Privacy & GDPR

Minorite Friary Prague

Privacy Policy and GDPR Information Notice


Effective date: 01/02/2025


This Privacy Policy explains how personal data is processed in connection with ticket sales, admissions, guided tours, self-guided products, cultural and musical events, digital content, on-site sales and related services provided for or at Minorite Friary Prague.


1. Data Controller


Controller: AGENTURA HELAS, s.r.o.

IČO: 26744279

DIČ: CZ26744279

Registered office: Malá Štupartská 635/6, 110 00 Praha 1, Czech Republic

Email: helas@helas.org

Phone: +420 220 570 708

Data box: ghtjnb5


The Controller processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and applicable Czech legislation.

2. Categories of personal data processed


We may process the following categories of personal data depending on the service used:


Identification data

Name and surname

Title

Date of birth where relevant for ticket category


Contact data

Email address

Telephone number

Postal address


Transaction data

Booking reference

Ticket ID

Payment status

Amount paid

Refund data

Billing details


Technical data

IP address

Device type

Browser type

Access logs

QR scan logs


Event-related data

Seat allocation

Entry validation time

Attendance confirmation


Communication data

Email communication

Complaint records

Customer service records


CCTV data

Video recordings from security cameras located at the Venue


Marketing data

Newsletter subscription status

Consent records

Marketing interaction data

3. Purposes and legal basis for processing


Personal data is processed for the following purposes:


Contract performance

Processing bookings and ticket sales

Entry validation

Event administration

Customer support

Refund processing


Legal basis: Article 6(1)(b) GDPR (performance of a contract)


Legal compliance

Accounting obligations

Tax obligations

Archiving obligations

Fraud prevention


Legal basis: Article 6(1)(c) GDPR (legal obligation)


Legitimate interests

Venue security

Protection of property

Prevention of fraud

Defence of legal claims

Operational management

Capacity control


Legal basis: Article 6(1)(f) GDPR (legitimate interest)


Marketing communication

Sending newsletters or promotional information


Legal basis: Article 6(1)(a) GDPR (consent) or Article 6(1)(f) (legitimate interest) where permitted by law

4. CCTV monitoring


The Venue is monitored by a camera surveillance system for the purposes of:


Protection of property

Protection of visitors and staff

Prevention and investigation of unlawful acts


CCTV recordings are processed under Article 6(1)(f) GDPR (legitimate interest).


Recordings are stored for a limited period unless required for investigation or legal proceedings.


Clear notice about CCTV monitoring is displayed at the Venue entrance.

5. Photography and video during events


During certain cultural or public events, photography and video recordings may be taken for documentation, archival and promotional purposes.


If individuals are identifiable, processing is based on legitimate interest or explicit consent where required.


Visitors who do not wish to appear in promotional materials may inform staff.

6. Data recipients


Personal data may be shared with:


Payment service providers including Stripe

Booking systems including Bokun

Online Travel Agencies

IT and hosting providers

Accounting and tax advisors

Legal representatives

Public authorities where required by law


Data is shared only to the extent necessary for service provision or legal compliance.

7. International transfers


Some service providers may process data outside the European Union.


In such cases, appropriate safeguards are applied in accordance with GDPR, including Standard Contractual Clauses or adequacy decisions.

8. Data retention


Personal data is retained only for as long as necessary for:


Performance of contractual obligations

Compliance with legal requirements

Defence of legal claims

Accounting retention periods


CCTV recordings are retained for a limited operational period unless needed for investigation.

9. Data subject rights


Under GDPR, individuals have the right to:


Access their personal data

Request rectification

Request erasure where legally applicable

Request restriction of processing

Object to processing based on legitimate interest

Data portability where applicable

Withdraw consent at any time


Requests can be sent to helas@helas.org.


We may request identity verification before fulfilling requests.

10. Complaints


Individuals have the right to lodge a complaint with the supervisory authority:


Úřad pro ochranu osobních údajů

Pplk. Sochora 27

170 00 Praha 7

Czech Republic

11. Data security


The Controller implements appropriate technical and organisational measures to protect personal data, including:


Secure booking systems

Access control

Encryption where appropriate

Staff confidentiality obligations

Internal data handling procedures

12. Automated decision-making


We do not conduct automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR.

13. Changes to this Policy


This Privacy Policy may be updated from time to time. The version effective at the time of booking or visit applies unless mandatory law provides otherwise.

