Siesta Extranet – Principles of the Protection of Privacy
SIESTA SOLUTION s.r.o., with its registered office at Bruselská 266/14, Vinohrady, 120 00, Prague 2, Company ID No. (IČO): 05203503, as the provider (hereinafter referred to as the “Provider”) providing the services (hereinafter referred to as the “Services”) pursuant to the Siesta Extranet Service Contract (hereinafter referred to as the “Contract” and “Product”) available at https://siestasolution.com/cs/siesta-extranet-zasady-ochrany-soukromi/, hereby informs of the method and scope of the processing of the personal data of the user (hereinafter referred to as the “User”), including the scope of the User’s rights related to this processing.
Use the following e-mail for any questions concerning the protection of privacy and the exercising of your rights: firstname.lastname@example.org.
For what purpose do we process personal data?
- The content of the Services is primarily to enable the User to operate a system entitled Siesta Extranet enabling the management of the reservation capacities (the Product). Thus, we primarily process the personal data of Users – physical persons (our customers), so that we can provide our Services to them. We also, as the processor (described in detail below), process information on the Users’ customers.
- The software ensuring the operation of the Product is a system accessible by remote access – the entire solution is therefore hosted in a cloud and the Users have the opportunity to connect remotely using the Internet.
- We first and foremost process the personal data for the purpose of concluding and fulfilling the Contract. For this purpose all of the Users have a user account set up (the user interface of the Product). The Contract is concluded both in paper document form and also electronically (especially when we update our conditions – this takes place exclusively electronically through the user account), thus for this purpose we collect data for the identification of the contractual party when carrying out the finalisation, so that we have a time stamp for evidence of the agreement with the concrete conditions. We further process the personal data for the purpose of fulfilling the Contract.
- We also collect the Users’ personal data for the purpose of recording and analysing the use of the Services by the Users with the goal of improving the quality of the Services for the User.
- In justified cases we also process the personal data for the purpose of protecting our interests, typically in the case of legal disputes, proceedings before the courts, etc. Here we have to prove that we acted in accordance with the legal regulations when providing our services.
- Since you are our clients, from time to time we will send you information about new products and services. If you do not want to receive these messages, you can unsubscribe from them at any time free of charge. The method will always be specified in such a notification.
- The law also frequently calls for the processing of personal data, e.g. when performing accounting, archiving, etc.
- The processing of this data is mandatory, without which it is not possible to use the Services.
- We do not perform any profiling or any automated decision-making.
From whom do we get the personal data and to whom do we provide it?
- We get personal data exclusively from you. We do not collect any other information about you except from that, which you give us yourself. You are obliged to provide us with only precise data and if your personal data changes, you must update the data.
- We use the following processors to process the Users’ personal data:
- Google LLC, Googleplex, Mountain View, California, U.S., as a processor of personal data through the Google Suite service, thus it is sent to the USA,
- Citrix Systems, Inc., a Delaware corporation, with its headquarters at 120 S. West Street, Raleigh, North Carolina 27603, U.S., as a processor of personal data through the Podio service, thus it is sent to the USA.
- Trivi s.r.o., with its registered office at Španělská 770/2, Vinohrady, 120 00 Prague 2, Company ID No. (IČ): 283 78 440, as a processor of personal data through the Trivi service.
- Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, U.S.A., specifically its “Microsoft Azure” service.
- Our external collaborators (individuals) providing the administration of our systems and the provisioning of consultations on accommodation.
- The Users’ personal data is processed in electronic form by automated means, specifically through the Product and subsequently in the Podio CRM system, or for the purposes of accounting and invoicing in the Trivi system.
- The Users’ personal data can also be processed manually and this can be performed by our employees or other entities working for us, including for the purpose of removing errors, inaccuracies, etc. These entities, however, can only process the personal data under the conditions and in the scope specified above and they are bound to the obligation to maintain confidentiality on personal data and on security measures, the publication of which could threaten the security of the personal data.
- We always process the personal data in accordance with the relevant legal regulations and ensure their requisite care and protection. We make sure that you never suffer any injury to your rights, especially to the right to maintain human dignity. We also protect you against the unjustified interference into your privacy and personal life.
How long do we process the personal data?
We store the personal data provided upon the conclusion of the Contract for the duration of the Contract.
We are, however, entitled to continue to process the personal data even after the termination of the personal data if their processing is necessary for the following purposes:
- Accounting and archiving of documents
- We must process personal data that is required by a legal regulation for the purposes of accounting and the fulfilment of tax obligations (or for the purposes of archiving, if necessary). The period of the processing is 5 years from the end of the accounting period, in the case of documents relevant for the payment of VAT it is, in fact, 10 years from the end of the taxation period in which the fulfilment took place;
- Justified interests
- We also process the personal data for the protection of our personal interests, i.e. protection against any claims by our customers, even before the courts (e.g. for a period during the relevant periods of limitation, which could be 15 years from the origin of the relevant events in the Czech Republic). In this respect the Provider processes your identification information (name and surname, Company ID No. (IČO), Taxation ID No. (DIČ), registered office) and contact information (email, telephone), information on the fulfilment of the Contract (its context, information on its fulfilment).We cannot delete this data, not even on the User’s request, since they are not processed on the basis of approval. We do, however, always assess whether it is no longer necessary to process the given data on the basis of your request.
What rights do you have?
First and foremost you have the right to ask for access to your personal data, including the creation of a copy of your personal data.
- We will always inform you about:
- The purpose of the processing of the personal data,
- The personal data, or categories of personal data, that are the subject of the processing, including all the available information about their sources,
- The nature of the automated processing, including profiling and information concerning the used methods, as well as the importance and expected results of such processing for the subject of the data,
- The recipients and, if necessary, the categories of recipients,
- The planned period for which the personal data will be stored, or if it is not possible to determine, the criteria used for specifying this period,
- All of the available information on the sources of personal data, if it is not acquired from you.
- Your other rights include:
- To ask us for an explanation,
- To ask us to remedy a situation, which primarily means blocking, making corrections, adding, limiting the processing or liquidating the personal data (the right to be forgotten),
- To request the personal data that applies to you in a structured, commonly-used and machine-readable format, and to submit this data to another controller, without preventing this in any way,
- To submit a query or complaint to the Office for Personal Data Protection,
- To raise an objection against the processing of the personal data that applies to you.
How we protect your personal data
We protect your data. To this end we use the following methods of security: Antivirus protection, firewalls, encryption, authorisation information, armed security.
When we are the processor
The personal data will be processed as part of the provisioning of the Services. Here the provider is the processor in the sense of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter referred to as the “GDPR”).
The purpose of the processing is the operation of the Product, as a system for the administration of accommodation capacities, reservations and information on guests in the framework of the accommodations, where the Product also enables the export of data for the purpose of fulfilling obligations with regard to the announcement of accommodating foreigners and the payment of the local fees (hereinafter referred to the “Guests”, which also includes people interested in accommodations – people who have made reservations).
The product also permits the assignment of user authorisations to employees, statutory representatives and other people specified by the Users, who use the Product in the name of the Users (hereinafter referred to the “Product Users”).
The Provider will process the personal data for the duration of the Contract and, if it does not receive other instructions from the Users pursuant to paragraph 5.9 (g), it shall delete it without unnecessary delay upon the termination of the Contract.
The subject of the processing will be data on the Guests input manually or automatically uploaded to the Product through another application used by the User (e.g. the WuBook application or from any of the reservation channels such as AirBnB.com, booking.com, etc.) and personal data on the Product Users.
Categories of the data subjects are:
Guests or people interested in accommodations and related services.
Product Users specified by the User.
This is the type of data required for providing accommodation services – i.e. for concluding contracts. It is primarily the name, surname, residence, contact information such as telephone number, email, information on the accommodation reservation (including identification of the portal from which the reservation was made and information on the made reservation, including the means of payment) and the fulfilment of the accommodation agreement.
Data for the fulfilment of the obligation pursuant to the Act on Foreign Nationals and the maintenance of the guest book can also be processed (especially information in the scope of name, surname, date of birth, nationality, permanent residency abroad, number of passport and visa, if indicated in the passport, the beginning and place of the stay, the expected duration and purpose of the stay in the Czech Republic, the beginning and end of the accommodation) and records pursuant to the regulations on the local fees (duration of accommodation, purpose of the stay, name, surname, address of site of permanent residency abroad and the number of the citizen’s card or passport). The personal data can also be processed for the purposes of issuing of accounting documents (incl. the identification of the guest, character of the service and other relevant information) and the fulfilment of tax obligations.
Personal data entered by the User for the individual guests (e.g. in the form of notes, information on discounts, etc.) can also be processed.
This is the type of data concerning the user name and password and the activity within the Product (logged activities).
The Provider, as the processor of the personal data, undertakes:
- To only process the personal data on the basis of the User’s substantiated instructions, including in the questions of submitting personal data to third countries or international organisations, while the Provider shall inform the User without delay if, in the Provider’s opinion, a certain instruction breaches this Directive or other regulations of the EU or a member state regarding the protection of data;
- To ensure that the people authorised to process the personal data have committed to confidentiality or for the legal obligation of confidentiality to apply to them;
- To accept all the technical and organisational measures to ensure the degree of security corresponding to the given risk;
- To adhere to conditions for including other processors (particularly the User’s written approval of this inclusion);
- To take into account the nature of the processing, it helps the User through suitable technical and organisational measures, if possible, for the fulfilment of the controller’s obligation to react to the request to enforce the rights of the data subject;
- To assist the User when determining conformity to the obligations to secure the personal data, report security incidents, etc.;
- To either delete all the personal data or to return it to the User after the termination of the provisioning of services related to the processing, in accordance with the User’s decision, and to delete existing copies, unless specified otherwise by legal regulations, unless the Provider receives other instructions from the User, it deletes all of the data that it processes as the processor without unnecessary delay following the termination of the Contract;
- To provide the User with all the information required for substantiating the fact that the obligations specified in this article were fulfilled, and to permit audits, including inspections, performed by the User or another auditor entrusted by the User, and to contribute to these audits;
- To report breaches of the personal data to the User without unnecessary delay after determining them. The Provider undertakes to accept suitable measures to secure the personal data, for which the security measures are primarily used: Antivirus protection, firewalls, encryption, authorisation information, armed security, etc.A sub-processor is also used for the processing (the hosting, support and maintenance of the Product), specifically Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, U.S.A., and its “Microsoft Azure” service. The User also agrees with the inclusion of external collaborators (individuals) providing the administration of our systems and the provisioning of consultations on accommodation, whereas if it is a sub-processor, the Provider will inform the User of this inclusion in advance so that the User can object to its inclusion in the processing. A corresponding contract for the protection of the User’s data is concluded with all the sub-processors.
Personal Data of contact persons
The User guarantees that the Provider is entitled to process the relevant personal data of persons the User provided to the Provider for the purpose of the fulfilment of the Contract, and that these persons were entirely informed by the User in the sense of Article 14 and the Provider does not need to inform them to the specified extent.