Dear Clients,
Current legislation, namely Act No. 101/2000 Coll. on the protection of personal data and on the amendment of certain acts, as amended, and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which comes into force on 25 May 2018, imposes a number of obligations on us regarding the protection of your personal data. Please be assured that we attach the utmost importance to compliance with these obligations. Below we provide you with the key information regarding the processing of your personal data.
I. What data we process
If you come to one of our Spas, we process the following data.
For your treatment stays at our Spa, the contact personal data contained in the registration card you filled in when you started your stay at our Spa:
- name and surname, title if applicable,
- date of birth,
- address of permanent residence,
- telephone and e-mail address.
In the case of foreigners, additionally the data required by law for reporting the stay of foreigners (nationality, travel document number, visa number).
The data contained in the proposal for spa care, which in addition to the contact details also include:
- details of the health insurance company,
- the insured person's birth number,
- details of the proposing doctor,
- details of the employer,
- details of the diagnosis/indication,
- details of the proposed length of stay,
- data on your treatment stays - data on health care services provided to you in our facilities and other data required by health insurance companies in the case of reimbursed spa and rehabilitation services,
- in the case of self-payers, also the details of the payment for the stay (including your account number or credit card number, if applicable).
If you book your stay through a travel agency or booking portal, we obtain your personal data directly from the travel agency and, in the case of bookings made through a website other than ours, from the data controllers under "Accommodation Booking - Receiving information from online booking portals". Details of these controllers and how they process your data can be found on the websites of the travel agencies or booking portals through which you have made your booking.
If you are a member of our ROYAL SPA FAMILY loyalty programme, we process the details of this membership as provided in the loyalty programme application form, together with details of the benefits you have used.
CCTV - the scope of processing includes only the image recording of the CCTV system. The data controller is the individual Spa.
We do not process your other personal data.
II. On what basis, for what purpose and for how long we process your personal data
We process the data contained in the proposal for spa care and the data filled in the registration card, together with the data on the payment of the stay, on the basis of the legal relationship between you and our Spa, the subject of which is the provision of spa and rehabilitation care and related services (accommodation, catering, etc.). The purpose of such processing is the provision of the services mentioned. Our Spa receives the proposal for spa care from your health insurance company.
Similarly, we also process data on your completed medical stays on the same legal basis; in the case of reimbursable spa and rehabilitation care services (comprehensive or contributory care), this is supplemented by our obligation to provide the health insurer with data on the health care services provided to you in our facilities and other data required by health insurers and to enable their control by the insurers.
In the case of foreigners, we process data necessary for reporting the stay of foreigners, based on the obligation imposed on us by Act No. 326/1999 Coll. on the stay of foreigners in the territory of the Czech Republic and on the amendment of certain acts, as amended. We carry out this processing solely for the purpose of fulfilling this obligation, which includes the transmission of the data contained in the registration form to the Aliens Police.
Where you have given us consent to process your contact details and details of your stays with us, we process these data on the basis of your consent (similarly in the case of your membership of our loyalty programme). The purpose of the processing here is our ability to inform you about our service and product offers.
We process your name and email address for the purpose of sending you email offers on the basis of legitimate interest in accordance with Act 480/2004. The option to refuse this mailing is included in each such message.
For the purpose of providing spa and rehabilitation care and related services, we process data on the care provided for the duration of your treatment stay in our spa and after its termination for the period during which the health insurance company is entitled to carry out an audit of the covered services provided and their billing on the basis of generally binding legal regulations. Similarly, in the case of contributory care, or in the case of care paid for by a self-payer, we process the care provided for the period during which the self-payer is entitled to dispute the provision of care.
The billing and tax documents that we use to account for the care provided also contain some personal data (name of the client, type of service provided, date of the document). We keep these documents only for the purpose of complying with the obligations set out in the relevant accounting and tax legislation, for the period of time imposed by such legislation.
In our spa there are no cases of disputing the services provided by the health insurance company or by you - the self-payer. If such a case were to occur, we would be required to process data about the care provided for the duration of the dispute, solely for the purpose of protecting our rights in such a dispute. In the event of such processing of your personal data, we would inform you of this without undue delay.
In the case of data that we process on the basis of your consent, the processing period is limited to the period of validity of the consent, generally 10 years, unless the consent is withdrawn earlier.
The purpose of the CCTV system is to protect the property of the controller and the life and health of all persons. The data is deleted within a period of 9 days. Access to the data is controlled, secured and protected by the administrator. In the event of an incident being captured, the footage is retained for the time necessary to review the case. We do not pass on the data to third parties, except for the submission of the record to law enforcement or administrative authorities for the purposes of misdemeanour proceedings to resolve any incident. In this case, the transfer of the record is duly recorded.
III. To whom we disclose or transfer your personal data
We disclose your personal data exclusively to the relevant health insurance company for the purposes of the control imposed on health insurance companies by generally binding legislation (Act No. 48/1997 Coll. on public health insurance and on amending and supplementing certain related acts, as amended). If you are a self-payer of the care provided, then we do not disclose your personal data to anyone.
In the case of foreigners, we pass on the personal data contained in the registration form to the Aliens Police.
We may pass your personal data to third parties providing support activities for us: mailing, debt collection, or legal services. These third parties act as data processors, and we transfer to them only the personal data necessary for the given purpose (mailing, debt collection or legal services) and only the data of those clients to whom the specific support activity relates. We carefully select the processors providing these activities, and we change and supplement them on an ongoing basis. In view of these updates and changes, we are ready to provide you, upon your written or e-mail request, with an up-to-date list of the entities to which the transfer of your aforementioned data is relevant.
We do not transfer your personal data to other countries.
IV. Your rights under applicable law
We would also like to inform you that you have the following rights under current data protection legislation:
- the right of access to the personal data we process in your case,
- the right to rectification of your personal data in the event that it is incorrect or inaccurate in any respect,
- in the event that you become aware or believe that we are processing your personal data in a way that is contrary to the protection of your private and personal life or contrary to the law, in particular if your personal data is inaccurate with regard to the purpose of its processing, you have the right to ask us for an explanation and also to request that we remedy the situation (e.g. by blocking, correcting, supplementing or destroying your personal data),
- the right to request the erasure of your personal data or, where applicable, the restriction of its processing,
- the right to object to processing in order to assess whether there has been a breach of the obligations imposed on us by applicable law,
- where we process your personal data on the basis of consent, you have the right to withdraw consent,
- in addition to the above, you also have the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7,
- you also have the right to the portability of the data that you have provided to us and that we process on the basis of the necessity of their processing for the purpose of contract performance. In the event that you would like to transfer this data to another controller, we will enable you to obtain your personal data in a structured, commonly used and machine-readable format or, if technically feasible, we will transfer it directly to another controller.
In case of any uncertainties or questions regarding the processing of your personal data, you can contact us at any time in writing at Royal Spa, a.s., Pod Kamennou 1009, 763 26 Luhačovice. You can also contact our Data Protection Officer by e-mail at dpo@xgdpr.cz.
In Luhačovice, 11 March 2019.