This section provides information on the processing and protection of personal data pursuant to Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) and Act of the Slovak Republic No. 18/2018 Coll. on the protection of personal data and on the amendment and supplementation of certain acts (hereinafter referred to as: “Act on the Protection of Personal Data”).
The operator LUNYS, s.r.o., with its registered office at Hlavná 4512/96, 059 51 Poprad, Company ID: 36472549 (hereinafter referred to as the “operator”), has adopted appropriate technical and organizational measures to ensure the protection of the rights of data subjects, which declare the lawful processing of personal data. The operator has also implemented a transparent system for recording security incidents and any questions from the data subject, as well as from other persons.
If necessary, the data subject can also obtain individual information by phone at: +421 915 778 656 or by e-mail: pravnik@lunys.sk.
1. Operator
LUNYS, s.r.o.
Hlavná 4512/96
059 51 Poprad
IČO: 36472549
We process your data for our own purposes as the Operator. This means that we determine the purpose for which we collect your personal data, determine the means of processing and are responsible for their proper implementation.
2. Processors
In certain cases, the operator may also process the personal data of data subjects through processors who are authorized to process personal data in accordance with Article 28 of the GDPR.
The processors process the personal data of the data subjects on behalf of the Controller. The processing of personal data by the processor does not have a negative impact on the exercise and application of the rights of the data subject. The Controller uses only processors providing appropriate technical, organizational and other measures so that the processing meets the requirements of the GDPR and that the protection of the rights of the data subject is fully ensured.
When processing the personal data of the data subjects, the Controller uses the following categories of processors:
a supplier providing technical solutions, web hosting services, maintenance and support of IT systems used by the Controller
a supplier providing services in the area of accounting and tax obligations of the Controller
Categories of recipients of personal data: persons acting on the basis of the controller's authorization, legal representative, auditor, state administration and public authorities for the exercise of control and supervision.
3. Purpose of processing personal data
As the controller, we only process personal data that we can substantiate with a legitimate legal basis and a defined purpose:
• When responding to an inquiry, suggestion or question sent via an electronic form: In order to provide a response to your question or inquiry, we process personal data on the basis of Art. 6 (1) (f) of the GDPR – legitimate interest of the controller. As a data subject, you have the right to object to such processing at any time.
• When booking apartments or requesting a quote: The legal basis for data processing is Art. 6 (1) (b) of the GDPR – data processing is necessary to take the necessary steps prior to concluding the contract, i.e. as part of the booking process.
• After concluding the contract or confirming the booking, for necessary communication related to the accommodation: Data processing is again carried out in accordance with Art. 6 (1) (a) of the GDPR. b) GDPR, which is necessary for the fulfillment of the contractual relationship.
• Taking and publishing a photo or review of the data subject for the purpose of promoting services: Based on your consent to the processing of personal data pursuant to Art. 6 (1) (a) GDPR, we may process your likeness, review or photo for the purpose of promoting our services on the website or social networks. You may withdraw your consent at any time.
• Sending a newsletter: Based on your consent to the processing of personal data pursuant to Art. 6 (1) (a) GDPR, we may process your e-mail address for the purpose of sending a newsletter with information about our services, news and special offers. You may withdraw your consent at any time.
• Processing data for the purposes of invoicing and recording accommodation in accordance with legislative obligations: Based on Art. 6 (1) (a) GDPR, we may process your e-mail address for the purpose of sending a newsletter with information about our services, news and special offers. You may withdraw your consent at any time. c) GDPR, we process personal data that is necessary to fulfill obligations under the relevant legal regulations (e.g. Act No. 431/2002 Coll. on Accounting, as amended, or Act No. 595/2003 Coll. on Income Tax and Act No. 563/2009 Coll. on Tax Administration).
4. Scope of processed personal data
When responding to an inquiry, suggestion or question sent via an electronic form:
Name and surname
Email address
Telephone number (if provided)
Content of the message or inquiry
When booking apartments or requesting a quote:
Name and surname
Contact details (email address, telephone number)
Reservation details (e.g. number of persons, arrival and departure dates, special requests)
After concluding a contract or confirming a reservation, for necessary communication related to accommodation:
Name and surname
Contact details (email address, telephone number)
Accommodation details (e.g. arrival and departure dates, reservation number)
Making and publishing a photo or review of the data subject for the purpose of promoting services:
Likeness (photo)
Name or initials (in the case of a review)
Content of the review or reviews
Newsletter sending:
Email address
Data processing for the purposes of invoicing and accommodation registration in accordance with legislative obligations:
Name and surname
Contact details
Residential address (if required)
Payment details (e.g. account number or invoice number)
Accommodation details (e.g. arrival and departure dates, services provided
5. Processing and storage period of your personal data
We also process your personal data that we have processed or are processing pursuant to Article 6(1)(b) of the GDPR Regulation – within the framework of fulfilling the obligations of the controller, for the purpose of fulfilling our legal obligations relating to taxes and accounting. These obligations arise from generally binding legal regulations, such as Act No. 431/2002 Coll. on Accounting, as amended, or Act No. 595/2003 Coll. on income tax and Act No. 563/2009 Coll. on tax administration. We must store the data for the period specified in these legal regulations. We follow the principle of minimization of personal data storage pursuant to Art. 5, paragraph 1, letter e) of the GDPR Regulation, and therefore your personal data that is not subject to archiving under special legal regulations will be deleted or anonymized.
Personal data processed on the basis of consent pursuant to Art. 6, paragraph 1, letter a) of the GDPR Regulation, for example for including the data subject in the register of job applicants or for the purpose of sending current marketing news, are processed for a period of 3 years or until the consent is revoked. In the event that the end of the data processing period is approaching, we contact the data subject with the possibility of renewing and extending the consent for another processing period. If the data subject does not consent or does not respond to the contact, we will stop processing the personal data – we will automatically remove them from the records, we will technically delete the electronic data from the systems and we will shred the physical documents.
Personal data processed on the basis of legitimate interest pursuant to Art. 6 para. 1 letter f) of the GDPR Regulation, which were obtained in response to a submitted inquiry, suggestion or question for the purpose of providing feedback to the data subject, are deleted immediately after completion, unless they have subsequently been forwarded to a pre-contractual or contractual relationship.
As the Controller, we will ensure the deletion of personal data without undue delay after: all contractual relationships between you and us as the controller have been terminated; and/or
- all your obligations towards the controller have ceased; and/or
- all your complaints and requests have been resolved; and/or
- all other rights and obligations between you and us as the controller have been settled; and/or
- all processing purposes set out in legal regulations or processing purposes for which you have given us consent, if the processing was carried out on the basis of the consent of the data subject, have been fulfilled; and/or
- the period for which consent was granted has expired or the data subject has withdrawn his/her consent; and/or
- the data subject's request for erasure of personal data has been granted and one of the reasons justifying the granting of this request has been fulfilled; and/or
- a decisive legal event has occurred for the termination of the purpose of processing and at the same time the protective retention period defined with regard to the principle of minimization of the period of storage of personal data has also expired;
- and at the same time the legitimate interest of the operator no longer exists, all obligations set out in generally binding legal regulations that require the storage of the data subject's personal data (in particular for the purposes of archiving, tax control, etc.) have ceased to exist, or which would not be possible to fulfil without their storage.
We do not systematically process any accidentally obtained personal data for any purpose defined by us. If possible, we will inform the data subject to whom the accidentally obtained personal data belongs about their accidental acquisition and, depending on the nature of the case, we will provide them with the necessary cooperation leading to the restoration of control over their personal data. Immediately after these necessary actions aimed at resolving the situation, we will immediately destroy all accidentally obtained personal data in a secure manner.
If you are interested in further information about the specific retention period of your personal data, please contact us using the contact details provided.
6. Disclosure of data
Our company does not disclose the personal data obtained under any circumstances.
7. Cross-border transfer and profiling of personal data
Cross-border transfer and profiling of personal data is not carried out and is not intended to be carried out in the future.
8. Rights and obligations of the data subject
The data subject is obliged to provide only complete and truthful data.
The data subject undertakes to update their data in the event of a change, no later than before the first order following the change occurs.
The data subject undertakes that if they provide personal data of a third party (name, surname, telephone number), they do so only with their consent and the data subject is familiar with the procedures, rights and obligations set out on this page.
As a data subject, you have the right to decide on the handling of your personal data to the extent specified. You can exercise the above rights in person at the Controller's registered office or by telephone - in writing (by post / e-mail).
We will try to respond to you as soon as possible, but we will always respond to you no later than 30 days from the receipt of your request. The applicable legal regulations and the GDPR Regulation or the Act provide you with, in particular:
Right of access - You have the right to request confirmation from us as to whether your personal data is being processed, and if so, to obtain a copy of this data and additional information pursuant to Art. 15 of the Regulation or Section 21 of the Act. In the event that we obtain a large amount of data about you, we may require you to specify your request for the specific data that we process about you.
Right to rectification – In order to ensure that we only process current personal data about you, we need you to notify us of any changes as soon as possible. If we process incorrect data about you, you have the right to request their correction.
Right to erasure – If the conditions of Article 14 of the Regulation or Section 23 of the Act are met, you may request the erasure of your personal data. You may therefore request erasure, for example, if you have withdrawn your consent to the processing of personal data and there is no other legal basis for the processing, or if we process your personal data unlawfully, or the purpose for which we processed your personal data has ceased to exist and we do not process them for another compatible purpose. However, we will not delete your data if it is necessary for the establishment, exercise or defence of legal claims.
Right to restriction of processing – If the conditions of Article 18 of the Regulation or Section 23 of the Act are met. § 24 of the Act, you can request us to restrict the processing of your personal data. You can therefore request a restriction, for example, while you are contesting the accuracy of the processed data or if the processing is unlawful and you do not want us to delete the data, but you need their processing to be restricted while you exercise your rights. We continue to process your data if there are grounds for demonstrating, exercising or defending legal claims.
Right to portability – If the processing is based on your consent or carried out for the purpose of fulfilling a contract concluded with you and is carried out by automated means, you have the right to receive from us your personal data that we have obtained from you in a commonly used machine-readable format. If you are interested in this and it is technically possible, we will transfer your personal data directly to another controller. This right will not apply to processing carried out for the performance of a task carried out in the public interest or in the exercise of official authority.
Right to object to processing – If we process your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or if the processing is carried out on the basis of our legitimate interests or the legitimate interests of a third party, you have the right to object to such processing. Based on your objection, we will restrict the processing of your personal data and, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, we will no longer process the personal data and will erase your personal data. You have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. After you have raised an objection, we will no longer process your personal data for this purpose.
Right to lodge a complaint – If you believe that the processing of your personal data is in breach of the Regulation or the Act, you have the right to lodge a complaint with one of the competent supervisory authorities, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. For the territory of the Slovak Republic, the supervisory authority is the Office for Personal Data Protection, with its registered office at: Hraničná 4826/12, 820 07 Bratislava, Slovak Republic, website: www.dataprotection.gov.sk, tel.: +421 /2/ 3231 3220.
Right to withdraw consent – If the processing of your personal data is based on consent, you have the right to withdraw this consent at any time. Withdrawal of consent does not affect processing already carried out. If at any time later you decide that you are interested in receiving commercial and marketing offers from us about our products and services again, you can re-grant your withdrawn consent (or objection) at any time, using any of the contact methods listed above.
9. Contact details of the Personal Data Protection Office
Personal Data Protection Office of the Slovak Republic
Address:
Hraničná 12
820 07, Bratislava 27
Slovak Republic
IČO: 36 064 220
Registration office:
Monday - Thursday: 8:00 - 15:00
Friday: 8:00 - 14:00
Telephone consultations in the field of personal data protection:
Tuesday and Thursday from 8:00 to 12:00 +421 2 323 132 20
Secretariat of the Chairman of the Office +421 2 323 132 11
Secretariat of the Office +421 2 323 132 14
Fax: +421 2 323 132 34
Spoken:
mobile: 0910 985 794
e-mail: hovorca@pdp.gov.sk
E-mail:
a) generally: statny.dozor@pdp.gov.sk
b) for the provision of information pursuant to Act No. 211/2000 Coll.: info@pdp.gov.sk
c) website: webmaster@pdp.gov.sk
d) for submitting requests for the provision of information pursuant to Act No. 211/2000 Coll. on free access to information, please use the online form.
e) email address through which the Office will provide you with advice in the area of personal data protection. It is intended for children, youth, students, teachers, parents who suspect that their personal data has been misused: ochrana@pdp.gov.sk
A sample proposal for initiating proceedings on personal data protection can be found on the Office's website (https://dataprotection.gov.sk/uoou/sk/content/konanie-o-ochrane-osobnych-udajov).
In Poprad, on 1.3.2025