The company Golf Resort Karlštejn a.s. is a joint stock company incorporated in the Commercial Register kept by the Municipal Court in Prague. The main objective of the company is to achieve a stable profit in the area of operation of the Golf Resort Karlštejn. In the course of its business activities, the Company also handles personal data of third parties (hereinafter referred to as the “data subject”), always in compliance with the stipulated principles of handling and with great emphasis on compliance with conditions preventing unauthorized handling, damage or misuse of processed data. All persons who carry out operations with personal data are properly screened and regularly trained in the field of personal data protection. Information on the use of personal information is provided below:
Details on Data Manager:
Golf Resort Karlštejn a.s.,
Běleč 272, 276 27 Liteň, Czech Republic
Company ID: 25797603, VAT ID: CZ25797603,
registered at the Municipal Court in Prague, B 6114/MSPH
represented by dr. Mirko Grossmann.
In accordance with the law the function of the Data Protection Officer is not established.
Sources of personal data, purposes and method of processing and the period during which the data are stored
1. Personal data shall be obtained directly from data subjects or, as the case may be, from public registers database (OR – business record, record of economic subjects, database of persons affected by sanctions in relation to protection against terrorism etc.). Data can be processed manually or automated in protected IT systems of the administrator or its trusted contractors.
2. Processing for purposes specified by legislation for which the consent of the data subject is not required:
• fulfilment of a contract to which the data subject is a party, or to implement measures taken prior to the conclusion of the contract at the request of that data subject,
• processing is necessary to fulfill the legal obligation applicable to the administrator,
• processing is necessary for the protection of the vital interests of the data subject or of another natural person (the existence of a valid reason is always carefully examined),
• processing is necessary for the purposes of the legitimate interests of the administrator or third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence (the existence of a legitimate interest is always carefully checked).
The administrato r underlines that if the data subject refuses to disclose personal data for the above purposes, the administrato r cannot enter into a contractual relationship or provide a service.
3. In exceptional cases and always for a purpose which is lawful, there may be processed even further personal data, but only on the basis of voluntary free consent granted by the data subject. The text consent to the processing of personal data is available to the data subject as part of the opening of negotiations on the contractual relationship.
The Administrator informs that the granting of consent is not bound by the provision of the service nor the conclusion of the contractual relationship.
4. Personal data shall not be transferred to third countries.
Categories of personal data that are mainly handled
Identification data (i.e. data that unmistakably identify the data subject) to the extent stipulated by legislation:
• Naturalperson (non-business): name and surname, title, date of birth, birth number, permanent address (or correspondence address), data from ID for verification of identity, signature, bank details
• Legal or natural entrepreneurs: business name, resp. name and surname, registered office, company registration number, information on entry in the public register, information on the representative or statutory body and its ID, VAT number, bank connection
Contact details (that is, the data that the data subject passes on to the administrator for the purpose of effective progress of contractual obligations performance): Phone contact, e-mail address, mailing address, data about box data.
The processing of personal data for the purpose of legal obligations fulfilling is mainly based on
the following legal regulations listed below:
• Act No. 164/2013 Coll., On International Cooperation in Tax Administration (this Act imposes an obligation to exchange information with other financial institutions on persons subject to tax obligations in another state)
• Act No. 253/2008 Coll., On certain measures against money laundering (this Act imposes an obligation to identify and control clients)
• Act No. 69/2006 Coll., On the implementation of international sanctions (this Act imposes an obligation to verify that the client is not subject to international sanctions)
• Act no. No. 89/2012 Coll., the Civil Code
• Act no. No. 499/2004 Coll., on Archiving and Records Management and on Amendments to Certain Acts
• Act no. No. 90/2012 Coll., on Business Corporations (§ 264)
• Act no. No. 256/2013 Coll., on the Land Register
• Act no. No. 304/2013 Coll., on Public Registers of legal and natural persons and the records of trust funds
• Act no. No. 93/2009 Coll., on auditors
• Act no. No. 133/200 Coll., on registration of inhabitants and social security numbers.
Recipients of personal data, processors
All personal data are processed by the administrator (at his headquarters), or, as the case may be, carefully verified external partners who handle personal data solely under the terms of the Agreement on Processing of Personal Data concluded with the administrator (whereby these partners must prove the technical and organizational security of the handling of the transferred personal data as well as fulfill all obligations imposed on them by data protection legislation). The administrator may provide data to the following entities for legitimate purposes:
• external collaborators of the administrator for the purpose of performing the contract,
• administrative bodies (e.g. Land Register Offices, tax offices, etc.)
• payment service providers and payment processors for the purpose of the execution of financial transfers.
Personal data may be transferred to other entities only on the basis of a legal obligation prescription or final decision of a judicial or administrative body.
Principles of personal data processing
Principle of legality, fairness and transparency – personal data are processed on the basis of legal regulations (including EU regulations or international treaties binding for the Czech Republic) for legitimate reasons.
Purpose limitation principle – personal data is treated in accordance with a legal reason for certain, explicitly stated purposes, communicated to data subjects.
Principle of minim aliz ation – personal data are processed to a minimum extent, number of operations and records.
Precision principle – only accurate, correct and up-to-date data are processed with updates made on the basis of the potential risks of injury appraisal.
Principle of limited storage – personal data are kept only for the time necessary to fulfill the purpose of processing and in accordance with the legal regulations stipulated by archiving time-limits.
The principle of integrity and confidentiality – personal data is processed safely, appropriate technical and organizational measures are taken to ensure the best possible level of data security.
Data subjects’ rights related to the protection of personal data
Right of access to personal data – the data subject has the right to request a typeout of his personal data, which the administrator processes
Right to rectify or complete personal data – the data subject has the right to request the updating or completion of personal data if he considers that the administrator keeps inaccurate or incomplete data about him. If the administrator considers that the data being processed are accurate, he or she shall inform the data subject with justification.
Right to personal data erasure (right to be forgotten) – the data subject has the right to the data erasure if any of the following conditions is met:
• personal data are no longer needed for the intended purposes,
• as regards the data processed under the consent that has been revoked and there is no other legal reason for the processing,
• if the data subject objects to the processing and there are no overriding legitimate reasons for the processing,
• if personal data is processed illegally
• if they must be deleted to fulfill a legal obligation
• if data has been collected in connection with the offer of information society services under Article 8 (1) of the GDPR
The data administrator shall provide a confirmation of erasure to the data subject.
Right to Restrict ion of Processing – At personal data for which he or she does not require erasure, the data subject has the right to request even the restriction on the processing of personal data, if it is illegal or inaccurate, was objected to being processed (unless it is clear that the legitimate interest of the data subject outweighs the legitimate interest of the administrator).
The right of erasure or restriction of processing shall not apply where the processing of personal data is necessary to determine, exercise or defend the legal claims of the administrator, to exercise the right to freedom of expression and information , required to comply with a legal obligation required under EU or Member State law which applies to the administrator or for the fulfillment of a task performed in the public interest, for reasons of public interest in the field of public health, for archiving purposes in the public interest or for statistical purposes, if it is probable that the right of erasure would prevent or seriously jeopardize the attainment of the objectives of that processing
Right to portability – the data subject has the right to obtain personal data relating to him or her and that has been provided by him or her to the administrator and to transfer the data to another administrator and that in the case that the processing of personal data is based on consent or on a contract and the processing is made electronically ( all conditions must be met). The data shall be transmitted in a structured, commonly used and machine-readable format.
Right to object – the data subject may object at any time to the automated processing if he or she considers that processing is not lawful.
Right to Revoke Processing Consent – The data subject has the right to revoke the consent granted to the processing of personal data at any time, whereby all processing carried out prior to the withdrawal of consent shall be legitimate.
Right to file a complaint – if the data subject believes that at processing of his or her personal data there has occurred a violation of the rules of personal data protection, he or she has the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection, based at Pplk. Sochora 27, 170 00 Prague 7, tel. +420 234 665 111.
The administrator shall respond to submissions in which the data subject exercises some of his rights without undue delay, at the latest within 30 days of delivery of the submission. If the matter requires a longer period for processing, the administrator is obliged to inform the data subject about the extension of the period.
Handling of data subjects’ requests and complaints
The administrator will proceed in the handling of personal data as well as in the processing of data subjects’ submissions so as to ensure that data subjects exercise their rights in the simplest and most effective way. If the data subject submitts the request in the electronical format, the data shall be provided in the same form, unless the data subject requests otherwise. In electronic communication, the administrator is obliged to verify in advance the identity of the person who submitted the request so that the information does not reach unauthorized persons (the data subject’s SMS to the telephone specified by him will be used for verification).
All information will be provided without undue delay, at the latest within one month of receiving the application. If the matter exceptionally requires a longer period for processing, the administrator is authorized to extend it by two months, while he is obliged to inform the data subject about the extension of the time-limit and its reasons.
As a general rule, all information relating to the processed personal data is provided to the data subject free of charge. Exceptions are unreasonable or disproportionate applications for which the administrator is entitled to impose a reasonable fee or reject the application. The apparent inadequacy or frivolousness is substantiated by the administrator.
This policy is effective from 23rd May 2018 and does not apply to employees, statutory or supervisory authorities of the administrator (for these categories of data subjects the internal rules of the administrator shall lay down the principles of treatment).