Privacy Policy

Information on the processing and protection of personal data

 

Issued in accordance with EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") and in accordance with Act No. 18/2018 of 29 November 2017 on the protection of personal data and on amendments and supplements to certain acts (hereinafter referred to as "the Act").

 

The company VV Invest, s.r.o., with registered office at Krajinská Cesta 679/21, 93101 Šamorín, ID No.: 48 080 870, registered in the Commercial Register of the District Court of Trnava, Section: Sro, (hereinafter referred to as the "Controller") processes the personal data of the data subjects in connection with the operation of the CARD Hotel at Krajinská Cesta 679/21, 93101 Šamorín (hereinafter referred to as the "Hotel").

 

The controller hereby fulfils its information obligation towards its customers and contractual partners (hereinafter referred to as "data subjects") regarding the processing of their personal data.

 

The data subject shall be any natural person, regardless of nationality or place of residence, whose personal data are processed.

Processing of personal data means an operation or set of operations concerning personal data or sets of personal data, in particular the obtaining, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise, alignment or combination, restriction, erasure or destruction, whether or not by automated or non-automated means.

 

Contact details of the controller for information about the processing of personal data:

If the data subject has any questions concerning the processing of personal data or wishes to exercise any of his or her rights concerning the processing of personal data by the controller, he or she may do so by means of the following contact details:

e-mail: reservation@cardhotel.sk or in writing to the address of the operator: VV Invest, s.r.o. Krajinská cesta 679/21, 93101 Šamorín.

 

The controller processes the following personal data of data subjects in the information systems (hereinafter referred to as "IS") listed below, with the stated purpose of use and on the basis of the stated legal basis for the processing of personal data:

 

  1. IS THE PROVISION OF ACCOMMODATION SERVICES AND HOTEL RESERVATION SERVICES

For the purpose of providing hotel accommodation and related services, the operator collects and further processes the following personal data: title, name and surname, permanent or other residence (street and number, postcode, city), nationality, identity document number (ID, passport, other identification document), date of birth, email, telephone contact, period of accommodation, payment information: credit/debit bank card number and validity period, account number, or billing information, booking details, preferences, gender or occupation.

 

The Residence Registration Act requires the hotel to keep a register of guests. This should include the name and surname of the guest, the number of the guest's identity card or travel document, the address of permanent residence and the length of stay.

The Aliens Residence Act requires the hotel to hold data on the name and surname of the guest, the number of the guest's identity card or travel document, the address of permanent residence, the period of accommodation, nationality and date of birth.

For customers who have a visa obligation, in addition to the above personal data, we process data related to visas: type, number and validity of the visa, entry into the territory of the Slovak Republic.

 

We also process descriptive data such as behaviour in our premises, your activities in our hotel premises, booking history, personal preferences, claims and complaints you have made.

In the event that a customer provides a hotel review, the hotel will collect any data you provide in your review. If the customer decides to create a user account, the hotel will also collect the customer's personal preferences, uploaded photos and ratings related to previous bookings.

The controller may also process the audio recording of a telephone call with a customer for the purpose of creating an order - booking a hotel service.

The amount of personal data we collect and the way we collect it also depends on the form of communication the customer has with the controller.

 

The provision of the aforementioned personal data of the data subject is a necessary requirement for the conclusion of the accommodation contract, the subject of which is the hotel's obligation to book and provide you with the services you have ordered, as well as for the fulfilment of the legal obligations of the controller. The processing of your personal data is also necessary in the context of the performance of the contract for communication prior to the provision of accommodation, in particular for the execution of the reservation and the processing of your requests, the issuance of tax receipts, the recording of payments for services as well as the handling of your claims and complaints.

 

Data subjects: customers of the controller.

 

Legal basis - Pursuant to Article 6(1)(b) of the GDPR Regulation - performance of the accommodation contract or performance of measures prior to the conclusion of the accommodation contract on the basis of your request (making a reservation, a customer's request for information).

- according to Article 6(1)(c) of the GDPR Regulation - fulfilment of the legal obligations of the controller - the processing of personal data is necessary according to a specific regulation (registration of the register of accommodated persons according to the applicable legislation, the obligations of the controller according to the Act on reporting the residence of citizens of the Slovak Republic and the register of inhabitants of the Slovak Republic, the obligations according to the Act on the residence of foreigners, the obligations according to the accounting and tax legislation).

 

Processing period: for the duration of the contractual relationship and after the termination of the contract until the settlement of all obligations arising from the contract or related to the contract for the period strictly necessary for the fulfilment of legal obligations, including archiving obligations - for a maximum period of 10 years, unless a specific generally binding regulation requires a longer period.

 

2. IS CAMERA SYSTEM

In order to protect the rights and property of the operator, its employees as well as to protect the property and health of the operator's hotel customers, the operator monitors the premises of the hotel and obtains and further processes the following personal data: visual, audio and video-sound recording of the hotel customers and the hotel operator's employees.

 

All common areas of the hotel are equipped with a closed-circuit camera security system. The operator shall inform persons entering the environment about the installed CCTV system by means of an information board.

The monitored area shall be clearly marked by the operator.

 

Data subjects: employees, customers of the controller.

 

Legal basis - Article 6(1)(f) of the GDPR - the processing of personal data is necessary for the purpose of the legitimate interests of the controller or a third party.

 

Duration of processing: only for the purpose and for the period prescribed by law, i.e. the record made may only be used for the purposes of criminal or misdemeanour proceedings, unless a special law provides otherwise. The controller must destroy the record which is not used for the purposes of criminal or offence proceedings within 30 days of the day following the day on which the record was made, unless a special law provides otherwise.

 

3. IS THE REGISTRATION OF CLAIMS

For the purpose of handling and registering complaints of hotel customers, the operator processes the following personal data: name, surname, title, residence, telephone number, e-mail, order/reservation number of the complained service, date and time of the complaint, bank account data (IBAN and SWIFT of the customer for refund, discount on the price of the service), customer's signature.

 

Legal basis for the processing of personal data - Article 6(1)(c) of the GDPR Regulation - fulfilment of the legal obligations of the controller - processing of personal data is necessary under a specific regulation (e.g. Act No. 250/2007 Coll. on Consumer Protection and on Amendments to the Act of the Slovak National Council, Act No. 40/1964 Coll., Civil Code, Commercial Code).

 

Data subjects: customers of the controller.

Processing period: 5 years from the date of the claim.

 

 

4. IS TAX AND ACCOUNTING

For the purpose of fulfilling accounting and tax obligations under applicable legislation (in particular Act No. 222/2004 Coll. on Value Added Tax, as amended, Act No. 461/2002 Coll. on Accounting, as amended, etc.), the controller processes the following personal data: name, surname, title, residence, order/reservation number, information on the delivered services/goods, bank account details and other payment data (data necessary for the performance of payment of the delivered goods/services, as well as for the payment of taxes, fees), other personal data strictly necessary for the defined purpose within the meaning of the applicable legislation.

 

Data subjects: customers of the controller and its business partners.

Legal basis - according to Article 6(1)(c) of the GDPR - fulfillment of a legitimate reason.

Processing period: for 10 years following the year to which the accounting documents or records relate, or 10 years following the year in which the documents were last used.

 

 

5. IS THE COLLECTION OF LOCAL TAXES AND FEES OF ACCOMMODATED GUESTS

For the purpose of fulfilling the obligations associated with the assessment and payment of local tax for guest accommodation, the operator processes the following personal data: name, surname, residence, order/reservation number, address of the accommodation facility, number of accommodated persons, other personal data necessary for the defined purpose in accordance with applicable law (required by the City of Šamorín).

Data subjects: the operator's customers staying at the hotel.

Legal basis - according to Article 6(1)(c) of the GDPR - fulfillment of a legitimate reason. In particular, the Act on Local Taxes and Local Fees as well as the relevant general binding regulation of the city.

Processing period: for 10 years following the year to which the accounting documents or records relate, or 10 years following the year in which the documents were last used.

 

6. IS MARKETING

For the purpose of determining the satisfaction of the hotel's customers, promoting the hotel's services and products, sending sales and marketing notifications about the hotel's offers and services and events held at the hotel, and sending notifications to customers registered in loyalty programs, the operator obtains and further processes the following personal data:

name, surname, email, telephone contact, Facebook account (or similar account on social networks), audio recording of the telephone call, consent to the processing of personal data and the signature of the data subject (if consent is required for the processing of personal data for marketing purposes under applicable legislation).

               

For marketing activities, personal data is processed for the following purposes:

  1. sending business offers by e-mail - e-mail marketing,
  2. contacting via SMS messages - sms marketing,
  3. contacting via telephone - telemarketing,
  4. sending newsletters,
  5. organisation of consumer competitions, loyalty system of the operator,
  6. carrying out market research and evaluation,
  7. inclusion in a marketing database for profiling and direct marketing,
  8. conducting segmentation (profiling) in order to target marketing according to the specific needs of the subject, for example, the choice of commercial communications with regard to participation in the activities of the operator, the identified preference, age and other information identified from the subject.

 

Direct marketing is a method of marketing communication that allows the operator to communicate with its customers by direct address (e.g. by e-mail, mail, telephone, newsletters).

 

Recital 47 of the GDPR sets out the legal basis for the processing of personal data for marketing purposes as follows: "The processing of personal data for direct marketing purposes may be considered a legitimate interest."

If the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes. In connection with this right of the data subjects, the controller shall, in promotional e-mails, use a text at the end of the e-mail that allows the addressee to opt out of receiving further e-mails if the data subject does not wish to receive them.

 

In the case of direct marketing, the operator respects Act No. 452/2021 Coll. on Electronic Communications, according to which for the purpose of direct marketing it is allowed to call or use automatic calling and communication systems without human intervention, telefax, electronic mail, including short message service to the customer only with his prior consent, which must be demonstrable. The consent granted may be withdrawn at any time.

 

If the consent of the data subject (customer) is required for the processing of personal data for marketing purposes under the applicable legislation, the processing shall only be carried out on those customers who have given their consent to the controller for this purpose.

Marketing information is sent to data subjects on the basis of their consent, in particular by electronic means (within the meaning of the Electronic Communications Act), in particular by e-mail, telephone, SMS, MMS messages, Facebook account or other social network account or application notifications.

If the customer does not wish to receive information about marketing activities, they can withdraw their consent at any time. The customer is also entitled to object to the processing of personal data by automated decision-making or profiling.

 

Data subjects: customers of the controller.

Legal basis - Article 6(1)(a) of the GDPR - The data subject has consented to the processing of his or her personal data for at least one specific purpose or

- Article 6(1)(f) of the GDPR, i.e. that the processing is necessary for the purposes of the legitimate interest of the controller.

 

Processing period: the controller processes the personal data of Data Subjects only for the duration of the contractual relationship or until the consent is given, at the latest until the Data Subject withdraws his/her consent (or notifies the controller of his/her opposition to the sending of commercial communications or objects to this method of processing personal data).

 

Newsletter

For the purpose of sending the latest information, e.g. about events, promotions and services of the hotel, the operator delivers a newsletter to customers.

 

Newsletters are sent to customers who are members of the loyalty program or have already used the hotel's services and have not objected to such delivery, and we do not need the operator's consent to send them, as this is a legitimate interest of the hotel - i.e. the legal basis is Article 6, paragraph 1, letter f) of the GDPR Regulation.

 

In the case of a customer who has not yet used the services of the hotel or is not a customer of the hotel, it is possible to send him a newsletter exclusively on the basis of the customer's consent, in which case the legal basis is Article 6, paragraph 1, letter a) of the GDPR Regulation - the data subject has consented to the processing of his personal data for at least one specific purpose.

 

Data subjects: customers of the controller.

Legal basis - Article 6(1)(a) of the GDPR - The data subject has consented to the processing of his or her personal data for at least one specific purpose or

- Article 6(1)(f) of the GDPR, i.e. that the processing is necessary for the purposes of the legitimate interest of the controller.

Processing period: the controller processes the personal data of Data Subjects only for the duration of the contractual relationship or until the consent is given, at the latest until the Data Subject withdraws his/her consent (or notifies the controller of his/her opposition to the sending of commercial communications or objects to this method of processing personal data).

 

7. IS IMAGE AND SOUND - IMAGE RECORDS

The operator or the operator's business partners can organize various social events and events in the hotel.

For the purpose of informing about these events as well as for the purpose of further presentation of the services and offers of the operator, the following personal data may be collected and processed: visual, audio-visual and audiovisual recordings, including expressions of a personal nature, by means of their acquisition, production, collection on personal data carriers (physical and data carriers), viewing, organisation, storage, publication in presentation materials, on the website and social networks used by the operator and its marketing partners (Facebook, YouTube, Instagram, etc.), as well as dissemination and presentation, disclosure to third parties, and broadcasting (video recording, live streaming).

 

The scope of data subjects: employees, customers of the operator attending social events, events and actions held in the hotel of the operator.

 

Legal basis - Article 6(1)(a) of the GDPR - The data subject has consented to the processing of his or her personal data for at least one specific purpose.

Processing period: the controller processes the personal data of the Data Subjects only for the duration of the consent granted.

 

8. IS THE PERSONNEL AND PAYROLL AGENDA

For the purpose of processing personnel and payroll records and fulfilling legal obligations related to the personnel and payroll agenda of the operator as an employer, the operator processes the following personal data: first name, surname, maiden name, title, address of permanent and temporary residence (street and number, postcode, city), date of birth, nationality, citizenship, birth number, bank account number (IBAN), name of health insurance company, supplementary pension fund, ID card number, marital status, email, telephone contact, highest completed education, basic salary, personal evaluation, sick leave, vacation, doctor, pension entitlement, changed work status, change of work status and other information.ability, information on whether the employee has been registered at the employment office, information on the employee's financial obligations to third parties, information on pending executions, criminal proceedings, prohibition of the employee's activity and other data if required by the applicable law.

 

The controller also processes personal data of employees' family members - names, surnames, addresses and birth numbers of family members, a copy of the employee's child's birth certificate.

 

The controller also processes personal data of job applicants in the following scope: name, surname, title, education, work experience, email, telephone contact, marital status, where the legal basis is the consent of the applicant.

 

Data subjects: employees and job applicants of the operator.

Legal basis - Article 6(1)(c) of the GDPR - the processing of personal data is necessary pursuant to a specific regulation (in particular Act No. 311/2001 Coll., the Labour Code, Act No. 595/2003 Coll. on Income Tax, as amended, the Social Insurance Act, the Health Insurance Act, etc.).

Processing period: for the duration of the contractual relationship and subsequently for 10 years after its termination, unless otherwise provided for by a specific law.

 

9. IS OSH

For the purpose of fulfilling the obligation of the controller as an employer to take measures to prevent damage to the employee's health and at the same time for the purpose of fulfilling the obligation to ensure safety in the performance of the employees' work, the controller processes the following personal data:

  1. in connection with the implementation of OSH training of employees: title, name, surname, signature,
  2. in connection with work-related accidents: title, first name, surname, date of birth, permanent address, daily assessment base, details of the accident (what accident the employee suffered, description of the course of the accident, cause of the accident, date and place of the accident), alcohol screening tests,
  3. in connection with the screening tests of employees to check compliance with OSH legislation (whether the employee is under the influence of alcohol, narcotic drugs or psychotropic substances): title, first name, surname, date of birth, position, supervisor, result of the test for alcohol, psychotropic substances, narcotic drugs.

 

Data subjects: employees of the controller.

Legal basis - Article 6 (1) (c) of the GDPR Regulation - the processing of personal data is necessary according to a specific regulation - Act No. 124/2006 Coll. on Health and Safety at Work and related legislation.

Processing period: for the duration of the contractual relationship and subsequently for 10 years after its termination, unless otherwise provided for by a specific law.

 

10. IS CONTRACTUAL RELATIONS WITH SERVICE SUPPLIERS AND BUSINESS PARTNERS

For the purpose of concluding contractual relations with service providers for the operator and other business partners of the operator, issuing tax documents in connection with the concluded contractual relations, resolving complaints and liability relations, the operator processes the following personal data: name, surname, title, function, e-mail, telephone contact, information about the delivered services or product, monetary institution, bank account number (IBAN) and other payment data, or other personal data necessary for the defined purpose within the meaning of the applicable legislation.

 

Data subjects: contractors and service providers of the controller.

Legal basis - Article 6 (1) (c) of the GDPR Regulation - the processing of personal data is necessary pursuant to a special regulation (in particular the Commercial Code, tax legislation),

- Article 6(1)(b) GDPR, the processing is necessary for the performance of a contract to which the data subject is a party.

 

Processing period: for the duration of the contractual relationship and subsequently for 10 years after its termination, unless otherwise provided for by a specific law.

 

 

PROCESSING AND PROTECTION OF PERSONAL DATA ON THE HOTEL WEBSITE

 

Cookies

 

  • They are used to provide the user with certain automated form functions.
  • Cookies used by the hotel's website are automatically deleted when you close your browser. The hotel website uses the following cookies:

i/ necessary (functional) cookies - these files are used to ensure the basic functionality of the website. They are stored directly on the customer's device by the website you are visiting. If the website operator does not use functional files, some functions of the website may not work properly or may not be displayed correctly.

ii/ analytical - used to analyse website performance, track website traffic and monitor website visitor behaviour, with the results being detailed statistics and analysis of website traffic, e.g. Google Analytics tool,

iii/ marketing - used to store marketing cookies, which are used to detect preferences and subsequently target and personalize advertisements, whether in web browsers or on social networks, e.g. Meta Platforms Inc.

Analytical and marketing cookies are processed by the controller on the basis of the data subject's consent.

  • In addition to these cookies, the hotel's website may also use cookies that remain stored on the user's computer for several months or years, depending on the user's settings. The reason for using such cookies is to provide the user with the most relevant content and to enable the user to use the website as comfortably as possible.
  • Third party cookies may also be present on the website. These are mainly embedded advertisements or plug-ins etc. Third-party cookies are therefore also stored on the user's computer. The reason for storing third-party cookies is to be able to reach the user with relevant offers and content. The operator is not responsible for the use of third-party cookies in accordance with the relevant regulations.
    Cookies do not contain any personal data of the data subjects and only collect anonymous data associated with their user ID. This is data about which pages the customer has viewed or what content he/she has searched for. This data is never linked to the customer's personal data.
  • The user can influence the use of cookies on his/her computer by adjusting the settings of his/her internet browser (allowing or refusing the storage of cookies). However, doing so may limit some of the functions of the cardhotel.sk website.

In the case of consent - permission for cookies, the following can be stored on the user's electronic device: i/temporary cookies, which are automatically deleted when the user's internet browser is switched off, ii/long-term cookies, which are retained on the user's internet browser even after switching off the device with which the user accesses the cardhotel.sk website (these cookies can be deleted by the user at any time and are also deleted automatically after a few weeks or months).

  • By consenting, the user also authorises the operator to use cookies for its own record-keeping or statistical purposes and for the purposes of targeted advertising by partners with whom it has entered into specific agreements for the display of advertising on websites. The user's consent lasts for as long as the settings of the user's internet browser are maintained. By changing the settings of the user's browser or by prohibiting the use of cookies, the user's consent is no longer valid.

 

Personal data that the hotel collects automatically when you visit the website.

  • The hotel automatically collects the following data when you visit our website or use our app (even if you do not make a reservation): the IP address, the date and time of use of the service, and information about the hardware and software used by the customer (e.g. internet browser, operating system, app/software version and language setting). The hotel also collects data about clicks and about the pages viewed by the customer, for example through cookies.
  • If the customer uses a mobile device, the hotel collects data that identifies the device, data regarding the type of device, its settings and characteristics, information about application crashes and other system activity.

 

Website security.

The cardhotel.sk website uses an encrypted SSL connection for any user connection and transmission of any data, which prevents third parties from accessing the transmitted data during its transmission on the Internet and the alteration of such data by third parties. The Controller's databases containing personal data are protected by encryption and non-public access data in accordance with the latest technical standards.

 

COMMON PROVISIONS CONCERNING THE PROCESSING OF PERSONAL DATA BY THE CONTROLLER IN ALL OF THE AFOREMENTIONED INFORMATION SYSTEMS:

1. The controller does not process special categories of personal data of data subjects in connection with the operation of the hotel and the performance of related activities.

2. Profiling, which includes: the automated processing of personal data and the use of such personal data to evaluate certain personal aspects relating to a natural person, is not carried out by the controller.

 

3. How the controller obtains personal data

  1. Customer personal data is provided to the controller directly by the customer (e.g. when you check in or out at the hotel, when you make a reservation, when you contact the hotel) and is sometimes collected by the controller, e.g. using cookies, to capture how the customer uses the hotel's website.

In certain circumstances, the controller may also obtain personal data from third party sources such as banks, travel and hotel booking platforms, travel agencies or credit card providers.

The controller may also collect personal data from third parties, in particular from social networks (such as Facebook, Tripadvisor, Instagram, Google), if customers have chosen to set up their user account through the services of these third parties. Furthermore, it may collect personal data from third parties with which it cooperates and which offer booking engine products, such as booking.com.

  2. The personal data of employees are obtained by the controller directly from the employees - the data subjects to whom they relate, but also from third parties, e.g. from the previous employer (in the form of employment certificates - enrolment letter and employment report).
  3. Personal data of the controller's contractual partners, e.g. service providers, are obtained directly from these providers or verified from public sources (remotely maintained public lists, registers or other publicly accessible records - e.g. commercial register, trade register).

 

4. Who has access to the data of the data subject

The controller may disclose personal data of data subjects to the following categories of recipients:

  • an external supplier of accounting, archiving and IT services, a server administrator, including the administrator's contractual partner,
  • to public authorities in the performance of their statutory duties (in particular foreign police, tax authorities, social security authorities, law enforcement authorities or other state administration authorities) or in connection with the exercise of rights and obligations under a contract (in particular the courts),
  • to a person authorised to practise advocacy within the meaning of Section 12 of Act No. 586/2003 Coll. on Advocacy (hereinafter referred to as "advocate") for the purpose of providing professional legal advice related to the conclusion and performance of the contract or for the purpose of asserting our claims arising from the contract,
  • third parties acting on behalf of the controller, such as service providers - in such cases, these third parties may use personal data only for necessary purposes and only in accordance with the controller's instructions, business partners
  • employees of the controller who are bound by the obligation of confidentiality, and only to the extent necessary for the performance of the employee's work tasks,
  • if required by a generally applicable law or a court order, the personal data of the customer may be shared by the controller with, for example, its suppliers or clients.
  • external applications and booking systems.
  • companies financially and personally related to the operator (in particular CARD CASINO s.r.o., Ariola s.r.o., ID No.: 36 794 384 and Aureola s.r.o., ID No.: 50 600 044).

The controller may also process all personal data through entities in the position of an intermediary, on the basis of a contractual relationship (processing on behalf of the controller), e.g. accounting firms, advertising agencies, software suppliers, security technicians, auditors.

 

5. Transfer of personal data to a third country

The Data Controller will not transfer the personal data of the Data Subjects to third countries (outside the European Union) or to an international organisation.

 

6.  Rights of the Data Subject in relation to the protection and processing of personal data

(a) the right of the Data Subject to access to personal data,

(b) the right to request confirmation as to whether or not personal data about the Data Subject is being processed,

(c) the right to rectification of personal data,

(d) the right to erasure of personal data,

(e) the right to restrict the processing of personal data,

(f) the right to object to the processing of personal data,

(g) the right to data portability,

(h) the right to request a list of the Data Subject's personal data that are subject to processing,

(i) the right to have personal data completed or blocked,

(j) the right to file a petition for initiation of proceedings pursuant to Section 100 of the Act with the competent supervisory authority, for example via www.dataprotection.gov.sk.

 

The data subject may at any time withdraw his or her consent to the processing of personal data and has the right to request their destruction in accordance with the Act, based on a written request sent to the controller at the contact listed at the beginning of this document. The data subject may withdraw consent in a manner similar to that in which he or she gave it.

 

The data subject acknowledges that the controller shall immediately terminate the processing of personal data that it has processed on the basis of the data subject's consent and shall also properly dispose of such personal data. However, if there is a legal basis for the processing of the data subject's personal data other than the data subject's consent, the controller shall also process the personal data without the data subject's consent or after the data subject's consent has been withdrawn.

 

The data subject may withdraw consent at any time and request their disposal in accordance with the law, based on a written request sent to the email of the controller: reservation@cardhotel.sk or in writing to the address of the controller: VV Invest s.r.o., Krajinská Cesta 679/21, 93101 Šamorín.


The data subject may inform the controller whether the provision of personal data is a legal or contractual requirement or a requirement necessary for the conclusion of a contract, whether the data subject is obliged to provide personal data, as well as the possible consequences of not providing such data.

7. Ensuring the protection of processed data

During the processing of personal data, the controller shall have in place specifically designed data protection measures, consisting of the adoption of appropriate technical and organisational measures, for example also in the form of pseudonymisation, to effectively implement adequate safeguards for the protection of personal data and to comply with the GDPR.

The controller undertakes to take into account the state of the art in the protection of personal data, the nature, scope, context and purpose of the processing of personal data and the risks of the processing of personal data of varying likelihood and severity that the processing of personal data poses to the rights of the data subject when specifically designing the protection of personal data.

The controller has adopted appropriate technical and organisational measures to ensure that personal data are processed only for a specific purpose, that the amount of personal data collected and the scope of processing, the retention period and the availability of personal data are minimised.

 

Organisational measures aim to ensure that personal data are used only for the purposes for which the specific data need to be processed. The controller has the following measures in place: adoption of a data protection directive, entrusting authorised persons with the processing of personal data, conclusion of a contract on the processing of personal data with each processor, regular training of employees, etc.

 

The servers and the method of handling the data contained therein meet the technical requirements for an information security management system, which are set out in the technical standard STN ISO/IEC 27001:2014 Information technology - Security techniques - Information security management systems - Requirements.

 

The operator has a server located in a data centre, which is designed for the location of information and communication technology in continuous operation and ensures stable operation of the server without environmental influences. The physical security of the server is ensured by providing protection at the level of the building in which the data centre is located.

The operator ensures that unauthorised access to the data centre is prevented and the server is secured against damage, theft or misuse of the server or interruption of its operation.

 

To ensure physical security, we use mechanical barriers, electrical safety signalling devices, fire prevention devices, access control systems, CCTV systems, devices to ensure protection against power supply failure and devices to ensure optimum operating conditions.

Data transfer from the administration interface is done via the HTTPS protocol. The data itself is encrypted on the server. The operator uses passwords for internal systems and applications.

 

Validity of this information

This Information on the processing and protection of customers' personal data may be periodically updated by the controller. Changes to the terms and conditions of processing and protection of personal data will be published by the controller.

 

This Personal Data Processing Information is valid and effective on the date of its publication on www.cardhotel.sk on 1 November 2024.

 

 

In Šamorín, on 1.10.2024