I. Principles of Personal Data Protection
1.1 When providing personal information, the user expresses their understanding of the protective principles, consents to their content, and acknowledges their overall validity.
1.2 The service operator is responsible for managing users’ personal information in accordance with Article 4(7) of the Regulation of the European Parliament and of the Council (EU) 2016/679, known as GDPR. The operator commits to adhering to the relevant legal regulations, including the GDPR.
1.3 Personal information refers to all data about an identifiable person. An identifiable person is one who can be determined directly or indirectly, for example, by means of a name, identification number, location, online identifier, or one or more specific factors of that physical person.
1.4 Certain personal information, such as name and address, contact details, are required for order processing. The aim of processing this data is to meet order requirements and to exercise rights and obligations arising from the contractual relationship between the Operator and the User. Another reason for processing is sending marketing communications and conducting other marketing activities. The legitimate reason for data processing is contract fulfillment according to Article 6(1)(b) GDPR, compliance with the legal obligations of the controller according to Article 6(1)(c) GDPR, and the legitimate interest of the Operator according to Article 6(1)(f) GDPR. The legitimate interest of the Operator is the use of personal information for direct marketing.
1.5 In fulfilling contractual obligations, the operator utilizes third-party services, such as email service providers (where data may be stored outside the EU) and web hosting providers. These subcontractors are vetted for secure data processing. The operator and the web hosting subcontractor have a data processing agreement, which obliges the subcontractor to secure the data and holds them responsible for any data protection breach.
1.6 The operator retains personal information for the period necessary to exercise rights and obligations from the contractual relationship and to enforce claims from these relationships (for a period of 15 years after the end of the contractual relationship). After this period, the data will be deleted.
1.7 The user has the right to request access to their personal information from the Operator according to Article 15 GDPR, to request their correction according to Article 16 GDPR, or to restrict processing according to Article 18 GDPR. The user has the right to delete data according to Article 17(1)(a), (c) to (f) GDPR. They also have the right to object to processing according to Article 21 GDPR and the right to data portability according to Article 20 GDPR.
1.8 If the user believes there has been a breach of their personal information protection, they have the right to file a complaint with the Office for Personal Data Protection.
1.9 The provision of personal information is not mandatory, but it is necessary for the conclusion and performance of a contract. Without providing this information, it is not possible to conclude or fulfill the contract.
1.10 The operator does not engage in automated individual decision-making according to Article 22 GDPR.
1.11 Interested parties in the Operator’s services consent by filling out the contact form:
· to use their personal information for the purposes of sending commercial communications, advertising materials, direct sales, market research, and direct product offers from the Operator and third parties, no more than once a week, and at the same time
· declare that they do not perceive the sent information as unsolicited advertising according to the law no. 40/1995 Coll., as amended, because they have given their explicit consent to the sending of this information.
· This consent can be revoked at any time in writing to info@boat-cruises-prague.cz
1.12 The operator uses so-called cookies to improve the quality of services, personalize the offer, collect anonymous data, and for analytical purposes on its web presentation. The user consents to the use of this technology by using the website.
II. Rights and Obligations Between the Controller and the Processor (Processing Agreement)
2.1 The operator is the processor of personal information of users’ clients according to Article 28 GDPR. The user is the controller of this information.
2.2 This document establishes mutual rights and obligations for processing personal information that the Operator has access to during the fulfillment of the contract by approving the terms and conditions on the website www.boat-cruises-prague.cz (hereinafter “contract”) concluded with the User.
2.3 The operator undertakes to process personal information for the User within the scope and for the purposes set out in Articles 2.4 – 2.7 of this document. Processing will be automated and will include collecting, storing on information carriers, preserving, blocking, and disposing of. The operator is not authorized to process personal information contrary to these conditions.
2.4 The operator undertakes to process for the User the following personal information:
ordinary personal data and special categories of data according to Article 9 GDPR, which the User has obtained in connection with their business activity.
2.5 The operator undertakes to process personal information for the purpose of handling inquiries and requests from clients obtained from the contact form.
2.6 Personal information may only be processed at the workplaces of the Operator or its subcontractors according to Article 2.8 of this document, within the European Union.
2.7 The operator undertakes to process personal information of the User’s clients for the time necessary to exercise rights and obligations from the contractual relationship between the Operator and the User and from enforcing claims from these relationships (for a period of 15 years after the end of the contractual relationship).
2.8 The user grants the Operator consent to use subcontractors as additional processors according to Article 28(2) GDPR, including the application hosting provider. The operator must inform the User in writing of all planned changes regarding the adoption of new processors or their replacement and allow the User to raise objections. The operator undertakes to impose on subcontractors the same obligations to protect personal information as are set out in these conditions.
2.9 The operator undertakes that the security of processing personal information will be ensured as follows:
· Personal information is processed in accordance with legal regulations and based on the User’s instructions, i.e., to perform all necessary activities for providing the web platform.
· The operator ensures technical and organizational protections of personal information to prevent unauthorized access, alteration, destruction, loss, unauthorized transmissions, or other processing or misuse. These measures correspond to the level of risk.
· The operator commits to maintaining confidentiality, integrity, availability, and resilience of the processing systems and services and ensuring the recovery of the availability of personal information and access to them in case of incidents.
· The operator confirms that the protection of personal information is part of the internal security guidelines.
· Access to personal information will only be granted to authorized personnel of the Operator and subcontractors, whom the Operator will define the conditions and scope of processing, and each person will use a unique identifier.
· Authorized personnel of the Operator are required to maintain confidentiality about personal information and security measures. The operator will ensure a demonstrable commitment to this obligation. This obligation will continue even after the end of the relationship with the Operator.
· The operator will assist the User in fulfilling his obligation to respond to requests for the exercise of data subject rights according to GDPR and in complying with obligations according to Articles 32 to 36 GDPR.
· After the termination of services associated with processing, the Operator will delete all personal information or return them to the User unless required to retain them under a special law.
· The operator will provide the User with all the information necessary to demonstrate compliance with the obligations under this contract and GDPR, allow audits and inspections conducted by the User or another auditor appointed by the User.
2.10 The user undertakes to promptly report all known facts that could adversely affect the proper and timely fulfillment of obligations and to provide the Operator with the necessary cooperation to fulfill these conditions.
III. Final Provisions
3.1 These conditions lose validity after the period specified in Articles 1.6 and 2.7 of this document.
3.2 The user expresses agreement with these conditions by ticking the box in the online form, thereby confirming that they have read the conditions, agree with them, and fully accept them.
3.3 The operator has the right to amend these conditions and is obliged to publish the new version on its websites without unnecessary delay or send it to the User’s email address.
3.4 The operator’s contact details for matters concerning these conditions: +420 737 717 896, info@boat-cruises-prague.cz
3.5 Relationships not explicitly governed by these conditions are subject to GDPR and the legal order of the Czech Republic, in particular the Civil Code no. 89/2012 Coll., as amended at the date of effectiveness.
These conditions take effect on January 1, 2024