Infotext to Customers of CPI Hotels, a.s. on the Processing of Personal Data
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – the “GDPR”), this document provides key information on your personal data that is processed by CPI Hotels, a.s., Identification Number (IČO): 47116757, with its registered office at Bečvářova 2081/14, 100 00 Prague 10, registered in the Commercial Register maintained by the Municipal Court in Prague, File No. B 1914 (“CPI Hotels“ or “we“).
CPI Hotels is represented in the market by the following brands: Budha-Bar Hotel Prague, Clarion Hotels, Comfort Hotels, Mamaison Hotels & Residences, Spa & Kur Hotels, Fortuna Hotels, Private Label Hotels, Ubytovny.cz and Benada Restaurant.
- Which data do we process?
- Customer data
On the basis of your booking information (or information for stays without a booking), we process the following personal data:
- identification and contact details (full name, permanent address, identity card number or other document number and, where applicable, email address and telephone number);
- For natural persons registered as a business: business registration status, registered address, Identification Number (IČO), Tax Identification Number (DIČ), VAT payer information.
- For business trips of persons not registered as a business: information on the organization that arranged or paid the booking;
- Information on the purpose of your stay, or note that you are not subject to charges for a spa or leisure stay;
- Loyalty programme membership information;
- Information on your stay, services used and method of payment for services provided (for cashless payments, we process your bank account number or payment card details);
- For foreign nationals: date of birth, nationality, travel document number, visa number and permanent overseas address, in addition to the data above;
- For guests using our hotel car park: license plate number.
In addition to accommodation, we also provide spa treatments at our Spa & Kur Hotels. For guests using these treatments, we also process the following data:
- Medical diagnosis information that you provide to our doctor at your admission check-up;
- Information on the health care treatments you were provided with at our facilities and during the course of your therapeutic stay (check-up, any health complications during your stay, etc.)
- Photographs at organised events
We take a reasonable volume of photographs (event shots) at our organised events and selected photos are subsequently published on our website for the promotional purposes of CPI Hotels. The main purpose is not to obtain pictures of the guests at each event, but rather to capture the general atmosphere at each event. We do not publish close-ups and do not add descriptions of the persons in attendance at each event. According to the opinion of the Office for Personal Data Protection, this is not primarily a data privacy issue, but rather an issue concerning the protection of privacy under the Civil Code; therefore, we are not required to ask for consent to process personal data for “illustrative” images.
Events are marked with a camera pictogram to advise guests in advance that photographs will be taken and our photographers are visibly distinguishable. In addition, photographs are only taken in the main event areas and visitors can always stay in areas where photographs are not taken. If you have any queries or would like clarification on the taking of photographs, please contact us via the contact details mentioned below.
- On what basis and for what purpose do we process your personal information?
- Processing necessary to comply with legal obligations
It is necessary to provide and process all of the above-mentioned personal data, save for email address, telephone number and loyalty programme membership information, so that we can comply with our legal obligations, in particular our obligations under the Act on Local Taxes and the Act on the Residence of Foreigners on the Territory of the Czech Republic, as well as accounting and tax regulations.
- Processing necessary for performance of contract
It is necessary to process your identification data, information on your stay and the services provided and the amount and method of payment so that we can perform the contract relating to your stay; this involves arranging orders and bookings, and entering into and performing contracts concerning the accommodation, catering and related services that we offer.
For spa treatments, we process the data provided in your registration card, as well as information on your completed therapeutic stays and the health care treatments provided to you at our facilities and payment details for your stay. We process these data based on the legal relationship established between you and CPI Hotels for the provision of therapeutic spa and rehabilitation treatments and related services (accommodation, board, etc.). These data are processed so that we can provide these services.
- Consequences of failing to provide data
Failure to provide the data mentioned above means that we cannot provide you with our accommodation services. We do not require your personal information to provide board and other services and therefore we do not obtain or process your personal data for this purpose.
- Processing necessary for our legitimate interests
We process your full name, email address and information on your stay on the basis of our legitimate interest in direct marketing activities, the sole purpose of which is to send you marketing and commercial correspondence in terms of news and sales.
We also process the above personal data to send satisfaction surveys at the end of your stay at our hotels to assess how far you are satisfied with our services and to continually improve the quality of the service we provide you with.
Our guests do not doubt our services provided at our hotels or spa treatments received by them. If such a case occurred, we would be forced to process data regarding the services that we provide insofar as this is necessary for dealing with any dispute, solely for the purpose of protecting our rights in such a dispute. Similarly, we would also be forced to process all necessary data in the event of failure to pay for our services or any damage caused to us.
- Processing on the basis of consent
We process the technical information received during your visit to our website on the basis of your consent or on the permission settings on your browser – see separate infotext available at www.cpihotels.com/cs/cookies.
We offer wi-fi services to our customers, who can choose between a paid connection option and a free connection option. When you choose a free connection, you are informed in advance that CPI Hotels will use your e-mail address only for the purposes of sending marketing communications that inform you of news, sales, etc. You can opt out of receiving any further marketing communications at any time.
You can withdraw your consent at any time by sending express notice by post (CPI Hotels, a.s., Bečvářova 2081/14, 100 00 Prague 10), by email to email@example.com or by filling in our contact form at www.cpihotels.com. Alternatively, you can withdraw consent by changing your browser settings. The withdrawal of your consent will take effect once CPI Hotels receives delivery of this notice. Under the GDPR, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Processing of your data by automated means
We never perform automated decision making or otherwise process your personal data by any automated means that could produce legal effects for you or substantially affect you in any other way.
- Source of personal data
We obtain all of the above information from you directly as part of contract negotiations and through the provision of accommodation and board services.
Where another person has booked our services on your behalf (for business trips, this is usually an employer), we obtain your basic identification and contact details (including your full name and telephone number or email address) from that person directly.
Where your booking is made through a bookings site, your basic identification and contact details (including your full name and telephone number or email address) are passed to us by that booking site.
- How long do we process your personal data?
We process your personal data for the duration of your stay at our hotel. Once your stay is over, we will only process the following:
- Data that we are under obligation to process by law, for the length of time required by law only (e.g. the accounting and tax documents we issue to you will also contain certain personal data regarding you (full name, type of service provided, document issue date). We retain these documents for the sole purpose of fulfilling the obligations established in the relevant accounting and tax legislation, for the period set out in those regulations only.
- Your full name, email address and information about your stay, for the direct marketing purposes of CPI Hotels (e.g. to send communications on news and sales of our services, etc.) and to send satisfaction surveys. The data we process to send satisfaction surveys is only processed until surveys have been evaluated (a maximum of 1 month after your stay). We will process your information mentioned above for direct marketing purposes until we are notified by you that you no longer consent to this processing.
- Data necessary for the purposes of existing or threatened disputes. We will only process these data until a final decision has been made in the dispute and the obligations arising from the decisions have been fulfilled, or for the time in which a dispute regarding services provided could arise under applicable law.
Once this period has expired, we will periodically destroy your personal data both in paper and electronic form.
- To whom do we transfer or disclose your personal data?
- Transfer to third parties
We do not transfer or disclose your personal data to any third parties save for public authorities in relation to which we have a statutory disclosure obligation (we typically process data under the Act on Local Taxes or the Act on the Residence of Foreigners on the Territory of the Czech Republic).
We do not disclose your data concerning spa treatment services to any third parties; our doctors and other healthcare staff are employees of CPI Hotels.
We use the services of processors which provide certain support services (e.g. sending marketing materials, improving communication and offer segmentation, providing online hotel bookings and processing cookies). This work is always carried out exclusively for our company based on our own guidelines. In selecting each processor, we take care as to their credibility and quality of service, as well as the security of personal data processed. Processing may only be performed within the framework of contract between CPI Hotels and a processor that commits the processor to the same degree of personal data protection as is provided by CPI Hotels. At your request, we will inform you of all processors that we currently work with.
- Transfer abroad
Our processors have their headquarters and process personal data in the Czech Republic or in another EU country. We do use processors in the territory of the USA, albeit only for sending and evaluating satisfaction surveys and for some booking systems. These are always renowned companies that belong to international hotel, booking or similar networks that provide services to hotels on a global scale.
In Commission Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, the European Commission, together with the governing bodies of the United States of America, defined the “Privacy Shield” system as a special tool to ensure an adequate level of protection for personal data transferred to recipients in the United States of America. On the basis of this decision, U.S. companies that have committed to comply with the Privacy Shield Principles are adjudged to ensure an adequate level of protection for personal data. The above-mentioned U.S. processors have committed to comply with the Privacy Shield Principles. For more information, visit the programme’s official site at https://www.privacyshield.gov. The Privacy Shield Programme remains valid following the entry into force of the GDPR.
We do not transfer personal data outside of the EU in any other cases.
- How does CPI Hotels guarantee data privacy?
All persons coming into contact with personal data at our end are duty-bound to maintain confidentiality over the personal data processed and over the security measures used for their protection. This obligation will continue even if their legal contract with CPI Hotels or the processor is terminated.
- Your statutory rights
In accordance with the legislation in force as regards personal data protection, you have the following rights:
- the right to access your personal data that we process, including the right to obtain the following information from CPI Hotels:
- confirmation as to whether CPI Hotels processes your personal data;
- access to these personal data;
- information on the purposes of the processing;
- the categories of personal data processed;
- information on the recipients or potential recipients to whom your personal data will be disclosed;
- planned storage period and the criteria for establishing such period;
- the existence of the right to request the rectification or erasure of personal data or restriction of processing of personal data and the right to object to such processing;
- the right to file a complaint with the Supervisory Authority;
- where the personal data are not collected from the data subject (from you), all available information as to their source;
- whether or not any decision will be made based on automated processing, including profiling;
- the appropriate safeguards when transferring personal data outside the EU;
- a copy of personal data, where these do not adversely affect the rights and freedoms of others.
- the right to correct your personal data if it is in any way incorrect, inaccurate or incomplete; CPI Hotels will correct your data within its technical capabilities without undue delay;
- the right to request the erasure of your personal data where provided for by the GDPR – e.g. if you have refused consent or objected to processing, if the personal data is processed unlawfully or where the personal data are no longer necessary in relation to the purposes for which they were processed. In such an event, you may request the erasure of your personal data. However, this option does not apply if the processing is necessary to fulfil legal obligations and under certain other cases provided for by the GDPR;
- the right to request the restriction of the processing of your personal data where provided for by the GDPR – e.g. where you contest the accuracy of the personal data, object to the processing, etc.
- the right to the portability of the data you have provided to us, which we process by automated means on the basis of your consent, where their processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request. In such cases, we will allow you to obtain your personal data in a structured, commonly used and machine-readable format or, if technically feasible, we will transmit them directly to the new controller determined by you;
- the right to object to the processing of your personal data where such processing is deemed necessary for the purposes of legitimate interests, including processing for direct marketing purposes. If we do not demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, then we shall no longer process your personal data.
- the right to withdraw consent to the processing of personal data at any time by sending us express notice by post (CPI Hotels, a.s., Bečvářova 2081/14, 100 00 Prague 10), by email to firstname.lastname@example.org, or by filling in our contact form at www.ccom. Alternatively, you can withdraw consent by changing your browser settings. The withdrawal of your consent will take effect once CPI Hotels receives delivery of this notice. Under the GDPR, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except for the above-mentioned cases expressly stated in the GDPR;
- where you feel that the processing of your personal data has been breached under the GDPR, and except in the above mentioned cases, the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection (in Czech: Úřad pro ochranu osobních údajů), which has its registered office at Pplk. Sochora 27, 170 00 Prague 7.
- Our contact details
If you have any queries or questions as regards the processing of your personal data, please write to us at any time at CPI Hotels, a.s., Bečvářova 2081/14, 100 00 Prague 10, or email our data protection officer at email@example.com. Alternatively, you can fill out our contact form at www.cpihotels.com.