Information on the processing of personal data for clients

The protection of your personal data is our primary obligation. This document is to inform you about how we handle your personal data in accordance with the applicable legislation, in particular the Regulation of the European Parliament and the Council of the EU No. 2016/679 – General Data Protection Regulation (GDPR) and on the basis of Act 110/2019 Coll., which implements this directive into Czech law.

  1. Personal data controller
    The data controller for the cottage “Mlynářka” at the address Černý Důl 100, postcode: 543 44, which is an establishment with the identification number 101300564 Pavlína Sobotíková, identification number 08386293, with the registered office at Mělnická 280, postcode: 250 65 Líbeznice (hereinafter referred to as the “Controller”). The Controller has not appointed a data protection officer because the legal grounds for the appointment have not been fulfilled.
  2. Reason for collecting personal data
    In connection with the provision of these services, we are obliged to collect personal data about you to the extent necessary for the provision of accommodation services, which are required by Act 565/1990 Coll. on fees and registration activities according to which we manage and pay local fees. It is also Act No. 326/1999 Coll. on the residence of foreigners in the Czech Republic, which requires accommodation providers to register their guests with the Foreigners Police and to keep a register. If we collect and process your personal data in excess of the obligations imposed on us by law, we will always request your written consent in advance.
  3. What client personal data we process and the purpose of the processing
    The controller collects and processes the following personal data:

    1. identification data
    2. contact data
    3. other data necessary for the performance of the contract or legal obligations (e.g. signature, bank account number, bank card number).
    4. We process your personal data in particular for the purpose of providing our services and also to enable us to comply with the obligations imposed on us by law. The processing of your personal data is necessary for the performance of a contract, for the implementation of measures taken prior to entering into a contract or for the fulfilment of legal obligations to which we are subject. In addition, we may also process your personal data if we have a legitimate interest in processing it, in particular for the protection of property (e.g. by operating a CCTV system), the defence and exercise of our rights, prudence, ensuring the needs and protection of our clients, control mechanisms or other measures necessary for the operation of the Controller, and to inform you about our service offerings. If you do not wish to receive information about our services, you do not need to subscribe to our website newsletter or you can unsubscribe at any time. In other cases, we process clients’ personal data only with your consent, which is completely voluntary and not a condition for the provision of our services. The client may withdraw the consent already given at any time. The scope of the processing corresponds to the purpose for which we obtained the personal data from you or the purpose of which we informed you in advance.

  4. Recipients of personal data
    We do not pass on your personal data to other persons without your knowledge, unless we are required to do so by law, by a decision of a public authority or unless it is necessary to protect the rights of the Controller. The Controller may delegate the processing of data to a third party, called a processor. The processing is only possible on the basis of a contract which obliges the processor to the same level of protection of personal data as the Controller itself provides. The processing of personal data is carried out by the Controller, but personal data is also processed for the Controller by an IT service provider or other providers of processing software, services and applications, which are not currently used by the Controller.
    We do not transfer your personal data abroad.
  5. Sources of obtaining personal data
    We primarily process data that you have provided to us in connection with the provision of our services (bookings and accommodation tickets), as well as data from third parties authorised to handle and transfer such data and other sources in order to protect the rights and legitimate interests of the Controller.
  6. Processing period
    We keep your personal data for the period of time required by law. In order to protect the rights and legitimate interests of the Controller, longer retention periods are set for certain types of personal data. The general retention period for CCTV footage is 14 days. Personal data processed on the basis of your consent is processed for the period for which consent is given.
  7. Obligation to provide personal data to the Controller
    The provision of personal data is voluntary, as is the conclusion, booking or contract with us. However, your personal data is necessary for the fulfilment of particularly legal obligations in the provision of our services and without this data we cannot provide our services. This includes in particular the proper and correct completion of accommodation tickets.
  8. Your rights in relation to the processing and transfer of personal data
    In accordance with applicable legislation, you can exercise your rights as a data subject, which include the right to:

    1. access to data
    2. to request information from us as to whether and what personal data we process about you,
    3. to request a copy of the personal data processed
    4. to have your personal data rectified
    5. to request restriction of processing
    6. request that we erase your personal data
    7. object to the processing of personal data on the grounds of legitimate interest
    8. withdraw consent by sending an email or letter to the Data Controller
    9. to data portability if the personal data is processed by automated means on the basis of your consent or for the performance of a contract
    10. in case of doubt about the lawful processing of personal data, file a complaint with the Office for Personal Data Protection ( or apply to the court.
  9. Privacy policy
    The Controller ensures that all personal data is protected in accordance with applicable law and secured against misuse or unauthorised access by third parties. All persons who come into contact with your personal data in the course of their work or contractual duties are bound to comply with the legal regulations and policies of the Administrator regarding the handling, processing, security and protection of personal data processed in the operation of the “Mlynářka” cottage and have been informed of these legal standards and policies.
  10. Retention of personal data
    1. We only use a secure connection via a certified internet provider
    2. We only use a legal and updated operating system on all computers where personal data is processed
    3. We only use legal and up-to-date software on all computers where personal data is processed
    4. We use software to protect against data loss or theft (Firewall, Antimalware/Ransomware, Antivirus programs)
    5. We use strong passwords to access computers and cloud storage. Where possible, we use biometric authentication (fingerprint).
    6. Cloud backup at Google Inc.
    7. Email boxes at Google Inc., Wedos s.r.o. and Český hosting s.r.o.
    8. We process tax documents and accounting in the accounting software Money