, issuing the confirmation of the stay to obtain a visa, payment for the stay (mainly the information from travel documents, the information from credit cards, the information about a driver’s license, also the copies of individual documents and credit cards can be processed based on the customer’s wish and with his/her consent).
  • Other information obtained from the customer or from the communication with the customer.
  • Electronic data concerning the visits of the Company’s website (IP address, cookies). 

The sources of personal data

  • The Company obtains the personal data mainly from the customers from the communication concerning the conclusion of a contract (booking and the registration of the guest in a hotel) or third persons (e.g. travel agencies, online portals, etc.)
  • The Company also obtains the personal data from the communication with the customer before and during the stay, when using hotel, medical and wellness services or from the visits of its website. 
  • The Company also obtains the personal data from public registers and evidences, from public authorities and on the basis of specific legislation.
  • The Company always informs the customers about when the provision of personal data is necessary for the provision of a specific service and when it is voluntary, but the provision of such personal data makes the communication between customers and the Company easier and makes the provision of services far more efficient.

The legal basis for personal data processing

  • The Company processes customers’ personal data on the basis of the following legal reasons (titles):
    • the fulfilment of a contract;
    • the fulfilment of a legal obligation;
    • the legitimate interest of the Company;
    • customer’s valid consent to personal data processing.

The purposes for personal data processing

The fulfilment of the contract

  • The Company processes customers’ personal data for the purposes related to the fulfilment of contractual obligations of both contractual parties, particularly for the purposes of the fulfilment of the contractual relationship related to your stay, i.e. securing the orders and bookings, the conclusion and the fulfilment of contracts related to accommodation, food and related services we offer and provide. And also, the changes and terminations of contracts in accordance with relevant legislation, the related invoicing and the evaluation of the provided services.

  • The extent of personal data processed for these purposes is defined by the data on registration and booking forms and the data obtained when using the services provided by the Company. 

  • As a standard, the data mainly include: identification and contact details, information about the stay and ordered services, data on the payment of services and accommodation, data for securing value-added services. In the case of spa treatment, it also concerns the data concerning medical stays the customer has been to, the information about health treatments we provided you in our facilities and health information you provide us yourself during the provision of the services and the initial examination. 

  • We process these data on the basis of a contractual relationship between you and the Company the subject of which is the provision of medical and spa treatment and related services (accommodation, food, etc.). The purpose of such processing is the provision of the stated services.
    The period of processing is limited mainly by the period when the customer is accommodated, the guarantee period and legal archiving obligations of the customer and the internal policies of the Company. 

The fulfilment of a legal obligation

  • The Company processes personal data of its customers for the purpose of the fulfilment of its legal obligations set down by relevant legal regulations, e.g. Decree no. 98/2012 Coll. on Healthcare Documentation, Act no. 565/1990 Coll. on Local Fees, Act no. 326/1999 Coll. on the Residency of Foreign Nationals, and on the basis of the information provided by the customer in the extent stated by the law.
  • Besides processors, the Company also provides customers’ personal data to the personal data recipients among which also state authorities and other entities belong within the scope of the application of the rights laid down by law and the fulfilment of obligations laid down by law, particularly for the purpose of:
    • the provision of personal data on request to the authorities operating in criminal, infringement or administrative proceedings;
    • and for other purposes defined by law and to other authorities within the scope of the exercising of the rights laid down by law and the fulfilment of obligations laid down by law.
  • The extent of personal data processing and the period of their processing is laid down by generally binding legal regulations and relevant internal regulations of the Company.

Legitimate interest

  • Legitimate interest as a legal basis of personal data processing is applied when legitimate interests/rights of the controller are superior to the interests/rights of customers, taking into account adequate expectations of customers on the basis of their relationship with the controller. This concerns the cases where a consent to personal data processing is not necessary.
  • It mainly includes the following purposes:
    • The protection of fundamental and other important rights of the Company which result from generally binding legal regulations and contracts in various disputes, controls, investigations, proceedings and with regards to contractual partners and third persons and for the period of time which is laid down by generally binding legal regulations and relevant internal regulations of the Company.
    • Preventing fraudulent activities causing harm to the Company in the events of reasonable suspicion and for the period of time laid down by generally binding legal regulations and relevant internal regulations of the Company.
    • Claim recovery for the limitation period laid down by law, but for the period of  5 years at maximum.
    • For the purpose of the protection of the Company’s property and the health of people against illegal conduct, there is a video surveillance system installed in our hotel. Cameras are installed only in public space of halls and inside entrances to the buildings of the Company. There is always a sign with the information about the video surveillance system in front of the entrance to the building. The extent of the personal data processing is the video recording. The recordings are only used in relation to the events which harmed important interests of the Company which are protected by law. The recordings are stored for 14 days.

Consent to personal data processing

  • In the event that the Company processes customer’s personal data for other purposes which cannot be classified as the purposes stated in Article 6.1, 6,2 and 6.3, it can do so only on the basis of a granted valid consent to personal data processing from the customer which is an expression of the customer’s free will and therefore it constitutes a specific title for the processing of personal data.
    • It particularly concerns personal data processing for the purpose of sending special commercial offers and news. Your e-mail address is processed for this purpose. You grant us your consent for the period of 10 years or until you withdraw the consent.
  • Not granting the consent or the restriction of its use does not affect the fulfilment of previously agreed obligations for the period of the contract duration or the possibility of concluding a new obligation from the side of the Company. The granted consent can be partially or wholly withdrawn at any time.

Means of personal data processing

  • Customer’s personal data are processed by automated means as well as manually and they may be available to the employees of the Company if that is necessary for the fulfilment of their work duties and also to the processors the Company has concluded data processing agreements with and potentially to other persons in accordance with relevant legal regulations. 

Personal data recipients and processors 

  • Besides the Company and its employees, personal data may also be processed by its contractual processors in order to secure the above-described purposes and this shall be done on the basis of data processing agreements concluded in accordance with relevant legal regulations.
  • Personal data processing may be performed for the Company only by processors and controllers which guarantee the organisational and technical security of these data with the definition of the purpose of processing while these processors cannot use the data for other purposes.
  • The processors or joint controllers of personal data of the Company are the following categories of third parties: travel agencies, booking platforms, transport companies, external healthcare laboratories, external doctors, companies securing IT and other supporting services. 
  • Customers’ personal data may be transmitted to third entities which are legally authorized to ask for the transmission of the concerned personal data.
  • The Company can transmit the personal data of its customers to third countries outside EU/EEC when conditions for such transmission laid down by law according to GDPR are fulfilled, and mainly on the basis of standard concluded contractual causes of the EU, on the basis of your explicit consent or if it is necessary for the conclusion or for the fulfilment of the contract with you or in your interest.

Cookies

  • The website https://spa-ulrika.cz/en uses cookies. Cookies are small text files which are stored in the user’s PC, tablet or cell phone. Some of these files are necessary for optimal website functioning, some help to analyse the website or allow the operator to ensure better user experience (to remember the user and arrange the website content according to the user’s preferences which leads to the facilitation of viewing the site by the user). 
    This website uses both temporary cookie files which are stored in the user’s device only for the duration of the session as well as permanent cookie files which are stored in the user’s device depending on the set time of the existence of the specific cookie file.
  • Cookies used on our website
  • Google Analytics – analytical purposes
    • Google Analytics is an analytical tool by Google which helps the owners of websites and application to understand in what way the users use the websites and applications. It can use a set of cookie files for the collection of information and creating an overview concerning the use of the website while Google does not learn any personal identification data of individual visitors. Besides the creation of overviews concerning the statistics of the website use, Universal Analytics together with some of the cookie files may be used to present the most relevant ads in Google services (e.g. Google search) and on the website.
      You can find detailed information on Google Analytics and personal data protection at https://www.google.com/intl/cs/privacy/privacy-policy.html. If you want to prevent monitoring, you can install an add-on to your web browser  (https://tools.google.com/dlpage/gaoptout).
  • Cookie preferences (removal)
    • Cookies are allowed in most browsers by default. If the user does not want to use cookies or wants the Internet browser to notify him/her about the use of cookies, he/she needs to make specific settings in his/her own Internet browser. You can find more information on how to turn on and turn of the cookies and how to remove them in Help in your browser.
      However, setting the ban for using cookies can also mean some restrictions or the unavailability of certain functionalities of the website.

Customers’ rights related to personal data processing

  • Under the set conditions, the customer can exercise all the above-mentioned rights which are given to him/her by legal regulations which provide for the personal data protection:
The right What does it mean? How can you exercise this right? What are the conditions for its exercising?
Right of access  Under certain conditions, the customer has the right to access his/her personal data (including the information about their processing) the Company has available. The request for the provision of such data needs to be made personally or sent in a written form to the address of the Company or via e-mail. If possible, specify the type of data you are interested in so the reply matches your expectations.

The Company has to have a way of verifying your identity. 

Your request cannot infringe the rights and the freedoms of others. 

Right to rectification of incorrect or incomplete personal data The customer has the right to object because of incorrect or incomplete personal data about you that the Company processes. If it turns out that the personal data are incorrect, the customer has the right for the incorrect data to be removed, rectified or completed.

We recommend you notify us about any changes related to your personal data immediately, particularly the changes of your name, address, etc. 
You can send the notification in writing or via e-mail.

This right is related only to your own personal data. 

Be as specific as possible when exercising this right.

Right to data portability Under certain conditions, the customer has the right to receive the data which were provided from him/her to the Company and which are processed in an automated way and this shall be done in a commonly used and machine-readable format. The request for the provision of such data needs to be sent in a written form to the address of the Company or via e-mail. If possible, specify the type of data you are interested in so the reply matches your expectations.

This right is applied to the case when the data processing is performed on the basis of your consent or on the basis of a contract you signed and when the data are processed in an automated way (e.g. it does not apply to printed records). 

It concerns only the personal data you provided. Therefore, it generally does not apply to the personal data which were created by the Company (created and derived data). 

Right to object against the processing Under certain circumstances, the customer has the right to object against further processing of his/her personal data. Such objection against personal data processing needs to be sent in a written form to the address of the Company or via e-mail.

You have this right only if your personal data are processed on the basis of the legitimate interests of the Company. The objection has to be based on the facts concerning your specific situation so it could be properly assessed.

If the personal data is processed for the purposes of direct marketing, the customer has the right to object at any time ipso facto. In such case, the customer’s personal data will not be further processed for the purposes of marketing.

Right to restriction of processing Under certain conditions, the customer has to right to ask the Company for the restriction of personal data processing. Please send the request in writing or via e-mail. You have this right for example if (i) you challenge the accuracy of personal data until the accuracy is verified or (ii) the processing is against the law or (ii) you objected against their processing and for the period until this is verified whether the legitimate interests of the Company are superior to your interests.
Right to personal data erasure Under certain conditions, the customer is entitled to ask for the erasure of his/her personal data (this right is also known as “the right to be forgotten”) and that is for example if the customer suspects that the processed data are inaccurate or the processing is against the law or he/she withdrew his/her consent. Please send the request in writing or via e-mail. There are several lawful reasons on the basis of which it might happen that the Company will not be able to comply with your request for the erasure of personal data. It may concern situations when for example (i) the Company needs to fulfil its legal obligations or (ii) the Company does so for or protects its legitimate interests or (iii) the data are necessary for the fulfilment of the concluded contract. 
Right to withdraw the provided consent The customer has the right to withdraw the provided consent with any processing of personal data. Please send the request in writing or via e-mail.  If you withdraw your consent, it will have effects only for the future.
Right to lodge a complaint with a supervisory authority The customer has the right to lodge a complaint to the Office for Personal Data Protection if he/she believes that the Company infringes its legal obligations in personal data processing.

Contact details of the Office for Personal Data Protection: 

The Office for Personal Data Protection 
Pplk. Sochora 27,
170 00 Prague 7

www: www.uoou.cz, e-mail: postaatuoou [emailtecka] cz (posta[at]uoou[dot]cz)

 

  • Period, identity verification 
    • The Company will react to any request of the customer related to the exercise of his/her rights without undue delay, within one month from the receipt of the request at maximum. This period may be extended by two months in the case it is needed with regard to the complicated nature and the number of requests and the customer shall be informed about that. In the case of a major request (e.g. a request for data transmission or a request for erasure), the Company is allowed to request the verification of the customer’s identity (e.g. the customer’s verified signature on the request, e-mail with electronic signature or phone verification).

Effect

This information takes effect on 1 January 2019.

Contact person for data protection

Hotel ULRIKA s.r.o.
Sadová 875/16
360 01 Karlovy Vary


Telephone: +420 353 243 111
Email: gdpratspa-ulrika [emailtecka] cz (gdpr[at]spa-ulrika[dot]cz)

Let yourself be pampered in a luxurious setting in one of the most equipped hotels in Karlovy Vary.

book onlinecontact us