GUEST PRIVACY POLICY

Information Obligation

This document (“Guest Privacy Policy”) has been prepared by Polski Holding Hotelowy sp. z o.o. with its registered office in Warsaw (hereinafter referred to as the “Controller” or “we” or “PHH”).

The purpose of this Privacy Policy is to provide information about the conditions, principles and rules applied to the processing of personal data of guests using the services of hotels and facilities managed by Polski Holding Hotelowy sp. z o.o.

  1. Data Controller

  2. Contact with the Data Controller

  3. Legal basis and purposes of data processing

  4. Processing of special categories of personal data

  5. Source of personal data

  6. Recipients and categories of recipients of personal data

  7. Transfer of data to third countries

  8. Data retention period

  9. Your rights

  10. Information about the obligation to provide data

  11. Automated decision-making


  1. Data Controller
    The controller of your personal data is Polski Holding Hotelowy sp. z o.o., with its registered office at ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw, registered in the National Court Register under number 47774.

  2. Contact with the Data Controller
    For matters related to the processing of your personal data, including exercising your rights, please contact the Controller by email at iod@phh.pl, by phone at +48 22 65 00 872, or by post: Data Protection Officer, Polski Holding Hotelowy sp. z o.o., ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw.

  3. Legal basis and purposes of data processing
    The legal basis for processing your personal data in the context of using hotel services for the purposes of concluding and performing a hotel services agreement, including managing reservations, making payments, invoicing, understanding your expectations and tailoring services to your individual needs, handling complaints, as well as compiling commercial statistical data, conducting satisfaction surveys, marketing activities, internal audit, ensuring security on hotel premises and archiving data, is as follows:

a. in the scope of first name, surname, address including country of residence, email, phone number, dates and places of service use, type of services – necessity for the conclusion and performance of a hotel services agreement (Article 6(1)(b) GDPR),

b. in the case of payment for services by credit card: type, number and expiry date of the card, transaction amount and date, transaction confirmation number, cardholder’s name and surname, sometimes cardholder’s signature, cardholder’s address; in the case of payment by bank transfer: transaction amount and date, bank account number, account holder’s name and surname – necessity for the conclusion and performance of a hotel services agreement (Article 6(1)(b) GDPR),

c. in the scope of preferences and individual service needs you provide – your consent to the processing of personal data, expressed by requesting adaptation of services to those needs and preferences (Article 6(1)(a) GDPR),

d. in the scope of name and surname, room number, period of stay, amounts, form of payment – legitimate interest of the Controller consisting of the need for internal audit of services provided to you (Article 6(1)(f) GDPR),

e. in the scope of data necessary to issue an invoice – legal obligation of the Controller (Article 6(1)(c) GDPR),

f. in the scope of the email address to which we send you newsletters, offers and promotions – your consent to the processing of personal data for marketing purposes (Article 6(1)(a) GDPR), if such consent has been expressed, as well as, within the limits allowed by law, the Controller’s legitimate interest in marketing activities directed at clients (Article 6(1)(f) GDPR),

g. in the scope of your image captured on CCTV cameras – legitimate interest of the Controller consisting of the need to protect PHH property and ensure safety on hotel premises (Article 6(1)(f) GDPR),

h. in the scope of email address and dates of hotel service use – legitimate interest of the Controller in conducting surveys regarding your satisfaction with hotel services (Article 6(1)(f) GDPR).

  4. Processing of special categories of personal data
    Some categories of personal data are considered special under data protection regulations and as such are subject to a higher level of protection and security. The following categories of personal data are considered special: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) sex life or sexual orientation; (6) physical or mental health or condition; and (7) genetic and biometric data. The Controller does not collect or process your special categories of personal data, except in situations where you provide such data yourself, e.g. in connection with a request to tailor hotel services to your needs and preferences, and only if permitted by law.

  5. Source of personal data
    Data is obtained directly from you but may also be obtained from a person making a reservation on your behalf, from a franchisor’s booking system or from an intermediary in booking hotels or facilities, e.g. hotel booking portals or travel agencies.

  6. Recipients and categories of recipients of personal data
    Your personal data may be shared with the following recipients:

a. entities providing services on behalf of the Controller,
b. entities providing marketing services,
c. franchisors of the given hotel network.

If required by mandatory provisions of law, the Controller may also disclose your personal data to third parties, in particular to authorized state authorities.

  7. Transfer of data to third countries
    If your personal data is transferred to a franchisor or a company within the franchisor’s group based in the United States (or another so-called third country that does not ensure an adequate level of protection), in connection with the central hotel booking system, quality control of services provided to you, franchising fee audits, evaluation of your satisfaction with hotel services, or your participation in the franchisor’s loyalty program, the Controller will transfer the data using mechanisms compliant with applicable law, which include, among others, the EU “Standard Contractual Clauses.”

  8. Data retention period
    The Controller retains your personal data for no longer than is necessary to achieve the purposes for which the data was collected or, if necessary, to comply with applicable law, in particular the duration of the contract and the limitation period for claims.

  9. Your rights
    a) Right of access to personal data – you may access your data at any time.
    b) Right to rectification and completion of data – you have the right to request immediate rectification of inaccurate personal data and completion of incomplete data.
    c) Right to erasure – you have the right to request immediate deletion of your personal data if: the data is no longer necessary for the purposes for which it was collected; the data is processed unlawfully; or the data must be erased to comply with a legal obligation under EU or Polish law. However, the Controller will not be able to erase your data to the extent that processing is necessary (i) for exercising freedom of expression and information, (ii) for compliance with a legal obligation, or (iii) for the establishment, exercise or defense of claims.
    d) Right to restriction of processing – you may request restriction of processing when: you contest the accuracy of the personal data – for a period allowing the Controller to verify the accuracy of the data; the processing is unlawful and you oppose the erasure of the data, requesting instead restriction of its use; the Controller no longer needs the personal data for processing purposes but you require it for the establishment, exercise or defense of claims.
    e) Right to withdraw consent – if processing is based on your consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
    f) Right to data portability – you have the right to receive your personal data, provided to the Controller in connection with hotel services, in a structured, commonly used, machine-readable format, and to transmit it to another controller.
    g) Right to lodge a complaint – you have the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office.

The rights referred to in a)–g) above may be exercised by contacting the Controller.

  10. Information about the obligation to provide data
    Providing your personal data is necessary to conclude and perform a contract with PHH. Failure to provide full data may result in your not being able to benefit from all the advantages offered by our network of hotels and facilities.

  11. Automated decision-making
    The Controller does not make automated decisions, including profiling, based on the personal data you provide.