Information on the Purpose of Processing for which Personal Data is Intended
One of the principles of personal data processing is the principle of purpose limitation. According to this principle, personal data may only be collected for specific, explicitly stated, and legitimate purposes and must not be processed in a manner incompatible with those purposes.
The processing of personal data should be closely related to the purpose of processing, especially regarding the list or scope of personal data processed, which should be necessary to achieve the stated purpose. It is inappropriate to artificially or additionally expand the list or scope of personal data in light of the purpose. If the purpose and the list or scope of personal data are determined by law, it must be respected. If the list or scope of personal data is determined by the controller, they should ensure it is not unnecessarily extended beyond the purpose.
The Personal Data Protection Act imposes the obligation on the controller to provide the data subject with information on the purpose of processing their personal data, even when the personal data is not collected directly from the data subject. This information must be provided to the data subject no later than at the time of collection of their personal data, or within a reasonable time before that, in a clear and understandable manner, and in a way that the data subject can genuinely become familiar with and understand it.
Purposes of Personal Data Processing and Legal Basis
As a controller, we collect only the data necessary to provide full services related to relaxation stays or spa treatment procedures. The purposes and legal bases for personal data processing during operational steps are:
Data Processing for the Purpose of Creating and Accepting Orders/Reservations for Our Services from Your Side
The collection and processing of personal data through the order or reservation you make—electronically, in person, by phone, or in writing—takes place in accordance with Article 6(1)(b) of the General Data Protection Regulation (GDPR), where data processing is necessary for performing actions required by the data subject (you) before entering into a contractual relationship, i.e., during the pre-contractual phase.
Data Processing During the Provision of Our Services
The collection and processing of personal data during the provision of our services in the form of relaxation stays or spa treatments takes place under Article 6(1)(b) GDPR, where such processing is necessary for the performance of the contract to which you, as the client, are a party. Personal data within the scope of this contract is also processed for the purpose of mutual communication, fulfilling obligations, and exercising rights arising from this contractual relationship.
Data Processing for Receiving Updates via Newsletter
On our website, you have the option to register your email address if you wish to be promptly informed about our updates and current offers regarding our services. The collection and processing of personal data for this purpose are carried out based on your consent under Article 6(1)(a) GDPR. You may withdraw your consent at any time.
Contact Form or Other Inquiries
If you wish to contact us via the contact form, send a query regarding our services, share your opinion or evaluation, or address any other inquiry or problem, you can reach out to us, and we will gladly assist you. For this purpose, we will process your contact details under Article 6(1)(f) GDPR. Our legitimate interest is to assist our clients and address questions or requests from third parties. You have the right to object to such processing at any time.
List of Processed Personal Data
Depending on the specific purpose of processing, we process various categories of your personal data, including:
-
Creating and Receiving Orders/Reservations and Data Processing During Service Delivery:
Name and surname, residential or other correspondence address, phone number, email address, and possibly the names of other individuals using our services. -
Registration and Newsletter Subscription:
Name and surname, email address. -
Contact Form or Other Inquiries:
Name, email, message text, and in exceptional cases, phone number or other data provided in the message body.
Secure Internet Banking
When paying online via payment systems, you provide your details on secure bank websites. We do not handle your sensitive payment data; we only receive the success or failure result of the transaction.
Processors
The controller may, in certain cases, process personal data through processors in accordance with Article 28 GDPR. Processors process personal data on behalf of the controller. Processing through processors does not affect the exercise of the data subject’s rights. The controller uses only processors who provide appropriate technical, organizational, and other measures to ensure GDPR compliance and full protection of the data subject’s rights.
The controller uses the following categories of processors for personal data processing:
- Companies providing technical solutions, web hosting services, maintenance, and support for IT systems used by the controller.
Retention Period of Your Personal Data
Personal data processed based on Article 6(1)(b) GDPR—in connection with the controller's obligations towards clients and customers—will be processed for the fulfillment of legal obligations under tax and accounting regulations. For example, data retention of individual accounting records (orders and invoices) is required by Act No. 431/2002 Coll. on Accounting, and for demonstrating compliance with tax obligations under Act No. 595/2003 Coll. on Income Tax and Act No. 563/2009 Coll. on Tax Administration. These data must be retained for the duration specified by the respective legal provisions.
In compliance with the principle of data minimization under Article 5(1)(e) GDPR, personal data that is not subject to legal archiving will be deleted or anonymized after the retention period expires.
Personal data processed based on consent under Article 6(1)(a) GDPR—for purposes such as account creation or receiving marketing news—will be retained for 5 years or until consent is withdrawn. Upon expiration of the processing period, we will contact you to renew your consent, either by post or email. If consent is not renewed, we will stop processing your personal data, remove it from our records, delete electronic data from our systems, and shred any physical documents.
Personal data processed based on legitimate interest under Article 6(1)(f) GDPR—such as when you submit an inquiry—will be deleted once the request has been addressed and no longer required for any subsequent pre-contractual or contractual relationship.
As the controller, we ensure the deletion of personal data without undue delay after the following conditions are met:
- All contractual relationships between you and the controller have ended;
- All of your obligations towards the controller have been fulfilled;
- All complaints and requests have been addressed;
- All legal obligations for processing, or consent-based purposes, have been fulfilled; and
- The retention period has expired, or you have withdrawn your consent.
Any personal data inadvertently obtained will not be processed further for any defined purposes. If possible, we will inform the data subject whose data was inadvertently obtained and assist in restoring control over their data. Following necessary actions to resolve the situation, we will promptly delete all such data.
For more information on the retention period of your personal data, please contact us using the details provided on our website.
Disclosure of Data
The controller does not disclose collected data under any circumstances.
Cross-Border Data Transfers
Cross-border data transfers do not take place during standard internal processes, nor are they planned for the future.