GDPR – INFORMATION FOR GUESTS

PROCESSING OF PERSONAL DATA

This information, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”, and in accordance with the Controller’s Internal Directive dated 31 March 2025, sets out the key information regarding the processing of personal data of guests (data subjects – hereinafter referred to as “Clients”) of Hotel Zlatý anděl, operated by Zlatý anděl s.r.o., registered office: Náměstí Svornosti 11, 381 01 Český Krumlov, Company ID No.: 63887363, registered in the Commercial Register maintained by the Regional Court in České Budějovice, Section C, File 5583 (the “Controller”).

Subject of the Processing of Clients’ Personal Data (Data Subjects)

1.Data from Contact Forms and the Controller’s Website

When requesting services via online enquiry forms, the following personal data are collected: the date and time of receipt and the information submitted through the form, including the subject of the enquiry.

Based on the Client’s consent or the settings of permissions in the Client’s web browser, technical information obtained during visits to the Hotel’s website is processed only for the period specified in the cookie information available on the Hotel’s website – www.hotelzlatyandel.cz.

2.Data Related to Enquiries, Conclusion of a Service Agreement, or Accommodation (Without Prior Reservation)

- First name and surname, permanent address, date of birth, and, where applicable, Personal ID number, identity card number, or similar identification document number, and, if relevant, also e-mail address and telephone number. In the case of foreign nationals, in addition to the above data, the following are also collected: date of birth, nationality, passport number, visa number, and permanent address abroad.

-Name of the self-employed individual (sole trader), registered office, Company ID No. (IČO), Tax ID No. (DIČ), VAT-payer status; in the case of business stays,  or in the case of business trips of non-entrepreneurs, also details of the organisation that ordered or paid for the stay.

- Information on the purpose of the stay and information indicating that the Client is a person exempt from the local stay tax.

-Details regarding the stay, services used, and the amount and method of payment for the services provided (in the case of cashless payment, the bank account number or payment card details).

-For guests using the hotel car park, also the vehicle registration number (licence plate).

The above-mentioned data are obtained:

-directly from the Client in connection with the ordering of services or with the conclusion of an Agreement for the provision of accommodation and catering services;

-through another person who arranged the reservation (e.g. employer or family member);

-through booking portals, where personal, identification and contact details are transmitted by the respective booking portal.

a) The provision and processing of the above-mentioned personal data, with the exception of the e-mail address and telephone number, are necessary for the fulfilment of legal obligations, in particular obligations arising from the Act on Local Fees, the Act on the Residence of Foreign Nationals in the Territory of the Czech Republic, as well as from accounting and tax legislation. An overview of the records kept, and the provision of data is set out in Annex No. 1.

b) The processing of identification data and data concerning the stay at the Hotel, the services provided, and the amount and method of payment is necessary for the performance of the contractual relationship relating to your stay – that is, for arranging orders and reservations and for the conclusion and performance of contracts relating to the accommodation, catering and related services offered and provided.

c) Clients’ personal data, to the extent of first name, surname, e-mail address and information about the stay, are processed on the basis of the Hotel’s legitimate interest for direct marketing purposes, in order to enable the sending of commercial communications (information about discounts, promotions, etc.) relating to services identical to those previously used by the Client.

Clients may opt out in advance of receiving commercial communications. If commercial communications are sent, the Client may object at any time to the processing of personal data for the purpose of sending such communications and may refuse further commercial communications.

Personal data to the same extent are also processed for sending post-stay satisfaction questionnaires in order to verify satisfaction with the services provided and to improve the quality of our services.

Consent may be withdrawn at any time, either directly via the unsubscribe option in the commercial communication e-mail, or by sending a withdrawal of consent to our postal address Zlatý anděl s.r.o., Náměstí Svornosti 11, 381 01 Český Krumlov, or to the e-mail address office@hotelzlatyandel.cz.

Withdrawal of consent shall take effect upon receipt of such notification.  The lawfulness of processing based on consent granted prior to its withdrawal shall not be affected by the withdrawal.

3.Data from the CCTV System

For the purposes of security and protection of the property of both the Controller and the Clients, the public areas of the Hotel and the car park are monitored by CCTV cameras, as indicated by information signs placed at the entrances or access points to the hotel premises. The data recorded by the CCTV system are not stored and are automatically deleted (time-loop system). The operation of the CCTV system is governed by a separate internal Directive.

4.Data from Photographic Documentation of Events

At certain organised events, photographic documentation may be taken to a reasonable extent for the purpose of subsequently publishing selected photographs on the Hotel’s Facebook page. Such photographs are used exclusively for the promotion of the Hotel. Images of individuals are not published in detailed resolution. According to the opinion of the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), such cases are not primarily a matter of personal data protection but of privacy protection under the Civil Code; therefore, consent for the processing of personal data for “illustrative” photographs is not required.

Protection of the Hotel’s Rights and Good Reputation

In our Hotel, there have been no instances of disputes concerning accommodation, catering or related services provided to our guests. Should such a situation arise, we would be obliged to process personal data relating to the services provided to the extent necessary for the conduct of such proceedings, and solely for the purpose of protecting our rights in such a dispute.

Similarly, we would be obliged to process the necessary personal data in the event of non-payment for services or damage caused to the Hotel.

Automated Processing of Data

No automated decision-making or other automated processing of personal data that would produce legal effects concerning Clients is carried out.

Retention Period of Personal Data

Clients’ personal data are processed for the duration of their stay in the Hotel. After the stay has ended, the data are processed in accordance with Annex No. 1 – Overview of Processed Personal Data.

In the event of existing or potential disputes, data are processed only until the conclusion of the complaint procedure, any proceedings handled by the Czech Trade Inspection Authority (ČOI), or a final court decision, and until the fulfilment of any obligations arising therefrom.

Disclosure of Personal Data to Third Parties

Processing of personal data and their disclosure to third parties are specified in Annex No. 1.

No Clients’ personal data, except in cases required by law, are transferred for further processing, are not transmitted abroad, and are used solely by the Controller – the Hotel.

Protection of Personal Data

All persons (Hotel employees) who come into contact with Clients’ personal data are bound by a duty of confidentiality regarding the processed personal data and are required to observe all security measures for their protection. The duty of confidentiality continues even after the termination of their employment relationship with the Hotel.

Rights of the Data Subject – Client

Right to Rectification

The data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 Right to Erasure

1. The data subject has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller has the obligation to erase such personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data must be erased in order to comply with a legal obligation in Union or Member State law to which the Controller is subject.

1.Where the Controller has made the personal data public and is obliged pursuant to paragraph 1 to erase them, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

2.Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;

d) for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

e) for the establishment, exercise, or defence of legal claims.

Right to Restriction of Processing

1.The data subject has the right to obtain from the Controller the restriction of processing where one of the following applies:

a) the data subject contests the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise, newsletters, or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21(1) GDPR, pending verification of whether the legitimate grounds of the Controller override those of the data subject.

1.Where processing has been restricted under paragraph 1, such personal data—with the exception of storage—shall be processed only with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

1.A data subject who has obtained restriction of processing under paragraph 1 shall be informed in advance by the Controller before the restriction of processing is lifted.

Automated Processing

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except in cases expressly provided for by the GDPR.                  

Right to Data Portability

1.The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6(1)(b); and
b) the processing is carried out by automated means.

2.In exercising his or her right to data portability pursuant to paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3.The exercise of the right referred to in paragraph 1 shall not affect Article 17 (Right to Erasure). This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

4.The exercise of the right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to Object

1.The data subject has the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data concerning him or her. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims.

2.Where personal data are processed for the purposes of direct marketing on the basis of the data subject’s consent, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing.

3.Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4.The data subject shall be explicitly informed of the right referred to in paragraphs 1 and 2, and it shall be clearly presented and separately from any other information, at the latest at the time of the first communication with the data subject.

Exercise of Data Subject Rights

A request for the disclosure of personal data may concern only the data subject’s own personal data.

The request must be submitted in writing at the Controller’s office during business hours, where the applicant’s identity will be verified against a national identity card or passport. Requests submitted without verification of identity will not be accepted.

The request may also be submitted via a data mailbox (datová schránka) with the applicant’s electronic signature. Within one month of receiving the request, a written response to the request will be provided in person at the same location after identity verification or delivered via the data mailbox.

The exercise of data subject rights is free of charge.

For more than one copy, a reasonable administrative fee may be charged to cover the associated costs.

Address for submission:

Zlatý anděl s.r.o.

Náměstí Svornosti 11

381 01 Český Krumlov

e-mail: office@hotelzlatyandel.cz

Data Mailbox ID: zz9tfhf

Complaints regarding violations of the GDPR may be lodged with the independent public supervisory authority:

Office for Personal Data Protection (Úřad pro ochranu osobních údajů)

Pplk.. Sochora 27

170 00 Praha  7