Home page / Data processing agreement

Data processing agreement


Validity and effect of the Directive: May 25th 2018


We would like to inform you that in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), you are entitled to legal protection imposed by this Directive. Processing of personal data complies with following legislation:


  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
  • Act No. 101/2000 Coll., on the Protection of Personal Data
  • Article 7 of the European Convention for the Protection of Human Rights and Fundamental freedoms
  • Act No. 2/1993, Declaration of the Convention for the Protection of Human Rights as a part of Czech Constitution
  • Specific legislation as an integral part of Labour Code, Accounting Act, VAT Act and others.



I. Data Processor

Park Praha Ltd. (established in Za Elektrárnou 3, 170 00 Praha 7, IN: 150 39 650,

tel.: 266 712 470, e-mail: hotel@expoprag.cz, registered at City Court Prague, reference number

C 95299), operator of Expo Hotel (hereinafter referred to as Hotel), address Za Elektrárnou 3, 170 00 Prague 7, is the data processor of your personal data (hereinafter referred to as Data processor).



II. Basic terminology

a./ Data management – any operation or a set of operations by automatic means (collection, recording, organisation, storage, modification, usage, search, access by transmission, distribution or other method, blocking, combination, erasure, shredding and preventing further usage, photographing, sound and video recording and recording of physical characteristics for identification purposes, such as fingerprints, DNA samples etc.

b./ Publication by transmission - access to the data by a third party subject

c./ Data processor – an individual or a legal entity or a subject unregistered at the Business Register

d./ Data subject – a natural person identified or identifiable by specific data

e./ Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

f./ Breach of data safety – committing a tort or delict, especially by providing unauthorized access, modification, transmission, erasure or shredding of the data and its unintentional erasure or corruption.

g./ Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

h./ Processor - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

i./ Controller - a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law

j./ Restriction of processing - the marking of stored personal data with the aim of limiting their processing in the future

k./ Pseudonymisation – processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information

l./ Consent of the data subject - any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

m./ Third party - a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

n./ Cookies – small text files stored in a device (such as personal computer, mobile device or other devices with Internet access) and used to improve functionality of web pages and for marketing


III Principles of processing of personal data

Personal data shall be:

a./ processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

b./ collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

c./ adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

d./ accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

e./ kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

f./ processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures



IV. Extent of processed data

The extent of processed personal data may differ depending on the type and extent of services and may include following:

a./ identification data, such as:

  •  name, surname, academic titles and ranks
  •  date of birth
  •  home address
  •  citizenship
  •  ID card (passport number, ID card number, visa number)

b./ contact information

  •  phone number
  •  email address
  • home address

c./ payment details, such as

  •  kind, number and date of expiry of a credit card

d./ data on health status

e./ audiovisual data

  •  security camera footage

f./ professional profile data, such as

  •  education, professional qualification stated in curriculum vitae of candidates

g./ contractual information, such as

  •  concerning products and services
  •  requirements
  •  complaints and claims

h./ miscellaneous data, such as

  •  length of stay
  •  purpose of stay in the Czech Republic
  •  car registration


V. Acquisition and sources of personal data

Providing the personal data is voluntary and consensual. Contract can only be concluded with consent of the subject to provide personal data:

a./ directly (guest, job applicant), upon contract conclusion (accommodation contract, job contract etc)

b./ from accommodation operators (travel agencies, booking portals etc)

c./ public sources (Internet, Facebook, social networks and platforms)

d./ public lists and registers (Business Register, Trade Register etc)

e./ cookies


VI. Legal grounds and purpose of processing the personal data

a./ Contractual reasons

Booking contract, accommodation contract, supplementary services contract and/or job contract is based on consent to provide and process personal data. Contracts cannot be concluded or performed without processing personal data

b./ Legal reasons

  • to keep an accommodation log and reporting duty in compliance with Czech legislation on the residence of foreigners
  • to pay local accommodation charges
  • for tax purposes (tax reports and returns)
  • for payroll and accounting purposes (accounting and registration obligations)
  • for customer claims
  • for archiving and auditing
  • cooperation with public authorities

c./ Legitimate interest reasons: under condition that legitimate interest does not take precedence to basic rights and freedoms

  • for the purpose of efficient management and organisation
  • for the purpose of marketing and advertising – distribution of current offers, discounts and others. The legal ground is your voluntary and revocable consent with processing of your personal data.
  • for the purpose of development and improvement of services
  • for the purpose of defending legitimate interests – establishment, exercising and defence of legal claims, protection of rights, property and persons
  • for the purpose of insurance claims in case of an insured event.
  • for the purpose of safety and protection of property, including IT – Hotel is equipped with a camera system for protection of well being and property.
  • recruitment of new employees – receiving and processing incoming CVs, running job interviews, making job offers, communicating with applicants… Personal data are only stored for a limited period of three months in this case.

d./  Reason based on your consent: We also use your personal data upon your consent. We use the data solely to communicate with you and we do not provide the data to any third party, we do not use specialised software for profiling of your behaviour or preferences and your data is never subject to automated decision making. The consent you provided us with can be withdrawn any time.


VII. Recipients of personal data

a./ recipients, who are also data processors – professional and specialized subjects (IT providers, accountants, auditors, legal consultants…), who process data provided to them by the Data processor, are in the same legal position as the Data processor, may only process the data on our behalf and are not allowed to use the data otherwise. Each of our carefully selected partners is contractually obliged to attend to maximum protection and safety of personal data.

b./ recipients, who are also Controllers – subjects who process your personal data for their own purposes., mainly government bodies. These subjects are in no contractual relation with the Data processor and are liable to the same legislation as the Data processor.


VIII. Duration of retention of personal data

Your personal data are kept for a period of time in relation with the purposes of the data processing, namely the duration of the accommodation contract, for the duration of your consent, for the duration and conditions stated by legislation and in compliance with general prescription, archiving and retention periods.


IX. Rights of the data subject

a./ The right to withdraw consent - The data subject shall have the right to withdraw his or her consent at any time, in full or partial extent, the latter in relation to specific personal data or some of the purposes of processing.

b./ The right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

c./ The right for rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

d./ The right of erasure: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the data subject objects to direct marketing using his or her personal data
  • the personal data have been unlawfully processed
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

Upon request, we will erase the data without undue delay, unless we are required to retain the data to meet legal obligations, to exercise and defend legal claims and to archive the data.

e./ Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

f./ Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided

g./ Right to object to processing of your data: unless we demonstrate compelling legitimate grounds for the processing or for direct marketing

h./ Right to compensation: the right to receive compensation from the controller or processor for the damage suffered.

i./ Right not to be subject to a decision based on automated processing: Paragraph shall not apply if the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • is based on the data subject’s explicit consent

j./ Right to lodge a complaint with a supervisory authority: data subject shall have the right to lodge a complaint with a supervisory authority – Office For Personal Data Protection in the Czech Republic. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint within three months, including the possibility of a judicial remedy pursuant to Article 78.

k./ Right to an effective judicial remedy against a controller or processor: each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.


Should you have any inquiries and comments on this Agreement or should you wish to assert your rights, please contact us in writing at the following address of the Data processor: Park Praha, Ltd, Za Elektrárnou 3, 170 00, Praha7, or reach us electronically at hotel@expoprag.cz


Hotel Expo Výstaviště

Za Elektrárnou 3
170 00 Praha 7
Česká republika
tel: 00420 234 722 200
fax: 00420 266 712 469

logo kudy z nudy   logo cyklistevitani    logo baby friendly

platební karty

This website uses cookies to ensure you get the best experience on our website.