Notice of Personal Data Processing

In accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the General Data Protection Regulation) (hereinafter referred to as the “GDPR”)

Please read the following information on how we process personal data. Where your personal data are processed, you are a data subject, i.e. a person to whom the personal data processed by us are related.

Controller:

IMET a.s., with the registered office at Bardejovská 1/C, 040 11 Košice, CIN: 36 185 957, incorporated in the Commercial Register of the Košice I District Court, section: Sa, file no.: 982/V (hereinafter referred to as the “Controller”)

Controller’s contact details: phone no. +421-2-6020 2911, e-mail: imet@imet.sk.

Should you have any questions, or should you wish to exercise your rights in relation to the processing of your personal data, please contact the Controller at the e-mail address above or in writing by delivering your letter to the address of the Controller’s registered office, or contact the Data Protection Officer by e-mail at: zodpovednaosoba@imet.sk

 

How do we obtain personal data?                                                

In most cases, we obtain personal data directly from data subjects. Where we obtain the data subject’s personal data from another source, we also provide the data subject with the information on which source we use to obtain his/her personal data and the category of the applicable personal data.

 

We process personal data on the following legal bases:

  • on the basis of contractual and pre-contractual relations (Article 6 (1) (b) of the GDPR)
  • on the basis of our legitimate interests (Article 6 (1) (f) of the GDPR)
  • on the basis of compliance with legal obligation (Article 6 (1) (c) of the GDPR)
  • on the basis of the consent granted by the data subject (Article 6 (1) (a) of the GDPR).

 

We would like to inform you that the data subject is required to provide his/her personal data where it is necessary to process any personal data in connection with complying with the legal obligation of the Controller.

The data subject is also required to provide personal data in cases where such provision constitutes a contractual requirement resulting from a contract concluded between the Controller and the data subject. The provision of personal data within the pre-contractual and contractual relations is necessary, otherwise a failure to provide them would make it impossible for the data subject to participate in a selection procedure, conclude a contract or to perform such contract. 

Where the legal basis for personal data processing is the consent, the granting of such consent is voluntary. Where we process personal data based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof. The withdrawal of consent shall be free of charge and it shall not be subject to any penalty. The consent may be withdrawn in writing by delivering the notice to the address of the Controller’s registered office or to the following e-mail address: zodpovednaosoba@imet.sk .

Where we process personal data on the basis of our legitimate interests (Article 6 (1) (f) of the GDPR), the data subject has the right to object to the processing of his/her personal data performed under this legal basis at any time for reasons specific to his/her particular situation.

 

For how long shall we store your personal data?

We shall store your personal data for the period necessary to achieve the purpose, for which the personal data are being processed.

Where your personal data are processed as part of the compliance with legal obligations of the Controller and the legal regulation establishes the data retention period or the criteria for its determination, we shall store the personal data and any related documentation for the period required by the applicable legal regulation.

The storage of personal data that we process about you is governed by Act no. 395/2002 Coll. on archives and registries, as amended.

You may find more information on the storage period below in this document.

 

For what purposes do we process personal data and what is the legal basis for processing them?

 

  • for the purpose of handling the applicant’s request for a service, including any request made by completing an online contact form (request relating to the offered services)

In this respect, we shall process personal data of the:

  • contact person of the entity interested in a service (employee, person acting on behalf of the company/organisation); in this case, the legal basis for personal data processing is the legitimate interest pursued by the Controller (Article 6 (1) (f) of the GDPR), and this namely the interest to provide the service and to secure communication with the entity interested in the service
  • entity interested in a service (in case of a natural person); in this case, the processing is necessary so that, at the request of the data subject, the measures are taken before concluding a contract (pre-contractual relations)

We collect personal data directly from data subjects or from the entity interested in the service, while we process common personal data to the extent of title, first name, surname, e-mail or phone contact, or possibly relationship to a legal entity whose contact person is the data subject and the information on his/her role/position. Where the data are collected via a contact form, we process the data to the extent of the completed form.

Retention period: until conclusion of the contract (provision of service), maximum however 1 year.

 

  • for the purpose of recording internal activities of the Controller aimed at acquiring the customer (sales process)

This purpose includes internal activities associated with recording the progress of the communication process, meetings, negotiations and other activities that must take place before concluding a deal with a potential customer based on the customer’s inquiry/order.

This case involves processing that is:

  1. necessary so that, on the basis of the data subject’s request, the measures are taken before concluding a contract (pre-contractual relations), or
  2. based on our legitimate interest to keep records and control the contracting process. In this case, we process common personal data of natural persons acting on behalf of a potential customer who has expressed interest in our services, respectively the customer’s employees (to the extent of title, first name, surname, e-mail or phone contact, relation to a legal entity whose contact person is a data subject and the information about his/her role/position).

Retention period: until contract conclusion, maximum however 1 year.

  • for the purpose of implementing the existing contractual relations with customers

The processing is necessary to perform the contract, to which the data subject (customer – natural person) is a contractual party.

Retention period: until the settlement of rights and obligations under the contract, minimum however 10 years following the end of the contractual relation.

 

  • for the purpose of implementing the existing contractual relations with suppliers

The processing for this purpose is necessary to perform the contract, to which the data subject (supplier – natural person – entrepreneur) is a contractual party.

Retention period: until the settlement of rights and obligations under the contract, minimum however 10 years following the end of the contractual relation.

 

  • for the purpose of valid conclusion and ensuring the performance of contractual relations

For this purpose, we process personal data of persons authorised to act on behalf of suppliers and customers, as well as data of their employees specified in contracts concluded as part of the supplier-customer relations, respectively in drafts of these contracts. We process the data of these data subjects for this purpose based on the legitimate interest of the Controller to ensure the valid conclusion of contracts and their effective performance.

Retention period: until the settlement of rights and obligations under the contract, minimum however 10 years following the end of the contractual relation.

 

  • for the purpose of proper identification of the contractual party

For this purpose, we process personal data based on the legal requirement to properly identify the contractual party where the contractual party is a natural person.

Retention period: until the settlement of rights and obligations under the contract, minimum however 10 years following the end of the contractual relation.

 

  • for the purpose of business communications

The legal basis of personal data processing in this case is the legitimate interest of the Controller to engage in communication with customers and suppliers in the course of conducting business activities.

Retention period: until the end of the contractual relation with the customer/supplier.

 

  • for the purposes of sending marketing emails and electronic newsletters

With your consent, we shall process your e-mail address data, to which address we shall be sending you e-mail messages including presentation of offered services and special offers, invitations to events and newsletters. The personal data shall be processed for this purpose with the consent of the data subject. The consent is voluntary. The data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof.

Where we obtained your e-mail address in connection with the sale of goods or service, we shall process your data for that purpose based on our legitimate interest to inform our customers about the new products and services provided by us, including sending invitations to corporate events and presentations. Based on the legitimate interest, we only perform marketing of our own similar goods and services. Pursuant to Article 21 (2) of the GDPR, the data subject has the right to object at any time to the processing of personal data for the purposes of direct marketing. In such case, we must no longer process personal data for this purpose.

Each marketing e-mail or newsletter set includes a link serving for unsubscribing. If you are no longer interested in receiving information about our latest news and offers, you can unsubscribe by clicking this link.

Retention period: 5 years, respectively for the period specified in the consent (5 years from granting the consent).

 

  • for the purpose of contacting the potential customer with the request for granting consent to the processing of personal data for marketing purposes

In this case, we process personal data based on our legitimate interest: to approach a potential customer (or its contact person) with the request to grant consent to the processing of personal data for marketing purposes.

This involves the case where we obtained the personal data of a potential customer or its contact person from other sources and we wish to approach the customer with the request to grant consent to the processing of customer’s data for marketing purposes. We shall contact the data subject no later than within one month after obtaining his/her personal data while providing him/her in our first communication with the information about the source, from which we obtained his/her personal data and about the categories of applicable personal data. For this purpose, we only process personal data where we may reasonably assume that a potential customer could be interested in our services.

Retention period: for the period necessary to approach a potential customer and request the consent to personal data processing for marketing purposes, maximum however 1 month.

 

  • for the purpose of sending congratulations at the occasion of customers’ or customer contact persons’ birthdays

For this purpose, we process personal data based on our legitimate interest to develop relationship with the customer and to thank the customer for mutual cooperation.

Retention period: for the duration of contractual relation with the customer.

 

  • for the purpose of keeping records on guests and provision of services to guests staying in the Castle Hotel Galicia Nueva

The processing is necessary for performing the contract, to which the data subject is a contractual party (contract for provision of accommodation services).

Retention period: 10 years.

 

  • for the purpose of compliance with legal obligations in connection with the registration of citizens and foreigners staying in the Castle Hotel Galicia Nueva

 

The processing is necessary for the compliance with legal obligations of the Controller under Act no. 404/2011 Coll. on the residence of aliens, amending and supplementing certain acts, as amended, and Act no. 253/1998 Coll. on reporting the residence of citizens of the Slovak Republic and on the Register of Citizens of the Slovak Republic, as amended.

As a hotel, we are required to keep a guest book containing the information about the first name and surname of the accommodated guest, ID card or passport number, permanent residence address and the accommodation period. When accommodating a foreigner, we are required to check his/her identity, enter his/her nationality and date of birth to the guest book and to arrange the completion of the official foreigner residence report form, including its delivery to the police department within five days of accommodation.

Retention period: 10 years.

 

  • for the purpose of contacting the guest staying in the Castle Hotel Galicia Nueva in case of emergency

The processing of the hotel guest’s phone contact takes place where the guest gives his/her consent to it. The consent is voluntary and the data subject is entitled to withdraw it at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof. The consent may be withdrawn by e-mail sent to recepcia@hotelgalicianueva.sk or asistentka@hotelgalicianueva.sk or zodpovednaosoba@imet.sk or in writing by delivery to the address of the Controller’s registered office. Where the consent is not granted, we are unable to inform the hotel guest in emergency cases (should any extraordinary/unforeseen event took place that would or could have any impact on him/her).

Retention period: for the period of accommodation.

 

  • for the purpose of organising presentations, training courses, corporate meetings and events, weddings in the premises of the Castle Hotel Galicia Nueva, including handling the request – inquiry for the said hotel services entered via the contact form on the Controller’s website at www.zamockyhotelgalicianueva.sk or in the form of email communication

In this respect, we shall process the personal data of the:

  • contact person of the entity interested in a hotel service (employee or person acting on behalf of the company/organisation); in this case, the legal basis for personal data processing is the legitimate interest pursued by the Controller (Article 6 (1) (f) of the GDPR), and this namely the interest to provide a service and to secure communication with the entity interested in the service
  • entity interested in a hotel service (with a natural person, for instance to organise a wedding); in this case, the processing is necessary so that, at the request of the data subject, the measures are taken before concluding the contract (pre-contractual relations) and so that the contract concluded with the data subject is performed.

We collect personal data directly from data subjects or from the entity interested in the service, while we process common personal data – first name and surname, contact details, work position or role (with contact persons) or possibly other data related to the event organised in the hotel, e.g. the wedding date of the data subject.

Retention period: until the end of presentation/training/company meeting/event/wedding in the hotel premises; maximum however 1 year.

 

  • for the purpose of presenting events (weddings and celebrations) organised by the Controller in the premises of the Castle Hotel Galicia Nueva by publishing photos of these events on the hotel’s website at zamockyhotelgalicianueva.sk

We process the personal data (photos) for this purpose with the consent of the data subject. The consent is voluntary and the data subject is entitled to withdraw it at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof.  It is possible to withdraw the consent by e-mail sent to recepcia@hotelgalicianueva.sk or asistentka@hotelgalicianueva.sk or zodpovednaosoba@imet.sk or in writing by delivery to the address of the Controller’s registered office.

The recipient of personal data is a company providing external support and operation of the website, as well as the hotel website’s visitors.

Retention period: photos are published on the website for the period of 1 year from the date of publication thereof; the photos are then deleted and not stored.

 

  • for the purpose of claim handling

For this purpose, we process personal data of natural persons who lodge a claim relating to products/services supplied/provided to them by us. If you are consumer lodging a claim relating to our products/services, we shall process your personal data for the purposes of processing your claim whereas such processing is necessary to comply with legal obligations of the Controller under the Act no. 250/2007 Coll. on consumer protection, amending the Act of the Slovak National Council no. 372/1990 Coll. on misdemeanours, as amended (pursuant to this act, the Controller is required to keep records on claims and to submit it at the request of the supervisory authority for inspection, as well as to submit at the request of the supervisory authority the copy of the claim receipt confirmation etc.).

Where the claim is lodged by a data subject who is not a consumer, we shall process your personal data for this purpose based on the contract we have concluded with you and under which you are entitled to claim liability for defects of a product or service. In such case, the processing is necessary to perform the contract, to which the data subject is a contractual party.

Retention period: 5 years from handling the claim.

 

  • for the purpose of protecting the Controller’s property by monitoring the Controller’s premises with a CCTV system

In this case, we process the personal data of persons located in the monitored premises based on our legitimate interest: protection of the Controller’s property and prevention of damages.

Retention period: 15 days from the date of creating the recording; in justified cases, for the period necessary to investigate the recorded behaviour of a data subject and/or to prove and defend the legal claims of the Controller arising in connection with the course of events recorded by the CCTV system.

 

  • for the purpose of keeping records on visitors to the Controller’s premises

In this case, we process personal data of visitors and other persons entering the premises of the Controller based on the legitimate interest of the Controller: to protect the property of the Controller and prevent uncontrolled entry by strangers into the premises of the Controller.

Retention period: 1 year from the last entry in the guest book.

 

  • for the purpose of keeping records and handling complaints by data subjects in connection with the reporting of anti-social activities

For this purpose, we process personal data because it is necessary to comply with our legal obligation under Act no. 54/2019 Coll. on protection of persons reporting anti-social activities, amending and supplementing certain acts.

Retention period: 3 years from the report receipt date.

 

  • for the purpose of internal administrative activities implemented within the IMET Group (common database of clients and the system of internal regulations applicable within the group)

As a Controller belonging to the IMET Group (defined in more detail in the section on recipients), we have a legitimate interest in transmitting the personal data of our employees and customers (or their contact persons) within the group. This legitimate interest pursued by the Controller and other undertakings within the group is the interest in effective functioning of activities and relationships within the group of companies. We transmit the personal data within the group to the extent necessary for the given purpose.

Retention period: for the period during which the data subject is registered in the client database (customers or their contact persons); with employees for the duration of their employment relationship.

 

  • for the purpose of strategic management of companies within the IMET Group

We have a legitimate interest in transmitting personal data of employees, members of company bodies (Board of Directors and Supervisory Board) and customers, or their contact persons, within the IMET Group and to our shareholders. The legitimate interest pursued by us (as a controlling undertaking), by other undertakings within the group and by our shareholders is the interest in effective strategic management of activities of the group’s undertakings and in the effective exercise of control by the controlling undertaking. We provide personal data to other companies within the group and to our shareholders to the extent necessary for the given purpose.

Retention period: we keep the record of the meeting of the IMET Group management bodies and the Controller’s shareholders for the period of 10 years.

 

  • for the purpose of selection procedure (people seeking jobs with the Controller)

The processing of personal data of a person seeking job with the Controller includes, in particular, the activities associated with the receipt and review of the submitted CV and job application, organisation of selection procedure and provision of information to the jobseeker about the result (hiring or rejection of a job seeker). In this case, the processing is necessary to perform, based on the application submitted by a data subject, the measures before concluding a contract (pre-contractual relations).

Retention period: until the end of selection procedure.

 

  • for the purpose of keeping records on job seekers

In this case, we process personal data of a job seeker based on the consent of the data subject (job seeker). If you grant us your consent, we shall process your personal data for this purpose, which data you have provided to us as a job seeker in the CV, motivational letter, questionnaire or otherwise, for instance during a personal interview. The data subject has the right to withdraw his/her consent at any time. The withdrawal of consent shall be without prejudice to the lawfulness of processing based on this consent prior to the withdrawal thereof. Without you granting us your consent, we are unfortunately unable to keep records about you in our register of job seekers.

Retention period: for the period specified in the consent (1 year).

 

  • for the purpose of bookkeeping, processing of accounting and tax documents, invoicing and cash register records

The processing for this purpose is necessary for the compliance with legal obligations of the Controller, in particular pursuant to Act No. 431/2002 Coll. on accounting, as amended, Act no. 222/2004 Coll. on value added tax, as amended, Act no. 595/2003 Coll. on income tax, as amended, Act no. 283/2002 Coll. on travel expenses, as amended.

Retention period: 10 years (in accordance with the Accounting Act – § 35).

 

  • for the purpose of introducing the ISO international standard (quality management system)

The processing is based on the legitimate interest of the Controller to improve the functionality and quality of the operator’s quality management system by introducing a quality management system.

Retention period: 10 years from elaboration of the audit report.

  • for the purpose of ensuring network security and information security

The legal basis for personal data processing in this case is the legitimate interest of the Controller to prevent unauthorised access to electronic communication networks, to prevent damage to computer or electronic communication systems and to protect data stored in the IT technology equipment or in the Controller’s systems.

Retention period: 5 years following the end of the calendar year, in which the log is created.

 

  • for the purpose of keeping the agenda of management meetings

At the management meetings, we process the personal data of employees and our customers based on the legitimate interest of the Controller to ensure provision of information, functional management and flexible resolution of work-related and business matters by the Controller’s management body.

Retention period: we keep the records of management meetings for the period of 10 years.

 

  • for the purpose of access management and key handling rules

This purpose includes activities associated with keeping records on access codes and passwords to individual information systems and databases of the Controller, as well as records on access to the Controller’s premises. In this case we process personal data because it is in the Controller’s legitimate interest to prevent unauthorised access to the Controller’s systems, databases and selected premises.

Retention period: documentation relating to access management and key handling rules demonstrating access rights of a particular user to individual information systems must be retained for a period of 5 years from the revocation of his/her access rights. We keep records on the handover and return of the keys to the Controller’s premises for a period of 5 years from the handover (return) of the key.

 

  • for registry purposes, including records on sent and received postal items

The processing is necessary for the compliance with legal obligations of the Controller pursuant to Act no. 395/2002 Coll. on archives and registries, supplementing certain acts, as amended.

Retention period: for the period required by the applicable legal regulation (i.e. for the period, during which the registry creator needs the registry record for its activities) – the specific time periods are established by the Registry Plan. We store the personal data in the register of sent and received postal items for the period of 5 years (following the end of a calendar year, in which a postal item is sent/received).

 

  • for the purpose of handling requests for the exercise of rights of data subjects

The processing is necessary for the compliance with the Controller’s legal obligations under personal data protection regulations (GDPR), which obligations the Controller has in relation to the exercise of rights of data subjects under Articles 15 to 22 of the GDPR.

Retention period: 5 years from the date of handling the request, minimum however until the lawful ending of the administrative proceedings, which were initiated at the request of the data subject.

 

  • for the purpose of keeping the company’s agenda, registration and notification of changes to the Commercial Register

In this case, the processing is necessary to comply with legal obligations of the Controller (Act no. 530/2003 Coll. on the Commercial Register, amending and supplementing certain acts, as amended, the Commercial Code).

Retention period: we store the personal data processed for this purpose (included e.g. in the minutes of the General Meeting, as well as in other social & legal documents of the company) for the duration of the legal personality of the Controller (and also in the case of company dissolution with a legal successor).

 

  • for the purpose of keeping the agenda relating to ongoing litigations and enforcements and the agenda relating to recovery of receivables and other claims of the Controller as part of judicial, extrajudicial, enforcement or bankruptcy proceedings, including legal representation in these proceedings

Where we process your personal data for this purpose, the legal basis of the processing is the legitimate interest of the Controller, and this theexercise or defence of the Controller’s legal claims, prevention of damages and making sure that the Controller’s receivables and other legal claims are satisfied. For this purpose, we may disclose personal data to an attorney who processes the personal data to the extent necessary for the purposes of exercising advocacy.

Retention period: for the duration of statutory limitation and foreclosure periods; to fulfil the Controller’s registry obligations, the related documentation is stored for 5 years from the lawful conclusion of the applicable proceedings or from the settlement (repayment) of the enforced legal claim.

 

  • for the purpose of legal representation (excluding proceedings)

Where we process your personal data for this purpose, it involves the use of legal services of attorneys, e.g. in the form of commenting contracts and their amendments (including annexes) concluded with data subjects or participation at meetings or in other communications with data subjects. The Controller provides personal data to the attorney for this purpose.

In this case, we provide your personal data to the attorney based on our legitimate interest: to prevent damages from occurring by making use of professional legal services.

Retention period: 5 years following the termination of the provided legal representation service and, in justified cases, even longer for the period it is necessary to safeguard and defend legitimate interests and legal claims of the Controller.

 

  • for the purpose of proper identification of the litigation party and the debtor in the motion for enforcement

It is our legal duty to properly identify and designate the debtor in the motion for enforcement (Enforcement Code), as well as the plaintiff or the defendant in legal proceedings (Civil Procedure Code, Administrative Procedure Code).

Retention period: for the duration of statutory limitation and foreclosure periods; to fulfil the Controller’s registry obligations, the related documentation is stored for 5 years from the lawful conclusion of the applicable proceedings or from the settlement (repayment) of the enforced legal claim.

 

  • for the purpose of customs declarations

This purpose includes the processing of personal data to the extent necessary in connection with activities associated with handling documents for cross-border transport of goods and payment of customs duties. In this case, the processing is necessary to comply with legal obligations of the Controller under Act no. 199/2004 Coll., the Customs Act, amending and supplementing certain acts.

Retention period: 10 years following the date of lawful completion of customs proceedings that started by filing the customs declaration, in justified cases for the period of 20 years following the end of the year, in which the arrears in the customs debt become due.

 

  • for the purpose of ensuring proceedings on behalf of the Controller (in particular, concluding contracts and entering into other legal acts on behalf of the Controller)

In this case, the processing of personal data of the members of the Board of Directors is necessary to comply with legal obligations of the Controller as per the Commercial Code.

Retention period: for the term of office of a member of the Board of Directors, while the data in individual documents are stored for the period, for which it is necessary to store these documents to fulfil the registry obligations of the Controller.

  • for the purpose of performing the contracts for the discharge of office (managerial contracts) concluded with members of the Board of Directors

The processing for this purpose is necessary to perform the contract, to which the data subject (member of the Board of Directors) is a contractual party.

Retention period: 10 years following the end of the contractual relation.

 

  • for the purpose of keeping the Controller’s chronicle

For this purpose, we process personal data of employees and members of the Board of Directors (including former members) based on the legitimate interest of the Controller to document the activities of the Controller and present the corporate culture.

Retention period: 20 years after the end of keeping the chronicle.

 

  • for the purpose of keeping human resources and payroll records

For this purpose, the personal data are processed on the legal basis:

  1. processing is necessary for performing the contract, to which the data subject is a contractual party (employment contract or agreement on work performed outside employment, agreement on material responsibility), or
  2. processing is necessary to comply with legal obligations of the Controller, in particular the obligations under:
  • Act no. 311/2001 Coll., the Labour Code, as amended,
  • Act no. 125/2006 Coll. on labour inspection, amending and supplementing Act no. 82/2005 Coll. on illegal work and illegal employment, amending and supplementing certain acts, as amended,
  • Act no. 43/2004 Coll. on retirement pension savings, amending and supplementing certain acts, as amended,
  • Act no. 650/2004 Coll. on supplementary pension savings, amending and supplementing certain acts, as amended,
  • Act no. 580/2004 Coll. on health insurance, amending and supplementing Act no. 95/2002 Coll. on insurance sector, amending and supplementing certain acts, as amended,
  • Act no. 595/2003 Coll., on income tax, as amended,
  • Act no. 461/2003 Coll., on social insurance, as amended,
  • Act no. 5/2004 Coll. on employment services, amending and supplementing certain acts, as amended,
  • Act no. 462/2003 Coll. on employee income compensation in case of temporary incapacity to work, amending and supplementing certain acts, as amended,
  • Act no. 152/1994 Coll. on social fund, amending and supplementing Act no. 286/1992 Coll. on income tax, as amended.

To comply with the legal obligations of the Controller within this purpose, we process personal data of employees, former employees, as well as common personal data of other data subjects – employees’ spouses, dependent children of employees, parents of dependent children, close relatives (these data are provided to us by the employee).

Retention period: The retention period of personal data of employees is specified in more detail in a separate document designated for employees. We keep the personal data of other data subjects, which we process to comply with our legal obligations, for a period of time established in accordance with the applicable legal regulations (10 years).

 

  • for the purpose of complying with obligations towards the Social Insurance Agency

In this case, the processing of personal data is necessary for the compliance with legal obligations of the Controller pursuant to Act no. 461/2003 Coll. on social insurance, as amended, Act no. 43/2004 Coll. on retirement pension savings, as amended, Act no. 650/2004 Coll. on supplementary pension savings, amending and supplementing certain acts, as amended, Act no. 462/2003 Coll. on employee income compensation in case of temporary incapacity to work, amending and supplementing certain acts, as amended. In order to comply with these obligations, the employees provide us with the common personal data of their spouses, their dependent children, parents of dependent children, close relatives to the extent required by legal regulations.

Retention period: 10 years

  • for the purpose of complying with obligations towards health insurer

In this case, the processing of personal data is necessary to comply with legal obligations of the Controller pursuant to Act no. 580/2004 Coll. on health insurance, amending and supplementing Act no. 95/2002 Coll. on insurance sector, amending and supplementing certain acts, as amended. In order to comply with these obligations, the employees provide us with the common personal data of their spouses, their dependent children, parents of dependent children, close relatives to the extent required by legal regulations.

Retention period: 10 years

 

  • for the purpose of complying with the Controller’s tax liabilities (as an employer)

In this case, the processing of employees’ personal data is necessary to comply with legal obligations of the Controller pursuant to Act no. 595/2003 Coll. on income tax, as amended.

Retention period: 10 years

 

  • for the purpose of complying with the obligations towards supplementary pension savings company

In this case, the processing of personal data is necessary to comply with legal obligations of the Controller pursuant to Act no. 650/2004 Coll. on supplementary pension savings, amending and supplementing certain acts , as amended.

Retention period: 10 years

 

Recipients of personal data:

In connection with the compliance with legal obligations of the Controller, the recipients of your personal data are, or may be, the entities determined by legal regulations, in particular the health insurance company, Social Insurance Agency, tax office, supplementary pension savings companies, state administration bodies and public authorities exercising control and supervision, courts, law enforcement bodies.

Depending on the purpose of processing and specific circumstances, the recipients of your personal data may also include other persons (acting in the capacity of intermediaries or independent controllers), in particular:

  • attorney,
  • bailiff,
  • bank,
  • provider of postal services,
  • external service providers in the field of information systems and software products (e.g. external CRM system supplier, external IS administrator – Business cases),
  • company performing certification audit of the integrated management system,
  • auditing company performing statutory audit,
  • external provider of human resources services,
  • provider of ancillary services necessary for daily administration,
  • provider of managerial services for company management in the field of monitoring of financial operations, cash flow,
  • provider of external support and operation of websites,
  • external service providers in the field of marketing activities and PR services,
  • company performing external management of the HORES hotel system. FoodMAn,
  • providers of services in the field of payroll processing and human resources.

Where we process your personal data through intermediaries, as a special category of personal data recipients, we make sure to proceed in accordance with applicable legal regulations and the terms agreed in the Personal Data Processing Contract in order to bind them with confidentiality obligation and to protect your data in accordance with the requirements of the GDPR.

The recipients of published personal data (photos of weddings, celebrations) are the visitors to the hotel’s website.

For the purposes defined in this document, the recipients of personal data are also companies belonging to the IMET Group, namely:

  • IMET-AKE s.r.o., with the registered office at: M. Sch. Trnavského 2/B, Bratislava – Dúbravka Borough, 841 01, CIN: 31 341 870, a company incorporated in the Commercial Register of the Bratislava I District Court, Section: Sro, File no.: 4309/B;
  • IMET-TEC, a.s., with registered office at: M. Sch. Trnavského 2/B, Bratislava – Dúbravka Borough, 841 01, CIN: 36 822 213, a company incorporated in the Commercial Register of the Bratislava I District Court, Section: Sro, File: 4220/B;
  • AKE Skalica, s.r.o., with registered office at: Nádražná 33, Skalica 909 01, CIN: 44 598 106, a company incorporated in the Commercial Register of the Trnava District Court, Section: Sro, File: 23211/T.

 

Shall your personal data be provided outside the European Union?

We do not transmit personal data to any third country or to any international organisation, except as noted below

In connection with the conclusion of transactions with customers, respectively with third country (non-EU) contractors, the personal data of members of the Board of Directors of the Controller acting on behalf of the Controller are transmitted to a third country. Our employees’ data are transmitted to third-country contractual partners, which data we provide/disclose to them in connection with the performance of their work duties (in accordance with the provision of § 78 (3) of Act no. 18/2018 Coll. on personal data protection, amending and supplementing certain acts). The transmission of personal data of employees to third countries may also occur where it is necessary in connection with a foreign business trip to a third country.

The list of third countries, to which we transmit personal data, is specified in a separate document that is updated as necessary by the Controller and made available to data subjects at request.

We always inform the data subjects separately about any specific transmission and the conditions of execution thereof. Where this involves a country not guaranteeing the adequate level of security as per the resolution of the European Commission, other instruments shall be used for transmission, in accordance with the GDPR. At the same time, where there is no decision on adequacy nor any adequate transmission guarantees, we shall only make such transmission based on the express consent of the data subject (after being informed of the risks such transmissions may pose to him/her because of the absence of a decision on the adequacy and adequate guarantees), or where such transmission is necessary to perform the contract between the data subject and the Controller or to perform pre-contractual measures adopted at the request of the data subject.

Shall your personal data be used for automated individual decision-making?

The personal data shall not be used for automated individual decision-making, including profiling.

 

Rights of data subjects:

Right to access to personal data under Article 15 of the GDPR:

The data subject has the right to obtain from the Controller the confirmation whether or not personal data concerning him/her are being processed. The data subject has the right to gain access to his/her personal data (s/he has the right to be provided with a copy of the personal data kept by the Controller about the data subject) and to the information on how the Controller processes these data to the extent of Article 15 of the GDPR.

Right to rectification of personal data under Article 16 of the GDPR:

The data subject has the right to rectification of personal data concerning him/her where they are inaccurate, or to the supplementation where the data are incomplete. The Controller must comply with the request for rectification or supplementation of personal data without undue delay.

Right to erasure (right to be “forgotten”) under Article 17 of the GDPR:

The data subject has the right to obtain from the Controller without undue delay the erasure of personal data concerning him/her, and this under the conditions laid down in Article 17 of the GDPR (e.g. where the personal data obtained by the Controller about the data subject are no longer necessary for the purposes, for which they were collected or otherwise processed). This right of the data subject shall be reviewed by the Controller from the viewpoint of all relevant circumstances in accordance with Article 17 of the GDPR (e.g. the operator shall reject the request where the processing is necessary – to comply with the Controller’s legal obligation or to establish, exercise or defend legal claims).

Right to restriction of personal data processing under Article 18 of the GDPR:

The data subject shall have the right to obtain from the Controller the restriction of processing of his/her personal data where one of the cases referred to in Article 18 of the GDPR applies (e.g. where the data subject challenges the accuracy of the personal data, and this during the verification period thereof). Where the processing is restricted in accordance with Article 18 (1) of the GDPR, with the exception of storage the personal data shall be processed: (a) only with the consent of the data subject, or (b) for the establishment, exercise or defence of legal claims, or (c) for the protection of the rights of other natural or legal person, or (d) for reasons of important public interest of the Union or of a Member State.

Right to personal data portability under Article 20 of the GDPR:

Where the processing is based on a consent or on a contract and it is performed by automated means, the data subject shall have the right to obtain his/her personal data, which s/he has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Where technically feasible, the data subject shall have the right to transmit the data directly from one controller to another controller.

Right to object under Article 21 of the GDPR:

Where the processing is based on legitimate interests (Article 6 (1) (f) of the GDPR), the data subject shall have the right at any time to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, including profiling based on provisions of Article 6 (1) (f) of the GDPR. In such case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

Right to file a motion or complaint to the Office for Personal Data Protection

You are entitled to file a motion or complaint in the matter of processing of your personal data at any time to the supervisory authority, i.e. to the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Phone: +421 2 3231 3214, www.dataprotection.gov.sk.