Privacy Policy
1. Principles of Personal Data Processing
SERIO s.r.o., registered office Nad Medzou B-16, 052 01 Spišská Nová Ves, Company ID: 46696822 (hereinafter the “Controller”), in accordance with Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Supplements to Certain Acts (hereinafter the “Act”), has implemented security measures that are regularly updated. These measures define the scope and method of security measures necessary to eliminate and minimize threats and risks affecting the information system, with the aim of ensuring:
– availability, integrity, and reliability of management systems using state-of-the-art information technology,
– protection of personal data against loss, damage, theft, modification, destruction, and maintaining their confidentiality,
– identification of potential problems and sources of disruption and prevention thereof.
Contact for the Data Protection Officer: info@vsrdcitatier.sk
2. Principles of Personal Data Protection
Your personal data will be stored securely, in accordance with the data retention policy, and only for as long as necessary to fulfill the purpose of processing. Access to personal data is limited exclusively to the Controller. Your personal data will be backed up in accordance with the Controller’s retention rules. Personal data stored on backup media serve to prevent security incidents, particularly those that could arise from breaches of security or damage to the integrity of processed data.
3. Definitions
3.1. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
3.2. “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
3.3. “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
3.4. “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
3.5. “pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
3.6. “information system” means any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
3.7. “controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
3.8. “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
3.9. “third party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
3.10. “data subject’s consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3.11. “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
3.12. “cross-border processing” means either:
a) processing of personal data which takes place in the Union in the context of the activities of establishments of a controller or a processor in more than one Member State, where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the Union in the context of the activities of a single establishment of a controller or processor but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
3.13. “relevant and reasoned objection” means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
3.14. “information society service” means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535.
4. Purposes of Personal Data Processing
4.1. Performance of a contract with the data subject or taking steps at the request of the data subject prior to entering into a contract
We process our clients’ personal data based on a contract under Article 6(1)(b) and Article 6(1)(c) of the Regulation, in accordance with Act No. 404/2011 Coll. on the Residence of Foreigners.
Scope of processed personal data: title, first name, surname, address, country, date and place of birth, payment card number and expiration date, ID document number, phone number, email address, purpose of stay. Subsequently, the data are stored in accordance with Act No. 395/2002 Coll. on Archives and Registries.
4.2. Accommodation reservation
We process personal data of our clients based on a contract under Article 6(1)(b) of the Regulation.
Scope of processed personal data: title, first name, surname, phone number, email address, date and time of reservation, IP address. Subsequently, the data are stored for 10 years in accordance with Act No. 395/2002 Coll.
4.3. Service reservations
We process personal data of our clients based on a contract under Article 6(1)(b) of the Regulation.
Scope of processed personal data: title, first name, surname, phone number, email address, date and time of reservation. Subsequently, the data are stored for 1 year.
4.4. Product/service orders (e-shop) → purchase contract
We process personal data of our customers based on a contract under Article 6(1)(b) of the Regulation.
Scope of processed personal data: title, first name, surname, phone number, email address. Subsequently, the data are stored in accordance with Act No. 395/2002 Coll.
4.5. Newsletter
If you wish, you may subscribe to our newsletter available on our website www.vsrdcitatier.sk.
Personal data will be processed solely for the purpose of sending the newsletter to the email address you provide. By subscribing, you agree to the processing of personal data.
Personal data are processed under Article 6(1)(a) of the Regulation. Your email address will be processed until you unsubscribe. You may unsubscribe by clicking the “unsubscribe” link included in every newsletter. After unsubscribing, you will no longer receive any newsletters.
Scope of processed personal data: email address.
4.6. Processing of accounting documents
Processing is necessary to fulfill a legal obligation of the Controller under Article 6(1)(c) of the Regulation.
Scope of processed personal data: title, first name, surname, address, date of birth, type and number of ID document, bank account number, signature. Subsequently, the data are stored in accordance with Act No. 395/2002 Coll.
4.7. Monitoring of premises for the purpose of property protection
Monitoring of premises is carried out based on the legitimate interest of the Controller under Article 6(1)(f) of the Regulation.
Recordings from monitored premises are stored for 7 days.
4.8. Complaints
In the case of complaints, personal data are processed under Article 6(1)(c) of the Regulation.
Scope of processed personal data: title, first name, surname, address, phone number, email address. Subsequently, the data are stored in accordance with Act No. 395/2002 Coll.
4.9. Debt recovery
In the case of debt recovery, personal data are processed under Article 6(1)(c) of the Regulation.
Scope of processed personal data: title, first name, surname, address, phone number, email address. Subsequently, the data are stored in accordance with Act No. 395/2002 Coll.
4.10. Enforcement proceedings
Processing of personal data is necessary to fulfill a legal obligation of the Controller under Article 6(1)(c) of the Regulation.
Scope of processed personal data: title, first name, surname, personal identification number, address. Subsequently, the data are stored in accordance with Act No. 395/2002 Coll.
4.11. Records of supplier and customer representatives
Processing of personal data of suppliers and customers is carried out on the basis of the legitimate interest of the Controller under Article 6(1)(f) of the Regulation.
Scope of processed personal data: title, first name, surname, job position, service position, function, employee ID number, department, place of work, phone number, fax number, work email address, and employer identification details. Subsequently, the data are stored for 1 year after the purpose has ceased.
No transfer of personal data to third countries takes place.
Personal data will not be used for automated decision-making, including profiling.
Personal data are stored for a period of 12 months from the granting of consent. You have the right to withdraw your consent to the processing of personal data at any time before the end of this period by sending a request to info@vsrdcitatier.sk or by mail to the Controller’s address, indicating “GDPR consent withdrawal” on the envelope. The Controller declares that upon receipt of a written request for termination of processing before the end of the period, the data will be deleted within 30 days of receipt.
5. Rights of the Data Subject
5.1. Right to withdraw consent
Where your personal data are processed based on your consent, you have the right to withdraw that consent at any time. Consent may be withdrawn electronically at the address of the Data Protection Officer, in writing by submitting a statement of withdrawal, or in person at our company’s registered office. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5.2. Right of access
You have the right to obtain a copy of the personal data we hold about you, as well as information about how your personal data are used. In most cases, your personal data will be provided in written form, unless you request a different form. If you requested these data electronically, they will be provided electronically where technically feasible.
5.3. Right to rectification
We take reasonable measures to ensure that the data we hold about you are accurate, complete, and up-to-date. If you believe that any data we hold are inaccurate, incomplete, or outdated, you are entitled to request that these data be corrected, updated, or completed.
5.4. Right to erasure (“right to be forgotten”)
You have the right to request the erasure of your personal data, for example where the personal data we have collected are no longer necessary for the purpose for which they were originally collected. Your right must, however, be assessed in light of all relevant circumstances, for example where we may have legal or regulatory obligations that mean we cannot comply with your request.
5.5. Right to restriction of processing
Under certain circumstances, you are entitled to request that we stop using your personal data. This applies, for example, where you believe the personal data we hold about you may be inaccurate, or where you believe we no longer need to process your personal data.
5.6. Right to data portability
Under certain circumstances, you have the right to request that we transfer the personal data you have provided to us to another third party of your choice. The right to data portability applies only to personal data that we obtained from you based on your consent or under a contract to which you are a party.
5.7. Right to object
You have the right to object to processing based on our legitimate interests. If we do not have a compelling legitimate ground for processing and you object, we will no longer process your personal data.
If you believe that any personal data we hold about you are incorrect or incomplete, please contact us.
If you wish to object to the way we process your personal data, contact our Data Protection Officer by email or in writing at the Controller’s address. The Data Protection Officer will review your objection and work with you to resolve the matter.
If you believe that your personal data are being processed unfairly or unlawfully, you have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27; Tel.: +421 2 3231 3214; Email: statny.dozor@pdp.gov.sk, Website: https://dataprotection.gov.sk
Spišská Nová Ves, 01/01/2021