Privacy Policy on CzechTourism Websites

Issued on 25 May 2018
This document describes how personal data that you entrust to our website is processed. The data administrator, the Czech Tourism Authority – CzechTourism – is aware of the importance of the protection of personal data and therefore undertakes to take the necessary measures to protect your personal data entrusted to the websites it manages and to prevent its possible misuse. Your personal data will only be processed in accordance with the law and for the purposes of which you are duly informed or with which you have agreed, and only for the strictly necessary time.

IDENTITY AND CONTACT DATA OF THE ADMINISTRATOR

The administrator of your personal data on this site is:
The Czech Tourism Authority – CzechTourism,
Vinohradská 46,
120 41 Prague
tel.: +420 221 580 111
fax: +420 224 247 516
ID No.: 49277600
Tax ID No.: CZ49277600

(hereinafter the "administrator").

WHAT LEGISLATION REGULATES PERSONAL DATA PROCESSING?

The area of personal data processing is governed by these legal regulations:

Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
Act No. 101/2000 Coll., on the protection of personal data, in the current version (the "Data Protection Act");
The Convention for the Protection of Human Rights and Fundamental Freedoms (protecting the rights and freedoms of individuals, in particular the right to privacy, see Article 7);
Resolution of the Czech National Council No. 2/1993 Coll., on the proclamation of the Charter of Fundamental Rights and Freedoms as part of the constitutional order of the Czech Republic;
Individual areas are regulated by special laws, the Labour Code, Act on Accounting, VAT Act, etc.)

For the lawful processing of your personal data, at least one of the conditions specified in Article 6 of the GDPR must be fulfilled. In the case of a special category of personal data, at least one of the conditions specified in Article 9 of the GDPR must be fulfilled. In both cases, the principles of processing personal data set out in Article 5 of the GDPR must be respected.
You can find up-to-date information on GDPR privacy issues here: EU – Rights for citizens.

DEFINITION OF TERMS

Let us explain to you some of the basic terms used in the area of personal data protection

Title	Description
Cookies	A cookie is a small amount of data the web server sends to the browser and then stores on your computer, tablet or other device from which you access the web. Each time the browser visits the same server, the browser sends the data back to the web server. Cookies are commonly used to distinguish individual users, store user preferences and so on. They also help the server know what sections of the site you have been to, and enable you to return to the previous page. Cookies can also be set on the server side. Cookies as such are not executable code and are not dangerous to your computer, but may be a means of interfering with your privacy.
Supervisory authority concerned	The supervisory authority which deals with the processing of personal data because: the administrator or processor is established in the territory of the Member State of that supervisory authority; data subjects residing in the Member State of that supervisory authority are, or are likely to be, substantially affected by the processing; or a complaint was filed with them
Supervisory authority	An independent public authority set up by a Member State under Article 51 of the GDPR.
International organisation	An organisation and its subordinate entities subject to international law by a public or other entity established by or on the basis of an agreement between two or more countries.
Restricted processing	Designation of personal data stored to restrict their processing in the future.
Personal data and data subject	Any information about an identified or identifiable natural person (a "data subject"); an identifiable natural person is a natural person that can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification number, location data, network identifier or one or more specific physical, physiological, genetic, psychological, economic, cultural or social identities of this natural person.
Data breach	Breaches of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorised provision or disclosure of transferred, stored or otherwise processed personal data.
Profiling	Any form of automated processing of personal data involving their use in evaluating certain personal aspects relating to a natural person, in particular to analyse or assess aspects relating to their performance, economic situation, state of health, personal preferences, interests, reliability, behaviour, location or movement.
Cross-border processing	the processing of personal data in connection with the activities of establishments in more than one Member State of the administrator or processor in the EU where such administrator or processor is established in more than one Member State; or the processing of personal data which takes place in connection with the activities of a single office of the administrator or processor in the EU, but which will or is likely to substantially affect data subjects in more than one Member State
Recipient	A natural or legal person, a public authority, an agency or other entity to whom personal data is provided, whether or not a third party. However, public authorities which can obtain personal data in a special inquiry in accordance with the law of a Member State are not considered to be recipients; the processing of such personal data by those public authorities must be in accordance with the applicable data protection rules for the purposes of processing.
Pseudonymisation	The processing of personal data so that it can no longer be assigned to a specific data subject without the use of additional information if this additional information is kept separately and is subject to technical and organisational measures to ensure that no identified or identifiable natural person is assigned.
Relevant and justified objection	An objection to a draft decision in order to assess whether the GDPR has been violated or whether the action envisaged is in line with the GDPR, which clearly demonstrates the significance of the risks arising from the draft decision as regards the fundamental rights and freedoms of the data subjects, or the free movement of personal data within the EU.
Consent of data subject	Any free, specific, informed and unambiguous manifestation of will by which the data subject gives a declaration or other apparent confirmation of their consent to the processing of their personal data.
Administrator	A natural or legal person, a public authority, an agency or any other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purpose and means of such processing are determined by the law of the EU or of a Member State, that authority may designate the person concerned or the specific criteria for determining it.
Third party	A natural or legal person, a public authority, an agency or other entity that is not authorised to process personal data by a data subject, a controller, a processor, or a person directly subject to the controller or processor.
Health data	Personal data relating to the physical or mental health of a natural person, including data on the provision of health services, which indicate their state of health.
Processing	Any operation or set of operations of personal data or sets of personal data that is performed with or without the help of automated procedures, such as assembling, recording, arranging, structuring, storing, customising or altering, finding, viewing, using, accessing, transmitting, any other disclosure, sorting or combining, restriction, deletion or destruction.
Processor	A natural or legal person, public authority, agency or other entity processing personal data for an administrator.

PROCESSED DATA AND THE PURPOSE OF ITS PROCESSING

This site processes several categories of personal data:

The data that you complete in the forms on this site.
Information from cookies, which can serve different purposes. In principle, it is divided into two groups. The information needed to make the site work properly, and the information that collects data for statistical evaluation of visits or the behaviour of site visitors, which we use to optimise site content and analyse traffic. Detailed information about cookies can be found on the relevant web presentation.

We respect the principle of minimisation and, therefore, for each purpose of processing, we limit the extent of the processed data only to data that is necessary for the given purpose.

The basic purposes of processing your personal data entrusted to us on these websites are as follows:

Responding to your queries, suggestions or complaints, when your personal data completed in the form will be used solely to respond to your query and will be deleted within 60 days after termination of the communication for that query or complaint. The question and answer can be anonymised and generalised and used in the Frequently Asked Questions section. In justified cases, the administrator is entitled to retain your suggestion for as long as necessary for its legal protection or for the period specified by law.
Processing a newsletter request or news about events in the Czech Republic. Based on your request, we will send you our newsletter and news about events in the Czech Republic. You can decide to terminate this service at any time by clicking on the link located in the footer of the email in which the information is delivered to you. You can also end the service by sending an email with the subject line DO NOT SEND to privacy@czechtourism.cz. We will keep your contact data for as long as we send you information and we will keep the information that we should no longer send you messages for 3 years.
Processing your inquiry/order. In this case, your personal data will be processed for the purpose of negotiations leading to the conclusion of the contract. In the absence of a contract, your personal information will be deleted within one year of termination of the communication.
If you are or become our customer, we are required to keep your billing information and to keep accounting documents containing them for 10 years. We are also authorised to inform you about news and services related to the product or products we have supplied to you.
From time to time, you can sign up for our contests through our website. In this case, the details of the processing of your personal data are listed in the contest information.
In some cases, we ask for your first name and surname to be filled in, although it would be possible to process the request only on the basis of the provided email address. For example, when answering a question. Providing your first name and surname or phone number will allow us to communicate more effectively with you, identify you when communicating (for example, we can make a phone call to verify your identity) and prevent someone else from obtaining your data. Filling in this information is voluntary, and by filling it in, you are telling us that you want a more effective manner of communication.

The administrator does not engage in automatic decision-making within the meaning of Article 22 of the GDPR or individual profiling.

WHO ELSE CAN ACCESS YOUR PERSONAL DATA?

In addition to our employees, your personal data can be accessed by company personnel who manage the website for the administrator and support the operation of its internal IT system.
With all such entities, the administrator has concluded a contract for the processing of personal data within the meaning of Article 28 of the GDPR

WHERE CAN YOUR DATA BE PROCESSED?

Our web servers are located in the Czech Republic.
We use Google services to process statistics and analytics – you can find the details information about cookies on the relevant web presentation.
The administrator does not intend to hand over your personal data to a non-EU country or an international organisation

YOUR RIGHTS

We respect the principle of transparency of the processing of personal data contained in the GDPR. In accordance with this principle, we are always ready to provide you with information about how we process your personal data and for what purpose.

Please note that we are required to properly verify the identity of the applicant or submitter of the complaint and to document this verification. If there is any doubt as to the identity of the data subject who submits a request for information about the processing of personal data, exercises some of the rights of the data subject or gives the administrator a suggestion, we may ask them to provide additional information necessary to confirm their identity.

You can find more detailed information about the GDPR and your rights on the official EU GDPR website.

WHERE CAN YOU MAKE A COMPLAINT?

Contact for any questions, suggestions or complaints related to the processing of personal data: privacy@czechtourism.cz, or you can contact the administrator's office in writing or by phone at the address mentioned in Article 1 above.

Our supervisory authority where you can file a complaint if you are not satisfied with our approach to dealing with your complaint or how we handle your personal data:

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Rights for citizens

You can also file a complaint with the supervisory authority in the EU country where you live or work.

UPDATING OF THIS POLICY

As the area of data protection and legislation is evolving dynamically, we will regularly review the compliance of this policy with legislation and established practice, and this text may be updated on the basis of these reviews.