INFORMATION ABOUT PERSONAL DATA PROCESSING
This informative text concerning personal data processing applies to clients making use of the services provided in the spa hotels and resorts of Royal Spa, a. s., Pod Kamennou 1009, 763 26 Luhačovice, Comp. ID No.: 26968614 (hereinafter referred to as the "Spa Resorts" or "We"), which include the following:
- Spa hotel ROYAL Mariánské Lázně: LS Royal Mariánské Lázně, a. s., Lesní 345, 353 01 Mariánské Lázně, Comp. ID No.: 49790731
- Spa hotels MIRAMARE, VILA ANTOANETA, Luxury Spa & Wellness VILA VALAŠKA: Léčebné lázně Luhačovice – Sanatorium Miramare, s. r. o., Bezručova 338, 763 26 Luhačovice, Comp. ID No.: 60727942
- SULPHUR RESORT Ostrožská Nová Ves: Sirnaté lázně Ostrožská Nová Ves, s. r. o. č. 664, 687 22 Ostrožská Nová Ves, Comp. ID No.: 47915005
- THERMAL SPA RESORT Velké Losiny and Wellness hotel DIANA: Lázně Velké Losiny, s. r. o., Lázeňská 323, 788 15 Velké Losiny, Comp. ID No.: 285618
The applicable provisions of Act No. 101/2000 Coll., on Personal Data Protection and on amendments to certain acts, as amended, and particularly the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation), which is to enter into force as of 25 May 2018, imply a number of obligations on our part in relation to the protection of your personal data. Please be assured that we pay maximum attention to compliance with those provisions; we would like to present you with the following most relevant information concerning the processing of your personal data.
I. WHICH DATA DO WE PROCESS
If you visit any of our Spa Resorts, we will process the following data:
In relation to your therapeutic stays in our Spa Resorts:
– personal contact details indicated in the registration card which you completed at the beginning of your stay in our spa resort:
- first and last name and degree, where applicable;
- date of birth;
- permanent residence address;
- phone and e-mail details;
- in case of foreigners, additional data required by law to report stays of foreign nationals (citizenship, passport number, visa number);
– data included in the proposed spa treatment – in addition to the contact details, also the following:
- information about health insurance institution;
- birth certificate number of the insured person;
- information about the proposing physician;
- information about the employer;
- information about the diagnosis / indication;
- information about the suggested length of stay;
– information about therapeutic stays you have completed – information about health care services provided to you in our facilities and other data required by health insurance institutions in relation to covered therapeutic and rehabilitation spa care services;
– in case of self-payers, also information about the payment for the stay (including your bank account number or payment card number, where applicable).
Whether you have booked your stay through a travel agency or a booking portal
We receive your personal data directly from the travel agencies and, for reservations booked through a website other than our website, from data controllers under "Accommodation booking – receipt of information from online booking portals". Information about these controllers and how your personal data are processed by them is available at the websites of the travel agencies or booking portals you used to make your reservation.
If you are a member of our ROYAL SPA FAMILY loyalty programme, also:
– information about your membership provided in the loyalty programme application, together with information about the benefits claimed.
The scope of processing covers only video images from the camera system. The different Spa Resorts act as data controllers.
We process no other personal data concerning you.
II. ON WHICH BASIS, FOR WHICH PURPOSE AND FOR HOW LONG DO WE PROCESS YOUR PERSONAL DATA
Information indicated in the proposed spa treatment, as well as information provided in the registration card together with the data about the payment for the stay are processed by us based on the legal relationship between you and our Spa Resorts, the subject-matter of which is the provision of therapeutic and rehabilitation spa care and related services (accommodation, catering services, etc.). The purpose of such processing is to provide the above services. Our Spa Resorts receive the proposed spa treatment from your health insurance institution.
Similarly, information about therapeutic stays you have completed is processed by us under the same legal basis; in case of covered therapeutic and rehabilitation spa care services (comprehensive or benefit-defined care), this processing is complemented by our obligation to provide the health insurance institution with data about the health care services provided to you in our facilities and other data required by the health care institutions, and to allow the insurance institutions to check these data.
In case of foreigners, we process the necessary data to report stays of foreign nationals based on the obligation imposed upon us under Act No. 326/1999 Coll., on the Residence of Foreign Nationals in the Czech Republic and on amendment of certain acts, as amended. This processing is carried out solely in order to meet the aforesaid obligation and includes transmission of the data included in the registration form to the Department of Foreign Police.
If you have granted your consent with the processing of your contact details and information about your stays in our Spa Resorts, these data are processed by us based on your consent (similarly to your membership in our loyalty programme). Here the purpose of processing is to provide us with the opportunity to inform you about the services and products we offer.
Based on our legitimate interest in accordance with Act No. 480/2004 Coll., we process your name and e-mail address to be able to send you e-mail promotions. The possibility to waive such communications is included in every such message.
In order to be able to provide therapeutic and rehabilitation spa care and related services, we process data concerning the care provided to you throughout your therapeutic stay in our Spa Resorts and, thereafter, for a period during which a health insurance institution is entitled to inspect the covered services provided and their account statement under the generally binding legal regulations. This is, similarly, also the case with benefit-defined care or with care paid by self-payers where we process data concerning the provided care for a period, during which the self-payer is entitled to question the care provided.
Certain personal data (the client's first and last name, type of the services provided, issue date of the document) are also included in the accounting and tax documents issued by us in relation to the care provided. We keep these documents solely for the purpose of meeting the obligations imposed by the relevant accounting and tax regulations and for the period of time prescribed by those regulations.
The services provided in our Spa Resorts are, as a rule, not questioned by health insurance institutions or by you as a self-payer. Should there be a case when our services are questioned, we would be forced to process data concerning the care provided throughout the duration of the dispute, solely with the aim of protecting our rights in such a dispute. In case of such processing of your personal data, we would inform you accordingly without undue delay.
For data processed on the basis of your consent, the period of processing is limited to the validity period of the consent, which is usually 10 years, unless the consent is withdrawn earlier.
The camera system is aimed at protecting the controller's assets and the lives and health of all persons. The data are deleted after 9 days. Access to the data is controlled, secured and protected by the controller. If an incident is recorded by the system, the recording is stored for the period necessary to deal with the case. We do not transmit the data to any third parties, except for providing the recording to law enforcement authorities or administrative authorities for the purpose of offence proceedings to resolve the incident in question, if any. In such case, the transmission of the recording is properly documented.
III. TO WHOM DO WE DISCLOSE OR TRANSMIT YOUR PERSONAL DATA
Your personal data are disclosed solely to the relevant health insurance institution for the purpose of the inspection required from health insurance companies under generally binding legal regulations (Act No. 48/1997 Coll., on Public Health Insurance and on changes and amendments to certain related acts, as amended). If you are a self-payer of the care provided, your personal data are disclosed to nobody.
In case of foreigners, we transmit the personal data indicated in the registration form to the Department of Foreign Police.
Your personal data can be transmitted to third parties who carry out ancillary activities for us – distribution of shipments, debt recovery or legal services. These third parties are in the position of personal data processors; we only transmit personal data necessary for the relevant purpose (distribution of shipments, debt recovery or legal services), solely as regards the data of the clients concerned by the specific ancillary activity. The personal data processors carrying out the above activities are carefully selected by us, as well as changed and added on a continuous basis; given these updates and changes, we are ready to provide you, upon your written or e-mail request, with an updated list of such entities to which we may transfer your personal data referred to above.
Your personal data are never transmitted to other countries.
IV. YOUR RIGHTS UNDER THE APPLICABLE LAW
We would also like to inform you that, under the applicable personal data protection laws, you enjoy the following rights:
– right of access to the personal data we process in your case;
– right of rectification of your personal data in the event that the data is incorrect or inaccurate in any way;
– if you would find or believe that we process your personal data in conflict with the protection of your private and personal life or contrary to law, in particular if your personal data would be inaccurate in view of the purpose of their processing, you have the right to request an explanation from us as well as demand that we eliminate the situation arising therefrom (e.g. by blocking, rectifying, amending or destroying your personal data);
– right to request your personal data be deleted or their processing be restricted;
– right to object against the processing in order to assess whether we have violated any obligation imposed upon us by the applicable legal regulations;
– right to withdraw your consent in the event your personal data are processed on the basis of your consent;
– in addition to the above, you also have the right to lodge a complaint with the supervisor, namely the Office for Personal Data Protection, having its registered office at Pplk. Sochora 27, 170 00 Prague 7;
– you also have the right of portability to these data, which you have provided to us and which are processed by us based on the need to process them in order to comply with a contract. If you would wish to transmit these data to another controller, we will give you the opportunity to obtain your personal data in a structured, commonly used and machine-readable format, and, where technically feasible, we will transmit the data directly to another controller.
In case of any ambiguity or questions concerning the processing of your personal data, feel free to contact us at any time in writing at: Royal Spa, a.s., Pod Kamennou 1009, 763 26 Luhačovice. You can also contact our officer in charge of personal data protection by e-mail at firstname.lastname@example.org.
In Luhačovice on 11th March 2019