Terms and Conditions of Personal Data Processing and Protection
1. The Data Controller in the sense of Article 4, Paragraph 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, hereinafter the “GDPR”) is DIANA COMPANY, spol. s r.o., a Czech limited liability company with registered address 8 Rumunská, 120 00 Prague 2, Czech Republic; Business Registration no. 60469463 (hereinafter, the “Controller“).
2. The Controller’s contact information is:
address: 13 Legerova, 120 00 Prague 2, Czech Republic
phone: +420 226 538 911
3. Personal Data is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. The Controller has not appointed a Data Protection Officer.
Sources and Categories of Personal Data Being Processed
1. The Controller processes personal data that you have provided to it, as well as personal data it may have acquired through the fulfillment of your order.
2. The Controller processes your identification and contact information and information required to perform the contract between it and yourself.
Legal Reason for and Purpose of Personal Data Processing
1. The legal reasons for the processing of your personal data are:
· The performance of the contract between yourself and the Controller, pursuant to Article 6, Paragraph 1-b, GDPR.
· The Controller’s justified interests in processing personal data (in particular, improvement of services offered), pursuant to Article 6, Paragraph 1-f, GDPR.
· Your consent to personal data processing for direct marketing purposes (in particular, the delivery of commercial messages and newsletters), pursuant to Article 6, Paragraph 1-a, GDPR and, in the event that no goods or services were ordered, pursuant also to Section 7, Subs. 2 of Czech Republic Law no. 480/2004 – the Information Society Services Act.
2. The purposes of the processing of your personal data are:
· The processing of your booking and the performance of rights and obligations arising from the contractual relationship between yourself and the Controller. During booking, we require such personal data as is necessary to correctly process your booking; in particular, we may require: first name, last name, e-mail address, phone, residence address (street, city, ZIP code, country), payment card holder contact information, payment card information. The provision of such personal data is necessary for bookings and subsequent performance of the contract; if you do not provide this data, the Controller will not be able to enter into a contract with you.
· The processing of your order and the performance of rights and obligations arising from the contractual relationship between yourself and the Controller. During the order process, we require such personal data as is necessary to correctly process your order; in particular, we may require: first name, last name, e-mail address, phone, billing address (street, city, ZIP code, country), shipping address, residence address, date of birth, payment card information, ID document number, visa number, nationality, citizenship, date of arrival, date of departure, vehicle license plate number, vehicle type, vehicle color, purpose of trip, signature. The provision of such personal data is necessary for bookings and subsequent performance of the contract; if you do not provide this data, the Controller will not be able to enter into a contract with you.
· Delivery of commercial messages and other marketing activities.
3. The Controller does not perform automated individual decision-making in the sense of Article 22, GDPR.
4. The Controller may process personal data for the purposes of website traffic statistics.
Data Retention Period
1. The Controller shall retain your personal data:
· For a period necessary to perform its rights and obligations under the contract between it and yourself, and to make potential claims in relation to this contract (i.e., 15 years from the end of the contractual relationship).
· For personal data processed on the basis of a consent to process personal data for marketing purposes, until such time as the consent is revoked, but no longer than 3 years.
2. Upon the expiry of the personal data retention period, the Controller shall destroy the personal data in its possession, unless there remains a legal reason enabling or requiring the Controller to process such data.
Personal Data Recipients (Controller’s Subcontractors)
1. The recipients of your personal data may include:
· Entities involved in the delivery of goods and services and the processing of payments under the contract between you and the Controller
· Providers of e-shop operation services (namely, virtual-zoom s.r.o.) and other services related to the e-shop (namely, Bookassist / Automatic Netware Limited)
· Marketing service providers
· When a foreign citizen (i.e., not a Czech Republic citizen) takes lodging with us, we submit their personal data to the Czech Foreign Police in the extent required by the law: first and last name, date of birth, citizenship, residence address, number of travel document, visa number (if applicable), start date of stay, location of stay, purpose of stay, expected time of stay.
2. The Controller is not planning to transfer data into third countries (i.e., EU non-members) or to multinational corporations.
1. Your rights under the GDPR include:
· Right to access to your personal data (Article 15, GDPR)
· Right to have your data corrected (Art. 16, GDPR) and / or have the scope of its processing limited (Art. 18, GDPR)
· Right to have your data deleted (Art. 17, GDPR)
· Right to object to processing (Art. 21, GDPR)
· Right to data transferability (Art. 20, GDPR)
· Right to revoke consent to processing, which may be exercised by writing to or e-mailing the Controller at the address / e-mail address given in Section III of these Terms and Conditions
2. Should you come to believe your rights in relation to personal data processing are not being respected, you have the right to lodge a complaint with the Czech Office of Personal Data Protection.
Personal Data Protection Measures
1. The Controller declares to have taken suitable technical and organizational measures to ensure personal data security.
2. The Controller has taken technical measures to secure its data storage media and storage sites of printed personal data.
3. The Controller declares to only provide access to personal data to its duly authorized personnel.
1. By placing an order through the Controller’s online order form, you declare to have familiarized yourself with these Personal Data Protection Terms and Conditions and to accept them in full.
2. The Controller may amend these Terms and Conditions at any time. In that event, the amended version shall be published at the Controller’s website.
These Terms and Conditions enter into effect on May 25, 2018.