Protection of Personal Data

Hotel Barónka****, Mudrochova 2, 835 27 Bratislava (hereinafter only referred to as the “Hotel”) is operated by the company HIMEX PLUS s.r.o., Mudrochova 2, 835 27 Bratislava, ID No.: 835 837 187 (hereinafter only referred to as the “Controller”.

The Controller provides for protection of personal data with the effect from 25 May 2018 in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter only referred to as the “Regulation”) and with Act No. 18/ 2018 Coll. on Personal Data Protection (hereinafter only referred to as the “Act”).

We hereby assure you that the Controller has adopted the respective technical, organisational, staff-related measures in compliance with the Regulation and the Act in order to protect your personal data as much as possible.

Information Obligation of the Controller in relation to the Data Subjects

Under the Regulation and the Act, the Controller is obliged to provide the data subjects with any information regarding processing of their personal data in a concise and transparent manner.

Purposes and Legal Basis of Processing of Personal Data

The Controller: HIMEX PLUS s.r.o., Mudrochova 2, 835 27 Bratislava, ID No.: 835 837 187, registered with the Business Register of District Court Bratislava I, Section: Sro, File No. 26637/B

Contact details of the Controller: HIMEX PLUS s.r.o., Mudrochova 2, 835 27 Bratislava, Tel.: 00421/ 2/ 44 87 23 24, gdpr@hotelbaronka.sk

IS Hotelov guests:

Purpose of processing: Performance of the obligation within the pre-contractual and contractual relationships in providing accommodation services and the related supplementary services, in particular keeping the records on the guests.

Legal basis of processing: Processing is necessary to perform the statutory obligation of the Controller under Article 6(1)(c) of the Regulation, in particular Act No. 40/1964 Coll. Civil Code as amended, Section 24(1) of Act No. 253/1998 Coll. on Reporting of Residence of Citizens of the Slovak Republic and on the Register of Citizens of the Slovak Republic as amended, Act No. 404/2011 Coll. on Residence of Foreign Nationals and on modifications of and amendments to some acts as amended, Act on VAT No. 222/2004 Coll. as amended, VZN of Bratislava Capital City of the Slovak Republic No. 8/2016 on Accommodation Tax

Recipient/ categories of recipients: contractual partners of the Controller, accommodation tax administrator, ALTO Slovakia s.r.o., Arisan, s.r.o., Detect s.r.o., CHAMEŠ SECURITY s.r.o., KasComp spol. s.r.o., TAX-AUDIT Slovensko, spol. s.r.o., Foreign Police Department of Police Forces Bratislava, public authorities which to the extent stipulated by special regulations perform tasks related to protection of constitutional establishment, public order and security of the State or protection of the State.

Period for which data are stored: 10 years

Requirement to provide personal data and potential consequences arising from failure to provide personal data: Providing of personal data is required by law. The data subject is obliged to provide personal data, otherwise it is not possible to provide the accommodation services or the associated supplementary services in a due manner.

Transfer of personal data to third country or international organisation: Not performed.

Automated decision-making, including profiling: Not performed.
Rights of data subjects: see below Rights of Data Subjects section

Right to data portability (Article 20 of the Regulation)

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where technically feasible, if the processing is based on the legal basis: consent to processing of personal data, contractual or pre-contractual relationships and if the processing is carried out by automated means.

Exercising of the right to data portability shall be without prejudice to the data subject’s right to erasure under Article 17 of the Regulation.

The right to portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. The right to data portability shall not affect the rights and freedoms of others.

Right to object (Article 21 of the Regulation)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

The right to object to automated individual decision-making, including profiling (if carried out) (Article 22 of the Regulation)

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her Unless it relates to the personal data necessary to conclude the contractor or perform the contract between the data subject and the Controller, if the decision is authorised by Union law or the law of the Slovak Republic or is based on the data subject’s explicit consent.

The right to lodge a complaint with a supervisory authority (Article 77 of the Regulation)

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority being the Office for Protection of Personal Data if the data subject considers that the processing of personal data relating to him or her infringes this Regulation

The right to withdraw the consent (Article 7 of the Regulation)

Where processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw his or her consent at any time.

The consent may be withdrawn in the same manner as it was given.

The consent may be withdrawn:

  • by sending a written request to the address of the Controller, i.e. HIMEX PLUS s.r.o., Mudrochova 2, 835 27 Bratislava or
  • by calling 02/ 44 87 23 24 or
  • by sending an email to: gdpr@hotelbaronka.sk
    he withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.

Restriction on disclosure of information and data subject’s rights (Article 30 of the Act)

The Controller or processor may, under the conditions laid down by a special regulation or an international treaty having binding effect on the Slovak Republic, limit the scope of the obligations and rights under Sections 19 to 29 and under Section 41 as well as the principles under Sections 6 to 12 provided that they relate to the rights and obligations under Sections 19 to 29 when such a restriction is laid down to ensure:

  • the security of the Slovak Republic,
  • the defence of the Slovak Republic,
  • public order,
  • performance of tasks for the purpose of criminal proceedings,
  • other important goals of public interest of the European Union or the Slovak Republic, in particular the subject of an important economic interest or significant financial interest of the European Union and the Slovak Republic, including monetary, budgetary and taxation matters, public health or social security,
  • the protection of judicial independence and judicial proceedings,
  • prevention of breaches of ethics in the regulated professions or in regulated professional activities,
  • monitoring function, controlling function or regulatory function associated with the exercise of public authority,
  • the protection of the rights of the data subject or others
  • the exercise of a legal claim,
  • economic mobilization.

Exercising of rights by data subjects

Data subjects may exercise their rights as follows:

  • by sending a written request to the Controller’s address, i.e. HIMEX PLUS s.r.o., Mudrochova 2, 835 27 Bratislava, or
  • by calling: 02/ 44 87 23 24, or
  • by sending an email to: gdpr@hotelbaronka.sk

If a data subject exercises his/her right to access to personal data, the right to rectification and erasure of personal data, the right to restriction of processing, the right to portability, or the right to object to the processing of personal data, the Controller shall assist the data subject.

The Controller shall respond to requests from the data subject exercising his/her rights under the Regulation without undue delay, but no later within one month of the delivery of the request. In justified cases the defined period may be extended by two additional months due to complexity or high number of requests. The data subject shall be informed about the extension of the period always before the end of the month.

The Controller shall provide any information in connection with exercising of data subject’s rights free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may refuse to act on the request.

Rights of Data Subjects

We process your personal data within the performance of all obligations of the Controller. In processing of personal data by the Controller you are a data subject, i.e. the person on which the personal data concerning him or her are processed. The data subject has, irrespective of the legal basis of personal data processing, the right to be informed, the right of access to personal data, the right to rectification, the right to erasure (the “right to be forgotten”), the right to restriction of processing, the right to data portability, the right to object, the right to object automated individual decision-making and profiling (if carried out), the right to lodge a complaint with a supervisory authority, and the right to withdraw consent to processing.

Right of access to data (Article 15 of the Regulation)

The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (if disclosed),
  • the period for which the personal data will be stored (if not possible, the criteria used to determine that period),
  • the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
  • the right to lodge a complaint and a petition for initiation of proceedings with a supervisory authority, i.e. with the Office for Protection of Personal Data of the Slovak Republic
  • where the personal data are not collected from the data subject, any available information as to their source,
  • the existence of automated decision-making, including profiling
  • the appropriate safeguards related to transfer (if personal data are transferred to a third country or to an international organisation)

The Controller shall provide the data subject with a copy of the personal data undergoing processing. or any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

Right to rectification (Article 16 of the Regulation)

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing of personal data, the data subject shall have the right to have incomplete personal data completed.

Right to erasure (“right to be forgotten”) (Article 17 of the Regulation)

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the Regulation, or point (a) of Article 9(2) of the Regulation, and where there is no other legal ground for the processing,
  • the data subject objects to the processing of personal data pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the Regulation,
  • the personal data have been unlawfully processed,
  • the personal data have to be erased for compliance with a legal obligation in the Union or the Slovak Republic law,
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.

Where the Controller has made the personal data public and is obliged pursuant to Article 17(1) of the Regulation to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

This right shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information,
  • for compliance with a legal obligation which requires processing by the Union or the Slovak Republic law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
  • for reasons of public interest in the area of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation in so far as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.Právo na obmedzenie spracúvania (čl. 18 Nariadenia)

Right to restriction of processing (Article 18 of the Regulation)

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data,
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
  • the data subject has objected to processing carried out on the legal basis of public interest or legitimate interest of the Controller or of a third person pending the verification whether the legitimate grounds of the Controller override those of the data subject.