Mosaic House s. r. o., Odborů 278/4, 120 00 Praha 2 (hereinafter referred to as the CONTROLLER) is aware of the dangers arising from the irresponsible processing of personal data. We therefore welcome Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on the protection of personal data), hereinafter referred to as “GDPR”.
This statement informs our customers that we, as the data CONTROLLER process the personal data provided for the purpose of:
• compliance with the legal obligations arising from the laws governing rights and obligations in the context of consumer protection and bookkeeping
• identification of accommodated guests to ensure their safety
• security of people and property
• sending commercial communications where the CONTROLLER has a legitimate interest in maintaining contact with an existing customer
The CONTROLLER undertakes to dispose of the provided personal data after the expiration of the following periods:
• all personal data provided in electronic form and stored in the hotel system for 5 years from the last registration in the system (accommodation)
• issued documents for 10 years after the last invoicing in case of legal obligation – Value Added Tax Act (Act No. 235/2004 Coll.)
• house book 6 years from the last registration (accommodation) – Act on the Residence of Foreign Nationals in the Czech Republic and on Amendments to Certain Acts (Act No. 326/1999 Coll.)
Scope of personal data:
• the CONTROLLER undertakes to process personal data only to the extent necessary in relation to the above-mentioned purposes for which the data are processed
The CONTROLLER declares that personal data will only be made available to the appropriate CONTROLLER’s employees who are required to maintain confidentiality of such data, as well as of security measures the disclosure of which would jeopardize the security of such personal data. The CONTROLLER declares that personal data for the above purposes will be provided to the following processors for the below purposes:
• C4You, s. r. o. Poupětova 3, 170 00 Praha 7 – IT service provider
• Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, United States of America – data storage provider
• MEWS SYSTEMS, s.r.o., Maiselova 25/4, Staré Město, 110 00 Prague 1 – provider of on-line booking system
• MOJU properties s.r.o., Dukelských hrdinů 564/34, Holešovice, 170 00 Prague 7 – accounting processing
The CONTROLLER advises the customer of the fact that profiling will be performed (a form of automated processing of customer’s personal data by using personal data to evaluate some personal aspects relating to the customer, in particular to analyse or estimate aspects relating to personal preferences and interests). The CONTROLLER uses profiling only to personalize service offerings (targeted advertising). If the customer raises an objection to profiling, the CONTROLLER undertakes to terminate profiling in relation to the customer.
Rights of the data subject: The CONTROLLER informs the customer of the rights that ensue from the GDPR, in particular:
The right of access to personal data (the data subject has the right to obtain a confirmation from the CONTROLLER that the personal data concerning him/her are or are not processed according to Art. 15 of GDPR);
The right to rectification (the data subject is entitled to have the CONTROLLER rectify the inaccurate personal data concerning him/her, as well as the right to supplement incomplete personal data under Art. 16 of GDPR without undue delay ).
The right to erasure (the data subject has the right to have the CONTROLLER erase the personal data relating to the data subject without undue delay in the event of one of the reasons set out in Art. 17 of GDPR);
The right to restrict the processing (the data subject has the right to have the CONTROLLER restrict the processing in the cases specified in Art. 18 of GDPR);
The right to data transferability (the data subject has the right to obtain the personal data concerning him/her, which were provided to the CONTROLLER, in a structured, commonly used and machine-readable format, and the right to pass this data to another CONTROLLER without the CONTROLLER, to whom the personal data were provided, preventing it, in the cases referred to in Art. 20 of GDPR);
The customer may exercise the right to data transferability only in the case of the processing of personal data in order to fulfil the contract pursuant to Art. 20 of GDPR.
The right to raise an objection (the data subject has the right, at any time, to raise objections to the processing of personal data concerning him/her, on the grounds relating to his/her particular situation, based on Art. 6, paragraph 1, letter e) or f) of GDPR, including profiling based on these provisions according to Art. 21 of GDPR);
The customer may exercise the right to object only in the case of the processing of personal data for the purpose of sending commercial communications (direct marketing), which includes profiling as far as this direct marketing is concerned according to Art. 21 of GDPR (see above);
The right not to be the subject of any decision based exclusively on automated processing (the data subject has the right not to be the subject of any decision based exclusively on automated processing, including profiling, which has legal effects for him/her or significantly concerns him/her in accordance with Art. 22 of GDPR);
The right to file a complaint with a supervisory authority, which is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 727/27, postcode 170 00, Prague 7
Customer contact for inquiries regarding personal data provided, request for erasure, transfer, or modification of the provided personal data is email@example.com.