1. Introductory Provisions
- 1.1 The data controller pursuant to Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”) is CineStar s.r.o., Company ID No.: 26435675, with the registered office at Radlická 3185/1c, Smíchov, 150 00 Prague 5 (hereinafter the “Controller”).
- 1.2 Contact details of the Controller:
- Address: Radlická 3185/1c, Smíchov, 150 00 Prague 5
- Phone: 800 288 288
- 1.3 Personal data mean any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, economic, cultural or social identity of that natural person.
2. Sources and Categories of Processed Personal Data
- 2.1 The Controller processes personal data provided by you or personal data acquired by the Controller on the basis of a completed ticket reservation online, registration on the website or registration in the mobile application.
- 2.2 The Controller processes your identification and contact information and data necessary for the performance of the agreement under the CC loyalty programme.
- 2.3 Mobile application.
3. Legal Basis and Purpose of Personal Data Processing
- 3.1 The legal basis for the processing of personal data is:
- the performance of the agreement between you and the Controller under Article 6 (1)(b) of the GDPR;
- the legitimate interest of the Controller pursuant to Article 6 (1)(f) of the GDPR;
- your consent to the processing for the purpose of providing direct marketing (in particular, sending of commercial messages and newsletters) pursuant to Article 6 (1)(a) of the GDPR in conjunction with Section 7 (2) of Act No. 480/2004 Sb., on certain information society services, in cases where there is no order of goods or services.
- In the case of consent-based processing, you will always be notified of this type of processing and will be given the opportunity to give or deny your consent to such processing. The consent is always given as a voluntary act of free will, and you are entitled to withdraw your consent in part or in full at any time with prospective effect. We will not carry out the processing without the corresponding consent.
- 3.2 The purpose of the processing of personal data is:
- the processing of your ticket reservation; the reservation of tickets requires personal data necessary for the successful processing of the order (first and last name, email, mobile phone number); the personal data is used to verify the reservation and send the information on such reservation via email and SMS (performance of an agreement between you and the Controller pursuant to Article 6 (1)(b) of the GDPR);
- processing of your e-ticket; e-ticket is a ticket with a numerical barcode, which the customer receives in PDF format for printing to the provided email address and via an SMS to the provided mobile phone number, always after the ticket is ordered online and paid for (performance of an agreement between you and the Controller pursuant to Article 6 (1)(b) of the GDPR);
- processing of your e-ticket in the case of registration in the CineStar mobile app; when registering in the application, personal data is required for the successful processing of the order (first and last name, email and mobile phone number); the personal data is also used to verify the order and send the information on the completed order via email and SMS (performance of an agreement between you and the Controller pursuant to Article 6 (1)(b) of the GDPR);
- registration in the CC loyalty programme; when registering for the CC loyalty programme, the personal data necessary for the successful processing of the order are required (first and last name, phone number, email, gender, date of birth); the provision of personal data is a necessary requirement for the execution and performance of the agreement; if the personal data is not provided, the agreement cannot be concluded or performed by the Controller (performance of an agreement between you and the Controller pursuant to Article 6 (1)(b) of the GDPR);
- We process your date of birth as a part of the loyalty programme in order to verify the registration in the CC loyalty programme so that we may send you birthday presents or inform you of the availability of such presents (performance of an agreement between you and the Controller pursuant to Article 6 (1)(b) of the GDPR and the Controller’s legitimate interest pursuant to Article 6 (1)(f) of the GDPR).
- If you are our customer, your data (email, age, gender, purchasing behaviour: place of purchase (multiplex), movie or other performance, movie category, membership period, frequency of movie admissions, similarities with our other customers) may be used for the evaluation of what is relevant for you and what could interest you. Based on our legitimate interest, we may send you marketing offers for goods or services you have purchased from us or information you have requested from us via email or SMS messages. You can unsubscribe from commercial electronic messages at any time.
- If you subscribe to our commercial messages, your personal data may be used for direct marketing purposes, i.e. sending of commercial electronic messages (via email or SMS).
- YOU CAN OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES AT ANY TIME, AND YOUR PERSONAL DATA WILL NO LONGER BE PROCESSED FOR SUCH PURPOSES.
- consent to the processing of personal data for sending commercial messages and other marketing activities;
- a) consent to the processing of personal data for non-personalised advertising;
- b) consent to the processing of personal data for non-personalised advertising: in order to send you information and advertising that is relevant to your personal interests, we analyse your ticket purchases, your participation in our promotional events and your use of our electronic services. For these purposes, we process the following personal data: email, age, gender, purchasing behaviour: place of purchase (multiplex), movie or other performance, movie category, membership period, frequency of movie admissions, similarities with our other customers.
- processing for the purpose of website traffic statistics (the Controller’s legitimate interest pursuant to Article 6 (1)(f) of the GDPR).
- 3.3 The Controller is not involved in automated individual decision-making within the meaning of Article 22 of the GDPR.
4. Data Retention Period
- 4.1 The Controller retains personal data
- Performance of the agreement - for the period necessary for the exercise of rights and fulfilment of obligations arising from the contractual relationship established between you and the Controller and for the exercise of claims under such contractual relationships (for the duration of the contractual relationship and for a period of ten years following the termination of the contractual relationship).
- Compliance with legal obligations - for the period stipulated in the relevant legal regulations.
- Sending of commercial messages, offers of services and products and targeting of advertisement - for the duration of the consent to the processing of personal data, or until the consent to the processing of the personal data is withdrawn, or in accordance with special legal regulations (Act No. 480/2004 Sb. – if you have not refused such messages, we are entitled to process your email address within the meaning of Section 7 (3) of this Act).
- Protection of the legitimate interest of data controllers or third parties - for a maximum period of three years as of the start of the processing unless special legal regulations stipulate otherwise or unless there is a justified need to retain the data for a longer period in relation to a specific case.
- 4.2 Upon the lapse of the retention period, the Controller will erase the personal data.
5. Recipients of Personal Data (Subcontractors of the Controller)
- 5.1 The recipients of personal data are persons
- involved in the provision of services and processing of payments under the agreement,
- operating the online store and providing other services associated with the operation of the online store,
- providing marketing services.
- 5.2 The Controller uses a non-EU company based in Canada for direct marketing mailing services. Transferred personal data: first and last name, email address. If the country to which your personal data is transferred does not provide an adequate level of data protection, we will ensure appropriate security measures (we use standard contractual arrangements) to ensure that your data is adequately secure.
- 5.3 The Controller does not intend to transfer other personal data to a third country (non-EU countries) or to an international organisation.
6. Third-Party Websites
7. Your Rights
- 7.1 Under the conditions set out in the GDPR, you have
- the right to access your personal data pursuant to Article 15 of the GDPR;
- the right to rectify your personal data pursuant to Article 16 of the GDPR or to restrict processing pursuant to Article 18 of the GDPR;
- the right to erase personal data pursuant to Article 17 of the GDPR;
- the right to object to the processing pursuant to Article 21 of the GDPR;
- the right to data portability pursuant to Article 20 of the GDPR.
- 7.2 You also have the right to file a complaint with the Office for Personal Data Protection if you believe that your right to the protection of personal data has been violated.
8. Personal Data Security Conditions
- 8.1 The Controller declares that it has taken the appropriate technical and organisational measures to secure the personal data.
- 8.2 The Controller has taken technical measures to secure data storage and personal data repositories in printed form.
- 8.3 The Controller declares that personal data can only be accessed by persons authorised by the Controller.
9. Final Provisions