Consent to the Processing of Personal Data - GDPR

Letiště Praha, a. s., registered office at K letišti 1019/6, Ruzyně, Post Code 161 00, Praha 6, ID no.: 282 44 532, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 14003 (hereinafter the “Controller”) informs you, as the data subject (hereinafter the “data subject”) in accordance with Article 13 of the Regulation (EU) 2016/679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “GDPR”), on the processing of his or her personal data:

Purpose of personal data processing

The personal data are obtained directly from the data subject at the moment of logging in to the "Flight Tracking" service. The Controller agrees to process accurate personal data solely for the purpose of:

• legitimate interests of the Controller [in accordance with Article 6(1)(f) of GDPR]. The Controller processes the personal data of the data subject only for the purpose of providing the "Flight Tracking" service. The reason for providing personal data by the data subject is his/her interest in information regarding the selected flight. Failure to provide personal data may result in the Controller being unable to inform the data subject about the flight in question.

The Controller agrees that it will not process the personal data in a manner which is incompatible with the above-specified purpose.

Scope of personal data

The Controller agrees to process personal data only to the extent necessary for the above-specified purpose for which the data are processed. The scope of the personal data covers:

• telephone number,
• email address,

(hereinafter as “Personal Data”).

Personal data processing period

The Controller agrees to process the Personal Data for the period necessary in relation to the purpose stated above, but no longer than for the duration of the provision of the "Flight Tracking" service. After the expiry of this period the Controller has the duty to destroy the Personal Data.

Categories of recipients of Personal Data and transfer of Personal Data

The Controller declares that the Personal Data shall only be made accessible to those employees of the Controller who are bound by the non-disclosure obligation in relation to these data as well as the security measures the disclosure of which would jeopardize the safety of these Personal Data.

The Controller also declares that it will not transfer the Personal Data to any third countries or any international organization.

Automated decision-making

Automated decision-making or profiling under Article 22 of GDPR shall not be used during the processing of the data subject’s Personal Data.

Rights of data subject

The Controller informs the Inquirer on his or her rights ensuing from the GDPR, particularly:

• right of access to Personal Data (the data subject has the right to obtain from the Controller confirmation as to whether or not the Personal Data concerning him or her are being processed pursuant to Article 15 of GDPR);
• right of rectification (the data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her and the right to have incomplete Personal Data completed under Article 16 of GDPR);
• right to erasure (the data subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay where one of the grounds specified in Article 17 of GDPR applies);
• right to restriction of processing (the data subject has the right to obtain from the Controller restriction of processing in the cases laid down in Article 18 of GDPR);
• right to object (the data subject has the right to object, on ground relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on these provisions under Article 21 of GDPR);
• right not to be subject to any decision based solely on automated processing (the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her under Article 22 of GDPR);
• right to lodge a complaint with a supervisory authority, which is the Office for the Protection of Personal Data, registered seat at Pplk. Sochora 727/27, Post Code 170 00, Praha 7.

Data protection officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The Inquirer hereby declares that he or she was duly informed by the Controller on the processing of information in compliance with the provision of Article 13 of GDPR and that the provided Personal Data are accurate and true.

Validity:
Version: II

Letiště Praha, a. s., registered office at K letišti 1019/6, Ruzyně, Post Code 161 00, Praha 6, ID no.: 282 44 532, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 14003 (hereinafter the “Controller”) informs the inquirer as the data subject (hereinafter the “Inquirer”) in accordance with Article 13 of the Regulation (EU) 2016/679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “GDPR”), on the processing of his or her personal data:

Purpose of personal data processing

The personal data are obtained directly from the Inquirer at the moment of the sending of the ninquiry, complaint or suggestion. The Controller agrees to process accurate personal data solely for the purpose of:

• legitimate interests of the Controller [in accordance with Article 6(1)(f) of GDPR]. The Controller processes the Inquirer’s personal data for the purpose of handling an inquiry,complaint or suggestion which was sent by the Inquirer. The reason for the provision of the personal data by the Inquirer to the Controller is the possibility to send the Inquirer an answer to his or her inquiry, complaint or suggestion, which would not be possible without the provision of these data. Non-provision of the personal data may result in the Controller not sending the answer.

The Controller agrees that it will not process the personal data in a manner which is incompatible with the above specified purpose.

Scope of personal data

The Controller agrees to process personal data only to the extent necessary for the above-specified purpose for which the data are processed. The scope of the personal data covers:

• first name and surname,
• email address,

(hereinafter as “Personal Data”).

Personal data processing period

The Controller agrees to process the Personal Data which it processes for the above-specified purpose for the period of handling the inquiry, complaint or suggestion and subsequently for 2 years (in the given case the Controller has a legitimate interest in the retention of these Personal Data after the clearance of the inquiry, complaint or suggestion in order to protect its rights in the event of potential court disputes). After the expiry of this period the Controller has the duty to destroy the Personal Data.

Categories of recipients of Personal Data and transfer of Personal Data

The Controller declares that the Personal Data shall only be made accessible to those employees of the Controller who are bound by the non-disclosure obligation in relation to these data as well as the security measures the disclosure of which would jeopardize the safety of these Personal Data.

The Controller declares that personal data will be transferred for the above purposes to Bloomreach CZ s.r.o., with registered office at Vlněna 526/5, Trnitá, 602 00 Brno, IČO: 059 27 927, registered in the commercial register maintained by the Regional Court in Brno, section C, file 127136 (hereinafter referred to as "Bloomreach"), as this company ensures the sending of business communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of Bloomreach.

The Controller also declares that it will not transfer the Personal Data to any third countries or any international organization.

Automated decision-making

Automated decision-making or profiling under Article 22 of GDPR shall not be used during the processing of the Inquirer’s Personal Data.

Rights of data subject

The Controller informs the Inquirer on his or her rights ensuing from the GDPR, particularly:

• right of access to Personal Data (the data subject has the right to obtain from the Controller confirmation as to whether or not the Personal Data concerning him or her are being processed pursuant to Article 15 of GDPR);
• right of rectification (the data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her and the right to have incomplete Personal Data completed under Article 16 of GDPR);
• right to erasure (the data subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay where one of the grounds specified in Article 17 of GDPR applies);
• right to restriction of processing (the data subject has the right to obtain from the Controller restriction of processing in the cases laid down in Article 18 of GDPR);
• right to object (the data subject has the right to object, on ground relating to his or herparticular situation, at any time to processing of Personal Data concerning him or her whichis based on point (e) or (f) of Article 6(1), including profiling based on these provisions under Article 21 of GDPR);
• right not to be subject to any decision based solely on automated processing (the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her under Article 22 of GDPR);
• right to lodge a complaint with a supervisory authority, which is the Office for the Protection of Personal Data, registered seat at Pplk. Sochora 727/27, Post Code 170 00, Praha 7.

Data protection officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The Inquirer hereby declares that he or she was duly informed by the Controller on the processing of information in compliance with the provision of Article 13 of GDPR and that the provided Personal Data are accurate and true.

Validity:
Version: II

I as the Data Subject, hereby grant to Letiště Praha, a. s., with its registered office at K letišti 1019/6, Ruzyně, postal code 161 00, Praha 6, reg. No. (IČO): 282 44 532, registered in the Commercial Register administered by the Municipal Court in Prague, Section B, insert 14003 (hereinafter the Controller) pursuant to Art. 6 (1) a) and Art. 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) my free and clear consent to my personal data processing (hereinafter the Consent), under the below conditions:

Purpose of personal data processing

The Data Subject’s personal data will be processed subject to his/her consent. The reason for personal data provision by the data subject is the data subject´s interest in the purpose of personal data processing being fulfilled which would not be possible without the provision of personal data.

The Controller undertakes to process accurate personal data only for the following purpose:

• the sending of commercial messages (direct marketing).

The Controller undertakes not to process personal data in any manner contradicting the above purpose.

Scope of personal data

The Controller undertakes to process personal data only to the extent necessary in connection with the above purpose for which they are being processed. The scope of personal data provided under the consent is as follows:

• email address,

(hereinafter Personal Data).

Personal data processing period

Categories of recipients of Personal Data and transfer of Personal Data

The Controller represents that personal data will only be disclosed to the respective employees of the Controller who are obliged to maintain confidentiality in respect of these data as well as of the security measures the disclosure of which would put the security of such personal data at risk.

The Controller declares that for the above purposes personal data will be transferred to UAB “MailerLite”, with its registered office at Paupio Str. 46, Vilnius, Lithuania, company No. 302942057 (hereinafter the Processor), a company that is in charge of sending commercial messages on behalf of the Controller. The obligation to observe confidentiality of personal data also applies to the respective personnel of the Processor.

The Controller declares that personal data will be transferred for the above purposes to Bloomreach CZ s.r.o., with registered office at Vlněna 526/5, Trnitá, 602 00 Brno, IČO: 059 27 927, registered in the commercial register maintained by the Regional Court in Brno, section C, file 127136 (hereinafter referred to as "Bloomreach"), as this company ensures the sending of business communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of Bloomreach.

The Controller also represents that it will not transfer any personal data to any third countries or to any international organization.

Automated Decision-Making and Profiling

During the processing of your personal data, no automatic decision-making shall take place.

Prague Airport will use profiling (a form of automated processing of the customer’s personal data consisting of the use of personal data to evaluate certain personal aspects relating to the customer, in particular analyses or estimates of aspects regarding personal preferences and interests) in order to personalise the offer of services and products (targeted advertising).

 If you object to profiling, Prague Airport undertakes to stop profiling in relation to you.

Withdrawal of Consent to Personal Data Processing

The Data Subject has the right to withdraw his/her consent to the processing of personal data at any time without any restriction or damage, either at the address of the Controller's registered office or at the following email address: dpo@prg.aero.cz.

Rights of data subject

The Controller informs the Inquirer on his or her rights ensuing from the GDPR, particularly:

• the right of access to personal data (the Data Subject will have the right to obtain from the Controller confirmation as to whether or not any personal data concerning him or her are being processed pursuant to Art. 15 of the GDPR);
• the right to rectification (the Data Subject will have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her, as well as the right to have incomplete personal data completed pursuant to Art. 16 of the GDPR);
• the right to erasure (the data subject will have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the grounds specified in Art. 17 of the GDPR applies);
• the right to restriction of processing (the data subject shall have the right to obtain from the controller a restriction of processing in those cases specified in Art. 18 of the GDPR);
• the right to data portability (the Data Subject is entitled to obtain personal data concerning him/her which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the Controller to whom the personal data has been provided in those cases specified in Art. 20 of the GDPR);
• the right to object (the Data Subject has the right to object at any time to processing of personal data concerning you for marketing purposes (sending commercial messages) which is based on Art. 6(1)(e) or (f) of the GDPR, including profiling based on those provisions, pursuant to Art. 21 of the GDPR). If a Data Subject objects to the processing of his/her personal data, Prague Airport will stop processing their personal data for this purpose without further action;
• the right not to be subject to a decision based solely on automated processing (the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her pursuant to Art. 22 of the GDPR);
• the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, with its seat at Pplk. Sochora 727/27, postal code 170 00, Praha 7.

Data protection officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The Data Subject hereby declares to have been duly informed by the Controller about the processing of personal data in accordance with Art. 13 of the GDPR and that the personal data provided are true and accurate and are provided to the Controller voluntarily.

Validity:
Version: IV

Letiště Praha, a. s., with its registered office at K letišti 1019/6, Ruzyně, postal code 161 00, Praha 6, Registration No.: 282 44 532, incorporated in the Commercial Register administered by the Municipal Court in Prague, Section B, Entry 14003 (hereinafter “Controller”), informs the customer as the data subject (hereinafter “Customer”) in compliance with Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”), about the processing of his or her personal data:

The Purpose of Personal Data Processing

Personal data are acquired directly from the Customer upon their sending of an order. The Controller undertakes to process accurate personal data only for the following purpose:

• performance of the contract (contract for the provision of services) [pursuant to article 6(1)(b) of the GDPR] and its further performance, including the handling of any claims made by the Customer arising from faulty performance. It is also necessary to process the Customer’s personal data in order to meet any legal obligations applicable to the Controller. The Controller is obliged to meet all legal obligations ensuing from legal regulations governing the rights and obligations related to consumer protection and bookkeeping. The grounds for the disclosure of personal data by the Customer to the Controller consist in the identification of the contracting parties necessary for the conclusion and performance of a contract (contractual requirement), which would not be otherwise possible without the provision of these data. The failure to provide personal data by the Customer may result in the non-performance or suspension of the performance on the part of the Controller.

• the sending of commercial communications (direct marketing) [pursuant to Recitals 47 and 70 and Art. 6(1)(f) of the GDPR]. In such a case of the processing of personal data, the Controller has a legitimate interest in the promotion of the services it provides. The reason for the provision of personal data by the Customer to the Controller is the Customer´s interest in receiving commercial communications which would not be possible without the provision of such personal data.

The Controller undertakes not to process personal data in any manner contradicting the above purposes.

The Scope of Personal Data

The Controller undertakes to process personal data only to the extent necessary in connection with the above purposes for which they are being processed. The extent of personal data is as follows:

• first and last name,
• email address,
• postal code,
• telephone number,

(hereinafter “Personal Data”).

The Period of Personal Data Processing

The Controller undertakes to process the personal data it processes for the purpose of performing the contract for a period of 5 years from the day when the personal data were received from the Customer. The Controller is obliged to retain the personal data in compliance with all generally applicable legal regulations, specifically pursuant to Act No. 235/2004 Coll., on Value Added Tax. After this period expires, the Controller is obliged to dispose of the personal data.

The Controller undertakes to process the personal data it processes for the purpose of sending commercial communications (direct marketing) for a period of 10 years from the day when the personal data were received from the Customer. After this period expires, the Controller is obliged to dispose of the personal data.

Pursuant to Recital 70 and Article 21 of the GDPR, the Controller expressly points out to the Customer that as far as the personal data being processed for the purposes of sending commercial communications (direct marketing) is concerned, the Customer is entitled to raise an objection to this processing of personal data at any time free of charge (including profiling, if it is related to this direct marketing), to the extent to which this processing is connected to direct marketing, regardless of whether this processing is initial or subsequent. If the Customer raises an objection to the processing of personal data for the purposes of sending commercial communications (direct marketing), the Controller undertakes to no longer process the personal data for these purposes.

The Categories of Recipients of Personal Data and the Transfer of Personal Data

The Controller represents that personal data shall only be disclosed to the respective employees of the Controller, who are obliged to maintain confidentiality in respect of these data as well as of the security measures the disclosure of which would put the security of such personal data at risk.

The Controller represents that each e-mail address, as an item of personal data, shall be handed over to UAB “MailerLite”, with its registered seat at Paupio str. 46, Vilnius, Lithuania, company number 302942057 (hereinafter the “Processor”) for the purposes of sending commercial communications, because this company provides the sending of commercial communications on behalf of the Controller. The obligation to observe confidentiality of personal data also applies to the respective personnel of the Processor.

The Controller declares that personal data will be transferred for the above purposes to Bloomreach CZ s.r.o., with registered office at Vlněna 526/5, Trnitá, 602 00 Brno, IČO: 059 27 927, registered in the commercial register maintained by the Regional Court in Brno, section C, file 127136 (hereinafter referred to as "Bloomreach"), as this company ensures the sending of business communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of Bloomreach.

The Controller also represents that it will not transfer any personal data to any third countries or to any international organizations.

Automated Decision-Making

During the processing of the personal data of the Customer, no automatic decision-making shall take place pursuant to
Art. 22 of the GDPR.

The Controller hereby draws the Customer´s attention to the fact that data profiling is going to be conducted (a form of automatic processing of the Customer´s personal data consisting of the use of personal data to evaluate certain personal aspects pertaining to the Customer, in particular analyses or estimates of aspects regarding personal preferences and interests). The Controller uses profiling only to personalize the offer of services (targeted advertising). If the Customer raises any objection against profiling, the Controller undertakes to refrain from conducting profiling in relation to the Customer.

The Rights of the Data Subject

The Controller hereby informs the Customer of the Customer´s rights ensuing from the GDPR, in particular of the following:

• the right of access to personal data (the data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed pursuant to Art. 15 of the GDPR);
• the right to rectification (the data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her, as well as the right to have incomplete personal data completed pursuant to Art. 16 of the GDPR);
• the right to erasure (the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the grounds specified in Art. 17 of the GDPR applies);
• the right to restriction of processing (the data subject shall have the right to obtain from the controller a restriction of processing in those cases specified in Art. 18 of the GDPR);
• the right to data portability (the Data Subject is entitled to obtain personal data pertaining to them and provided by them to the Controller in a structured, commonly used and machine-readable format, and they also have the right to hand these data over to another controller, without this being prevented by the Controller to whom these personal data have been provided, in cases stipulated in Art. 20 of the GDPR); the Customer may only exercise the right to data portability in case of processing personal data for the performance of the contract pursuant to Art. 20 of the GDPR.
• the right to raise an objection (for reasons connected to their specific situation, the data subject is entitled to raise an objection to the processing of personal data pertaining to them pursuant to Art. 6 (1) e) or f) of the GDPR, including profiling based on these provisions pursuant to Art. 21 of the GDPR); the Customer may exercise the right to raise an objection only if the personal data is processed for the purposes of sending commercial communications (direct marketing), which includes profiling, if related to such direct marketing pursuant to Art. 21 of the GDPR (as above);
• the right not to be subject to a decision based solely on automated processing (the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her pursuant to Art. 22 of the GDPR);
• the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection, with its seat at Pplk. Sochora 727/27, postal code 170 00, Praha 7.

The Data Protection Officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The Customer hereby declares to have been duly informed by the Controller about the processing of personal data in accordance with Art. 13 of the GDPR and that the personal data provided are true and accurate.

Validity:
Version: V

Letiště Praha, a. s., registered office at K letišti 1019/6, Ruzyně, Post Code 161 00, Praha 6, ID no.: 282 44 532, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 14003 (hereinafter the “Controller”) informs the customer as the data subject (hereinafter the “Customer”) in accordance with Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC General Data Protection Regulation (hereinafter as “GDPR”), on the processing of his or her personal data:

Purpose of personal data processing

The personal data are obtained directly from the Customer at the time of the sending of the purchase order. The Controller agrees to process accurate personal data solely for the purpose of:

 fulfillment of the contract (contract for provision of services) [in accordance with Article 6(1)(b) of GDPR] and its subsequent performance, including the handling of Customer’s claims from defective performance, if any. The processing of Customer’s personal data is also necessary for the fulfillment of the legal obligation that applies to the Controller. The Controller has the duty to fulfill the legal obligations arising from the legal regulations defining the rights and obligations in connection with consumer protection and accountancy. The reason for the provision of personal data by the Customer to the Controller is the identification of the parties necessary for the entry into and performance of the contract (contractual requirement), which would not be possible without the provision of such data. The non-provision of the Customer’s personal data may result in the non-provision of the performance or the termination of the provision of the performance by the Controller.

 sending of commercial communications (direct marketing) [in accordance with point and point 70 and Article 6(1)(f) of GDPR]. In the given case of personal data processing the Controller has a legitimate interest in the promotion of the services it provides. The reason for the provision by the Customer of its personal data to the Controller is the Customer’s interest in the sending of commercial communications, which would not be possible without the provision of the personal data.

The Controller agrees that it will not process the personal data in a manner which is incompatible with the above-specified purposes.

Scope of personal data

The Controller agrees to process personal data only to the extent necessary for the above-specified purposes for which the data are processed. The scope of the personal data covers:

 first name and surname,

 date of birth (age),

 residence address,

 phone number,

 email address,

(hereinafter as “Personal Data”).

Personal data processing period

The Controller undertakes to process the Personal Data which it processes for the purpose of performing the contract for the period of 5 years from the day when the Personal Data are obtained from the Customer. The Controller has the duty to retain the Personal Data pursuant to generally binding legal regulations, specifically Act no. 235/2004 Coll., on Value Added Tax. After the expiry of this period the Controller has the duty to destroy the Personal Data.

The Controller undertakes to process the Personal Data which it processes for the purpose of sending commercial communications (direct marketing) for the period of 3 years from the day when the Personal Data are obtained from the Customer. After the expiry of this period the Controller has the duty to destroy the Personal Data.

 right to restriction of processing (the data subject has the right to obtain from the Controller restriction of processing in the cases laid down in Article 18 of GDPR);

 right to data portability (the data subject has the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Controller in the cases specified in Article 20 of GDPR); the Customer may only assert the right to data portability where the Personal Data are processed for the purpose of fulfilling the contract under Article of GDPR.

 right to object (the data subject has the right to object, on ground relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on these provisions under Article 21 of GDPR); the Customer may only assert the right to object where the Personal Data are processed for the purpose of sending commercial communications (direct marketing), which includes profiling to the extent that it is related to such direct marketing under Article 21 of GDPR (see above);

 right not to be subject to any decision based solely on automated processing (the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her under Article 22 of GDPR);

 right to lodge a complaint with a supervisory authority, which is the Office for the Protection of Personal Data, registered seat at Pplk. Sochora 727/27, Post Code 170 00, Praha 7.

Data protection officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The Customer hereby declares that he or she was duly informed by the Controller on the processing of information in compliance with the provision of Article 13 of GDPR and that the provided Personal Data are accurate and true.

Validity:
Version: III

Letiště Praha, a. s., registered office at K letišti 1019/6, Ruzyně, Post Code 161 00, Praha 6, ID no.: 282 44 532, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 14003 (hereinafter the “Controller”) informs the customer as the data subject (hereinafter the “Customer”) in accordance with Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “GDPR”), on the processing of his or her personal data:

Purpose of personal data processing

The personal data are obtained directly from the Customer at the time of the sending of the purchase order. The Controller agrees to process accurate personal data solely for the purpose of:

• fulfillment of the contract (contract for provision of services) [in accordance with Article 6 (1)(b) of GDPR] and its subsequent performance, including the handling of Customer’s claims from defective performance, if any. The processing of Customer’s personal data is also necessary for the fulfillment of the legal obligation that applies to the Controller. The Controller has the duty to fulfill the legal obligations arising from the legal regulations defining the rights and obligations in connection with consumer protection and accountancy. The reason for the provision of personal data by the Customer to the Controller is the identification of the parties necessary for the entry into and performance of the contract (contractual requirement), which would not be possible without the provision of such data. The non-provision of the Customer’s personal data may result in the non-provision of the performance or the termination of the provision of the performance by the Controller.

• compliance with the legal obligation imposed on the Controller [in accordance with Article 6 (1)(c) of GDPR]. In this case, the Controller has a legal obligation to process the Customer's personal data pursuant to Act No. 235/2004 Coll., on Value Added Tax. The Customer's personal data are contained in the accounting document/invoice, which the Controller is obliged to keep.

• sending of commercial communications (direct marketing) [in accordance with point 47 and point 70 and Article 6(1)(f) of GDPR]. In the given case of personal data processing the Controller has a legitimate interest in the promotion of the services it provides. The reason for the provision by the Customer of its personal data to the Controller is the Customer’s interest in the sending of commercial communications, which would not be possible without the provision of the personal data.

The Controller agrees that it will not process the personal data in a manner which is incompatible with the above-specified purposes.

Scope of personal data

The Controller agrees to process personal data only to the extent necessary for the above-specified purposes for which the data are processed. The scope of the personal data covers:

• first name and surname,
• birthdate,
• home address,
• telephone number,
• email address,

(hereinafter as “Personal Data”).

Personal data processing period

The Controller undertakes to process the Personal Data which it processes for the purpose of performing the contract for the period of 10 years from the day when the Personal Data are obtained from the Customer. The Controller has the duty to retain the Personal Data pursuant to generally binding legal regulations, specifically Act no. 235/2004 Coll., on Value Added Tax. After the expiry of this period the Controller has the duty to destroy the Personal Data.

The Controller undertakes to process the Personal Data which it processes for the purpose of sending commercial communications (direct marketing) for the period of 3 years from the day when the Personal Data are obtained from the Customer. After the expiry of this period the Controller has the duty to destroy the Personal Data.

In accordance with point 70 and Article 21 of GDPR the Controller explicitly informs the Customer of the fact that in relation to Personal Data that are processed for the purposes of sending commercial communications (direct marketing) the Customer has the right to object to such processing of Personal Data (including profiling to the extent that it is related to such direct marketing), whether with regard to initial or further processing, at any time and free of charge. Where the Customer objects to the processing of Personal Data for the purposes of sending commercial communications (direct marketing), the Controller agrees that Personal Data shall no longer be processed for such purposes.

Categories of recipients of Personal Data and transfer of Personal Data

The Controller declares that the Personal Data shall only be made accessible to those employees of the Controller who are bound by the non-disclosure obligation in relation to these data as well as the security measures the disclosure of which would jeopardize the safety of these Personal Data.

The Controller declares that the Personal Data will be made available for the purposes
of order/reservation management to HOTELTIME SOLUTIONS a.s., incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 7769 (hereinafter the “Processor”). The non-disclosure obligation in relation to Personal Data also applies to the relevant employees of the Processor.

The Controller declares that the Personal Data–email address shall for the purposes of sending commercial communications (direct marketing) be transferred to UAB “MailerLite”, registered office at Paupio str. 46, Vilnius, Lithuania, company number 302942057 (hereinafter the “Processor”), because this company provides the commercial communication distribution service to the Controller. The Personal Data non-disclosure obligation also applies to the relevant employees of the Processor.

The Controller declares that personal data will be transferred for the above purposes to Bloomreach CZ s.r.o., with registered office at Vlněna 526/5, Trnitá, 602 00 Brno, IČO: 059 27 927, registered in the commercial register maintained by the Regional Court in Brno, section C, file 127136 (hereinafter referred to as "Bloomreach"), as this company ensures the sending of business communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of Bloomreach.

The Controller also declares that it will not transfer the Personal Data to any third countries or any international organization.

Automated decision-making

Automated decision-making under Article 22 of GDPR shall not be used during the processing of the Customer’s Personal Data.

The Controller informs the Customer of the existence of profiling (a form of automated processing of the Customer’s Personal Data involving the use of the Personal Data for the evaluation of certain personal aspects relating to the Customer, in particular the analysis or prediction of aspects concerning personal preference and interests). The controller uses profiling only for the purpose of the personalization of the services offer (targeted advertising). If the Customer objects to the profiling, the Controller agrees to terminate the profiling of the Customer.

Rights of data subject

The Controller informs the Customer on his or her rights ensuing from the GDPR, particularly:

• right of access to Personal Data (the data subject has the right to obtain from the Controller confirmation as to whether or not the Personal Data concerning him or her are being processed pursuant to Article 15 of GDPR);
• right of rectification (the data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her and the right to have incomplete Personal Data completed under Article 16 of GDPR);
• right to erasure (the data subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay where one of the grounds specified in Article 17 of GDPR applies);
• right to restriction of processing (the data subject has the right to obtain from the Controller restriction of processing in the cases laid down in Article 18 of GDPR);
• right to data portability (the data subject has the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Controller in the cases specified in Article 20 of GDPR); the Customer may only assert the right to data portability where the Personal Data are processed for the purpose of fulfilling the contract under Article 20 of GDPR.
• right to object (the data subject has the right to object, on ground relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on these provisions under Article 21 of GDPR); the Customer may only assert the right to object where the Personal Data are processed for the purpose of sending commercial communications (direct marketing), which includes profiling to the extent that it is related to such direct marketing under Article 21 of GDPR (see above);
• right not to be subject to any decision based solely on automated processing (the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her under Article 22 of GDPR);
• right to lodge a complaint with a supervisory authority, which is the Office for the Protection of Personal Data, registered seat at Pplk. Sochora 727/27, Post Code 170 00, Praha 7.

Data protection officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The Customer hereby declares that he or she was duly informed by the Controller on the processing of information in compliance with the provision of Article 13 of GDPR and that the provided Personal Data are accurate and true.

Validity:
Version: III

Letiště Praha, a. s., registered office at K letišti 1019/6, Ruzyně, Post Code 161 00, Praha 6, ID no.: 282 44 532, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 14003 (hereinafter the “Controller”) informs the user as the data subject (hereinafter the “User”) in accordance with Article 13 of the Regulation (EU) 2016/679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “GDPR”), on the processing of his or her personal data:

Purpose of personal data processing

Personal data is obtained directly from the User at the time of logging in to the free wireless service (hereinafter referred to as the "Service"). The Controller undertakes to process accurate personal data for the sole purpose of:

• compliance with a legal obligation to which the controller is subject [in accordance with Article 6(1) (c) of the GDPR]. In this case, the Controller has a legal obligation to process the User's personal data based on the provisions of Section 97(3) of Act No. 127/2005 Coll, on electronic communications, as amended. The reason for the provision of personal data is set out in the provisions of Section 97(3) of Act No. 127/2005 Coll., on Electronic Communications, as amended; in accordance with this provision, the Controller is obliged to store operational and location data (data leading to the tracking and identification of the source and recipient of the communication) that are generated or processed in the provision of public communications networks and in the provision of publicly available electronic communications services. Failure of the User to provide personal data may result in the Administrator not allowing the User to use the Service.

• sending of commercial communications (direct marketing) [in accordance with point 47 and point 70 and Article 6(1)(f) of GDPR]. In the given case of personal data processing the Controller has a legitimate interest in the promotion of the services it provides.

The Controller agrees that it will not process the personal data in a manner which is incompatible with the above-specified purposes.

Scope of personal data

The Controller agrees to process personal data only to the extent necessary for the above-specified purposes for which the data are processed. The scope of the personal data covers:

• email address,
• operational and location data,

(hereinafter as “Personal Data”).

Personal data processing period

The Controller undertakes to process the personal data that it processes for the above-mentioned purposes for the period of use of the Service and then for a period of 3 years from the date of use of the Service by the User (in this case, the Controller has a legal obligation established by Act No. 127/2005 Coll., on electronic communications, as amended, to archive personal data for a period of 6 months from the date of use of the Service. The Controller then has a legitimate interest in preserving this personal data even after using the Service for reasons of protection of your rights in case of potential lawsuits). After the expiry of this period the Controller has the duty to destroy the Personal Data.

The Controller undertakes to process the Personal Data which it processes for the purpose of sending commercial communications (direct marketing) for the period of 10 years from the day when the Personal Data are obtained from the Customer. After the expiry of this period the Controller has the duty to destroy the Personal Data.

In accordance with point 70 and Article 21 of GDPR the Controller explicitly informs the Customer of the fact that in relation to Personal Data that are processed for the purposes of sending commercial communications (direct marketing) the Customer has the right to object to such processing of Personal Data (including profiling to the extent that it is related to such direct marketing), whether with regard to initial or further processing, at any time and free of charge. Where the Customer objects to the processing of Personal Data for the purposes of sending commercial communications (direct marketing), the Controller agrees that Personal Data shall no longer be processed for such purposes.

Categories of recipients of Personal Data and transfer of Personal Data

The Controller declares that the Personal Data shall only be made accessible to those employees of the Controller who are bound by the non-disclosure obligation in relation to these data as well as the security measures the disclosure of which would jeopardize the safety of these Personal Data.

The Controller declares that personal data will be transferred for the above-mentioned purposes to UAB "MailerLite", with registered office in Paupio str. 46, Vilnius, Lithuania, company number 302942057 (hereinafter referred to as "MailerLite"), as this company provides the sending of commercial communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of MailerLite.

The Controller declares that personal data will be transferred for the above purposes to Bloomreach CZ s.r.o., with registered office at Vlněna 526/5, Trnitá, 602 00 Brno, IČO: 059 27 927, registered in the commercial register maintained by the Regional Court in Brno, section C, file 127136 (hereinafter referred to as "Bloomreach"), as this company ensures the sending of business communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of Bloomreach.

The Controller also declares that it will not transfer the Personal Data to any third countries or any international organization.

Automated decision-making

Automated decision-making under Article 22 of GDPR shall not be used during the processing of the User’s Personal Data.

The Controller informs the User of the existence of profiling (a form of automated processing of the User’s Personal Data involving the use of the Personal Data for the evaluation of certain personal aspects relating to the User, in particular the analysis or prediction of aspects concerning personal preference and interests). The Controller uses profiling only for the purpose of the personalization of the services offer (targeted advertising). If the User objects to the profiling, the Controller agrees to terminate the profiling of the User.

Rights of data subject

The Controller informs the User on his or her rights ensuing from the GDPR, particularly:

• right of access to Personal Data (the data subject has the right to obtain from the Controller confirmation as to whether or not the Personal Data concerning him or her are being processed pursuant to Article 15 of GDPR);
• right of rectification (the data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her and the right to have incomplete Personal Data completed under Article 16 of GDPR);
• right to erasure (the data subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay where one of the grounds specified in Article 17 of GDPR applies);
• right to restriction of processing (the data subject has the right to obtain from the Controller restriction of processing in the cases laid down in Article 18 of GDPR);
• right to object (the data subject has the right to object, on ground relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on these provisions under Article 21 of GDPR); the Customer may only assert the right to object where the Personal Data are processed for the purpose of sending commercial communications (direct marketing), which includes profiling to the extent that it is related to such direct marketing under Article 21 of GDPR (see above);
• right not to be subject to any decision based solely on automated processing (the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her under Article 22 of GDPR);
• right to lodge a complaint with a supervisory authority, which is the Office for the Protection of Personal Data, registered seat at Pplk. Sochora 727/27, Post Code 170 00, Praha 7.

Data protection officer

The Controller gives the User a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer, email address: dpo@prg.aero.

Conclusion

The User hereby declares that he or she was duly informed by the Controller on the processing of information in compliance with the provision of Article 13 of GDPR and that the provided Personal Data are accurate and true.

Validity:
Version: V

I hereby grant, as the data subject, to the company Letiště Praha, a. s., registered office at K letišti 1019/6, Ruzyně, Post Code 161 00, Praha 6, ID no.: 282 44 532, incorporated in the Companies Register kept by the Municipal Court in Prague, Section B, File 14003 (hereinafter the “Controller”) in accordance with Article 6 paragraph 1 letter a) and Article 7 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “GDPR”) free and unequivocal consent to the processing of my personal data (hereinafter referred to as "consent") under the conditions set out below:

Content of consent to the processing of personal data

This consent is required unconditionally and is given of your own free will. Failure to grant this consent has no effect on the provision of other services by the Controller. Consent is given as voluntary and informed.

By submitting the form / clicking the checkbox, you grant a consent to the storage of marketing cookies and/or analytical cookies on your device, access to them, and subsequent processing of the IP address of the device from which you access our services.

Purpose of personal data processing

The personal data of the data subject will be processed based on his consent. The reason for providing the data subject's Personal data is the data subject's interest in fulfilling the purpose of personal data processing, which would not have been possible without the provision of personal data.

The Controller agrees to process accurate personal data solely for the purpose of:

• processing of marketing cookies and/or analytical cookies.

The Controller agrees that it will not process the personal data in a manner which is incompatible with the above-specified purposes.

Scope of personal data

Controller agrees to process personal data only to the extent necessary for the above-specified purposes for which the data are processed. The scope of the personal data covers:

• cookies,
• IP address,

(hereinafter as “Personal Data”).

Personal data processing period

The Controller undertakes to process personal data only for a period of 2 years from the date of consent, or until you withdraw your consent. After this period, the controller is obliged to dispose of personal data.

Categories of recipients of Personal Data and transfer of Personal Data

The Controller declares that the Personal Data shall only be made accessible to those employees of the Controller who are bound by the non-disclosure obligation in relation to these data as well as the security measures the disclosure of which would jeopardize the safety of these Personal Data.

The collected cookie files are processed by other processors:

• By the provider of Google Analytics, Google Adwords, operated by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA;
• By the provider of the Facebook Pixel and Facebook Share service, operated by Facebook, based in Menlo Park, California, United States;

The collected cookie files are subsequently processed by the processor in the following ways:

• Google Analytics service: https://www.google.com/analytics/terms/us.html
• Facebook service: https://www.facebook.com/policies/cookies

The Controller declares that personal data will be transferred for the above purposes to Bloomreach CZ s.r.o., with registered office at Vlněna 526/5, Trnitá, 602 00 Brno, IČO: 059 27 927, registered in the commercial register maintained by the Regional Court in Brno, section C, file 127136 (hereinafter referred to as "Bloomreach"), as this company ensures the sending of business communications for the administrator. The obligation to maintain the confidentiality of personal data also applies to the relevant employees of Bloomreach.

The Controller also declares that it will not transfer the Personal Data to any third countries or any international organization.

Automated decision-making and profiling

Automated decision-making under Article 22 of GDPR shall not be used during the processing of the data subject’s Personal Data.

The Controller informs the data subject of the existence of profiling (a form of automated processing of the data subject’s Personal Data involving the use of the Personal Data for the evaluation of certain personal aspects relating to the data subject, in particular the analysis or prediction of aspects concerning personal preference and interests). The Controller uses profiling only for the purpose of the personalization of the services offer (targeted advertising). If the data subject objects to the profiling, the Controller agrees to terminate the profiling of the data subject.

Revocation of consent to the processing of personal data

The data subject has the right to revoke the consent given at any time without any limitation or damage with the processing of personal data, either in the "Cookie settings" section on the Controller’s website or at the email address dpo@prg.aero.

Rights of data subject

The Controller informs the data subject on his or her rights ensuing from the GDPR, particularly:

• right of access to Personal Data (the data subject has the right to obtain from the Controller confirmation as to whether or not the Personal Data concerning him or her are being processed pursuant to Article 15 of GDPR);
• right of rectification (the data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her and the right to have incomplete Personal Data completed under Article 16 of GDPR);
• right to erasure (the data subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay where one of the grounds specified in Article 17 of GDPR applies);
• right to restriction of processing (the data subject has the right to obtain from the Controller restriction of processing in the cases laid down in Article 18 of GDPR);
• right to data portability (the data subject has the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Controller in the cases specified in Article 20 of GDPR);
• right to object (the data subject has the right to object, on ground relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on these provisions under Article 21 of GDPR);
• right not to be subject to any decision based solely on automated processing (the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her under Article 22 of GDPR);
• right to lodge a complaint with a supervisory authority, which is the Office for the Protection of Personal Data, registered seat at Pplk. Sochora 727/27, Post Code 170 00, Praha 7.

Data protection officer

The Controller gives the data subject a contact to the data protection officer under Article 30(1)(a) of GDPR.

All your inquiries, suggestions or other submissions relating to the processing of your Personal Data may be addressed to the data protection officer – email address: dpo@prg.aero.

Conclusion

The data subject hereby declares that he or she was duly informed by the Controller on the processing of information in compliance with the provision of Article 13 of GDPR and that the provided Personal Data are accurate and true.

Validity: