LEGAL FRAMEWORK FOR PERSONAL DATA PROCESSING

The valid legal regulation, i.e. Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendment to Certain Acts, as amended, and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which has come into effect on 25 May 2018 (hereafter the "GDPR"), impose upon us a number of obligations concerning the protection of personal data.

The below defined policy of personal data processing by:
Lázně Františkovy Lázně a.s., ID No.:46887121, Jiráskova 23/3, 351 01 Františkovy Lázně,
Františkovy Lázně IMPERIAL a.s., Dr. Pohoreckého 151/3, 351 01 Františkovy Lázně,
Františkovy Lázně AQUAFORUM a.s., ID No.: 10989391, 5. května 106/9, 351 01 Františkovy Lázně, and
AQUAFORUM s.r.o., ID No.: 03512452, 5. května 469/19, 351 01 Františkovy Lázně;
provides information on what personal data we process about you as joint controllers in connection with the sale and provision of spa therapeutic and rehabilitation services, accommodation services, visits to our website, reservations of stays in our e-shop and when contacting current and potential customers, for what purposes and for how long we process the personal data in compliance with the valid legal regulations, to whom and based on what grounds we may (or are obligated to) provide the personal data, as well as informs you of the rights that you have in relation to the processing of your personal data.

JOINT CONTROLLERS AND DATA PROTECTION OFFICER

We have determined the joint purposes and means of the processing of personal data by the joint controllers and we have defined among us by way of transparent agreements our shares in the liability arising from the fulfilment of the obligations laid down by the GDPR as specified hereinabove. We actively focus on the issue of personal data processing and we strive to monitor current developments in the area of information security, national and EU legislation in order to correctly implement any and all requirements stipulated by the regulatory framework for personal data protection.

In accordance with the GDPR, each of the above named controllers has an appointed data protection officer (hereafter "Data Protection Officer") who ensure the exercise of your rights pertaining to personal data protection, monitor the compliance of activities with the GDPR requirements and who have adequate competences to influence the adjustment of new and current processes for the sake of the maximum protection of your personal data.

CATEGORIES OF PROCESSED PERSONAL DATA

According to the GDPR, personal data mean any information relating to a directly or indirectly identifiable person. We process personal data manually, as well as by automated means, whereas we have set clear rules for the individual methods of personal data processing and, with the use of internal regulations, we also keep records of any and all activities involving personal data processing. In connection with the sale and provision of services, the following categories of personal data may be processed on our part.

Basic personal identification data and other data generated during a spa stay:
Data contained in the registration card which you complete during registration (CHECK-IN) at the hotel reception:
Name and surname, date of birth, address of permanent residence, contact telephone and e-mail, vehicle registration plate (if you use the hotel parking), and your signature.
As regards foreigners, additional information required by law for reporting the stay of foreign nationals (citizenship, travel passport number and/or visa number).
Service requirements and preferences in relation to a specific stay (e.g. preferred room type or other offered complementary services). You provide this information to us when booking your stay and it is stored only in our supportive information system.
Data contained in the spa treatment recommendation, including the following in addition to the contact information specified above:
Personal insurance number, information on your health insurance company, the type of treatment covered by your health insurance company, recommending physician, specialist physician, if provided, as well as information on indications, diagnosis, mobility, and recommendation urgency.
Compulsory data recorded in connection with the provision of healthcare services (medical records):
Identification data (name, surname, date of birth, personal identification number, public health insurance personal insurance number, if different from the patient's personal identification number, address or permanent residence), gender, information on the health condition, on the progress and the result of provided health services, data acquired from family, personal or employment history, as well as other important circumstances associated with the health condition and the process of provision of health services.
Data on completed spa stays – data on healthcare procedures provided to you in our facilities, as well as other data required by health insurance companies in case of spa therapeutic and rehabilitation care services covered from health insurance.
In case of self-payers, also data on the payment of their stay (account number and/or payment card type and transaction authorisation code).
Data on the health insurance company in relation to special offers for clients of Czech health insurance companies.

Loyalty programmes / clubs:
In order to be able to inform you about news, discounts and other loyalty programme/club membership benefits, spa stay and treatment programme offers, you grant us your consent to process your personal data provided by you in the loyalty programme/club membership application. The loyalty programme/club membership application contains the following personal data: name and surname, date of birth, address of residence, contact telephone, and e-mail address. Along with these data, we also process information on the utilised benefits in the form of loyalty points, which are retrieved by automated means when using our services. The details and the rules applicable to each loyalty programme/club are always stipulated in the specific terms and conditions, with which we shall familiarise you in the event of your interest in membership prior to your registration.

CCTV systems:
A CCTV system is operated on selected premises solely for the purpose of security surveillance in relation to the protection of property and/or the protection of legitimate interests. The CCTV systems are operated in real-time and no video recordings are stored. The locations where the CCTV systems are operated are duly and visibly marked at the entry to the premises under surveillance.

Processing cookies from our website:
When you visit our website, also in situations when you do not create a reservation, we may process information on your behaviour on our website in the form of small text files known as cookies for the purpose of improving the operation of our website, as well as for the purpose of internet advertising. In their default setting, most browsers automatically accept cookies. This means that you can reject cookies or allow only some cookies in your browser settings. If you create a reservation, our system registers the device and the website on which the reservation was made.

Data from communication between us and the customer:
On our website, we use online communication services between the user and our operators for the purpose of booking a stay at a spa hotel. This category also includes other data generated in connection with the communication between us and the customer in written or electronic form, telephone call recordings, and other online communication means (chats or video chats) used by the customer line personnel.

Booking portals of third-party operators:
We cooperate with several booking portal operators on the basis of a contractual relationship (e.g. Booking.com, Sanatoriums.com, rezervaceubytovani.cz, spabooking.cz, etc.). In such cases, you provide your personal data primarily to these operators. We process the personal data provided in this manner only for the purpose of processing your inquiry.

Agents arranging stays (travel agents):
We likewise cooperate, on the basis of a contractual relationship, with agents arranging stays for foreign and domestic clients. Also to these agents, you provide your personal data, which we process solely for the purpose of the provision of our services and the subsequent billing of your stay.

PURPOSES, LEGAL GROUNDS AND DURATION OF THE PROCESSING OF PERSONAL DATA

Data contained in the spa treatment recommendation and data entered in the registration card along with data on the payment of the stay are processed by us based on a legal relationship between you (or your health insurance company) and our company. The subject of this legal relationship is the provision of spa therapeutic and rehabilitation care, as well as associated services (accommodation, boarding, etc.). The purpose of such processing is the provision of the indicated services. We receive the spa treatment recommendation from your health insurance company.
Accordingly, data on your completed spa stays are processed by us on the same legal basis. In the case of spa therapeutic and rehabilitation care services covered by health insurance (comprehensive or contributory spa care), we are additionally obligated to provide data on healthcare procedures provided to you in our facilities, as well as other data required by health insurance companies, and to allow their review by them.
For the purpose of providing spa therapeutic and rehabilitation care, as well as associated services, we process data on the provided care for a period corresponding to the duration of your treatment stay at our spa and after its completion, for a period, during which the health insurance company is authorised to review the provided reimbursed services and their statements in accordance with the generally binding legal regulations. Similarly, in the case of contributory spa care or self-paid spa care, we process data on the provided care for a period, during which the self-payer is entitled to dispute the provided care.
Pursuant to the conditions set forth by Act No. 372/2011 Coll., on Health Services, and the applicable implementing regulation, we keep medical records in documentary and electronic form, which are protected from access or other disposal by unauthorised persons, as well as loss. Medical records in documentary and electronic form are stored by us in compliance with the Decree of the Ministry of Health No. 98/1992 Coll., namely for a period of 10 years from the completion of spa therapeutic and rehabilitation care.
As regards foreigners, we only process data necessary for the purpose of reporting the stay of foreign nationals based on our obligation imposed by Act No. 326/1999 Coll., on the Residence of Foreign Nationals in the Czech Republic and on Amendment to Certain Acts, as amended. We carry out such processing solely for the purpose of fulfilling the above indicated obligation, which includes the transfer of data contained in the registration card to the Foreign Police.
If you grant us your consent to process your contact data and data on your stays at our facilities, we process such data based on your consent (we proceed accordingly in the case of your membership in our loyalty programmes/clubs). The purpose of the processing is to allow us to inform you (as joint controllers or independently) about our spa stays and treatment programmes, as well as of other special or joint campaigns. Personal data provided when registering in the loyalty programme/club along with information on the utilised benefits in the form of loyalty points processed by automated means are stored by us only for the duration of your membership in the loyalty programme/club.
Telephone call recordings are stored for a period of 30 days, after the expiry of which they are automatically deleted. Recordings of other online communication means (chats or video chats) used by the customer line personnel are not stored.
Accounting and tax documents used for the billing of provided care/stays also contain certain personal data (client's name and surname, type of provided service, date of issue of document, as well as personal insurance numbers in case of reports for health insurance companies). We keep these documents for a period of 10 years from their issue in accordance with Section 35 of Act No. 235/2004 Coll., on Value Added Tax.

General duration of personal data processing:
With respect to the data that we process with your explicit consent, we always carefully consider and select, depending on the nature of the concrete purpose, a reasonable period of validity of your consent to the processing of personal data, which shall never exceed 10 years. You may withdraw your consent to the processing of personal data at any time by simply following the procedure set forth in Article VII –Information on the rights related to personal data processing.

DISCLOSURE AND TRANSFER OF PERSONAL DATA

We disclose your personal data exclusively to the relevant health insurance company for the purpose of their review as imposed upon health insurance companies by the generally binding legal regulations (Act No. 48/1997 Coll., on Public Health Insurance and on Amendments to Some Related Acts, as amended). If you are paying for the provided care as a self-payer, we do not disclose your personal data to anyone.
As regards foreigners, we are obligated to provide to the Foreign Police personal data contained in the registration card, namely in the form of a data set transferred by remote access via the Internet (Ubyport application).
We may also transfer your personal data to third parties who secure support activities for us – consignment mailing, debt collection, legal services. These third parties are in the position of a data processor and we transfer to them only personal data that are necessary for the particular purpose (consignment mailing, debt collection, or legal services) and pertain to clients whom the concrete support activity concerns. We carefully select the data processors who secure the above indicated activities and with each of them, we conclude an agreement on personal data processing, which imposes strict obligations upon the data processor in connection with the protection and security of personal data.
We continuously alter and add data processors and with a view to such updates or changes, we are ready, upon your written or e-mail inquiry, to provide you with a list of the current entities to whom we may conceivably transfer your personal data as specified above.

SENDING OF COMMERCIAL COMMUNICATION

Commercial communications, which we send to you solely based on your explicit consent to the processing of personal data for marketing and business purposes, are clearly and visibly designated by the abbreviation "CC" in accordance with the requirements of Act No. 480/2004 Coll., on Certain Information Society Services, and it is thus evident that the sent communication is commercial communication.
Commercial communications clearly indicate that we are their sender and they contain contact (or a link) in the end allowing you to opt out from their sending. We send commercial communications only until such time when you express your disagreement therewith.

INFORMATION ON THE RIGHTS RELATED TO PERSONAL DATA PROCESSING
Pursuant to the valid legal regulation governing the protection of personal data you have the following rights and in the event of their exercise, we verify the legitimacy of requests, which we subsequently accord without undue delay, however, no later than within the time periods set forth by the GDPR. To ensure the swift processing of your request, we recommend using the structured electronic form available on our website.

Right to withdraw consent to the processing of personal data:
In accordance with Article 7 of the GDPR, you may withdraw your consent to the processing of personal data for marketing and business purposes at any time. The withdrawal of consent shall not affect the lawfulness of processing based on the consent granted by you to us before its withdrawal. You should withdraw your consent by way of an explicit, intelligible and sufficiently concrete request sent to the address of the Data Protection Officer.

Right to access personal data:
In accordance with Article 15 of the GDPR, you have the right to access your personal data that we process in your case. The right includes obtaining the following from us, in particular:
Confirmation as to whether or not personal data concerning you are being processed, information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be processed, the existence of the right to request from us rectification or erasure of personal data or restriction of their processing, or to object to such processing, the right to lodge a complaint with a supervisory authority, where the personal data are not collected directly from you, any available information as to their source, the existence of automated decision-making, including profiling, or the appropriate safeguards where personal data are transferred outside the EU,
The right to obtain a copy of personal data provided that the same shall not adversely affect the rights and freedoms of others.

You should exercise your right to receive the confirmation on the processing of personal data along with your right to obtain a copy of your personal data by way of a written request sent to the address of the Data Protection Officer.
We would like to advise you that in case of repeated requests for copies of personal data, we may charge a reasonable fee based on administrative costs under the GDPR.

Right to rectification of personal data:
In accordance with Article 16 of the GDPR, you have the right to the rectification of your personal data if they are in any way incorrect or inaccurate. You should send your request for the rectification of your personal data to the address of the Data Protection Officer.

Right to erasure ("right to be forgotten"):
In accordance with Article 17 of the GDPR, you have the right to the erasure of personal data that we process about you, if we do not demonstrate legitimate grounds for their processing. We have set mechanisms with respect to our internal regulatory documentation, internal processes, and subsidiary information systems to secure the automatic anonymisation or erasure of personal data in situations when they are no longer necessary in relation to the purposes for which they were collected or processed.
Should you deem that we have not erased your personal data and we continue to process them unlawfully, you may request their erasure at the below indicated address of the Data Protection Officer.

Right to restriction of processing:
In accordance with Article 18 of the GDPR, you have the right to the restricted processing of your personal data pending the resolution of your request, when you contest the accuracy of your personal data, dispute the grounds for their processing or when you object to their processing pursuant to Article 21 of the GDPR.
You should send your request for the restriction of processing of your personal data to the address of the Data Protection Officer.

Notification obligation regarding rectification or erasure or restriction of processing:
If, upon your request, your personal data are rectified or erased, we shall notify individual recipients in accordance with Article 19 of the GDPR. This does not apply in cases where such notification proves impossible or involves disproportionate effort. We may also provide information to you about these recipients if you request the same. You should send your request for the provision of information on the recipients of your personal data to the address of the Data Protection Officer.

Right to personal data portability:
In accordance with Article 20 of the GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to request us to transmit these data to another controller.
When the personal data provided by you are processed by automated means, we shall, upon agreement, secure their transfer in a structured, commonly used and machine-readable format. Where technically feasible, we may transfer your personal data directly to a controller as designated by you.
You may send your request to the below indicated address of the Data Protection Officer and your request shall be accorded subject to the demonstration of the request legitimacy, and if the personal data are transferred to another controller, subject to the authorisation of the person acting for and on behalf of the relevant controller to whom the personal data are to be transferred.

Right to object:
In accordance with Article 21 of the GDPR, you have the right to object to the processing in order to examine whether obligations imposed upon us by the applicable legal regulation have been violated. You should file your objection in writing (in documentary or electronic form) at the below indicated address of the Data Protection Officer.

If we fail to demonstrate compelling legitimate grounds for the processing, which override your interests or rights and freedoms, we shall discontinue any such processing without undue delay.

Automated individual decision-making, including profiling:
In accordance with Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We represent that when processing the above specified categories of personal data, we do not perform any automated decision-making, including profiling.

Right to lodge a complaint with a supervisory authority:
In addition to the above, you have the right to lodge a complaint with a supervisory authority, which is the Office for Personal Data Protection, with its seat at Pplk. Sochora 27, 170 00 Praha 7 (www.uoou.cz).

DATA PROTECTION OFFICER CONTACT INFORMATION

If you have any comments to this policy or you wish to exercise your rights related to the processing of your personal data, you may contact us in written or electronic form at any of the contacts indicated below. The Data Protection Officers of the individual controllers closely cooperate with each other and in case of a mistake, your request will always reach the right hands:
Lázně Františkovy Lázně a.s., Data Protection Officer, Jiráskova 23/3, 351 01 Františkovy Lázně, e-mail: dpo@frantiskovylazne.cz,
Františkovy Lázně IMPERIAL a.s., Data Protection Officer, Dr. Pohoreckého 151/3, 351 01 Františkovy Lázně, e-mail: dpo@imperialfrantiskovylazne.cz,
Františkovy Lázně AQUAFORUM a.s., Data Protection Officer, 5. května 106/9, 351 01 Františkovy Lázně, e-mail: dpo@pawlik-aquaforum.cz,
AQUAFORUM s.r.o., Data Protection Officer, 5. května 469/19, 351 01 Františkovy Lázně, e-mail: dpo@pawlik-aquaforum.cz