Information we gather

CPI Hotels, a.s.
Bečvářova 2081/14
10000 Praha 10
Czech Republic
IC 47116757
DIC CZ47116757



Group Data Protection Policy


This Group Data Protection Policy (“Data Protection Policy”) stipulates the rules for personal data protection in the CPI PROPERTY GROUP (“CPIPG”) and its affiliated companies (“CPIPG companies”). It provides for the rules of personal data protection, including related obligations of the CPIPG companies. The Data Protection Policy reflects the data privacy rules required by the GDPR and other Member States’ national data privacy legislation.

The CPIPG companies take personal data protection seriously and handle the personal data with sufficient carefulness and responsibility when performing their business activities. A personal data breach may result in serious legal and economic consequences for the CPIPG companies, their employees and data subjects. It may also cause damage to the CPIPG companies’ reputation. Through the implementation of the Data Protection Policy across the CPIPG companies, the risks of, and arising from, breaching data protection will be minimised.

This Data Protection Policy is binding for the CPIPG companies and their employees. It relates to all personal data processing to which the GDPR and the Member States’ national legislation apply.

1.   Procedure and Competencies
The following articles describe the procedures followed by the CPIPG companies when processing the personal data. Furthermore, they provide a brief description of the split of the competencies and key roles in the CPIPG companies in the area of personal data processing.

1.1   General Obligation
The CPIPG companies have taken and shall continue to take appropriate technical and organisational measures in order to ensure the protection of the personal data against misuse, loss and damage, and to treat them in accordance with the GDPR and the Member States’ national legislation in the area of data privacy. The data protection applies to the processing of the personal data of the CPIPG companies’ partners, employees, their family members, job applicants, customers and other individuals whose personal data are processed by the CPIPG companies.

1.2   Basic Principles of Personal Data Protection
The CPIPG companies respect the basic principles stipulated by the GDPR in processing the personal data. The respective basic principles are listed below:

•      Lawfulness principle – at least one lawful basis has to be determined prior to processing the personal data;

•      Principle of limitation by purpose – process the personal data only for pre-defined purposes;

•      Data minimisation principle – processing of only necessary, relevant and adequate personal data for any legitimate purpose;

•      Correctness and transparency principle – open and transparent processing to the data subjects;

•      Integrity and confidentiality principle, application of the “need to know” principle – implementation of necessary organisational and technical measures in order to ensure the restriction of access to the personal data to prevent an unauthorised or unlawful processing;

•      Accuracy principle – processing of accurate and up-to-date personal data;

•      Controlled change management regime – a change of the current processing system to a new method is a subject to the DPO’s or controller’s consideration and a potential subsequent preparation of the Data Privacy Impact Assessment;

•      Definition of roles participating in the personal data protection in the CPIPG companies.

1.3   Lawful Bases and Personal Data Processing Purposes

The personal data processing is always based on the lawful bases, which include the consent to the personal data processing, compliance with a legal obligation, the performance of a contract, the legitimate interest, the public interest or the protection of the interests of the data subject.

1.4   Processing of Special Categories of Personal Data and Personal Data Relating to Criminal Issues
Special categories of personal data and personal data relating to criminal issues are especially sensitive and therefore a high degree of protection is applied. Any processing of special categories of personal data is consulted with the DPO.

1.5   Personal Data Transfer
The CPIPG companies may only make personal data available to third parties (including a personal data transfer within the group) under certain conditions. Personal data may only be available to a third party acting as a processor based on a personal data processing agreement. Personal data may also be available to another third-party acting as a controller or a joint-controller based on relevant contractual agreements.

In case there are requirements for rectification or erasure of the personal data or for processing restrictions, under certain circumstances, the CPIPG companies notify the relevant third parties to which the personal data were made available, unless this is not feasible or requires an inadequate effort. The CPIPG companies inform a data subject on the third parties to which the concerned personal data were disclosed, only if required to do so by the data subject.

Under certain conditions, the CPIPG companies can also transfer personal data to third countries outside the EEA or the European Union or to the international organisations. To assess legal conditions under which personal data may be transferred to third countries or to international organisations, the CPIPG companies address the DPO for consultations.

1.6   Rights of Data Subjects
The CPIPG companies take all necessary steps to execute the rights of the data subjects stipulated by the GDPR. In respect of the personal data processing, data subjects have the rights comprising the right of access to personal data, the right to rectification, processing restriction, portability or erasure of personal data, the right to object to the personal data processing and the right not to be a subject to a decision based exclusively on the automated personal data processing.

The data subjects can request the exercise of their rights via a written or oral request. In order to provide the sufficient protection of the personal data processed by the CPIPG companies and to prevent personal data misuse from taking place, the CPIPG companies have introduced rules for the verification of the identity of the data subjects stated below.


Written request
To request the exercise of the particular right in writing, the data subjects shall fill in the request form attached to this Data Protection Policy or available from the DPO. The data subjects’ signatures on the requests forms need to be officially certified. Depending on local law, data subjects may be able to have your signature certified e.g. at a notary office, post office, attorney-at-law, consulate or municipal/regional authority. The signature has to be officially certified in a country where the request is submitted to the given CPIPG company in person at the particular CPIPG company’s registered seat, sent via mail using a postal services provider or verified electronical means (e.g. data boxes in Czechia). Particularly when sending the request via mail using a postal service provider in the countries outside of the EEA or the European Union, data subjects may be contacted by the given CPIPG company in order to further verify the identity.


Oral request
Data subjects may also request the exercise of their particular right in person at the given CPIPG company’s registered seat. Their identity will be verified by the particular CPIPG company’s designated employee (e.g. at a front desk), based on the submission of one of the following documents: personal ID card, passport or other official document with a photo sufficiently eligible to enable your clear identification. 

The exercise of data subjects’ rights shall not affect the rights of the third parties. Should the requests submitted by data subjects be manifestly unfounded or excessive, in particular because of the repetitive character, the CPIPG companies may require a reasonable fee, not exceeding the necessary costs of the provision of the above stated information or arranging the exercising of the data subjects’ rights, for the purposes of responding to their request.

The CPIPG companies ensure sufficient communication and cooperation in order to process all received requests in adequate time. The CPIPG companies closely cooperate to provide the concerned data subject with a response within the statutory periods.

1.7   Roles and Responsibilities
The CPIPG companies and their statutory bodies are responsible for ensuring compliance with the GDPR and the relevant Member States’ national data privacy legislation.

1.8   DPO
The CPIPG companies listed in the appendix have appointed a DPO with the functional and organisational responsibility for compliance with the legal regulations and internal regulations of the CPIPG companies concerning the personal data protection

The DPO can be contacted via e-mail dpo@cpipg.com or via post at the address Vladislavova 1390/17, 110 00 Praha 1, Czechia.

1.9   Responsibilities of Data Owners and of All Employees
All data owners within the CPIPG companies and all employees are obliged to process the personal data in compliance with the CPIPG companies’ internal policies, the GDPR and other Member States’ national data privacy legislation.

1.10  Notification of a Personal Data Breach
The CPIPG companies report any alleged breach of the personal data security to the relevant DPO immediately, in any case no later than within 24 hours. If the breach of personal data meets the requirements for reporting to the respective supervisory authority and/or data subjects, the DPO fulfils this obligation within 72 hours from the personal data breach.

1.11  Personal Data Erasure
The CPIPG companies process personal data only for a necessary time. Personal data are erased or anonymised under the following circumstances:

•      Expiration of the purpose of the personal data processing without any other legitimate purpose for replacement;

•      Personal data are not further needed for the purpose for which they were processed;

•      Withdrawal of the data subject’s consent without any other lawful basis for processing;

•      Objection of the data subject against the processing without any other prevailing justified reasons; and

•      Unlawful processing of the personal data.

The CPIPG companies put an emphasis on observing the necessary security measures during erasure or anonymization.

1.12  Personal Data Publishing in Public Media and the Intranet
The CPIPG companies may publish personal data in the Intranet, the Internet or any other media only with a consent of the concerned data subject, unless there is another legal basis in specific cases.

1.13. Web cookies processing

As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. These paragraphs describe what information they gather, how we use it and why we sometimes need to store these cookies. We will also share how you can prevent these cookies from being stored however this may downgrade or 'break' certain elements of the sites functionality.

For more general information on cookies see the Wikipedia article on HTTP Cookies.

How We Use Cookies

We use cookies for a variety of reasons detailed below. Unfortunately, in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to this site. It is recommended that you leave on all cookies if you are not sure whether you need them or not in case they are used to provide a service that you use.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site. Therefore, it is recommended that you do not disable cookies.

The Cookies We Set

Email newsletters related cookies
This site offers newsletter or email subscription services and cookies may be used to remember if you are already registered and whether to show certain notifications which might only be valid to subscribed/unsubscribed users.

Orders processing related cookies
This site offers e-commerce or payment facilities and some cookies are essential to ensure that your order is remembered between pages so that we can process it properly.

Forms related cookies
When you submit data to through a form such as those found on contact pages or comment forms cookies may be set to remember your user details for future correspondence.

Site preferences cookies
In order to provide you with a great experience on this site we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences we need to set cookies so that this information can be called whenever you interact with a page is affected by your preferences.

Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.
For more information on Google Analytics cookies, see the official Google Analytics page.

Third party analytics are used to track and measure usage of this site so that we can continue to produce engaging content. These cookies may track things such as how long you spend on the site or pages you visit which helps us to understand how we can improve the site for you.

List of third party partners:

Sabre [Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
TrustYou [Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
Flip.to [Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
Affilired [Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 

SiteMinder [Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
RateTiger [Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 

GetResponse [Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
GuestBook [Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
MyHotelShop [Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 
TripTease Ltd.[Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation]
Ve Interactive [Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 

YeildPlanet [Ad Serving, Ad Targeting, Analytics/Measurement, Content Customisation, Cross Device Tracking, Optimisation] 

From time to time we test new features and make subtle changes to the way that the site is delivered. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site whilst ensuring we understand which optimisations our users appreciate the most.
As we sell services it's important for us to understand statistics about how many of the visitors to our site actually make a purchase and as such this is the kind of data that these cookies will track. This is important to you as it means that we can accurately make business predictions that allow us to monitor our advertising and product costs to ensure the best possible price.
We use adverts to offset the costs of running this site and provide funding for further development. The behavioural advertising cookies used by this site are designed to ensure that we provide you with the most relevant adverts where possible by anonymously tracking your interests and presenting similar things that may be of interest.
Several partners advertise on our behalf and affiliate tracking cookies simply allow us to see if our customers have come to the site through one of our partner sites so that we can credit them appropriately and where applicable allow our affiliate partners to provide any bonus that they may provide you for making a purchase.
We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including; Facebook; Twitter; Google+; Instagram; LinkedIn; Pinterest, will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.


2.   Basic Terms/Abbreviations
Data subject                         An identified or identifiable individual whose personal data are processed; an identifiable individual is an individual who can be identified either directly or indirectly, predominantly with reference to a certain identifier, such as a name, identification number, location data, online identifier or one or more special elements of the physical, physiological, genetic, psychical, economic, cultural or social identity of the individual.

Data controller                    A natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of personal data processing.

Processor                             A natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

Personal data                       Any information on the identified or identifiable individual.

Special category                  Personal data providing information on racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

GDPR                                     Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal data processing   Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

DPO                                       Data Protection Officer.

Anonymised information   Information not relating to an identified or identifiable individual, including personal data anonymised so that the data subject is not or ceased to be identifiable.

Third party                            Any legal entity or individual who is not the Company’s employee, except for data subjects.

Consent                                 Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


Appendix no. 1 – List of the CPIPG companies with appointed DPO

•      CPI Jihlava Shopping, a.s.

•      CPI Shopping Teplice, a.s.

•      CPI Shopping MB, a.s.

•      CPI Národní, s.r.o.

•      CB Property Development, a.s.

•      CPI BYTY, a.s.

•      CPI Property, s.r.o.

•      CPI Services, a.s.

•      Hraničář, a.s.

•      Olomouc City Center, a.s.

•      Best Properties South, a.s.

•      OC Spektrum, s.r.o.

•      CPI East,s.r.o.

•      CPI Office Prague, s.r.o.

•      IGY2 CB, a.s.

•      Marissa Tau, a.s.

•      Marissa Yellow, a.s.

•      Marissa Ypsilon, a.s.

•      CPI Hotels, a.s.

•      Projekt Zlatý Anděl, s.r.o.

•      Projekt Nisa, s.r.o.

•      KOENIG, s.r.o.

•      MB Futurum HK s.r.o.

•      Gewerbesiedlungs-Gessellschaft mbH

•      Buy-Way Dunakeszi Kft.

•      Europeum Kft.

•      Buy-Way Soroksár Kft.

•      CPI Hotels Hungary Kft.

•      Pólus Társasház Üzemeltető Kft.

•      Campona Shopping Center Kft.

•      Suncani Hvar d.d.

•      Gadwall Sp. z o.o. (Gadwall)

•      Central Tower 81 Sp. z o.o. (CT81)

•      CPI Poland Sp. z o. o. (CPI Poland)

•      CPI Hotels Poland sp. z o.o.

•      City Gardens Sp. z o.o. (CG)

•      Felicia Shopping Center SRL

•      CPI Facility Slovakia, a.s.

•      CPI Hotels Slovakia, s. r. o.

Подпишитесь на нас