The company Alostar, s.r.o., ID No.: 01461656, with its registered office at Kaprova 42/14, Staré Město, 110 00 Prague 1, registered in the Commercial Register maintained by the Municipal Court in Prague, file number C 206976 (hereinafter the “controller” or “Alostar, s.r.o.”), protects all processed personal data as strictly confidential and handles them in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “Regulation” or “GDPR”). The company Alostar, s.r.o. is, within the meaning of the GDPR, the controller of your personal data, i.e. it processes, collects, stores or otherwise uses your personal data for the purpose of conducting its business activities. In this information notice, you will find details about the purposes for which the controller processes your personal data, what types and categories of personal data are processed (i.e. whose and which personal data are processed), and on what legal basis your data is processed. This document also contains information about the rights you have in relation to the processing of your personal data and how you can exercise them with the controller.

Controller’s contact address:
Alostar, s.r.o., ID No.: 01461656, Address for service: Kaprova 42/14, Staré Město, 110 00 Prague 1, telephone: +420 727 914 135, e-mail: info@apartmany-orli.cz, Data Box ID: gbwsamp

Alostar, s.r.o. is the controller of your personal data, which it processes in particular:
1) for the purpose of fulfilling contractual relationships with the data subject when providing services, i.e. negotiations on entering into a contract or amendments thereto, mutual performance of rights and obligations arising from the contract, and protection of the rights and legally protected interests of the Controller (especially securing and exercising legal claims under the contract). Identification and contact details are therefore essential for providing the product, service, expert assistance, or customer support.
2) for its internal purposes, particularly to protect its rights and legitimate interests, especially in the area of monitoring service quality, optimising provided services and assessing potential risks;
3) for specific purposes defined in more detail in Articles II to IV.

1. DEFINITION OF BASIC TERMS


1.1
Personal Data
Personal data means any information relating to an identified or identifiable natural person (hereinafter the “data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2
Data Subject
For the purposes of this information, a data subject means any natural person whose personal data is held by the controller in connection with activities related to its business activities or other activities carried out by the controller.
1.3
Processing of Personal Data
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4
Controller of Personal Data
A controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this information, the controller means ALOSTAR, s.r.o., ID No.: 01461656, registered office Kaprova 42/14, Staré Město, 110 00 Prague 1, registered in the Commercial Register maintained by the Municipal Court in Prague, file number C 206976.
1.5
Processor of Personal Data
A processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller on the basis of an appropriate data processing agreement in accordance with Article 28 GDPR.
1.6
Recipient of Personal Data
A recipient means a natural or legal person, public authority, agency or another body to whom the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by public authorities must comply with the applicable data protection rules according to the purposes of the processing.
1.7
Legal Bases for Processing Personal Data
The controller processes personal data of data subjects only on the basis of the following legal grounds:

a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
1.8
Principles of Personal Data Processing
a) Principle of lawfulness
The controller processes personal data only in a lawful manner and in such a way that the rights of data subjects are not violated.

b) Principle of purpose limitation
The controller processes personal data only for specific, explicit and legitimate purposes. The controller may further process personal data for archiving purposes in the public interest, for scientific or statistical purposes, provided appropriate safeguards are applied to protect the rights of data subjects.

c) Principle of data minimisation
The controller processes only personal data that it needs for its activities in order to achieve its purposes (e.g. provision of a service or product).

d) Principle of accuracy
The controller ensures that personal data are accurate and kept up to date as necessary.

e) Principle of storage limitation
The controller stores personal data only for as long as necessary or for as long as required by law.

f) Principle of minimisation of storage
The controller stores personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods if processed for archiving in the public interest, scientific or historical research, or statistical purposes.

g) Principle of integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

h) Principle of accountability
The controller is responsible for compliance with all these principles of personal data processing and for compliance with the GDPR. The controller must be able to demonstrate such compliance to the Office for Personal Data Protection if required.
1.9
Identification Data:
Identification data include in particular:

- name
- surname
- date of birth
- personal identification number
- passport number or other identity document number
- other data listed in individual personal data processing declarations, especially address, city, ZIP code
1.10
Contact Data:
Contact data include in particular:

- address
- telephone number
- email
- other data listed in individual personal data processing declarations
1.11
Descriptive Data
Descriptive data include in particular:

- visitor behaviour
- attempts to misuse our services
- bank account details + payment card number
- other data listed in individual personal data processing declarations of the card

2. INFORMATION ON THE PROCESSING OF CUSTOMERS’ PERSONAL DATA


This section applies to the processing of personal data of the controller’s customers. Alostar, s.r.o., when processing the personal data of its customers, acts in the capacity of a personal data controller. The following information provides an overview of how the controller processes the personal data of its customers.

2.1
Categories of Personal Data
The controller processes the following data about its customers:

- Address and identification data such as name, surname, permanent residence address, mailing address, email, telephone number, personal identification number, identity card number, and where applicable, the address of the company represented by the customer, work email, work telephone number, family relationship
- personal data not obtained directly from the data subject, such as security camera recordings (CCTV) or panoramic camera recordings used for public information;
2.2
Purposes of Personal Data Processing
The purpose of processing personal data by the controller is:

- Performance of a contract
The primary purpose of processing personal data is the performance of contractual relationships with the customer as a data subject when providing products or services, i.e. negotiations on the conclusion or amendment of a contract and mutual fulfilment of rights and obligations arising from the contract.

- Customer administration
The controller keeps records of services provided to its customers. Based on the analysis of these records, the controller evaluates its business strategy and adjusts its offers to customers.

- Provision of accommodation services
The controller keeps records of personal data of customers accommodated in the controller’s facilities for the purpose of fulfilling legal obligations related to the provision of accommodation services.

- Operational security, prevention of misuse of services
The controller monitors access, movement, and activities within its premises in order to maintain safety, protect the controller’s property, and prevent misuse of services provided to customers. The legal basis for this processing is the legitimate interest of the controller.

- Direct marketing
The controller processes personal data of its customers for the purpose of direct marketing, e.g. regular sending of newsletters or commercial communications, which can be unsubscribed from at any time via the footer link. The legal basis is the legitimate interest of the controller.

- Other
The controller further processes customers’ personal data for the purpose of fulfilling legal obligations related to tax and accounting requirements. The controller may also process data for the purpose of resolving potential disputes, complaints, misdemeanours, etc. The legal bases are legal obligations and the legitimate interests of the controller, e.g. processing reference and inspection photographs for the purpose of protecting the controller’s property.

2.3
Recipients of Personal Data
The controller may or must provide personal data to:

- processors who carry out full or partial processing of personal data for the controller on the basis of an appropriate data processing agreement;
- state authorities or public bodies in cases where provision of personal data is required by law – typically public administration bodies, courts, law enforcement authorities, supervisory authorities, bailiffs, notaries, insolvency administrators, etc.;
- other entities where necessary for the protection of the controller’s rights, e.g. insurance companies, legal representatives of Alostar s.r.o., its employees and cooperating persons, courts, judicial executors, auctioneers; the scope of data provided is limited to what is necessary for proper assertion of claims;
- other entities with your consent.
2.4
Data Retention Period and Storage Location
- Personal data are processed only for the necessary period, which is determined individually for each contract or legitimate interest of the controller with regard to the possibility of proper assertion and enforcement of contractual obligations. After this period, the personal data are destroyed or further retained for the period set by the valid Filing and Retention Plan issued in accordance with Act No. 499/2004 Coll., on Archiving and Records Management.
- The controller intends to transfer personal data to a third country (outside the EU) or an international organisation. Recipients of personal data in third countries are providers of cloud or mailing services and social networks.
2.5
Notice
- Providing personal data listed in Article II, paragraph I may be necessary for the performance of a contract and legal obligations of the controller as a provider of a product or service. Without these data, the controller may be unable to conclude the relevant contract with the customer.
- Automated decision-making is used during the processing of your personal data, on the basis of which actions or decisions may be made that could affect your rights or legitimate interests.
- In certain cases, your personal data may be collected and further processed on the basis of your voluntary consent, which always represents a free, specific, informed and unambiguous expression of your will to allow processing of your personal data for a given purpose, and which always includes information about the right to withdraw consent at any time.
- Individual rights of customers arising from the GDPR are listed in Article VIII below.

3. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF VISITORS TO THE CONTROLLER’S WEBSITE


Cookies – cookies are small text files that are stored on a computer, phone, or other device when visiting and browsing a website. Cookies are used to store and receive identifiers and other information about computers, phones, and other devices from which data subjects access the website, and they help the controller provide, protect, and improve the services offered.

Cookies in particular:
- enable efficient navigation on the website, personalization, saving preferences and generally improving the user experience;
- allow recognition of whether a specific user has previously visited the website or is a new visitor;
- help display website advertising tailored to the interests of a specific user;
- are used to analyze traffic on the controller’s website, especially through services such as Google Analytics, Google AdSense, Facebook, etc.

3.1
Types and purposes of cookies:
The controller uses the following types of cookies on its website:

- Necessary cookies: cookies strictly necessary for the operation of the website and the controller’s online services. Necessary cookies enable navigation on the website and use of basic functions. This type of cookie does not collect any personal data of the data subject. With the help of these cookies, the controller’s website, for example, remembers the information that the data subject entered into an order form even when navigating between different screens, and remembers goods or services selected by the data subject when proceeding to the payment interface. If they are disabled, the website may not be fully functional.
3.2
Categories of data
- information about the visit to the website apartmany-orli.cz
- information about the IP address
- information about platform, browser, location, language settings, etc.
3.3
Legal basis for processing personal data through cookies
The legal basis for processing personal data through cookies is the negotiation of a contract or the performance of a contract, and the legitimate interest of the controller.
3.4
Notice
- Consent of the data subject is not required for cookies strictly necessary for the operation of the website.
- The data subject determines in the settings of their browser whether the browser should allow the website to store cookies on the terminal device. This setting (if cookies are allowed) is considered consent to the processing of personal data in the case of third-party cookies.
- The data subject may withdraw consent in the same way it was granted, i.e. in the browser settings.
- The data subject may object to the processing by submitting a request to the controller’s address or email address.

4. RIGHTS OF DATA SUBJECTS


The controller usually does not require the consent of data subjects in order to process their personal data. However, data subjects have, under the GDPR and depending on the legal basis for processing, the following rights:

4.1
Right of access
The data subject has the right of access to his or her personal data under Article 15 of the GDPR. In particular, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or restriction of processing or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) any available information as to their source, if the personal data are not collected from the data subject;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

All of the above information is provided in this document. The data subject also has the right to obtain a copy of the personal data processed by the controller; additional copies may be subject to a fee.
4.2
Right to rectification
The data subject also has the right to have inaccurate personal data rectified and incomplete personal data completed, as well as the right to request erasure or restriction of processing, to object to processing, and to exercise the right to data portability and other rights granted by the GDPR.
4.3
Right to erasure
If the data subject has granted consent for processing and there is no other legal ground for processing within the meaning of the GDPR – in particular performance of a contract, fulfilment of a legal obligation, or the legitimate interest of the controller – or if the controller processes the data unlawfully or for an unreasonably long period, the data subject has the right to have such data erased.
4.4
Right to restriction of processing
The data subject has the right to obtain restriction of processing in any of the following cases:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
4.5
Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller, provided that the processing is based on the data subject’s consent or the performance of a contract.
4.6
Right to object
The data subject has the right to object to the processing of his or her personal data where such processing is based on the legitimate interest of the controller, particularly for the purposes of direct marketing.
4.7
Right to lodge a complaint
If the data subject has concerns about the manner in which the controller processes his or her personal data, he or she has the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).
4.8
Where to exercise data subject rights
Please address requests to exercise your rights to the controller named above: Alostar, s.r.o., ID No.: 01461656, address for service: Kaprova 42/14, Staré Město, 110 00 Prague 1, e-mail: info@apartmany-orli.cz, Data Box ID: gbwsamp.

Your requests will always be duly assessed and handled in accordance with the applicable provisions of the GDPR.

This updated wording is effective as of 1 May 2025.