Personal information

Principles of Personal Data Processing of LIPNO SERVIS s.r.o.

These principles are based on the Regulation on the Handling of Personal Data, adopted by company LIPNO SERVIS s.r.o. (hereinafter as the “Company”) for the processing and protection of personal data, in the sense of GDPR and in compliance with the valid legal order of the Czech Republic, chiefly Act No. 110/2019 Coll., on Personal Data Processing, effective from 24 April 2019, as amended. These principles provide information as to the essential rules followed by the Company when processing personal data of job seekers, natural business persons, clients, interested persons, representatives of legal persons, suppliers, customers (buyers of goods and services, guests, accommodated persons), business and contracting partners, lessees, card holders, members of the LIPNOCARD Programme, users of benefits of the LIPNOCARD Employee Programme, club members, employees, voluntary workers, seasonal workers, instructors and students completing practical training, forwarders, visitors, guests and other persons (hereinafter as “Data Subjects”), and information relating to the Company’s approach to the processing, processing and security of personal data of Data Subjects.

1. Introduction

1.1. The Company, as a personal data controller, processes personal data of Data Subjects in the scope of the Company’s main activities, based on the division of the Company’s branches, while applying various measures, including security measures such as a controlled access to such information. In addition, the Company processes personal data of its employees for legitimate purposes related to their full employment relation with the Company. In the role of a processor of personal data, the Company also processes personal data of employees of clients/employers if the employee programme of LIPNOCARD members is used.  

1.2. Since 25.05.2018, the Company has processed personal data of Data Subjects in compliance with the effect of Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), directly applicable in all members states of the EU (General Data Protection Regulation, “GDPR”). Moreover, the Company processes personal data of Data Subjects as per Act No. 110/2019 Coll., on Personal Data Processing, effective from 24 April 2019. 
 
1.3 The Company, as a legal person, processes personal data while fulfilling obligations of the controller or the processor of such data, as stipulated in valid legislation.  
1.4. A Data Subject provides the Company with personal data depending on the purpose of processing hereof, delineated in detail in Annex No. 1 to the Company’s Regulation on the Protection of Personal Data, whereas the purposes of personal data processing are defined exclusively as follows:
a) selection procedure for the given position;
b) to ensure the provision of services rendered by the Company, including the provision of a “LIPNOCARD” and the operation of the chairlift;  
c) for the purposes of legitimate interests of the Company or third persons, for protection of own rights and claims;
d) to perform a contract concluded between the Data Subject and the Company and compliance with legal obligations, including for the purposes of record keeping and statistics;  
e) for the purposes of registration and members in the LIPNOCARD Programme, LIPNOCARD Employee Programme, for the purposes of the LIPNOCARD Loyalty Programme and services related to activation, issuance and provision of LIPNOCARD, online shop and self-service ticket offices of LIPNO Ski Resort;  
f) to communicate with customers, suppliers, contracting and business partners;
g) to perform the purpose of intermediating the rental, accommodation, bookings;
h) for educational activities; 
i) for promotional and marketing activities; 
j) to arrange for internal security processes and protection of personal data, upkeep of payroll and personnel administration and the relating obligation to maintain the Company’s accounting records; 
k) for other purposes conditional on the Data Subject’s consent to processing to his/her personal data.
1.5. The consent to personal data processing is given by Data Subjects in case when another legal title cannot be used for the given purpose of processing.
The Company accepts consent granted by Data Subjects as a free, specific, informed and definite expression of will, which is given by a Data Subject, in the form of his/her declaration or another clear confirmation, as his/her approval of the processing of his/her personal data. A Data Subject has a right to withdraw his/her consent at any time. The withdrawal of such consent shall not affect the legitimacy of prior processing of the given Data Subject’s personal data, based on consent previously given by the Data Subject. The Data Subject shall be informed in this respect before giving his/her consent.

2. Purpose of the processing of Data Subjects’ personal data 

2.1. Data Subjects’ personal data must be collected only for certain, explicitly expressed and evidentiary provable purposes and may not be processed in a manner incompatible with such purposes. Personal data processing is carried out especially in order to cover the Company’s main scope of business and for the purposes of the processing delineated in para. 1 hereof, which chiefly consists in the provision of physical education and sports services in the area of operating a skiing school, operation of a cableway and a railway transport by chairlift, production, trade and services not listed in Annexes 1 to 3 to the Trade Licensing Act, innkeeper’s activities, activities of accounting advisors, upkeep of accounting records, upkeep of tax records, and other activities.   
2.2. Further, the Company processes Data Subjects’ personal data to address to its contractual and other relations, for upkeep of accounting records, personnel and payroll administration, recruitment administration and other activities directly connected with the Company’s main scope of business, as defined in the Company’s internal Regulation on the Protection of Personal Data.

3. Categories of personal data processed

3.1. The Company collects, processes and retains the following categories of Data Subjects’ personal data, the composition of which is at all times subject to the necessity to process personal data according to the defined purpose of personal data processing for the given Data Subject: 
3.1.1. address, contact and identification personal data - in particular: name, surname, date of birth, birth reg. no., residence, telephone number, e-mail, delivery address, citizenship, Identity Card no., Passport no., Driving Licence no., bank account no., data box, personal experience; education, 
3.1.2. descriptive personal data - in particular: the Data Subject’s data as to the contractual relation, in addition to the personal data referred to in subpara. 3.1.1., these data include especially the Tax ID, address of the registered office and branch offices, etc.; 
3.1.4. special categories of personal data, especially the Data Subject’s sensitive data;
3.1.5. other personified data - especially photographs or camera recordings, biometric data, physiological data, payment data and data associated with the registration and membership in the LIPNOCARD Programme, such as authentication data, data relating to the use of the LIPNOCARD Employee Programme, data concerning the funds on the LIPNOCARD Account, and other necessary data. 

4. Manner of processing and retaining of personal data and the period of retention of same with the Company 

4.1. The Company processes Data Subjects’ personal data manually or in an automated manner and retains the same securely in the paper or electronic form during a period determined by the archiving, filing and shredding rules. In connection with the purpose of processing, certain personal data of Data Subjects are kept in the Company’s information system (e.g. the personnel system, economic information system, archiving system, system for loans, booking portal, etc.).
4.2. The Company processes personal data in a manner ensuring a proper security of the same by means of security measures implemented against unauthorized or illegal processing and incidental loss, destruction or damage, specifically in the form of controlled access to such information, by encrypting and anonymization of persons data and the capability to recover the accessibility of personal data, or in the form of regular audits of the security measures implemented. 

5. Transfer of personal data

5.1. The Company shall not transfer personal data to persons other than personal data processors or personal data controllers (where such obligation results from a contractual relation with a controller, processor or sub-processor), unless an obligation to transfer the same to authorities, competent bodies or institutions is imposed on the Company by a legal regulation, or the given Data Subject has given his/her consent to such transfer.  
5.2. When personal data are processed in the Company, i.e. the personal data controller, automated decision-making is not conducted, on the basis of which any acts or decisions would be done or made that might interfere in rights or legitimate interests of Data Subjects. 

6. Rights of Data Subjects

6.1. At his/her request, a Data Subject shall receive from the Company all information, unless further specified in the request, on the processing of all of his/her data, in a concise and easily accessible manner, using clear and plain language.
6.2. The request may be lodged electronically, by a filing sent through a data box or a postal service provider, or verbally using a record in the Company’s office; the request cannot be placed by telephone.
6.3. Where personal data relating to the given Data Subject are obtained directly from the Data Subject, the Company shall provide him/her with the following information at the moment when the personal data are obtained:
a) identity and contact data of the controller,
b) contact data of the Data Protection Officer (DPO),
c) purposes of processing for which the personal data are intended and processed, and the legal basis for processing thereof, 
d) legitimate interests of the controller or a third party in case the processing is based on such legal title, 
e) any recipients or categories of recipients of the personal data, including a processor, if any, 
f) the controller’s intent, if any, to transfer the personal data to a third country or an international organization, including a reference to suitable safeguards,
g) the period during which the personal data are retained by the Company, and where this period cannot be established, this period shall be determined according to appropriate criteria, 
h) the existence of the right to require that the Company provide the Data Subject with access to personal data concerning him/her, the rectification or erasure thereof, or restriction of processing, and to object to processing, as well as the right to data portability, 
i) if the processing is based on the Data Subject’s consent, the existence of the right to withdraw the consent at any time, without prejudice to the legitimacy of the processing established by consent given before the withdrawal, 
j) an option to lodge a complaint with a supervisory authority,
k) information whether the provision of the personal data constitutes a statutory or contractual requirement or a requirement that must be incorporated in a future contract, and whether the Data Subject is obliged to provide the personal data, and possible consequences of a failure to provide such data,
l) information whether automated decision-making, including profiling, is done, and at least in these cases, reasonable information must be given in relation to a procedure applied, as well as the meaning and contemplated consequences of such processing for the Data Subject. 
6.4. If the Company intends to process the personal data for a purpose different from that for which the personal data have been collected, the Company shall provide the Data Subject with information on that different purpose before the other processing commences.
6.5. The Company need not provide the Data Subject with information on the processing in case such information is already available to the Data Subject, insofar as the Data Subject already has the information. 
6.6. If personal data were not obtained from the Data Subject, the Company shall supply him/her with identical information and the source of the personal data, and, as the case may be, information whether the data were derived from publicly accessible sources.  
6.8. In case personal data were obtained from persons other than the Data Subject, the Company shall not exercise the obligation of information if the obtaining or disclosure is expressly stipulated in a legal regulation applicable to the Company and imposing security and organizational measures to protect the Data Subject’s legitimate interests.  
6.9. The Data Subject who discovers or believes that the Company, as a controller, or another person who processes personal data on behalf of the Company, processes his/her personal data in conflict with regulations concerning personal data protection or in contradiction with legislative obligations in personal data protection, may ask for an explanation or require that the Company or the processor remedy such situation. Unless the Company or the relevant controller complies with the application, the Data Subject may contact the Office for Personal Data Protection, without prejudice to the Data Subject’s right to contact the Office for Personal Data Protection directly.  
6.10. In addition, the Data Subject has the following rights:
1. if the relevant conditions have been met, to obtain from the Company the information on processing of his/her personal data (information on identity and contact data of the controller and the controller’s representative, if any; or, as the case may be, contact data of the Data Protection Officer (DPO), processing purposes for which the personal data are intended, and the legal basis for processing, any possible recipients or categories of recipients of personal data and other information necessary to ensure the transparent and correct processing of  his/her personal data),
2. to obtain from the Company an access to his/her personal data, i.e. to obtain from the Company a confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and other information in the scope as prescribed by the law, 
3. to obtain rectification of his/her incorrect personal data, or to have incomplete personal data completed,
4. to obtain the erasure of his/her personal data, upon meeting statutory conditions, e.g. in case the personal data are no longer necessary for the purposes for which they have been collected or processed, e.g. where the Data Subject withdraws his/her consent on the basis of which the personal data have been processed, 
5. to obtain the restriction of processing of his/her personal data by the Company, where statutory conditions have been met, 
6. the right to data portability, i.e. to receive the personal data concerning him/her, which he/she has provided to the Company, in a structured, commonly used and machine-readable format,
7. the right to object on grounds relating to his/her particular situation to processing of personal data concerning him/her; 
8. the right not to be subject to automated individual decision-making, including profiling, unless the Data Subject gives his/her consent to the above, except when automated processing is permitted by legal regulations;
9. lodge a complaint at a supervisory authority. 
6.11. The Company may require that the Data Subject, when filing an application for asserting any of the above rights, identify himself/herself by verification with the respective employee, or identify himself/herself by verification using other accessible methods (e.g. the data box, notarization/Czechpoint, signature authentication at the Data Subject’s request, or in person in the Company’s registered office).  
6.12. In cases determined by legal regulations, the Company has a right to require a reasonable compensation for providing the information, not exceeding the costs necessarily expended on providing the information.

7. Final provisions

7.1. A Data Subject may obtain all information on processing of his/her personal data in person or by e-mail. Current contact data of the Data Protection Officer are available on the Company’s website https://www.lipno.info/infocentrum/kontakty.html. The rights arising from valid legislation in the area of processing and protection of personal data may be exercised by Data Subjects by writing to the e-mail address of the Data Protection Officer: gdpr@lipnoservis.cz 

7.2. Data Subjects have a right to contact the Office for Personal Data Protection, seated at Prague 7, Pplk. Sochora 27, 170 00, tel. exchange +420 234 665 111, www: https://www.uoou.cz, especially in the case when the Company fails to comply with a request for clarification or remedy of a situation caused by personal data processing that violates the valid legislation in the area of processing and protection of personal data.