Pursuant to Article 13 and Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”), we inform you that:
-
The Controller of your personal data is Polski Holding Hotelowy Sp. z o.o. with its registered office in Warsaw at: ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw, registered in the Register of Entrepreneurs of the National Court Register under KRS number 0000047774, whose registration files are maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, holding NIP number: 5222482605, BDO: 000509129, share capital PLN 1,911,499,700.00 (hereinafter the “Controller”).
-
The contact person for all matters concerning the processing of personal data and the exercise of rights related to the processing of personal data at the Controller is the Data Protection Officer, who may be contacted via email: iod@phh.pl
-
Your personal data are processed for the following purposes:
a) conducting the recruitment process for the position specified in the announcement, i.e. for the purpose of concluding an agreement and taking steps aimed at its conclusion, and collecting your specified data in accordance with Article 22¹ of the Labour Code:
a. first name and surname, date of birth, contact details – pursuant to Article 22¹ § 1 points 1–3 of the Labour Code in conjunction with Article 6(1)(c) GDPR,
b. education, professional qualifications and employment history – pursuant to Article 22¹ § 1 points 4–6 of the Labour Code in conjunction with Article 6(1)(b) GDPR,
b) conducting the recruitment process on the basis of your consent to the processing of your personal data, i.e. personal data other than those indicated in item b) above, provided in the CV, form, cover letter and other documents submitted as part of the recruitment process and not being special category data, or in the case of recruitment to conclude a civil-law agreement (if applicable – please note that providing such data in the aforementioned documents is sufficient to be deemed as consent to the processing of such data)
– pursuant to Article 6(1)(a) GDPR,
c) conducting the recruitment process on the basis of your explicit consent to the processing of your personal data specified in Article 9(1) GDPR (special category data, including health data, e.g. information on holding a disability certificate) (NOTE – if you include such data in the recruitment documents, please send explicit consent for their processing; otherwise the data will be immediately deleted),
– pursuant to Article 9(2)(a) GDPR,
d) fulfilment of other legal obligations of the Controller, including the exercise of rights under the GDPR – pursuant to Article 6(1)(c) GDPR,
e) establishment, defence or pursuit of claims – pursuant to Article 6(1)(f) GDPR.
-
Providing personal data to the extent resulting from Article 22¹ of the Labour Code is necessary for the recruitment process and follows from the indicated legal provisions. In all other respects, providing personal data is voluntary.
-
You have the right to:
a) access your data, including requesting a copy of the data,
b) rectify inaccurate data and request completion of incomplete data,
c) erase data (“right to be forgotten”) if one of the following circumstances applies:
i. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
ii. the data subject objects pursuant to Article 21(1) (in relation to processing based on a task carried out in the public interest or in the exercise of official authority by the Controller, or on the legitimate interest of the Controller or a third party) and there are no overriding legitimate grounds for the processing, or the data subject objects pursuant to Article 21(2) to processing (in relation to processing for direct marketing purposes);
iii. the personal data have been unlawfully processed;
iv. the personal data must be erased in order to comply with a legal obligation under the law of the European Union or the law of a Member State to which the Controller is subject;
d) restrict processing, in the following cases:
i. the data subject contests the accuracy of the personal data – for a period enabling the Controller to verify the accuracy of the data;
ii. the processing is unlawful and the data subject opposes the erasure of the personal data, requesting instead the restriction of their use;
iii. the Controller no longer needs the personal data for processing purposes, but they are needed by the data subject for the establishment, exercise or defence of claims;
iv. the data subject has objected pursuant to Article 21(1) (in relation to processing based on a task carried out in the public interest or in the exercise of official authority by the Controller, or on the legitimate interest of the Controller or a third party) – pending verification of whether the Controller’s legitimate grounds override those of the data subject;
e) data portability, if:
i. the processing is based on consent or on a contract, and
ii. the processing is carried out by automated means,
a. the right to object:
i. in any case where your data are processed for direct marketing purposes;
ii. where your particular situation justifies objection to the processing of personal data, when the basis for processing is the legitimate interest pursued by the Controller, except where there are compelling legitimate grounds for the processing, overriding your interests, rights and freedoms, in particular the establishment, exercise or defence of claims,
f) withdraw consent to the processing of personal data at any time, whereby the withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
The rights may be exercised, among others, by sending a request to the address of the Data Protection Officer (given in point 2 above), as well as by written correspondence or in person at the Controller’s registered office.
-
You have the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, if you consider that the processing of personal data violates the GDPR or other legal provisions.
-
Your personal data are or may be transferred to the following categories of recipients:
a) persons authorized by the Controller, employees and collaborators, members of the Controller’s bodies who must have access to personal data in order to perform their duties,
b) service providers, including those supplying the Controller with technical and organizational solutions enabling the management of the Controller’s organization (in particular IT, postal, courier, legal, accounting, audit, security, data storage and recruitment service providers) on the basis of appropriate data processing agreements.
-
Your personal data will be stored:
a. for recruitment purposes – for a period of 3 months from the end of the recruitment process. If you have given consent to the use of your personal data in future recruitment processes, the data will be used for 1 year from the date of consent,
b. for the purposes of defence or pursuit of claims – for the period specified in legal regulations for the limitation of the particular type of claims,
c. for the purposes of performing legal obligations – for the period required by applicable legal provisions or until those obligations are fulfilled, not longer than the time in which the Controller may bear legal consequences of failure to perform the obligation, with the effect calculated at the end of the given calendar year.
-
Your personal data will not be transferred to international organizations.
-
Data may be transferred to third countries (outside the European Economic Area), including the franchisor or companies within the franchisor’s group based in the United States (or another so-called third country not ensuring an adequate level of protection), in connection with the central hotel booking system, quality control of services provided to you in hotels and facilities, franchising fee audits, evaluation of your satisfaction with hotel services, your participation in the franchisor’s loyalty program. The Controller will transfer the data using mechanisms compliant with applicable law, which include, among others, the EU “Standard Contractual Clauses” and applying possible additional safeguards. The transfer of data as stated in the preceding sentence is necessary for the conclusion and performance of the agreement. More information on the safeguards implemented by the Controller to ensure the processing of personal data in accordance with the relevant provisions, and on the possibilities of obtaining a copy of the data or the place where the data are made available, can be obtained by contacting us in the manner indicated in this notice.
-
Your personal data are not subject to automated decision-making, including profiling.
-
If the Controller does not receive your personal data directly from you, the personal data were obtained from recruitment service providers and are processed to the extent of the data specified in point 3 above.