- Principles of personal data processing
PALK, a. s. with registered office at Prostredná 49/13, 900 21 Svätý Jur, ID No.: 46 818 481 (hereinafter referred to as the “Controller”) in accordance with Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Acts (hereinafter referred to as the “Act”) has developed security measures that are regularly updated. They define the scope and method of security measures necessary to eliminate and minimise threats and risks acting on the information system in order to:
– ensure the availability, integrity and reliability of management systems using the latest information technologies;
– protect personal data from loss, damage, theft, modification and destruction, and preserve their confidentiality;
– identify and prevent potential problems and sources of intrusion.
Contact person responsible (Data Protection Officer): dpo@www.kastielpalffy.sk
- Privacy Policy
Your personal data will be stored securely, in accordance with the Data Retention Policy and only for as long as necessary to fulfil the purpose of the processing. Only persons authorised by the controller to process the personal data and who process the personal data on the basis of the controller’s instructions will have access to the personal data. Your personal data will be backed up in accordance with the retention policy of the controller. The personal data stored on backup storage sites is used to prevent security incidents that could arise, in particular, through a breach of security or damage to the integrity of the processed data.
- Definitions
3.1. ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
3.2. ‘processing’ means an operation or set of operations concerning personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, whether or not carried out by automated or non-automated means;
3.3. ‘restriction of processing’ means the marking of personal data stored in order to restrict their processing in the future;
3.4. ‘profiling’ means any form of automated processing of personal data which consists of using those personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of the natural person concerned relating to job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements;
3.5. ‘information system’ means any organised collection of personal data which is accessible according to specified criteria, whether the system is centralised, decentralised or distributed on a functional or geographical basis;
3.6. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and the means of such processing are laid down in Union law or in the law of a Member State, the controller or the specific criteria for its determination may be determined in Union law or in the law of a Member State;
3.7. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
3.8. ‘third party’ means a natural or legal person, a public authority, an agency or an entity other than the data subject, the controller, the processor and persons who are entrusted with the processing of personal data on the direct authority of the controller or processor;
3.9. ‘data subject consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she consents, by means of a statement or an unambiguous confirmatory act, to the processing of personal data concerning him or her;
3.10. ‘personal data breach’ means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;
3.11. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there has been an infringement of this Regulation or whether the envisaged measure in relation to the controller or processor complies with this Regulation, which must clearly demonstrate the seriousness of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union.
- Purposes of the processing of personal data
4.1. Performance of a contract to which the data subject is a party or to take pre-contractual measures at the request of the data subject
The personal data we process about our customers are processed on the basis of a contract within the meaning of Article 6(1)(b) and Article 6(1)(c) of the Regulation within the meaning of Act No. 404/2011 Coll. on the movement of foreigners and on amending and supplementing certain acts. Scope of personal data processed: title, first name, surname, address, country, date and place of birth, payment card number and its expiry date, identity document number, telephone, e-mail, purpose of residence. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.2. Accommodation booking
The personal data we process about our customers is processed on the basis of a contract within the meaning of Article 6(1)(b) of the Regulation. Scope of personal data processed: title, first name, last name, telephone, email, date and time of booking, IP address. Subsequently, they are stored for 10 years in accordance with Act No. 395/2002 Coll. on archives and registers.
4.3. Booking services
The personal data we process about our customers is processed on the basis of a contract within the meaning of Article 6(1)(b) of the Regulation. Scope of the personal data processed: title, first name, last name, telephone, email, date and time of booking. They are subsequently stored for a period of 1 year.
4.4. Order of goods/services (e-shop) → Purchase contract
The personal data we process about our customers is processed on the basis of a contract within the meaning of Article 6(1)(b) of the Regulation. Scope of the personal data processed: title, name, surname, address, country, telephone, e-mail. They are subsequently stored for a period of 10 years.
4.5. Processing of accounting documents
The processing is necessary for compliance with the legal obligation of the controller under Article 6(1)(c) of the Regulation. Scope of the personal data processed: title, name, surname, address, telephone, account number, e-mail and signature. They are subsequently stored in accordance with Act No 395/2002 Coll. on archives and registers.
4.6. Complaints
In the case of complaints, personal data is processed in accordance with Article 6(1)(c) of the Regulation. Scope of personal data processed: title, first name, surname, address, telephone, e-mail. They are subsequently stored in accordance with Act No 395/2002 Coll. on archives and registers.
4.7. Debt recovery
In the case of debt recovery, personal data are processed within the meaning of Article 6(1)(c) of the Regulation. Scope of the personal data processed: name, surname, birth number, address, telephone, e-mail. They are subsequently stored in accordance with Act No 395/2002 Coll. on archives and registers.
4.8. Executions
The processing of personal data is necessary for compliance with a legal obligation of the controller within the meaning of Article 6(1)(c) of the Regulation. Scope of the personal data processed: routine personal data, other personal data discovered or provided in the course of the proceedings. They are subsequently stored in accordance with Act No 395/2002 Coll. on archives and registers.
4.9. Records of job applicants
The processing of personal data of job applicants is carried out on the basis of “Consent” to the processing of personal data within the meaning of Article 6(1)(a) of the Regulation, which is provided by the applicant. Only successful applicants will be contacted by the controller. The personal data will be processed for a period of 3 years from the date of consent. Personal data will not be transferred to a third country. Personal data will not be used for automated individual decision-making, including profiling. You have the right to withdraw your consent to the processing of your personal data at any time before the expiry of the above-mentioned period by sending a request to the following email address: dpo@kastelpalffy.sk or by sending a request to the address of the Data Controller with the text “GDPR withdrawal of consent” on the envelope. The Controller declares that in the event of a written request from the data subject to terminate the processing of personal data before the aforementioned period, the personal data will be erased within 30 days of receipt of the withdrawal of consent.
4.10. Newsletter
If you wish, you can subscribe to our newsletter, which is located on our website www.kastielpalffy.sk. Personal data will only be processed for the purpose of sending newsletter messages to the e-mail address you have provided. By subscribing to the newsletter you agree to the processing of your personal data. Personal data is processed within the meaning of Article 6(1)(a) of the Regulation. Your e-mail address will be processed until you unsubscribe. You can unsubscribe by clicking on the “unsubscribe” link provided in each newsletter message you receive from us. After unsubscribing, you will no longer receive any newsletter messages from us. Scope of personal data processed: email address. Personal data are processed by a common controller:
– PALK, a. s., Prostredná 49/13, 900 21 Svätý Jur, ID No. 46 818 481
– ViaJur, s. r. o., Prostredná 49/13, 900 21 Svätý Jur, ID No. 46 972 137
4.11. Monitoring of premises for the purpose of property protection
A camera information system is installed on our premises, which monitors the external and internal premises of the controller for the purpose of property protection in accordance with the legitimate interest of the controller in accordance with Article 6(1)(f) of the Regulation. The CCTV footage shall not be disclosed to third parties. It shall only be made available to authorised persons of the controller and to IT specialists who carry out maintenance on the system. Personal data collected by the CCTV system shall be used for the protection of property and for the taking of evidence in administrative proceedings in cases where personal data collected by the CCTV system are used as evidence in an ongoing administrative procedure. If the recording made is not used for the purposes of criminal or offence proceedings, the recording shall be automatically destroyed, by programming, within a period of 7 days from the day following the day on which the recording was made.
4.12. Records of representatives of suppliers and customers
The processing of personal data of suppliers and customers is carried out in accordance with the legitimate interests of the controller, in accordance with Article 6(1)(f) of the Regulation. Scope of the personal data processed: title, first name, surname, job title, job classification, job function, employee’s personal number, department, place of work, telephone number, fax number, workplace e-mail address and employer’s identification data. They are subsequently retained for 10 years after the end of the contract or business relationship.
- Rights of the data subject
5.1. Right to withdraw consent – where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. You can withdraw consent electronically, by writing to the person in charge, by notice of withdrawal of consent or in person at our registered office. Withdrawal of consent does not affect the lawfulness of the processing of personal data we have processed about you on the basis of that consent.
5.2. Right of access – you have the right to be provided with a copy of the personal data we hold about you, as well as information about how we use your personal data. In most cases, your personal data will be provided to you in written paper form unless you request a different method of disclosure. If you have requested this information by electronic means, it will be provided to you electronically where technically possible.
5.3. Right to rectification – we take reasonable steps to ensure that the information we hold about you is accurate, complete and up to date. If you believe that the information we hold is inaccurate, incomplete or out of date, please do not hesitate to ask us to correct, update or complete the information.
5.4. Right to erasure (to be forgotten) – you have the right to ask us to erase your personal data, for example, if the personal data we have collected about you is no longer necessary for the fulfilment of the original purpose of the processing. However, your right must be considered in light of all the relevant circumstances. For example, we may have certain legal and regulatory obligations which mean that we may not be able to comply with your request.
5.5. Right to restriction of processing – in certain circumstances you are entitled to ask us to stop using your personal data. These include, for example, where you believe that the personal data we hold about you may be inaccurate or where you believe that we no longer need to use your personal data.
5.6. Right to data portability – in certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice. However, the right to portability only applies to personal data that we have obtained from you on the basis of consent or on the basis of a contract to which you are a party.
5.7. Right to object – you have the right to object to processing based on our legitimate interests. If we do not have a compelling legitimate ground for processing and you object, we will no longer process your personal data. If you believe that any personal data we hold about you is incorrect or incomplete then please contact us. If you wish to object to the way in which we process your personal data, please contact our Data Protection Officer by email at dpo@www.kastielpalffy.sk or in writing to PALK, a. s., Prostredná 49/13, 900 21 Svätý Jur. Our person in charge will review your objection and will work with you to resolve the matter.