Privacy policy

PRIVACY POLICY

The purpose of the privacy policy is to provide to a natural person - a data subject - with information about the purpose, scope, and protection of personal data processing, the period of processing, the data subject’s right during the data acquisition, and the processing of data and when transferring the data to competent authorities or any other data controller.

1.    Data controller and its contact information

1.1.    The controller of personal data processing shall be CTJ Slovakia s.r.o., registration No. 53541804, legal address: Laurinská 18, 811 01 Bratislava, Slovakia, telephone: +421 905 549 162, website: https://ibisbratislavacentrum.com/ (hereinafter - the Controller);
1.2.    Contact information of the data protection officer of the controller on issues related to personal data processing: Jevgenijs Jarosovs, tel.: +371 28440803, e-mail: legal@mogotel.com or dpo@mogotel.com.

2.    Applicable laws and regulations

2.1.    Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as - the GDPR), and the Slovak Act. no. 18/2018 Coll., the Data Protection Act.
2.2.    Other applicable national data protection law.

3.    The purpose of personal data processing

3.1.    We process personal data in accordance with the requirements of the GDPR and national data protection laws. In case we want to process personal data for a purpose not mentioned here, we will inform you in advance.

3.2.    Provision of services:
3.2.1. customer identification;
3.2.2. preparation and conclusion of contracts;
3.2.3. to process and facilitate bookings, reservations and payments, including verifying your identity, taking payments and communicating with you;
3.2.4. provision/maintenance of services;
3.2.5. customer service;
3.2.6. maintenance of operation of the webpage;
3.2.7. enabling a comfortable use of the webpage;
3.2.8. implementation of the franchise agreement;
3.2.9. communication for the purpose of marketing of our services and carrying out Loyalty Programs,
3.2.10. compliance with tax and other legal obligations, and
3.2.11.    ensuring the security of property, people, and information.

4.    Categories of personal data being processed by the Controller:

4.1.    name, surname, personal identity number or date of birth, correspondence address, address of the declared place of residence/ temporary or permanent residence, phone number, e-mail address;
4.2. data of the identification document;
4.3. list of received and planned services;
4.4. bank account numbers;
4.5. payment administration information;
4.6. phone, electronic communication information;
4.7. Curriculum vitae;
4.8. information included in the personal file, including information about education, dependants, data on health checks of employees;
4.9. photo images;
4.10. work e-mail, internet, and phone auditing records;
4.11. video surveillance system records;
4.12. data regarding website visits;
4.13. auditing records of access control devices and alarm devices with the data of employees, visitors, or subcontractors;
4.14.     for the purposes referred to in Paragraph 3, other data of which the data subject notifies the Controller by him/herself shall be also processed.

5.    Justification of the personal data collection and processing:

5.1.    consent of the data subject (Article 6(1)(a) GDPR and section 13/1/a of the Slovak Data Protection Act) – the data subject has provided his/her consent to data collection and processing for one or several specific purposes. The above applies to name and surname, personal identity number or date of birth, e-mail address, phone number, photo images, list of planned services, data publicly available on social media;

5.2.    before or after conclusion of the contract (Article 6(1)(b) GDPR section 13/1/b of the Slovak Data Protection Act) - customer relations (including remote) control, ensuring conclusion and fulfilment of the contract, as well as provision of the implementation of processes related to that, cooperation with customers and provision of the implementation of processes related to that. The above applies to name and surname, personal identity number or date of birth, address of the declared place of residence, e-mail address, phone number, bank account number and tax number, data of the identification document, list and date of carried out and/or planned services, payment administration information, phone, electronic communication information, photo images, accommodation data and special accommodation demands of guests (which way include possible food allergies and/or disabling or mental medical conditions);

5.3.    Legitimate interests of the Controller (Article 6(1)(f) GDPR and section 13/1/f of the Slovak Data Protection Act)– to implement commercial activity, to provide services, retention of customers, identification of data subjects, customer segmentation for more effective service provision, popularization and improvement of the image and services of the Controller, prevention of fraud, review of complaints and provision of support in relation to the provided services, marketing activities, company and financial risk management, corporate management, financial, business, and analytical recording, record-keeping, data archiving, provision of internal processes, video surveillance for the safety purposes of customers and the Controller, analysis of auditing records of the website, effective cash flow management, debt administration, administration of customer payments, court proceedings, provision of franchise relations, health safety of employees and customers (visitors) and fulfilment of the requirements of legal acts to be referred to that, as well as other legitimate interests of the Controller in force at the time of data processing. The above applies to publicly available company name and surname, personal identity number or date of birth, e-mail address, phone number, title, and contact details of companies and sole entrepreneurs in the course of their business activities and other business partners; details of the company you are employed at, your place of work, video, time of entry and exit from our premises list of received and planned services, data regarding website visits, auditing records of access control devices and alarm devices with the data of employees, visitors, or subcontractors, payment administration information, phone, electronic communication information; in relation to the  processing of the said personal data performance of the company's core business and providing security of persons, property and information;

5.4.    Fulfilment of requirements of regulatory enactments in force (Article 6(1)(c) GDPR and section 13/1/c of the Slovak Data Protection Act). - The above applies to name and surname, personal identity number or date of birth, temporary or permanent residence, e-mail address, phone number, tax number, data of the identification document, list of received and planned services, bank account numbers, payment administration information.

6.    Sources of acquisition of the personal data of the data subject:

6.1.    documents and information submitted by data subjects;
6.2. data of other controllers, processors, and sub-processors;
6.3. service provision process;
6.4. video and/or photo equipment data of the Controller;
6.5. computer network equipment data of the Controller;
6.6. Visiting and browsing data of the website of the Controller https://ibisbratislavacentrum.com/;
6.7.    Franchisor  may share guest personal data which it has collected through reservations systems and sales and marketing programs operated by franchisor or third party service providers on its behalf.

7.    Data processing process of the data subject:

7.1.    when identifying the data subject;
7.2. during commercial activity;
7.3. when entering into commercial agreements and controlling the fulfilment thereof;
7.4. when selecting employees, establishing and maintaining legal employment relations;
7.5. when fulfilling the requirements of regulatory enactments;
7.6. when participating in court proceedings;
7.7.    when providing information to state and municipal authorities and officials, as well as receiving information from them.

8.      Processing of cookies of the data subject:

8.1.    Cookies are small text files which are created and saved on the device of the data subject (computer, tablet, or mobile phone) upon visiting websites of the Controller. Cookies “remember” user experience and basic information, thus making the use of the site more convenient;
8.2. With the help of cookies information about users habits and history of use of the site are processed, problems and deficiencies in the operation of the site are diagnosed, statistics of user habits are collected, and complete and convenient use of the site is ensured;
8.3. If the data subject does not want to use cookies, it is possible to refuse their use in the browser’s settings; however, in such a case use of the site may be significantly disrupted and made difficult. Deletion of saved cookies is possible in the settings of a device’s browser by deleting the history of saved cookies.
8.4.    The data Controller processes cookies in accordance with the Cookies Policy.

9.    Period of storage of data:

9.1.    as long as the period for storage of data determined by the regulatory enactments in force has not expired;
9.2. as long as the agreement concluded with the data subject is in force;
9.3. as long as the consent of the data subject is in force;
9.4. as long as it is necessary in order to implement and protect the legitimate interests of the Controller;
9.5. as long as the legal obligation to store the data exists;
9.6.    upon expiry of any of the above-mentioned time periods, all data shall be deleted or anonymized in accordance with the procedure determined by the Controller.

10.    Sharing and issuing of personal data of the data subject:

10.1.    In order to provide the services and perform the work tasks, the Controller may share the data of the data subject, including in the countries of the European Union and EEA (European Economic Area);

10.2.    When providing special data protection, like the GDPR and national regulation requires, in order to guarantee the fulfilment of functions and duties, as well as the work of the Controller, the Controller may transfer the data to a third country (outside of the European Economic Area) or international organizations:
10.2.1.    Some countries where recipients are located have already been assessed by the European Commission as ensuring an adequate level of protection for this data (including those within the EEA), whereas others are not deemed to ensure an adequate level of protection according to GDPR.

10.3.    If recipients are located in other countries that are not deemed to ensure adequate protections for personal data, data Controller will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. This could include (without limitation) using appropriate safeguards such as the Standard Contractual Clauses which the European Commission has assessed as providing an adequate level of protection for personal data, and in each case Data Transfer Assessment related to each third country the data are exported to. You can ask for a copy of the appropriate safeguards by contacting us as set out below.
10.4. In order to fulfil the provisions of regulatory enactments, the Controller may share the data of the data subject with the state and municipal authorities, law enforcement authorities, court, or other institutions;
10.5. The Controller may share the data of the data subject with franchisor based on contractual relations and ensuring compliance with regulatory requirements;
10.6.    The Controller shall issue the data only to the extent determined by the regulatory enactments in force, including the GDPR and applicable national data protection law.

11.    Protection of the data subject’s personal data:

11.1.    The Controller shall protect the data of the data subject from unauthorized access, accidental loss, disclosure, or destruction. In order to achieve this, the Controller shall use modern technological possibilities, considering the existing privacy risks and organizational requirements, including using firewalls, break-in detection and analysis software, as well as encryption with standard SSL and anonymization;
11.2. The Controller shall carefully examine all processors and sub-processors who process the data of the data subject on behalf of it; the Controller shall assess whether the relevant safety measures are used, whether the data processing is performed in the way delegated by the Controller, whether it is performed in accordance with regulatory enactments in force and data protection requirements and standards;
11.3. processors and sub-processors shall not be entitled to process the data of the Controller for their own purposes;
11.4.    The Controller shall not bear any responsibility for any unauthorized access to the data of the subject or the loss of that data, if they are not under the competence of the Controller, for example due to the fault or negligence of the data subject.

12.    Profiling logic:

12.1.    Data Controller does not carry out profiling or other automated decision-making.

13.    Rights of the data subject:
In accordance with regulatory enactments in force, the data subject shall have the following rights in relation to his/her personal data’s processing:

13.1.    rights of access - the data subject shall be entitled to request a confirmation from the Controller regarding whether the personal data of the data subject are processed, as well as information about all processed personal data;
13.2. right to rectify - if the data subject considers that the information about him/her is incorrect or incomplete, he/she shall be entitled to request the Controller to rectify them;
13.3. objecting to processing based on lawful interest - the data subject is entitled to object to the processing of personal data processed based on legitimate interests of the Controller, except in cases when legal acts determine the processing of such data;
13.4. erasure - in certain circumstances the data subject has the right to request the erasing of his/her personal data, except in cases when legal acts determine the time period for storage of such data;
13.5. restriction of processing - in certain circumstances the data subject shall be entitled to restrict his/her personal data processing, except in cases when legal acts determine the volume of data processing;
13.6. data transmission - the data subject shall be entitled to receive or transfer his/her personal data to any other personal data controller. This right shall also include personal data which were provided to the Controller pursuant to consent of the data subject, on the basis of a contract or in cases where data processing is performed automatically. The data subject may use the above-mentioned rights to the extent the Controller does not implement the processing, upon fulfilling the obligations and tasks imposed under the regulatory enactments in force;
13.7. revocation of consent - the data subject shall be entitled at any time to revoke the consent given for data processing, in the same way as it was provided or by sending a relevant notification to the e-mail: legal@mogotel.com or dpo@mogotel.com.
13.8.    In this case, further processing based on prior consent regarding the specific purpose will not be performed. Revocation of the consent does not affect data processing carried out while the consent of the data subject was effective. Withdrawal of the consent cannot terminate data processing that is carried out by the Controller based on other legal grounds.

In order to carry out the above-mentioned rights, please submit a written application to the Controller or the data protection officer.

14.    Other

14.1.    Links to the websites of third persons, which have their own rules for usage and personal data protection, for which the Controller does not bear any responsibility, may be posted on the websites of the Controller. 

15.    Communication

15.1.    In case of any questions and uncertainties, the data subject may contact the Controller - in person at its office at Zamocka 38, 811 01 Bratislava; in presence at the hotel; or via the personal data protection officer: legal@mogotel.com or dpo@mogotel.com.
15.2.    The Controller shall contact the data subject by using the contact information (phone number, e-mail address, correspondence address) specified by the data subject.

Data subject shall be entitled to submit a complaint concerning our processing of your personal data with the competent data protection authority: 

Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 4826/12, 820 07 Ružinov, Slovakia, tel.: +421 2/323 132 14, e-mail: statny.dozor@pdp.gov.sk

https://dataprotection.gov.sk/uoou/.

The Controller shall be entitled to regularly improve or supplement the privacy policy. 

The Controller shall inform the data subject of any changes by publishing the updated version of the privacy policy on the website https://ibisbratislavacentrum.com/