
GDPR

The Ten Commandments on your personal data:

  1. Personal data is anything that can identify you to anyone.
  2. We are controllers who sometimes use processors to process personal data and you are the data subject.
  3. We protect your personal data carefully and only use it for what we are authorised to do or what you have consented to.
  4. We do not always need your consent to process your personal data.
  5. We are constantly working to improve processes, technical and organisational measures to protect your personal data.
  6. We carefully select, vet and contract the suppliers to whom we sell your personal data.
  7. If you make a request, you have the right to know what personal data we process about you and why we process it, and if we do so without your authorization or consent, you have the right to erasure, correction or restriction of that data.
  8. We keep a record of the processing of personal data.
  9. We assess the impacts and risks of processing your personal data.
  10. You can find out everything about your personal data that we process by visiting gdpr@hotelbratislava.sk.


For those who want to know more:

INTRODUCTORY INFORMATION

In the following, we provide you with information about the processing of your personal data and your rights related to the processing of your personal data in the context of our activities, i.e. in connection with the services we provide to you.

Any processing of personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation" or "GDPR") and Act No. 18/2018 Coll. on the protection of personal data and on amending and supplementing certain acts.

In accordance with Art. 13 et seq. of the General Data Protection Regulation, we provide the following information to you as so-called data subjects.
This document serves to inform you properly about the scope, purpose and duration of the processing of your personal data and to inform you of your rights in relation to the protection of your personal data.

WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?

The controller of your personal data is City Hotel Bratislava s.r.o. 45 956 316, a company registered in the Commercial Register of the Municipal Court Bratislava III, Sec. 69326/B (hereinafter referred to as the "Company").

WHAT IS PERSONAL DATA?

Personal data is all information relating to an identified or identifiable natural person on the basis of which a specific natural person can be directly or indirectly identified (hereinafter referred to as "data subject"). Personal data thus includes a wide range of information such as name, gender, age and date of birth, personal status, photographs, birth number, place of residence, telephone number, e-mail, health insurance data, nationality, health data, signature, IP address and many others.

ON WHAT BASIS CAN WE PROCESS YOUR PERSONAL DATA?

Processing is lawful if and only to the extent that at least one of the following conditions is met:

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes,
(b) the processing is necessary for the performance of a contract to which the data subject is a party or for pre-contractual measures to be taken at the request of the data subject,
(c) the processing is necessary for compliance with a legal obligation,
(d) processing is necessary to protect the vital interests of the data subject or of another natural person,
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
(f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

WHAT IS THE PURPOSE OF THE PROCESSING OF PERSONAL DATA, WHAT PERSONAL DATA DO WE PROCESS, FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?

The company as the controller processes your personal data in the following way/for the following purposes:
a) E-mail booking

Your personal data is collected directly from you to the extent necessary for your e-mail reservation to be entered into the Company's internal booking system.
Legal basis: performance of the contract
Retention period: until the end of the stay

b) Reservation of accommodation by any of the electronic forms

Your personal data is collected directly from you to the extent necessary for us to be able to book your chosen accommodation.
Legal basis: performance of the contract
Retention period: until the end of the stay

c) Guest registration card

Your personal data is collected directly from you, either already provided when booking your accommodation or directly at the hotel reception, to the extent necessary for us to provide you with accommodation or to fulfil our obligations towards certain state and local government authorities (e.g. local tax on accommodation, mandatory reporting to the foreign police).
Legal basis: performance of a contract, legal obligation
Retention period: 3 years

(d) CCTV - monitoring of premises

The purpose of the monitoring is to protect the property in the monitored area and to protect the natural persons present within the premises, as well as to obtain evidence of the causes, progress and consequences of security incidents on an ongoing basis.
Legal basis: a legitimate interest pursued by the controller or a third party consisting in the right to the protection of property, the protection of the health of natural persons and the right to require the maintenance of public order
Retention period: 15 days

(e) Accounting and commercial agenda

The purpose is the fulfilment of the legal obligations of the controller arising from specific regulations (e.g. Accounting Act, Value Added Tax Act, Income Tax Act)
Legal basis (including provision to third parties): legal obligation
Retention period: 10 years

(f) Business communications

The purpose of the processing is the preparation and implementation of the business activities of the controller.
Legal basis: legitimate interest pursued by the controller consisting in the right to carry on business within the scope of the objects of activity entered in the extract from the relevant register.
Retention period: subject to the preparation and duration of the business relationship, as well as the expiry of the limitation period.

(g) Personnel and payroll

The purpose of the processing is the preparation and conclusion of the employment contract or agreement on outside employment, the recording of documents on fitness for work, the payment of wages, levies, the fulfilment of obligations to public authorities, attendance records, education records, records of issued authorisations and powers of attorney, records of property or equipment, conclusion of agreements on material liability, records of the issue of cash, provision of employee benefits, records of damage caused by employees to the workplace or to the property of the operator (the employer), provision of meals, copying of documents necessary for the purposes of the employment or similar relationship, as well as the fulfilment of other legal and contractual obligations.
Legal basis: performance of a legal obligation, performance of a contract, consent or legitimate interest
Retention period: during the duration of the employment relationship or other similar relationship until the employee (including former employees) reaches the age of 70.

(h) administration of the register, handling of the whistleblowers' agenda

The purpose of the processing is the fulfilment of legal obligations, in particular those arising from Act No. 395/2002 Coll. on archives and registers and on the amendment of certain acts, as amended, and from Act No. 305/2013 Coll. on the electronic form of exercising the powers of public authorities and on amendments and supplements to certain acts (Act on e-Government) and the fulfilment of the obligations arising from Act No. 307/2014 Coll. on certain measures related to the notification of antisocial activities and on amendment and supplementation of certain acts.
Legal basis: fulfilment of a legal obligation
Retention period: set by specific regulations

(i) taking photographs of employees and their family members

The purpose of the processing is to take and publish stylised promotional photographs in the context of advertising campaigns promoting the Company's reputation.
Legal basis: the data subject has given his/her consent
Retention period: necessary for the duration of the marketing or advertising campaign and for the archiving period

(j) registration of the rights of data subjects

The purpose of the processing as a legal basis is the fulfilment of a legal obligation of the Company.
Retention period: 2 years from the date of the data subject's request

k) events organised by the Company

The purpose of the processing is to organise and ensure your participation in an event organised by the Company.
Legal basis: consent (by signing up); by giving your consent, you agree that photographs and videos may be taken at the Company's events for the purpose of marketing promotion of the Company, and by moving within the marked area photographed by the photographer or videographer you consent to such processing. You have the right to object at any time to the making of a video or audio-visual recording of your person.

(l) visiting the website

The purpose of the processing is your visit to the social networks on which the Company has established its profile. The processing is governed by separate terms and conditions for the protection of your privacy, which are published on the social networks.
Legal basis: the data subject has given his or her consent (by interacting with the plugin) or by active action (by entering a competition)
Retention period: by type

m) litigation

The purpose of the processing as well as the legitimate interest is to prove, exercise and defend the Company's legal claims.
Legal basis: the legitimate interest of the controller in pursuing legal claims
Retention period: until the final conclusion of the case

TO WHOM WILL THE COMPANY SEND YOUR PERSONAL DATA?

The Company provides your personal data to the following persons: the Company's accountant (including external ones), state and public administration bodies, municipalities, the Company's website administrator, auditor, attorneys at law, information technology management and support companies, information service providers, data storage providers, where justified, courts and law enforcement authorities, health insurers, supplementary pension funds, educational agencies, occupational health services, occupational health assessments and fitness assessments, postal services,

DO WE USE AUTOMATED PROCESSING OF YOUR PERSONAL DATA?

Your personal data is generally not processed exclusively by automated means, but we may process your personal data in the following ways. It is always processed by our trained and instructed employees or by an external person.

WHAT DO YOU NEED TO KNOW?

The personal data of data subjects are processed in an automated manner, both electronically and manually by the Company's employees, depending on the type of service or product. We only pass on personal data to third parties in exceptional cases and only when it is in the legitimate interest of the Company.

DO YOU KNOW WHAT YOU ARE ENTITLED TO?

The data subject has the right to ask the controller for information about the processing of his/her personal data (Article 15 GDPR).
The data subject has the right to have inaccurate personal data concerning him or her rectified by the controller without undue delay. Taking into account the purpose of the processing, the data subject has the right to have incomplete personal data completed, including by providing an additional declaration (Art. 16 GDPR).

The data subject has the right to have personal data concerning him or her erased by the controller without undue delay, and the controller has the obligation to erase the personal data without undue delay if one of the grounds set out in the General Data Protection Regulation applies (Art. 17 GDPR).

The data subject has the right to have the controller restrict the processing of personal data in the cases provided for in the General Data Protection Regulation (Art. 18 GDPR).

The data subject has the right to object to the processing of personal data concerning him or her if the controller processes the personal data on the following grounds:

  1. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
  2. the processing is necessary for the purposes of the legitimate interests of the controller or of a third party,
  3. for direct marketing purposes,
  4. for scientific or historical research purposes or for statistical purposes (Article 21 GDPR).

The data subject has the right to obtain personal data concerning him or her which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to whom the data subject has provided the personal data, in the cases provided for in the General Data Protection Regulation (Art. 20 GDPR).

Where the processing of personal data is based on consent given by the data subject, the data subject has the right to withdraw that consent at any time.

WHAT FORMS CAN YOU USE TO EXERCISE YOUR RIGHTS?

If you believe that there has been a breach of the law in relation to the protection of your personal data, you have the right to lodge a complaint with the supervisory authority, which in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic.