Barbara Uher Hanková, ID 06010989, with registered office at náměstí Svobody 6, Frýdek-Místek 738 01, fully recognizes the importance of personal data protection in the information society. The ability to process personal data, including data necessary for individual identification, is crucial for the functioning of a wide range of business activities and forms a fundamental pillar for businesses working with new technologies. To ensure the smooth operation of all business activities of the company, we adhere to the relevant legislative requirements. These include, among other things, ensuring the protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. 04. 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or “GDPR”), as well as all implementing regulations adopted at the national level in the field of personal data protection.

This document contains basic information about the personal data we process in relation to our customers and website users, as well as information about what authorizes us to carry out such processing, to whom we may transfer personal data, and what rights our customers, as data subjects, have as a result.

1. What principles do we follow?

• We process personal data only in accordance with the law and based on one of the defined legal grounds for processing, which we elaborate on below.
• We process personal data only for the specified purposes of processing.
• We ensure the accuracy and timeliness of personal data processing.
• We adhere to the principle of data minimization, which means that we process only the personal data that is strictly necessary for the specified purposes of processing.
• We follow the principle of processing transparency and always provide our customers with complete information about the processing and their rights.
• We ensure appropriate security standards for the protection of the data we process to prevent their loss, destruction, or other unauthorized handling.
• If we no longer need personal data for any of the specified purposes, we ensure their immediate deletion in accordance with the law.

2. Personal Data We Process

If you decide to use our services, we will process the following categories of personal data:

2.1 IF YOU ARE A CITIZEN OF THE CZECH REPUBLIC AND THE PURPOSE OF YOUR STAY IS RECREATION:

1. Identification data, including your name and surname, identity card number, or passport number;
2. Contact details, including your email address, phone number, home address, and billing address;
3. Information related to your inquiries and requests, newsletter settings, and evaluations of the services provided;
4. Data about your orders, including details of the goods and services you have ordered from us, the method of their delivery and payment, including the payment account number, and any information about complaints;
5. Data about your behavior on the website, including information about the device you use to access the website, which services you viewed, how long you spent on the website, and data obtained from cookies and similar technologies;
6. Data obtained from using customer service, or data obtained after visiting the accommodation facility, including primarily recordings of telephone calls made through the customer service line and recordings from camera systems taken during the visit to the accommodation facility;
7. Information related to the use of specific services of the accommodation facility, including the use of parking spaces (in such cases, we also process the vehicle’s license plate number) and the rental of sports equipment (in such cases, we also require identification with an ID card or other identification document).

2.2 IF YOU ARE A CITIZEN OF THE CZECH REPUBLIC AND YOUR STAY IS DEMONSTRABLY FOR A PURPOSE OTHER THAN RECREATION:

1. Identification data, including your name and surname;
2. Contact details, including your email address, phone number, home address, and billing address;
3. Information related to your inquiries and requests, newsletter settings, and evaluations of the services provided;
4. Data about your orders, including details of the goods and services you have ordered from us, the method of their delivery and payment, including the payment account number, and any information about complaints;
5. Data about your behavior on the website, including information about the device you use to access the website, which services you viewed, how long you spent on the website, and data obtained from cookies and similar technologies;
6. Data obtained from using customer service, or data obtained after visiting the accommodation facility, including primarily recordings of telephone calls made through the customer service line and recordings from camera systems taken during the visit to the accommodation facility;
7. Information related to the use of specific services of the accommodation facility, including the use of parking spaces (in such cases, we also process the vehicle’s license plate number) and the rental of sports equipment (in such cases, we also require identification with an ID card or other identification document).

2.3 IF YOU ARE A FOREIGN NATIONAL:

1. Identification data, including your name and surname, date of birth, nationality, and identification card or passport number;
2. Kontaktní údaje, mezi které patří Vaše e-mailová adresa, telefonní číslo, adresa bydliště a fakturační adresa;
3. Information regarding your inquiries and requests, newsletter settings, and service evaluations;
4. Details about your orders, including information about the goods and services you have ordered from us, the method of their fulfillment and payment, including payment account numbers, and any complaints;
5. Information about your behavior on the website, including details about the device you use to access the website, which services you have viewed, the duration of your visit, and data obtained from cookies and similar technologies;
6. Information obtained from using customer service, or data collected after visiting the accommodation facility, including recordings of phone calls made through the customer service line and camera system recordings taken during your visit to the accommodation facility;
7. Information related to the use of specific services at the accommodation facility, including the use of parking spaces (in such cases, we also process the vehicle’s license plate number), and the rental of sports equipment (in such cases, we also require identification with a national ID or other identification document).

3. On what basis do we process personal data?

As part of our activities, we process personal data for various purposes and to different extents either:

1. without your consent, based on the legal grounds of contract performance, our legitimate interest, or due to the fulfillment of a legal obligation, or
2. based on your consent.

3.1 VISIT OF THE WEBSITE BY THE USER

When you visit our website, we process data about your activity on the website based on our legitimate interest (i.e., without your consent) for the purpose of:

• creating statistics on website traffic, including individual pages and overviews; our legitimate interest here is to determine the effectiveness of our website and its optimization;
• evaluating information based on which we can improve the website, with our legitimate interest being to enhance functionality for customers and provide higher quality services;
• preventing attacks on the website and ensuring data security; our legitimate interest here is the smooth functioning of the website and the security of data transmitted by users.

For these purposes, we process personal data for the time necessary to record the website traffic statistics, but no longer than 1 month.

You have the right to object to processing carried out based on legitimate interest.

3.2 CREATING AN ORDER

If you place an order with us, we carry out the following processing methods:

3.2.1 Contract Performance

If you place an order for services as an individual, we process your personal data for the purpose of preparing, concluding, and fulfilling the contract, including identification and contact details, as well as information about your orders.

If you place an order for services as a legal entity, we process the same data for the same purpose based on our legitimate interest, which involves concluding and fulfilling a contract with the entity you represent.

Preparing, concluding, and fulfilling contracts with our customers means that we need your data for the following reasons:

• to ensure the smooth completion of your order on the website;
• to carry out all necessary communication regarding this order;
• to ensure payment for this order, whether in cash or through partners who operate the payment system for us;
• to provide accommodation services at the facility and related services (e.g., swimming pool);
• to provide services related to your stay through partners who operate these services for us (e.g., sports and leisure activities);
• to handle complaints;
• to address all your related requests.

For this purpose, we process personal data for the duration necessary to fulfill the contract or handle related requests such as complaints. After this period, we further retain the data based on our legitimate interest for the purpose of protecting legal claims and our internal records and control, for the duration of the statute of limitations and 1 year thereafter, considering claims made at the end of the statute of limitations. In the event of the initiation of judicial, administrative, or other proceedings, we process personal data to the necessary extent for the entire duration of such proceedings and the remaining statute of limitations after its conclusion. Our legitimate interests here are the protection of legal claims and the control of proper provision of our services.

You have the right to object to processing carried out based on legitimate interest.

3.2.2 Fulfillment of Legal Obligations

The company also processes selected personal data to fulfill legal obligations imposed by law, for which it is not necessary to obtain the data subject’s consent. We process your identification and contact details, including information related to your requests and data about your orders, also for the purpose of fulfilling legal obligations according to the following regulations:

• Act No. 89/2012 Coll., the Civil Code,
• Act No. 634/1992 Coll., on Consumer Protection,
• Act No. 235/2004 Coll., on Value Added Tax,
• Act No. 563/1991 Coll., on Accounting.
• Act No. 326/1999 Coll., on the Residence of Foreign Nationals in the Territory of the Czech Republic,
• Act No. 565/1990 Coll., on Local Fees.

For these purposes, we use personal data for a maximum period of 10 years in accordance with the relevant tax regulations.

3.2.3 Legitimate Interest

If you are our regular customer, we may send you related offers of goods and services in accordance with applicable legislation based on our legitimate interest, which is the conduct of business activities. This does not change the fact that you always have the option to easily unsubscribe from these offers, either by contacting our customer service or directly using the unsubscribe link in the email.

For this purpose, we process personal data for the duration of your subscription to the newsletter.

You have the right to object to the processing based on legitimate interest.

3.3 CONSENTS TO PROCESSING

Selected types of processing are also carried out based on your consent. You may encounter these on our website in several situations, for example, if you wish to receive special offers and newsletters related to the company’s complete range of products, if you are interested in personalized advertising tailored to you, or its display on social networks or third-party websites.

In any case, giving consent is always voluntary, and we do not condition the functioning of our services on it. You can withdraw your consent at any time, depending on the type of processing to which the consent relates, as described below. If you have any questions, you can always contact our staff through the contacts listed in Section 8, Exercising Your Rights. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

• Sending Special Offers and Newsletters

If you are not our customer but still wish to receive the complete offer of our services, special promotions, and discounts, you have the option to subscribe to our newsletter by giving your consent on our website. This also applies if you are our regular customer and wish to receive information about the complete range of our products.

• Sharing Data and Displaying Personalized Advertising on Social and Advertising Networks

We improve our website using cookies, and the obtained information may be further shared with social and advertising networks for the purpose of targeting advertisements. You can refuse website customization and data sharing for advertising targeting by changing your browser settings (more information about the use of cookies can be found here). By continuing to use the website without changing your settings, you consent to the targeting of advertisements, for which we will use data about your behavior on the website.

3.4 PROCESSING OF PERSONAL DATA OF SERVICE RECIPIENTS

In the event that a service is ordered for a third party different from the customer, we process their personal data to the extent specified in Section 2, based on legitimate interest, for the purpose of preparing, concluding, and fulfilling the contract with our customer and also for the purpose of fulfilling legal obligations, particularly under Act No. 235/2004 Coll., on Value Added Tax, Act No. 563/1991 Coll., on Accounting, and Act No. 565/1990 Coll., on Local Fees.

For this purpose, we process personal data for the time necessary to fulfill the contract or to handle related requests such as complaints. After this period, we further retain the data based on our legitimate interest for the purpose of protecting legal claims and for our internal record-keeping and control, for the duration of the statute of limitations period and one year after its expiration with respect to claims made at the end of the statute of limitations period. In the event of the initiation of judicial, administrative, or other proceedings, we process your personal data to the necessary extent for the entire duration of such proceedings and for the remaining part of the statute of limitations period after their conclusion. Our legitimate interests here are the protection of legal claims and the control of proper provision of our services. For the purpose of fulfilling legal obligations, we retain personal data for a maximum period of 10 years in accordance with the relevant tax regulations.

Máte právo vznést námitku proti zpracování založenému na oprávněném zájmu.

3.5 COMMUNICATION WITH CUSTOMERS

When using the contact form or communicating with our customer service department, processing occurs without your consent based on the fulfillment of the contract (preparation of the contractual relationship), our legitimate interest in conducting business activities, and also the fulfillment of legal obligations. In this context, we process your identification and contact details, information related to your requests, and data about your orders. This is done for the purposes of:

• receiving and handling your requests;
• recording your requests and monitoring their fulfillment.

Personal data for this purpose is retained for the necessary period, which is the same as the retention period for fulfilling the contractual relationship (if the communication relates to a completed order, its complaint, etc.), or for 3 months from the submission of your request (if it is a request not related to an order).

You have the right to object to the processing based on legitimate interest.

3.6 VISITING THE COMPANY’S HEADQUARTERS, STORE, OR THEIR SURROUNDINGS

When visiting the accommodation facility or its surroundings, recordings from the camera system may be made in which you may be captured. This processing is carried out based on the company’s legitimate interest, for the purpose of protecting our property and the safety of individuals in and around the company’s premises.

Personal data for this purpose is retained for the necessary period, which is 14 days.

You have the right to object to the processing based on legitimate interest.

4. To whom do we disclose your personal data and who processes it?

All the mentioned personal data is processed by us as the controller. We determine and are responsible for all purposes of processing your personal data obtained through the website and the forms provided here, as well as through other communication tools (email or telephone communication).

For the processing of personal data, we also use the services of other processors who process personal data only according to our instructions and for the purposes set out here. These processors are:

• • providers of selected sports, relaxation, and leisure activities
  • providers and suppliers of technology and support, including website operation
  • providers of accounting software
  • providers of marketing support tools

• in the event that we receive your consent to display personalized advertisements on social networks or third-party websites, additionally:
  • operators of social networks (Facebook Ireland Limited, located at 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland);
  • providers of marketing tools Google AdWords, Google Analytics, and Google My Business (Google Ireland Limited, located at Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland).

5. Where do we obtain personal data from?

In most cases, we process personal data that you provide directly to us when ordering services or when communicating with us through the provided web forms or by directly contacting our employees. We may also obtain personal data from business partners operating online intermediary services in the field of tourism (www.booking.com, www.hrs.com) in accordance with the terms and conditions of the respective service. We may also obtain personal data directly from you by making a camera recording at the accommodation facility or its surroundings.

6. Transfer of Data Outside the EU

For the processing of personal data, we select and use suppliers who are established within the European Union. Therefore, your personal data is not transferred outside the EU.

7. We respect your rights in the processing of personal data. What are these rights?

In connection with the processing of personal data, the company respects the rights of customers as data subjects, including in particular the right of access to personal data, which includes the right to information about the processing of personal data, the right to rectification, the right to erasure (the “right to be forgotten”), the right to restrict processing, the right to data portability, the right to object to processing based on the legitimate interest of the data controller, and the right to lodge a complaint with a supervisory authority. Below, you will learn what these rights mean for you and how to exercise them.

• Right of Access

As a customer, you have the right to know, for example, what data we process about you, for how long, for what purpose, who the processors of your personal data are, or where the data comes from. You can also request a copy of this personal data, which we will provide to you free of charge after your identification. In the case of repeated requests, we will process these with a fee.

• Right to Rectification

If you believe that the data we process is inaccurate or incomplete, you have the right to have it corrected or supplemented.

• Right to Erasure

We conduct ongoing reviews of the purposes for which we process data and the retention periods. If the specified processing period expires, we will promptly delete the relevant data. If you believe that we should no longer process your data, you have the right to erasure if the following conditions are met:

• the personal data is no longer needed for any of the specified purposes;
• we processed your data based on consent that you, as a customer, have withdrawn, and we have no other legal basis for processing it;
• we process your data based on legitimate interest, to which you object, and we determine that we no longer have any overriding legitimate interests;
• the processing is no longer in accordance with legal regulations.

If the processing of personal data is still necessary for compliance with legal obligations or for the establishment, exercise, or defense of legal claims, the right to erasure does not apply.

• Right to Restrict Processing

After exercising your right to restrict processing, we will temporarily mark your personal data, which will cease to be processed for a limited period. This may occur under the following circumstances:

• as our customer, you contest the accuracy of your personal data, resulting in the restriction of processing for the period necessary to verify the accuracy of the data;
• in exceptional cases, we find that the processing of personal data occurs without a legal basis; however, as our customer, you prefer the restriction of processing over erasure (typically in situations where you plan to provide us with the data in the future);
• we no longer need the data for the specified processing purposes, but you as our customer require it for the establishment, exercise, or defense of your legal claims;
• you have objected to the processing, and the processing will be restricted for the period during which we verify whether our legitimate interests override yours.

• Right to Data Portability

We process some of your personal data based on the fulfillment of a contract and also based on your consent. Under these circumstances, GDPR grants you the right to data portability. If you submit a request related to this right, we will provide you with the data in a machine-readable, structured, and commonly used format.

• Right to Object to Processing

As the data controller, we carry out certain processing based on legitimate interest. You have the right to object to these types of processing. If the processing involves marketing activities, your personal data will cease to be processed immediately upon raising an objection. In other cases, we will assess whether our legitimate interests persist and will promptly inform you whether there are still reasons for continuing our processing or if the processing has been terminated.

• Right to Lodge a Complaint

Last but not least, the GDPR grants data subjects the right to lodge a complaint with a supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7. You can file a complaint there if you believe that we are processing your data unlawfully or in violation of legal regulations.

8. Exercising Your Rights

For exercising your rights related to the processing of personal data or for any questions you may have regarding our processing of personal data, please do not hesitate to contact us using the appropriate contact details provided below:

Customer Service Department:
Email: sierravillases@gmail.com

Data Protection Officer:
Email: sierravillases@gmail.com

We will handle all requests within the legal period of one month. In the case of more complex requests, we may extend this period by an additional two months. However, you will be promptly informed of this.