Information notice for clients concerning the processing of their personal data

Dear clients,
We are subject to a number of obligations concerning the protection of your personal data, resulting from the valid legislation: Act 101/2000 on protection of personal data and amendment of certain acts, as amended,  and, most importantly, from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), becoming effective on 25 May 2018. Please rest assured that we pay maximum attention to compliance with them; early and in advance, we would like to give you the essential information about how your personal data are processed.

1. What data do we process?
In your case, the following data are processed by THERMAL-F, a.s., identification number 25401726, with registered office at I.P. Pavlova 2001/1, Karlovy Vary:

For your therapeutic stays in our spa:
- personal contact details contained in the registration form you filled in when starting your stay in our spa:

  • first name and last name, optionally with an academic degree,
  • birth date,
  • your principal/permanent address,
  • additionally with foreign nationals, the details required by the law on registration of stays by foreign nationals (nationality, passport/ID number, visa number)

- the data contained in the suggested spa therapy programme, on top of your contact details:

  • details of your health insurance company,
  • number of health insurance beneficiary,
  • details of the physician filing the suggestion,
  • details of your employer,
  • details of your diagnosis,
  • details of the suggested stay duration,

- details of your previous therapeutic stays: data about the therapeutic services rendered to you across our facilities, as well as additional data required by health insurance companies for refunds of therapeutic services within the therapy/rehabilitation programmes;
- with paying private guests, including also the data of your payments (optionally including your bank account number or your credit/debit card number).

If you are a member to our loyalty programme/club, additionally:
- details of this membership as stated in the application for the loyalty programme/club, along with details of any benefits used.
We do not process any other data relating to you.

 

2. Due to what reason, for what purpose, and for how long are your personal data processed?
The details contained in the suggested therapy plan as well as the registration form, along with details of the stay duration are processed due to the legal relationship arising between you and this spa, with its purpose being spa therapy and rehabilitation, combined with complementary services (accommodation, catering etc.). The purpose of this processing is to serve these services.

Similarly, details of your previous therapeutic stays are processed under the same legal provisions; with therapy and rehabilitation covered by the health insurance in part of in full, details of our health services rendered to you across our facilities to health insurance must be also reported by us to your insurance company, along with additional details requested by health insurance companies. We must also ensure the data verification by health insurance companies.

Regarding foreign nationals, we process the data required to register stays of foreign nationals, as stipulated by Act 326/1999 on stays of foreign nationals in the Czech Republic and repealing some acts, as amended. This processing is done by us solely for the sake of compliance with said legal obligation, including the submission of the details from your registration form to the immigration police.

Where your consent has been given to processing your contact details and details of your stays in our facilities, the data are processed upon your consent (and in analogy, if you are member to our loyalty plan/club). The purpose behind the processing is our ability to inform you about our offers of services and products.

The invoices and bills we issue to cover the care provided also contain certain personal details (client's full name, type of service provided, date of invoice/bill). Such documents are kept by us solely in order to comply with the relevant provisions of accountancy and tax law for the periods specified under such provisions.

The services provided have never been questioned by health insurance companies or private fee-paying patients. Should such a situation occur though, we would be legally required to process the details of the care provided during the dispute, for the sole purpose of protecting our rights in such a dispute. Should we process your data in such a mode, we will inform you about the fact with no undue delay.

Where details are processed following your consent, the processing time is limited to the duration of your consent, typically 10 years, unless the consent is withdrawn earlier.

 

3. Who is your personal data made accessible or presented to?
Your personal data is made accessible solely to the relevant health insurance company for the sake of verification, which is mandatory for health insurance companies under the general legislation (Act 48/1997 on public health system and the modification of certain relevant acts, as amended). If you are paying private guest, your personal details are not made accessible to anybody.

With foreign nationals, we submit the personal data stated in the registration form to the immigration police.

We may submit your personal data to third parties who ensure additional services for us: mail delivery, debt collection, and legal services. Such third parties are deemed processors of personal data; we provide them with only the personal data necessary for the specific purpose (mail delivery, debt collection, legal services) and only relating to those clients to whom such specific complementary activity applies. The processors of personal data ensuring these activities are carefully selected, replaced and complemented on an ongoing basis. Because of such updates and changes, upon your request in writing or by email, we are ready to provide you with a current list of such parties who may be considered for submission of your private data as specified above.

Your personal data are never tranferred to any foreign country.

 

4. Your rights under applicable law
Please note that under the currently applicable law on protection of personal data, you are granted these rights:
- The right to access to your personal data processed by us.
- The right to amend your personal data provided they are false and inaccurate in any way.
- Should you find or believe that your personal data are processed by us in a manner that is detrimental to the protection of your privacy and personal life or in breach of the law, in particular should your data be inaccurate in terms of the processing purpose, you have the right to request an explanation from us and request us to remedy such a situation (e.g. by blocking, modifying, completing or deleting your personal data).
- The right to request erasure of your personal data or limitation of their processing.
- The right to object to their processing in order to assess if there was a breech of the legal duties imposed on us by current law.
- Where you personal data is processed upon your consent, you have the right to withdraw your consent.
- Apart from the rights above, you also have the right to file a complaint with the supervisory authority, that being the Office for Personal Data Protection at Pplk. Sochora 27, 170 00 Praha 7.
- You also have the right to transfer the data that were provided by you to us and that are processed by us owing to the necessity of their processing for the sake of contract performance. Should you wish to transfer your data to a different administrator, we will enable you to receive your personal data in a structured, commonly used and machine-readable format, or, if feasible, we will transfer the data directly to that different administrator.

In case of any unclarity or questions relating to the processing of your personal data, please feel free to contact us any time in writing at this address: THERMAL-F, a.s.,   I.P. Pavlova 2001/1, Karlovy Vary; or by calling 359 002 251; and by emailing the person in charge at gdpr@thermal.cz.