7. Sources of personal data
- Friend making the reservation on behalf of the customer
- Company for whom the customer works
- Booking agencies
8. Recipients of personal data or recipient groups
- Public authorities based on their legal inquiries
- Security company representative, in case of suspected inappropriate behaviour
- Third parties – service providers and business partners
9. Transfer of data to countries outside the EU
Customer data may be transferred to countries outside the EU, for example, if a foreign tour operator requests a confirmation of reservation with the customer’s data for a visa application.
10. Retention period
The retention period of personal data in the hotel system is 299 days.
11. Rights of the data subject
The personal data in the customer register are processed on the basis of the legitimate interests pursued by the controller (General Data Protection Regulation, EU/2016/679, Article 6, paragraph 1, subparagraph f). In this context, the legitimate interest is the customer relationship. The personal data are also processed in order to perform contracts between the hotel and the data subject (General Data Protection Regulation, EU/2016/679, Article 6, paragraph 1, subparagraph b).
The data subject shall have the right to object.
12. Right to lodge a complaint with the supervisory authority
The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject takes the view that the data controller has not observed the applicable data protection regulation in the course of its operations.
13. Data requests
In matters pertaining to the processing of personal data and exercising the rights of the data subject, the data subject may contact the contact person of the data controller stated in section 2.
Any request related to the right of access or any other right of the data subject shall be made in writing to the data controller via post or email. The request can also be presented in person at the data controller’s premises.
The data controller may request the data subject to specify sufficiently which information or processing the request concerns.
In order to ensure that in exercising the rights of the data subject no personal data are disclosed to others than the data subject, the data controller may, if necessary, request a signed data request from the data subject. The data controller may also request the data subject to verify his/her identity with an official identity document or another reliable method.