1. Personal Data Controller of Pension Liezky
Identification details of the controller:
Penzión v stráni, Zuzana Kršteníková
Mýto pod Ďumbierom 320, 976 44 Mýto pod Ďumbierom, Slovakia
Company ID: 41618815
Tax ID: 1074454579
VAT ID: SK 1074454579
Registered in the Trade Register of the District Office Brezno under number 630-9636
Telephone: +421 904 990 741
E-mail: zuzana@liezky.sk
This privacy and personal data protection document applies to you and your personal data because you are our client, customer, or business partner. Our company acts as a controller when processing your personal data. With this document, we also fulfil our obligation to provide information under Art. 13 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), and Act No. 18/2018 Coll. of 29 November 2017 on the protection of personal data and on amendments to certain acts.
2. Data Subject
A data subject is any natural person whose personal data is processed. For the purposes of this document, it mainly concerns:
• a person entering into a contractual relationship with the controller,
• a contact or authorized person acting on behalf of a contractual party,
• a person using the services provided by the controller,
• a person located in a monitored area.
(hereinafter the “data subject”).If personal data of the data subject is provided to the controller by another entity (e.g., contractual party), it may only do so if it has a legitimate legal basis under GDPR or the Personal Data Protection Act. Upon the controller’s request, it must be able to demonstrate such a legal basis.
3. Purposes of Personal Data Processing
This document defines the purposes, extent of processed data, legal basis of processing, retention period, and personal data recipients.
3.1. For the purpose of concluding a contractual relationship between the data subject and the controller
3.1.1. We process personal data within the scope of contact details, identification data, payment data, and other specific data necessary to fulfil the contract.
3.1.2. Processing is carried out in accordance with Art. 6(1)(b) GDPR and is necessary to fulfil a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract, including submitting offers and calculations. The provision of personal data by the data subject is a contractual requirement. Failure to provide the required personal data will make it impossible to conclude a contractual relationship.
3.1.3. Personal data may be provided to:
• supervisory authorities within the scope of their activities pursuant to a special legal regulation (e.g., Slovak Trade Inspection),
• courts and law enforcement authorities upon request or in the controller’s legitimate interests,
• a law firm, postal service provider, reservation system providers, and other recipients to whom the controller is obliged or entitled to provide personal data.
3.1.4. Data is stored for at least 5 years from the termination of service provision. If personal data is part of an accounting document or record, it is stored for 10 years from the year following the termination of the contractual relationship and settlement of all obligations.
3.2. For the purpose of maintaining records and reporting residence of citizens of the Slovak Republic and processing notifications and reports
3.2.1. We process personal data within the scope of name and surname, personal identification number, permanent residence (address), ID card number or other identification document, date of birth.
3.2.2. Processing is carried out in accordance with Art. 6(1)(c) GDPR and is necessary to fulfil the controller’s legal obligation pursuant to Act No. 500/2004 Coll., consolidated version of Act No. 253/1998 Coll. on reporting residence of citizens of the Slovak Republic and the register of residents. The data subject is obliged to provide personal data. Failure to provide personal data will make it impossible to provide accommodation.
3.2.3. Personal data may be provided to:
• supervisory authorities,
• courts and law enforcement authorities,
• a law firm, postal service provider, and other recipients.
3.2.4. Data is stored for at least 5 years from the end of accommodation service provision.
3.3. For the purpose of maintaining records and reporting residence of foreigners and issuing related confirmations, reports, and notifications
3.3.1. We process personal data within the scope of name and surname, date of birth, nationality, travel document (passport or ID number within the EU), address of permanent residence abroad, start and end of accommodation, purpose of stay (recreation, business trip, etc.).
3.3.2. Processing is carried out in accordance with Art. 6(1)(c) GDPR and is necessary to fulfil the controller’s legal obligation under Act No. 404/2011 Coll. on residence of foreigners. Failure to provide data will make it impossible to provide accommodation.
3.3.3. Personal data may be provided to:
• supervisory authorities,
• courts and law enforcement authorities,
• a law firm, postal service provider, etc.
3.3.4. Data is stored for at least 5 years from the end of accommodation service provision.
3.4. For the purpose of collecting accommodation tax
3.4.1. We process personal data within the scope of name and surname, personal identification number, permanent residence (address), ID card number or other document, date of birth.
3.4.2. In accordance with the generally binding regulation of the municipality, issued under Act No. 582/2004 Coll. on local taxes and local fees. The processing scope is determined by §7 of the municipal regulation.3
.4.3. Processing is carried out in accordance with Art. 6(1)(c) GDPR and is necessary to fulfil legal obligations. Failure to provide data will prevent calculation and collection of tax, requiring direct notification to the municipality.
3.4.4. Personal data may be provided to:
• the municipality of Mýto pod Ďumbierom,
• other recipients as required.
3.4.5. Data is stored for at least 10 years from the tax collection.
3.5. For the purpose of exercising data subject rights under GDPR and maintaining records
3.5.1. We process personal data within the scope of contact data, identification data, payment data, and other data necessary to fulfil the contract.
3.5.2. Processing is carried out in accordance with Art. 6(1)(f) GDPR and is necessary to protect the legitimate interests of the controller and the data subject arising from GDPR. Provision of personal data is required to identify and inform the data subject. Failure to provide data will make it impossible to process the request.
3.5.3. Personal data may be provided to supervisory authorities, courts, law enforcement, law firms, postal services, and other recipients.
3.5.4. Data is stored for at least 5 years from exercising the right.
3.6. For the purpose of claiming damages, debt collection, handling complaints, maintaining documentation, and other legitimate interests
3.6.1. Processing is carried out in accordance with Art. 6(1)(f) GDPR and is necessary to defend the controller’s legitimate interests.
3.6.2. Personal data may be provided to supervisory authorities, courts, law enforcement, law firms, postal services, etc.
3.6.3. Data is stored for the period necessary to achieve the processing purpose.
3.7. For the purpose of monitoring premises to protect property
3.7.1. The purpose of processing personal data created by the camera system is monitoring premises to protect property, health, and detect crime.
3.7.2. Legal basis: Art. 6(1)(f) GDPR, Legitimate interest of the controller.
3.7.3. Personal data may be provided to supervisory authorities, courts, law enforcement, law firms, and other recipients.
3.7.4. Data is stored for 7 days.
4. Data Security
The controller adopts technical and organizational measures to protect personal data from loss, misuse, unauthorized access, or damage.
4.1. Technical measures• use of strong passwords and regular updates,
• data transmission encryption (SSL certificate on website and reservation system),
• securing access to devices (password, PIN, biometrics),
• regular backup and secure storage,
• antivirus and firewall,
• access to reservation system only for authorized persons according to role,
• secure disposal of data (shredding, deletion).4.2. Organizational measures• employee training,
• internal guidelines,
• contractual arrangements with processors,
• regular audits,
• assigned responsible persons,
• record of system access,
• regular risk assessment and mitigation.
5. Processing of Accounting Documents
5.1. Processing is necessary to fulfil legal obligations under Art. 6(1)(c) GDPR. Data is stored in accordance with Act No. 395/2002 Coll. on archives and registries.
6. Marketing Purposes, Newsletter
6.1. Personal data will be processed only for sending newsletters to the e-mail address you have provided. We process personal data under Art. 6(1)(f) GDPR.
Your e-mail address will be processed until you unsubscribe. You can unsubscribe by clicking the “unsubscribe” link in any newsletter. Upon unsubscribing, you will no longer receive any newsletters.
Scope of data: e-mail address.
7. Cookies and Online Services
7.1. If we are able to identify a website visitor, it constitutes personal data processing. A legal basis is required, either consent or legitimate interest of the controller to provide tailored services or direct advertising.
7.2. The controller may share your data with third parties under the following circumstances:
• with third parties acting on our behalf (service providers), bound by contractual obligations,
• with employees who need access and are bound by confidentiality,
• with authorities if required by law or court order.
7.3. Location of your personal data.
Your personal data will be stored within our technical systems, and with some partners within the EU/EEA.
7.4. Retention of personal data.
We store personal data for a limited time and delete it when no longer needed.
Records are deleted no later than legal deadlines after termination of the relationship, unless law requires retention.
Data may be processed longer in case of legal disputes or with consent.
8. Rights of Data Subjects
8.1. Right of accessYou have the right to receive a copy of your personal data and information about processing.
8.2. Right to rectificationIf you believe data is inaccurate or incomplete, request correction or update.
8.3. Right to erasureYou can request deletion of your personal data, subject to legal restrictions.
8.4. Right to restrictionYou may request restriction of processing, e.g., if data may be inaccurate or no longer needed.
8.5. ConsentWhere processing is based on consent, you can withdraw it at any time. Withdrawal does not affect prior lawful processing.
8.6. Right to data portabilityYou may request transfer of personal data to another party, where applicable.
8.7. Right to objectYou have the right to object to processing based on legitimate interests.
8.8. Right to lodge a complaintIf you believe your data is processed unlawfully, you can file a complaint with the supervisory authority:
Office for Personal Data Protection of the Slovak Republic
https://dataprotection.gov.sk
Hraničná 12, 820 07 Bratislava 27
Tel.: +421 /2/ 3231 3214
E-mail: statny.dozor@pdp.gov.sk
9. Contact
9.1. In case of questions or to exercise your rights, you can contact us:
• in writing at: Penzión Liezky, Zuzana Kršteníková, Mýto pod Ďumbierom 320, 97644 Mýto pod Ďumbierom, Slovakia
• electronically: zuzana@liezky.sk
• in person at the reception