Privacy notice under Regulation of the European Parliament and of the council (EU) no.
2016/679 on the protection of natural persons with regard to the processing of personal
data and instruction to data subjects (hereinafter as “GDPR”).
Personal data controller
Company: Bar and Books Wine & Spirits s.r.o.
Registered office at: Haštalská 795/1, Staré Město, 110 00 Praha 1
ID No.: 26718740
Tax ID no.: CZ26718740
Which has been incorporated in the Companies Register kept by the City court in Prague, file no. C 89368 (hereinafter the “Controller”).
In all matters relating to the processing of personal data, you can contact us at the following e-mail address: firstname.lastname@example.org.
Extent of personal data processing
Personal data are processed to the extent to which they were provided to the Controller by
the relevant data subject in connection with the entry into a contractual or other legal
relationship with the Controller or which the Controller has otherwise collected and
processed in compliance with legal regulations or in order to perform the statutory
obligations of a controller.
- identification data: firstname and surname,
- contact information: billing and delivery address, e-mail address, and phone
Sources of personal data
- Directly from data subjects (reservations and e-shopping, e-mails, phone, website contact form, social networks, visiting cards etc.)
Categories of the personal data processed
- payment terminal provider,
- financial institutions,
- state and other bodies performing statutory obligations imposed by applicable legalregulations;
Purpose of personal data processing
- Making your order if you buy something from us. Li>
- Making your booking if you make a reservation with us li>
- Send news from our bar based on your consent. li>
- Send news from our bar based on our so-called legitimate interest (if you are our customer). li>
- Performance of legal obligations.
Personal data processing period
In accordance with the time limits specified in the relevant contracts, the Controller’s filing
and shredding rules and in applicable legal regulations the data are processed for a period
necessary to perform the rights and obligations ensuing from an obligational relationship as
well as applicable legal regulations.
Manner of processing and protecting personal data
The Controller has adopted technical and organizational
measures to ensure the protection of the personal data, including in particular measures
preventing unauthorized or accidental access to, alteration, destruction or loss or
unauthorized transfers or unauthorized processing as well as other misuse of the personal
The Controller processes data with data subject’s consent with the exception of the cases
defined by law where the processing of personal data does not require data subject's
consent. In accordance with Article 6(1) GDPR a controller may process the following data
without data subject’s consent:
- processing is necessary for the performance of a contract to which the data subject is
party or in order to take steps at the request of the data subject prior to entering into
- processing is necessary for the compliance with a legal obligation to which the
controller is subject,
- processing is necessary in order to protect the vital interests of the data subject or of
another natural person,
- processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller,
- processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require
protection of personal data;
Rights of data subjects
1) In accordance with Article 12 GDPR the Controller informs a data subject upon the data
subject’s request on the right to access his or her personal data and to the following
- purpose of processing,
- category of the personal data concerned,
- recipient or the category of the recipients to whom the personal data were or will be
- planned period for which the personal data will be retained,
- all available information on the source of the personal data,
- if not acquired from the data subject, information on whether automated decision-
making, including profiling, is used.
2) Each data subject who finds out or considers that the Controller or a processor engages
in the processing of his or her personal data which is in conflict with the protection of the
data subject’s private and personal life or in conflict with law, in particular if the personal
data are inaccurate with regard to the purpose of the processing, the data subject may:
- Ask the Controller for explanation.
- Demand that the Controller rectifies the situation. This may in particular involve
the blocking, rectification, supplementation or erasure of the personal data.
- Where the data subject’s application under paragraph 1 is recognized as
legitimate, the Controller shall rectify the defective situation without delay.
- If the Controller dismisses the data subject’s application under paragraph 1, the
data subject has the right to turn directly to the supervisory office, that is, the
Office for Personal Data Protection.
- The procedure under paragraph 1 does not rule out the option that the data
subject may submit his or her objection directly to the supervisory office.
- The Controller has the right to demand for the provision of information an
adequate payment not exceeding the costs necessary for the provision of the