Privacy Policy — The Legionnaire Boutique Art & History

1. Controller

G INVEST SLOVAKIA s.r.o.

Registered address Stupavská 20, 831 06 Bratislava – Rača, Slovak Republic Company ID (IČO) 50 575 414 Tax ID (DIČ) 2120383980 VAT ID (IČ DPH) SK2120383980 Commercial register Mestský súd Bratislava III, Sro, vložka č. 115111/B Managing director PhDr. Tomáš Gierat Contact email DPO Not designated (not required under Art. 37 GDPR for this processing)

The controller determines the purposes and means of processing your personal data in connection with accommodation services provided at The Legionnaire Boutique Art & History, Legionárska 3, 811 07 Bratislava.

2. What We Collect & Why

We process personal data only to the extent necessary for each purpose (GDPR Art. 5(1)(c) — data minimisation). No profiling, no marketing without separate consent.

Purpose	Legal Basis	Categories of Data	Retention
Accommodation contract Reservation, check-in, invoicing	Art. 6(1)(b) GDPRPerformance of contract	Name, email, phone, address, stay dates, payment data (processed via Booking.com / Airbnb)	5 years § 70 Act 563/2009 (tax records)
Guest register Statutory accommodation book (kniha ubytovaných)	Art. 6(1)(c) GDPR§ 24 Act No. 253/1998 Coll.	First name, last name, date of birth, document type & number, permanent address, dates of stay	5 years from end of calendar year of entry
Foreign nationals report Statutory notification to Border Police	Art. 6(1)(c) GDPR§ 113 Act No. 404/2011 Coll.	Name, date of birth, nationality, passport number, visa number, dates of stay	3 years from submission to police
Accommodation tax Local tax — City of Bratislava	Art. 6(1)(c) GDPR§ 37–38a Act 582/2004; VZN Bratislava č. 4/2023	Name, address, date of birth, document type & number, number of nights, exemption status	5 years from end of tax period
Security camera (CCTV) Protection of property and persons in common areas	Art. 6(1)(f) GDPRLegitimate interest — security	Video footage (no audio) — exterior and common areas only. No footage inside the apartment.	72 hours (auto-overwrite); up to 30 days if a security incident is reported

Payment card data is processed exclusively by the payment infrastructure of Booking.com B.V. or Airbnb Ireland UC — the Controller does not store card numbers.

CCTV — legitimate interest balancing test: The camera covers only the building entrance (public-facing exterior). The legitimate interest in protecting the property and guests' safety outweighs the privacy impact, which is minimised by the short retention period and the absence of interior monitoring. Guests are informed by a visible notice at the entrance.

3. Sources of Personal Data

Personal data is obtained from two sources:

Directly from the guest Via the online check-in form on this website.
Booking platforms Booking.com B.V. (Herengracht 597, 1017 CE Amsterdam, Netherlands) and Airbnb Ireland UC (8 Hanover Quay, Dublin 2, Ireland) — acting as independent controllers for their own purposes; they transmit reservation data to us as the accommodation provider. Guests who book through these platforms receive information on data processing from the platforms directly (GDPR Art. 14).

4. Recipients & Third Parties

Your data may be disclosed to the following recipients only to the extent required for the stated purpose:

Cudzinecká polícia SR Slovak Border and Alien Police — statutory obligation to report foreign nationals (§ 113 Act 404/2011).
Magistrát hl. mesta SR Bratislavy Department of Local Taxes — accommodation tax collection on behalf of the City of Bratislava (VZN č. 4/2023).
Finančná správa SR Slovak Financial Administration — tax and accounting obligations.
Accounting processor An external accountant acting as a data processor under Art. 28 GDPR, bound by a data processing agreement limiting their use of data strictly to accounting services.
Booking.com / Airbnb Independent controllers operating their own platforms. Data shared with them is governed by their respective privacy policies.

No personal data is sold, rented, or shared with any marketing third parties.

5. Your Rights

Under GDPR Chapter III, you have the following rights regarding your personal data. To exercise any right, contact us at . We respond within 30 days (extendable by 2 months for complex requests).

Art. 15

Right of Access

Obtain confirmation of whether your data is processed, and receive a copy of it.

Art. 16

Right to Rectification

Request correction of inaccurate or completion of incomplete personal data.

Art. 17

Right to Erasure

Request deletion of your data where processing is no longer justified. Note: data required by law cannot be erased before the mandatory retention period expires.

Art. 18

Right to Restriction

Request that processing be restricted (e.g. while accuracy is contested).

Art. 20

Right to Portability

Receive data you provided in a structured, machine-readable format (applies to contract-based processing).

Art. 21

Right to Object

Object to processing based on legitimate interest (Art. 6(1)(f)), including CCTV processing.

There is no automated decision-making (Art. 22 GDPR) involved in any processing activity described in this policy.

6. Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority at any time, without prejudice to any other administrative or judicial remedy:

Úrad na ochranu osobných údajov Slovenskej republiky
Office for Personal Data Protection of the Slovak Republic

Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Phone: +421 2 3231 3214
Web: www.dataprotection.gov.sk
Email: statny.dozor@pdp.gov.sk

We encourage you to contact us directly first — most concerns can be resolved quickly and informally.

7. Obligation to Provide Data

Guest register & police reporting	Statutory obligation. Refusal to provide data means we cannot legally accommodate you.
Accommodation tax	Statutory obligation. Data is required to correctly calculate, collect, and report the local tax.
Contract fulfilment (booking)	Contractual requirement. Without name, email, and stay dates, no booking can be confirmed.
CCTV	No individual obligation — cameras monitor common areas automatically.

Providing data marked as optional in the check-in form has no consequence for your accommodation.

8. Automated Decisions & International Transfers

No automated decision-making or profiling (Art. 22 GDPR)

No transfers to third countries outside the EU/EEA

No transfers to international organisations

All data is stored and processed within the European Union. Booking.com B.V. and Airbnb Ireland UC are established in the EU/EEA and subject to GDPR.

9. Cookies & Tracking

No tracking or analytics cookies

No third-party advertising scripts

No fingerprinting or behavioural tracking

The check-in form on this website does not use any analytics, tracking cookies, or third-party scripts (other than Google Fonts, loaded for typography only and subject to Google's Privacy Policy). No personal data is sent to Google through font loading.

10. Contact

For all privacy-related requests, corrections, or complaints:

G INVEST SLOVAKIA s.r.o.
Stupavská 20, 831 06 Bratislava – Rača
Email:

Response time: within 30 calendar days of receipt. Where a request is complex or numerous, the period may be extended by a further two months (Art. 12(3) GDPR) — you will be informed of such extension within the first 30 days.