The Bata Region


Rules for the Protection and Processing of Personal Data

According to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Identification of the Controller

The controller of your personal data is the company LUHAČOVSKÉ ZÁLESÍ, o.p.s., ID: 27735109, registered office at Osvobození 25, Slavičín 763 21, registered in the Commercial Register maintained by the Regional Court in Brno, section O, insert no. 329 (hereinafter referred to as the “Controller”).


These rules for the protection and processing of personal data (hereinafter referred to as the “Rules”) describe which personal data of natural persons, particularly customers (hereinafter referred to as the “Data Subject”), are processed during the Controller's activities.

These Rules specify the types of personal data we collect and process when you use our services or enter into another contract with us, as well as how your personal data are used, shared, and protected. Here you will also find an explanation of the options available to you regarding your personal data and how to contact us. Below, we inform you about the processing of your personal data and your rights in accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (also known as “GDPR”).

Personal data refer to all information about an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors of physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The Controller has not appointed a Data Protection Officer.

Processing Principles

In processing personal data, we adhere to and respect the highest standards of personal data protection and observe, in particular, the following principles:

We always process personal data for clearly and understandably defined purposes, using defined means, in a defined manner, and only for the time necessary for the purposes of processing. We process only accurate personal data and ensure that their processing corresponds to the set purposes and is necessary for fulfilling those purposes.

We process personal data in a manner that ensures the highest possible security of such data and prevents any unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, or other unauthorized processing or misuse.

We always clearly inform you about the processing of personal data and your rights to accurate and complete information about the circumstances of this processing, as well as your other related rights. We observe appropriate technical and organizational measures to ensure a level of security appropriate to all possible risks; all persons who come into contact with your personal data are obliged to maintain confidentiality of information obtained in connection with processing these data.

Information on Personal Data Processing

Purposes of Processing and Legal Basis for Processing
We process personal data for the following purposes:

  1. if you have subscribed to our newsletter:
    information about events in the region (purpose no. 1);
  2. if you are a visitor to our website:
    analysis of your preferences, marketing (purpose no. 2);
  3. if you are representatives or employees of our partners or suppliers:
    conclusion and management of supplier-customer relationships (purpose no. 3);
    information about events in the region (purpose no. 4).

Legal Basis for Processing
The legal basis for processing personal data is Article 6(1) of GDPR as follows:

  1. The data subject has given consent to the processing of their personal data (purpose no. 1, 2);
  2. The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (purpose no. 3);
  3. The processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party (purpose no. 4).

Categories of Processed Personal Data
The Controller processes personal data to the extent necessary to fulfill the above purposes. This most often (but not exclusively) includes data that you provide to us or that we must process by law or because we pursue our legitimate interest, for example:

  • Identification data (e.g., name and surname, username and password, ID number, VAT number, and billing details);
  • Contact details (e.g., email address, phone number, organization you work for, workplace, delivery address);
  • Order data (e.g., data about goods and services you ordered, delivery and payment method including account number and complaint data);
  • Data about the device you use to view our website (especially data obtained from cookies such as device identification, operating system and its version, screen resolution, used browser and its version, IP address, and derived location);
  • Other data necessary for contract performance or provided to the Controller.

Method of Processing Personal Data
The method of processing personal data follows these principles:

  • The processing of personal data is carried out by the Controller except for such processing which, based on a data processing contract, is handed over to a Processor.
  • Processing is carried out at the Controller’s premises, branches, and registered office by the Controller’s authorized employees, or possibly by Processors.
  • Processing is done through computer technology, or manually in the case of personal data in paper form, adhering to all security principles for personal data management and processing. To this end, the Controller has adopted technical and organizational measures to ensure the protection of personal data, especially measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, unauthorized processing, or other misuse.
  • All entities to which personal data may be disclosed respect the right of the Data Subjects to privacy and must comply with applicable legal regulations concerning personal data protection.

The Controller does not conduct automated individual decision-making or profiling of personal data.
Personal data of the Data Subjects will not be transferred to third countries (i.e., countries outside the EU and EEA).

Recipients of Personal Data
Personal data of the Data Subjects may be further disclosed to the following recipients/categories of recipients:

  • Suppliers and partners of the Controller (only if the Controller has signed a data processing agreement with the supplier and only if necessary for the above purposes);
  • Financial institutions and insurance companies;
  • State authorities in compliance with the Controller’s legal obligations as defined by applicable legal regulations.

Personal Data Processing Duration
Personal data will be processed only for the time necessary for the purposes of their processing. With regard to the above:

  • If specified by law or another generally binding legal regulation or administrative authority decision, personal data must be archived for at least the time specified for that purpose;
  • For the purpose of sending regional information, personal data will be processed until the Data Subject expresses disagreement with such processing;
  • In case of initiation and duration of judicial, administrative, or other proceedings in which the rights or obligations of the Controller concerning the relevant Data Subject are addressed, the processing period does not end before the conclusion of such proceedings;
  • For the fulfillment of contractual obligations from business contracts until the end of the 5th calendar year following the expiration of the warranty period according to the contract (if a quality warranty was agreed in the contract) and further for a period of 2 years in case of a possible business dispute;
  • In other cases, at least one year from their acquisition and a maximum of 5 years from their last use.

By the end of the calendar quarter following the expiration of the processing period mentioned above, the relevant personal data, whose purpose for processing has ceased, will be disposed of (by shredding or other means ensuring that unauthorized persons cannot access the personal data) or anonymized. In the case of processing based on consent, the Data Subject may be contacted by the Controller to renew their consent.

Your Rights

We comply with data protection laws applicable in the European Economic Area, which include the following rights if they apply:

  • Access to your personal data (under the conditions of Article 15 GDPR),
  • Rectification or erasure of personal data (under the conditions of Articles 16 or 17 GDPR),
  • Restriction of processing of personal data (under the conditions of Article 18 GDPR),
  • Objection to processing of personal data (under the conditions of Article 21 GDPR),
  • Right to data portability (under the conditions of Article 20 GDPR),
  • Right to withdraw consent to the processing of personal data (see below),
  • Right to lodge a complaint with a supervisory authority (see below).

Right to Lodge a Complaint
If you believe that your personal data are being processed in violation of the protection of the private and personal life of the Data Subject or in violation of legal regulations, you have the right to request an explanation from the Controller and/or request the rectification of the situation. The request must be submitted in writing by sending a letter or email, see contact below.

You also have the option to contact the supervisory authority directly, which is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, +420 234 665 555,

Right to Withdraw Consent
You are not obligated to give consent to the Controller for processing your personal data and you have the right to withdraw this consent at any time. If you withdraw your consent, we will cease processing the relevant personal data for purposes that require the respective consent. If you wish to withdraw your consent to the processing of personal data, you can do so in the manner defined in the "Contact Us" section.


A cookie is a small data file placed in your browser on the device (computer, smartphone, or tablet) you use to view the website. Cookies serve various purposes and some may contain your personal data. On our website, we use technical cookies (PHPSessionID, lang, cookies), which are necessary for the operation of the website (e.g., for responsive design). According to the opinions of the WP29 expert group at the EU, your consent is not required for such cookies. Cookies can be blocked or disabled, but parts of the website may not display correctly, and some parts may not function at all. Cookie settings for the most commonly used browsers can be found here:

Google Chrome
Internet Explorer and Edge

We also use analytical and advertising cookies from companies like:
Google (e.g., _ga, _gid, NID),
OptinMonster (e.g., _omappvp, _omappvs),
Facebook (fr).

We use these cookies to track website traffic, advertising, and analyze visitor behavior, and their presence is not necessary for the proper functioning of our website. For these cookies (see the section "Purposes of Processing and Legal Basis for Processing," purpose no. 2), your consent is required, which can be granted according to the WP29 expert group by setting your browser to disable third-party cookies. For enabling/disabling this feature, please refer to the help section of your specific browser.

Contact Us

For any questions regarding data protection, withdrawal of consent for further processing of your personal data, or if you have any complaints, you can use the following options:

  • By written, officially certified communication delivered to the address of the Controller's headquarters
  • In person or by phone at the address: Luhačovské Zálesí, o.p.s., Masarykova 137, Luhačovice, tel.: 774 230 151,
  • By data message sent to the data box, ID: srfzndn, Luhačovské Zálesí, o.p.s.

We will update this Privacy Policy as needed based on feedback from our customers. When we post changes to this statement, we will update the "last updated" date at the end of this statement along with a description of the changes. If there are significant changes to this statement or in how our organization will use your personal data, we will notify you of these changes by placing a prominent notice before implementing the changes or by sending you a personal notification. We recommend regularly checking this statement to stay informed about how we protect your personal data.