Personal Data Protection

Personal data of accommodated guest are in the range of name, last name, ID number or passport number, residential address, date of birth, purpose of visit and length of stay processed in the information system - Evidence of accommodated guests, in accordance with § 24 par. 1 of the Act no. 253/1998 on the reporting of registered residence of citizens of the Slovak Republic and on the Registry of Inhabitants of the Slovak Republic as amended. On accommodated Foreigners in addition the data of nationality and place of birth are also processed in the information system of Evidence of Foreigners due to reporting their stay at immigration offices in accordance with § 113 of the Act no. 404/2011 Coll on Stay of Foreigners as amended. Personal data of accommodated guests and foreigners are provided to third parties only in accordance with applicable legislation.

Basic Legislation

The HOREC system used by BUILDING CITY s.r.o. – Kongres Hotel Roca incorporates tools that help users apply the principles set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Directive (EU) 2016/680 of the European Parliament and of the Council. The principles listed below create a new, modernized legal framework for personal data protection. Its aim is to ensure the respect of fundamental rights and freedoms, particularly the right to personal data protection within the environment of new and increasingly used information and communication technologies, while also supporting the strengthening and convergence of the economies of the EU Member States within the EU internal market.

Within the general data protection legislative framework of the Slovak Republic, the Directive will apply:

1. to the processing of personal data within activities subject to EU law — both the Regulation and national law, except for Parts 1 to 3 of the national law,

2. to the processing of personal data within activities not subject to EU law — the national law as a whole,

3. to the processing of personal data for the purposes of criminal proceedings by the competent authority — national law, except for selected provisions of Part 3 of the draft law.

Basic Principles Addressed by the GDPR

1. Principle of Lawfulness (§6)

Verify whether the processing does not violate the fundamental rights of the data subject. Legal grounds for the processing of personal data:

a) Registration of accommodated guests

(§24, point 1, Act No. 253/1998 Coll., as amended) — the guestbook; no retention period is defined.

• First name

• Last name

• ID card or passport number

• Permanent residence address

• Duration of stay

b) Reporting to the Foreign Police

(Act No. 404/2011), supplements the guestbook; retention period is five years.

• First name

• Last name

• Date of birth

• Travel document number

• Visa number

• Start and end of stay

c) Act No. 582/2004 Coll.

on local taxes and local fees for municipal waste — always applied by the municipality through its local regulation.

d) VAT Act No. 222/2004 Coll., as amended, §74(b)

Retention period: until the end of the calendar year in which ten years have passed from the end of the year to which the data relate. The following personal data must be retained as stated in the Act:
“first and last name of the recipient of the goods or services, or the name of the recipient of the goods or services, the address of their registered office, place of business, establishment, residence or address of usual stay, and their tax identification number under which the goods or services were supplied.”

2. Principle of Purpose Limitation (§7)

Verify whether personal data are collected for a clearly specified and legitimate purpose (collect only the data defined in laws applicable to accommodation facilities).

3. Principle of Data Minimization (§8)

Verify whether the processed personal data are adequate, relevant, and limited to what is necessary.

4. Principle of Accuracy (§9)

Processed data must be accurate and updated where necessary.

5. Principle of Storage Limitation (§10)

Define a retention period for storing personal data that reflects the purpose of processing.

6. Principle of Integrity and Confidentiality (§11)

Assess whether adequate security of personal data is ensured, including protection against unauthorized processing.

7. Principle of Accountability (§12)

The controller is responsible for compliance with the basic principles of personal data processing. The controller must ensure that the processing is consistent with these principles and must be able to demonstrate such compliance to the supervisory authority upon request.