Protection of Personal Data – GDPR

The information provided in this document in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter the “Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts, as amended (hereinafter the “Personal Data Protection Act”) serves to provide information to data subjects pursuant to Articles 13 and 14 of the Regulation, as well as to instruct these persons about their legal rights and about the method and scope of handling their personal data.

Controller:

• THERMALPARK DS, s., seat: 929 01 Dunajská Streda, Gabčíkovská cesta 237/38, Company ID (IČO): 31 450 920, Registration: Commercial Register of the District Court Trnava, Section: Sa, Insert No.: 224/T (hereinafter the “Controller”).

Data Subject: 

• Any natural person whose personal data are concerned. For the purposes of this document, this primarily includes visitors to the Thermalpark thermal spa area and event participants, purchasers of goods or services, and other persons present on the Controller’s premises (hereinafter the “Data Subject”).
• If the personal data of a Data Subject are provided to the Controller by another person, the provider of the Data Subject’s personal data is entitled to do so only if they have a legitimate legal basis for the provision pursuant to the relevant provisions of the Regulation or the Personal Data Protection Act and must be able to demonstrate it to the Controller upon request within 3 business days.

Disclaimer: 

• This information concerns exclusively the processing of personal data carried out by the Controller. The Controller is not responsible for the processing of personal data carried out by third parties that process personal data solely for their own purposes.

Purposes of Personal Data Processing by the Controller

• The Controller, in operating its website and online store www….sk, processes personal data of the Data Subject mainly for the purposes of:
  • establishing and fulfilling pre-contractual and contractual relationships,
• handling complaints, suggestions and claims,
• managing ordinary correspondence,
• ensuring the exercise of the Data Subject’s rights,
• monitoring compliance with visitor regulations,
• monitoring publicly accessible areas,
• monitoring non-public areas,
• necessary retention and/or archiving of created documentation and records,
• handling damages and insurance claims,
• recovering outstanding receivables and enforcing legal claims,
• business-marketing communication and promotion of the Controller, organization of competitions and prize draws,
• preparing internal analyses and statistics,
• fulfilling other obligations arising for the Controller from contractual commitments and specific legal regulations.

Processing of Personal Data Necessary for Contract Fulfilment:

• Within pre-contractual and contractual relationships, personal data are processed primarily for the purposes of:
• establishing pre-contractual relationships with data subjects (processing orders, reservations, negotiating the contractual relationship, issuing invoices and recording payments for supplied goods and services, etc.),
• fulfilling contractual relationships where the Data Subject is a contracting party, or where the contract was concluded by another third party for the benefit of the Data Subject (performance of the contract, provision of goods or services and related activities),
• handling complaints, suggestions and claims of data subjects related to the delivered goods or service for a legitimate purpose even after the contractual relationship has ended.
• Within pre-contractual and contractual relationships, personal data are processed to the extent necessary to conclude and perform the contract, in particular:
• natural person (non-entrepreneur): first name, surname, contact details, payment data, data on the subject of the contract and other personal data processed to a reasonable extent in connection with the specific contractual relationship (supplemented, for example, by other identification data);
• self-employed person: identification data of self-employed natural persons, first name, surname, contact details, payment data, data on the subject of the contract and personal data processed to a reasonable extent in connection with the specific contractual relationship, in particular data of the contact person to whom the shipment will be delivered: first name, surname, contact details;
• legal entities: identification data of the legal entity (including data on statutory representatives if necessary to achieve the purpose of processing), payment data, data on the subject of the contract and personal data processed to a reasonable extent in connection with the specific contractual relationship, in particular data of the contact person to whom the shipment will be delivered: first name, surname, contact details.
• Providing personal data is a contractual requirement only to the extent necessary for the performance of the contract in question or a requirement needed to conclude the contract. If the required personal data are not provided, this may result in failure to conclude the contractual relationship or may affect performance of the contract.
• Personal data are stored for the period necessary to enforce legal claims after termination of the contractual relationship, at least 5 years, and accounting documents are stored for 10 years. Personal data are provided mainly to the following recipients: Slovak Trade Inspection, courts and law enforcement authorities in the performance of their activities, payment service providers, postal operators, lawyers and other third parties to whom the Controller is obliged to provide data under a special legal regulation or contractual obligations, and authorized processors.

Processing of Personal Data Necessary to Fulfil the Controller’s Legal Obligation

• Under legal obligations, personal data are processed primarily for the purpose of ensuring the exercise of the rights of data subjects and keeping the relevant records that the Controller is required to keep in accordance with the provisions of the Regulation. The Data Subject is obliged to provide their personal data, particularly to the extent necessary for their precise identification in the Controller’s systems and contact details for informing them about the handling of their request (if a statement is requested). Personal data are retained for at least 5 years.
• Personal data are provided mainly to the following recipients: Office for Personal Data Protection of the Slovak Republic, lawyers, postal operator, courts and law enforcement authorities to the extent of the required cooperation, and authorized processors.
  Personal data are provided mainly to the following recipients: supervisory authorities, courts and law enforcement authorities in the performance of their activities, payment service providers, postal operators, lawyers, tax administrators (city/municipality) in tax collection, and other third parties to whom the Controller is obliged to provide data under a special legal regulation or contractual obligations, or legitimate interests.

Processing of Personal Data Based on the Data Subject’s Consent

• Based on granted consent, personal data are processed mainly for the purposes of non-targeted business-marketing communication by the Controller (so-called newsletters); organization of competitions and prize draws where the Controller is the organizer; and for other purposes defined in the specific consent.
• Providing personal data is voluntary, i.e., the person is not obliged to provide data to the Controller. If a person does not provide personal data, it will not be possible to communicate with them for the above purpose.
• Personal data are processed on the basis of consent for the duration of the relevant consent or until it is withdrawn. After the consent expires, the Controller will no longer process personal data for the purpose defined by the respective consent of the Data Subject.
• Personal data are provided mainly to the following recipients: third parties defined by the consent if the Data Subject has granted consent to provide their personal data to a third party, and authorized processors.

Processing of Personal Data Based on the Legitimate Interests of the Controller or a Third Party

• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data primarily for handling routine correspondence with data subjects that does not concern the above purposes of processing. Personal data are retained for the period necessary to handle them and to protect the Controller’s legally protected interests (usually 2 years). Personal data are provided mainly to the following recipients: postal operator, couriers, other third parties in connection with the purpose of the correspondence, and authorized processors.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for monitoring publicly accessible areas using CCTV systems to ensure public order, protection of persons and property, and safety. The recordings are kept for 14 days. Personal data are provided mainly to the following recipients: lawyer, courts and law enforcement authorities to the extent of the required cooperation, and authorized processors.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for monitoring non-public areas (building back-offices, non-public areas of the Thermalpark thermal spa, etc.) using CCTV systems for the purpose of security, protection of persons and property, and safety of the Controller. The recordings are kept for 14 days.
  Personal data are provided mainly to the following recipients: lawyer, courts and law enforcement authorities to the extent of the required cooperation, and authorized processors.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for the necessary retention or archiving of created documentation and records, where the Controller sets retention periods primarily according to the periods determined by special legal regulations, or the retention periods are necessary for asserting legal claims and the Controller’s legally protected interests. Personal data are provided mainly to recipients in connection with the use of the retained document or record (e.g., supervisory authorities, courts and law enforcement authorities, etc.) and to authorized processors.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for handling damages and insurance claims. Personal data are retained for the period until the insurance claim is resolved. Documents related to the Controller’s accounting agenda are subsequently kept for 10 years.
  Personal data are provided mainly to the following recipients: lawyer, courts and law enforcement authorities to the extent of the required cooperation, the insurance company, and authorized processors.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for business-marketing communication if the Controller can demonstrate a relationship with the Data Subject. Personal data are processed for this purpose unless the Data Subject objects.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for the promotion of the Controller by publishing photographs, video recordings and promotional materials, where the Controller’s intention is not to make and publish likenesses of specific data subjects, but to promote its business activities by documenting the course of events. The Data Subject has the right to object to the publication of the relevant likeness or recording. The Controller undertakes not to unlawfully interfere with the rights of data subjects within this processing purpose.
• Within its legitimate interest or the legitimate interest of a third party, the Controller processes personal data for preparing internal analyses and statistics of the Controller, which usually consist of anonymized data that are not personal data of the Data Subject.

Rights of the Data Subject in the Processing of Their Personal Data

• The Data Subject has the right to information about the processing of their personal data; to obtain access to the personal data that are processed and stored about them; to request rectification of their incorrect, inaccurate or incomplete personal data; to request erasure of their personal data when they are no longer necessary or when processing is unlawful; to object to the processing of their personal data for marketing purposes or on grounds relating to their particular situation; to request restriction of processing of their personal data in specific cases; to receive their personal data in a machine-readable format and/or request their transfer to another controller; to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, if such consent was given by the Data Subject; to request that decisions based on automated processing that concern them or significantly affect them and that are based on their personal data be made by natural persons and not automated technical means, if personal data are processed by the Controller in this way. The Data Subject has the right to express their opinion and to object to the Controller’s decision; to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, and the right to an effective judicial remedy if they consider that the processing of their personal data is contrary to legal regulations – the supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic, with its seat at Hraničná 12, 820 07 Bratislava; to submit a request or complaint to the Controller in connection with the protection and processing of their personal data.
• Any Data Subject who wishes to submit a request or complaint and exercise their rights may do so:
• in writing at: THERMALPARK DS, s., Gabčíkovská cesta 237/38, 929 01 Dunajská Streda
• in person at the reception of the Thermalpark thermal spa
• electronically at: info@thermalpark.sk

Information on the Processing of Cookies on the website www.eshop.thermalpark.sk

A cookie is a small text file that visited websites send to the browser. Cookies are important. Without them, browsing the web would be much more complicated. Cookies in no case provide us with access to your computer or any information about you, except for data that you choose to share with us. They allow websites to remember information about your visit, for example to store your safe-search preferences, to select relevant ads, to track the number of visitors to the site, to simplify registration for new services and to protect your data. Your next visit to the site can thus proceed more easily and be more productive.