GENERAL PRIVACY PROTECTION PRINCIPLES

We, Residences Unlimited Plus s.r.o., Company Reg. No.:10706801 , with its registered office at Ovenecká 341/46, 170 00 Praha 7 (hereinafter referred to as the “Controller”), are aware of the importance of protecting the personal data of our employees and suppliers, and have therefore decided to adopt these general privacy protection principles (hereinafter referred to as “General Principles”). These General Principles relate to any and all processing of personal data that takes place within the scope of the Controller’s activities, and therefore apply to the processing of personal data of our employees and suppliers.

The Controller processes personal data of data subjects in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC effective from 25 May 2018 (hereinafter referred to as the “GDPR”) and other legal regulations governing the issue of personal data protection, in particular Act No. 110/2019 Coll. on the processing of personal data.

CONTACT DETAILS

The Controller hereby informs you of the following contact details:

Postal address: Kapucínské nám. 15, 602 00 Brno
E-mail address: info@masarykova30.cz
Contact person for matters concerning the processing of personal data: Yana Rebrova

SOURCES OF PERSONAL DATA

The Controller primarily obtains personal data directly from data subjects, in particular as part of exercising the rights and obligations of data subjects within the framework of an employment relationship with the Controller, as well as through the implementation of orders and requests from the Controller with suppliers, e-mail communication, telephone communication, business cards, reservation forms, accommodation operators, accommodation portals, etc. Personal data are also obtained from publicly accessible registers, lists, and records (e.g., commercial register, trade register, real estate register, public telephone directory, etc.).

SCOPE OF PROCESSING PERSONAL DATA

Personal data are processed to the extent that the relevant data subject has provided them to the Controller, either in connection with the conclusion of a contractual or other legal relationship with the Controller, or our company has collected them another manner and processes them in accordance with applicable legal regulations or to fulfill our legal obligations.

PROCESSING OF THE PERSONAL DATA OF OUR EMPLOYEES

The Controller mainly processes personal data as an employer. In order to fulfill its obligations from concluded employment contracts, as well as the relevant legislation, the Controller processes the following categories of personal data in connection with the employment relationship of our employees:

Jméno a příjmení; datum narození; rodné číslo; pohlaví; státní příslušnost;
Adresa pobytu; telefonní číslo; emailová adresa;
Pracovní pozice; místo výkonu práce; údaje o mzdě; záznam o počtu odpracovaných hodin; číslo bankovního účtu; údaje o předchozích zaměstnavatelích; profesní historie; dosažené vzdělání; další údaje obsažené v životopise zaměstnance;
Name and surname; birthdate; personal identification number; gender; nationality; • Address; telephone number; e-mail address;
Position; place of work; salary details; a record of the number of hours worked; bank account number; details of previous employers; professional history; education; other data contained in an employee’s CV;
Marital status; information about children; other data needed to prepare a tax return; • Data on work incapacity; data on medical examinations; data on disabilities; and • Image recordings from the camera system.

Employment or other contracts concluded with the Controller

We process the personal data of our employees primarily for purposes related to the fulfillment of obligations from concluded employment contracts. In such a case, the legal basis for the processing is Article 6(1)(b) of the GDPR. The processing is necessary in particular for the purposes of enabling the performance of your work duties, management, planning and organization of work, keeping personal files and records of employees, reporting working hours and performance of a contract. This also includes the implementation of measures necessary to conclude the relevant contract. The provision of personal data of our employees and their subsequent processing is a prerequisite for concluding a contract between the relevant employee and the Controller. Failure to provide the required personal data by the employee may result in the inability to fulfill a contract and therefore its invalidity from the onset.

We process the personal data of our employees for the duration of the contractual relationship between the relevant employee and the Controller. In justified cases, the period of processing of personal data may exceed the duration of the contractual relationship, in particular due to exercising the Controller’s legal claims from expired contracts. In this case, the Controller is obliged to ensure that the period of personal data processing never exceeds the statutory limitation period of 10 years.

Fulfillment of legal obligations in the field of labor law and social security law

The Controller is obliged to comply with the entire legal system of the Czech Republic, in particular legislation in the field of labor law, occupational health and safety, tax laws and laws governing social security and health insurance. The personal data of our employees are therefore also processed for purposes relating to payroll, compensation to employees, payment of mandatory contributions for employees, ensuring occupational health and safety, etc. The legal basis for the processing in such a case is Article 6(1)(c) of the GDPR. The provision of personal data of our employees is therefore a legal requirement in these cases. Failure to provide the requested personal data by the employee may be sanctioned by the relevant legal regulations.

The Controller is also obliged to transfer the personal data of its employees to the relevant state administration bodies, either on the basis of fulfilling a legal obligation or upon request. These authorities can be, for example, the tax office, the social security administration, or the court. The transfer of personal data in such cases takes place only in the regime established by the relevant legal regulation or a decision of the relevant authority.

The Controller respects the special regime of processing personal identification numbers; therefore, it processes them exclusively in cases stipulated by law. Personal identification numbers are processed by the Controller primarily in connection with the taxation of the employee’s income and the payment of social security and health insurance contributions, and for communication with state administration bodies.

For the stated purposes, we process personal data for the period specified by the relevant legal regulations. For more detailed information, please contact us using our contact details above.

Legitimate interests of the Controller

Personal data of our employees may also be processed for the purposes of our legitimate interests in securing and ensuring the protection of health and property. In such a case, the legal basis of the processing is Article 6(1)(f) of the GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

The legitimate interest of the Controller in the operation of the camera system in the Masarykova 30 apartment building, managed by the Controller, at the address Kapucínské náměstí 15, 602 00 Brno, in order to ensure the protection of health and property; and
Defending our legal claims.

The processing of personal data for these purposes is based on our legitimate interests, except in cases where the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data take precedence over these interests, in particular where the data subject is a child. In the event of any doubts in relation to our legitimate interests, you have the right to contact us at any time with an objection to the processing under the conditions and in the manner specified in these General Principles.

The Controller, as an employer, is fully aware of its obligations arising from the relevant legal regulations in relation to the protection of the privacy of its employees and hereby declares that the camera system in the Žinkova chateau building is installed and operated in such a way as not to disturb the privacy of employees at the workplace and in common areas without serious grounds and to an unreasonable extent.

We process the personal data for the reasonable duration of our legitimate interests. In this case, the Controller is obliged to ensure that the period of personal data processing never exceeds 3 years.

PROCESSING OF THE PERSONAL DATA OF OUR CUSTOMERS

The Controller also processes personal data about its customers and those interested in the Controller’s services (“customers”). In order to fulfill its obligations from concluded contracts, as well as the relevant legislation, the Controller processes the following categories of personal data about its customers:

Name and surname; date of birth; Company Reg, No; VAT No.;
Address; telephone number; e-mail address;
Bank account details;
Citizenship;
Travel document, identification card number;
Duration of stay;
Purpose of stay in the territory of the Czech Republic;
Vehicle registration number; and
Image recording from the camera system.

Personal data are primarily obtained from customers when booking accommodation via the website www.masarykova30.cz (booking form) and the portal www.booking.com, as well as www.airbnb.com directly from the customer when making a reservation or indirectly through an accommodation operator or a person providing accommodation.

Fulfillment of a contract concluded with the Controller:

We process the personal data of our customers primarily for purposes related to the fulfillment of obligations from the concluded contract. In such a case, the legal basis for processing is Article 6(1)(b) of the GDPR. Processing is necessary in particular for the purposes of exercising the rights and obligations arising from the subject of the contract, management, planning and organization of the performance of these obligations, and provision of performance based on the contract. This also includes the processing of personal data as part of the negotiations necessary to conclude the relevant contract. The provision of a customer's personal data and their subsequent processing is a prerequisite for concluding a contract between a customer and the Controller. Failure to provide the required personal data by a customer may result in the inability to fulfill a contract and therefore its invalidity from the onset.

We process the personal data of our customers for the duration of the contractual relationship between the relevant customer and the Controller. In justified cases, the period of processing of personal data may exceed the duration of the contractual relationship, in particular due to exercising the legal claims of the Controller or the customer from expired contracts. In this case, the Controller is obliged to ensure that the period of personal data processing never exceeds the statutory limitation period of 5 years.

Fulfillment of obligations in connection with the provision of accommodation services

The Controller is obliged to keep records regarding accommodation in particular in accordance with the Act on the Residence of Foreigners in the Czech Republic and other laws relating to the provision of accommodation.

Fulfillment of legal obligations in the field of invoicing and accounting

The Controller is obliged to comply with the entire legal system of the Czech Republic, in particular legislation in the field of civil and commercial law, accounting and tax laws. The personal data of our customers are therefore also processed for purposes relating in particular to invoicing, accounting, and tax obligations, etc. The legal basis for the processing in such a case is Article 6(1)(c) of the GDPR. The provision of personal data is therefore a legal requirement in these cases. Failure to provide the requested personal data by the employee may be sanctioned by the relevant legal regulations.

The Controller is also obliged to transfer the personal data of its customers to the relevant state administration bodies, either on the basis of fulfilling a legal obligation or upon request. These authorities can be, for example, the tax office, the social security administration, or the court. The transfer of personal data in such cases takes place only in the regime established by the relevant legal regulation or a decision of the relevant authority.

For the stated purposes, we process personal data for the period specified by the relevant legal regulations. For more detailed information, please contact us using our contact details above.

Personal data of our customers may also be processed for the purposes of our legitimate interests in securing and ensuring the protection of health and property. In such a case, the legal basis of the processing is Article 6(1)(f) of the GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

The legitimate interest of the Controller in the operation of the camera system in the Pivoňka hotel building, managed by the Controller, at the address nám. Míru 466, 378 81 Slavonice, in order to ensure the protection of health and property; and
Defending our legal claims.

The Controller, as an employer, is fully aware of its obligations arising from the relevant legal regulations in relation to the protection of the privacy of its customers and hereby declares that the camera system in the Žinkova chateau building is installed and operated in such a way as not to disturb the privacy of employees at the workplace and in common areas without serious grounds and to an unreasonable extent.

PROCESSING OF THE PERSONAL DATA OF OUR SUPPLIERS

The Controller also processes personal data about its suppliers. In order to fulfill its obligations from concluded supplier contracts, as well as the relevant legislation, the Controller processes the following categories of personal data about its suppliers:

Name and surname; date of birth; Company Reg. No.; VAT No.;
Address; telephone number; e-mail address; and
Type of activity performed; the amount of the agreed remuneration; bank account details; supplier identifier.

Fulfillment contracts concluded with the Controller

We process the personal data of our suppliers primarily for purposes related to the fulfillment of obligations from the concluded contract. In such a case, the legal basis for processing is Article 6(1)(b) of the GDPR. Processing is necessary in particular for the purposes of exercising the rights and obligations arising from the subject of the contract, management, planning and organization of the performance of these obligations, and provision of performance based on the contract. This also includes the processing of personal data as part of the negotiations necessary to conclude the relevant contract. The provision of a supplier’s personal data and their subsequent processing is a prerequisite for concluding a contract between a supplier and the Controller. Failure to provide the required personal data by a supplier may result in the inability to fulfill a contract and therefore its invalidity from the onset.

We process the personal data of our suppliers for the duration of the contractual relationship between the relevant supplier and the Controller. In justified cases, the period of processing of personal data may exceed the duration of the contractual relationship, in particular due to exercising the Controller’s legal claims from expired contracts. In this case, the Controller is obliged to ensure that the period of personal data processing never exceeds the statutory limitation period of 10 years.

Fulfillment of legal obligations in the field of invoicing and accounting

The Controller is obliged to comply with the entire legal system of the Czech Republic, in particular legislation in the field of civil and commercial law, accounting and tax laws. The personal data of our suppliers are therefore also processed for purposes relating in particular to invoicing, accounting, and tax obligations, etc. The legal basis for the processing in such a case is Article 6(1)(c) of the GDPR. The provision of personal data is therefore a legal requirement in these cases. Failure to provide the requested personal data by the employee may be sanctioned by the relevant legal regulations.

The Controller is also obliged to transfer the personal data of its suppliers to the relevant state administration bodies, either on the basis of fulfilling a legal obligation or upon request. These authorities can be, for example, the tax office, the social security administration, or the court. The transfer of personal data in such cases takes place only in the regime established by the relevant legal regulation or a decision of the relevant authority.

For the stated purposes, we process personal data for the period specified by the relevant legal regulations. For more detailed information, please contact us using our contact details above.

PROCESSING OF THE PERSONAL DATA OF VISITORS TO OUR SOCIAL NETWORK SITES
The Controller operates social network sites on www.facebook.com and www.instagram.com, www.booking.com, and www.airbnb.com. For this reason, in order to ensure the optimal functioning and optimization of these social networking sites, we must process the following personal data about visitors to them:

Name and surname;

Profile picture; and

Other information that the data subject chooses to share with us by sending a message or posting a comment via a social network.

The source of personal data is the relevant social network and website. Information about the data submitted when making a booking is described in the processing of personal data of customers.

Legitimate interests of the Controller

We process the personal data of visitors to our social network sites primarily for the purposes of our legitimate interests in ensuring the functionality and optimization of our social network sites. In such a case, the legal basis for the processing is Article 6(1)(f) of the GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

Ensuring the functionality of our social network sites;
Conducting analyzes and measurements, e.g.: attendance, readership, number of views of posts and others. We collect these data using anonymized data in order to be able to offer high-quality content that is relevant to users and to develop services in which visitors to our sites have an obvious interest; and
Improving the quality of the services provided and the possible development of new services, e.g., development of social network sites, competitions, etc. New services are developed, and existing ones are improved by ascertaining the needs and wishes of visitors to our social network sites through analyzes on these social network sites, as well as interest in certain contributions and texts, etc.

METHOD OF PROCESSING AND PROTECTING PERSONAL DATA

When processing your personal data, the Controller undertakes to comply with the following main principles of personal data processing:

When storing, securing and further processing personal data, the Controller proceeds in accordance with applicable legal regulations, in particular with the GDPR;
The Controller processes your personal data only for the purposes and in the manner resulting from these General Principles;
The Controller has taken appropriate technical and organizational measures to ensure an adequate level of security for your personal data. All personal data that data subjects provide to the Controller are secured by standard procedures and technologies. However, it is not objectively possible to guarantee 100% security of a data subject’s personal data. In this context, the Controller regularly checks security measures, which are then regularly updated where necessary; and
As a data subject, you always have the option to contact the Controller at any time in a simple way, by any of the methods specified in these General Principles.

RECIPIENTS OF PERSONAL DATA

In addition to the Controller’s employees and managers, recipients of your personal data may also be third parties. The Controller carefully selects its suppliers to whom it entrusts the data of data subjects and who are able to ensure the technical and organizational security of the personal data of data subjects so that no unauthorized or accidental access to these data or their other misuse can occur.

As part of the legal relationships with our suppliers, they are, among other things, bound by confidentiality and may not use the provided data for any purposes other than those for which we have made the data available to them, and they must also ensure additional measures to secure the personal data of data subjects.

Third parties that may have access to personal data of data subjects, depending on the nature of the service that the data subjects use or have used, are:

SIESTA SOLUTION s.r.o., Company Reg. No.: 05203503 with its registered office at Jičínská 226/17, Žižkov, 130 00 Prague 3,
Persons who ensure the technical operation of a certain service for us or operators of technologies that we use for our services,
Persons who provide activities for us in direct relation to the performance of our activities, primarily accounting services, i.e., SVOBODA & WILLIAMS s.r.o., Company Reg. No.: 27588785, with its registered office at Prague 1 - Staré Město, Na Perštýně 362/2, Post Code 11000;
Providers of postal and communication services and electronic communications services;
Payment service providers and payment processors for the purpose of securing and performing payment transactions;
Authorized employees of the Controller; and
Persons who ensure the recovery of the Controller's claims for us.

Under certain, precisely defined conditions, the Controller is obliged to hand over some personal data of data subjects based on valid legal regulations, e.g., to the Police of the Czech Republic, the Financial Office, the Office for the Protection of Personal Data, and other public administration bodies.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The Controller does not intend to transfer the personal data of data subjects to any third country. In the event that the personal data of data subjects is transferred to third countries outside the EU, this will be performed in accordance with the legislative requirements, and the protection of the personal data of data subjects will be ensured. The Controller undertakes to inform you immediately of any such transfer.

RIGHTS OF DATA SUBJECTS

In relation to the processing of personal data, data subjects may exercise the following rights: • The right to request access to your personal data from the Controller;

The right to request information from the Controller regarding the processing of your personal data;
The right to rectification of your personal data;
The right to complete your incomplete personal data;
The right to the restriction of processing. Restriction of processing means that we have to mark your personal data for which processing has been restricted and for the duration of the restriction we must not process it further, except for storing it. You have the right to obtain restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data,
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
- The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claim;
The right to the erasure of your personal data. The Controller is obliged to erase personal data only in the cases specified by the GDPR, unless it is prevented by another legal regulation (e.g., when the statutory limitation period for personal data has already expired);
The right to portability of your personal data. You can request that we provide you with your personal data for the purpose of transmitting them to another personal data controller, or that we ourselves transmit to another personal data controller. However, you only have this right regarding data that we process by automated means based on your consent or a contract with you;
The right to request information from the Controller regarding the transfer of your personal data to third parties;
The right to lodge a complaint with a supervisory authority, in the event that you believe that the processing of personal data infringes the legal regulations on the protection of personal data. You can lodge a complaint with a supervisory authority at your place of habitual residence, place of work, or place of the alleged infringement. In the Czech Republic, the supervisory authority is the Office for the Protection of Personal Data, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz;
The right to object to processing in the cases specified by the GDPR.

If you believe that the Controller is processing personal data in violation of your right to protect your private or personal life, you can request an explanation and elimination of such a situation from the Controller.

You can exercise all your rights through the contacts listed in these General Principles.

AMENDMENTS TO THE GENERAL PRINCIPLES

We reserve the right, if necessary, to amend these General Principles, primarily with regard to the development of national legislation, the decision-making practices of the Office for Personal Data Protection, and other recommendations and opinions of other authorities whose outputs relate to the area of personal data protection. We recommend that you review these General Principles regularly to stay up-to-date on how we help protect your personal data that we process.

CONTACT

In the event of any questions about the protection of your personal data or withdrawal of consent to the further processing of your personal data, please contact us at the contact details listed above.

In this context, we would like to inform you that we may ask you to prove your identity to us in a suitable way so that we can verify it. This is a security measure to prevent unauthorized persons from accessing your personal data.

EFFECTIVENESS

These General Principles are effective as of 1 November 2022.