Table of contents

Who is responsible for your personal data (Controller/Joint Controller)?

How to contact us regarding personal data matters?

On what basis and for what purpose do we process your personal data?

Information about the requirement to provide personal data.

To whom do we disclose your personal data?

Transfer of data outside the European Economic Area.

What rights do you have regarding your personal data?

Profiling and automated decision-making.

 

We make every effort to properly secure your personal data and to present to you in a transparent way how we use it.

Since 25 May 2018, European data protection regulations have been in force in the form of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 4.05.2016, p. 1) (“GDPR”).

In this regard, we would like to inform you about the processing of your personal data that you provide to us in connection with your wish to receive marketing communication from us, including offers regarding our products and services.

This Privacy Policy, prepared by Polski Holding Hotelowy Sp. z o.o., with its registered office at ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw, registered in the National Court Register under number 47774 (hereinafter the “Controller” or “PHH”), is addressed to users of our fan page on social media platforms, including those who post comments or click “like” on our profile, or who publish posts on it, which results in the transfer of personal data.

 

Who is responsible for your personal data (Controller/Joint Controller)?

1. The Controller of personal data is Polski Holding Hotelowy Sp. z o.o., with its registered office in Warsaw, ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw, registered in the Register of Entrepreneurs of the National Court Register under KRS number 0000047774, whose registration files are maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, holding NIP number: 5222482605, BDO: 000509129, share capital PLN 1,911,499,700.00.

   The joint controllers of personal data processed while using the PHH profile on social media platforms are:

   • for Facebook – Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland); Facebook’s data protection rules are available at: https://www.facebook.com/about/privacy, and the rules of joint controllership can be found at: https://www.facebook.com/legal/terms/page_controller_addendum

   • for LinkedIn – LinkedIn Ireland Unlimited Company (Wilton Place, Wilton Plaza, Dublin 2, Ireland); LinkedIn’s data protection rules are available at: https://pl.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy#choices

   • for Twitter – Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland); Twitter’s data protection rules are available at: https://twitter.com/en/privacy

   • for Instagram – Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland); Instagram’s data protection rules are available at: https://www.facebook.com/about/privacy, and the rules of joint controllership can be found at: https://pl-pl.facebook.com/help/instagram/155833707900388

 

 

How to contact us regarding personal data matters?

In all matters related to personal data protection, including the exercise of rights connected with data processing, you may contact our Data Protection Officer electronically at the email address iod@phh.pl, or in writing at the address and details of the Controller indicated above.

 

On what basis and for what purpose do we process your personal data?

 

Information about the requirement to provide personal data.

Providing personal data is voluntary.

Failure to provide personal data may prevent us from responding to inquiries or carrying out the requested activities.

How long do we store your personal data?

Your personal data will be stored for no longer than is necessary for the purposes for which the data are processed, i.e.:

• data collected for the purpose of communication and responding to messages – for a period of 3 years from receipt of the message,

• data collected in connection with comments posted by you – until they are deleted by the author or by the owner of the respective social media platform,

• data collected for the conclusion and performance of a contract – for the duration of the contract, and if the contract is not concluded – for no longer than 6 months from the date the data were obtained,

• data collected for the purpose of fulfilling PHH’s legal obligations – for the period required by applicable law or until such obligations are fulfilled, no longer than the time in which PHH may bear legal consequences for failure to perform the obligation,

• data collected for the purpose of pursuing or defending against possible claims – for the period specified in law for the limitation of the particular type of claims,

• data collected for the purpose of carrying out direct marketing and for statistical purposes – for no longer than 3 years from the date of obtaining the data, or until an objection is raised.

 

To whom do we disclose your personal data?

1. Your personal data may be transferred to entities processing personal data on behalf of the Controller, i.e. service providers, including those supplying us with technical and organizational solutions enabling the management of our organization (in particular IT service providers, hosting providers, legal and accounting service providers, recipients of cookies), in the course of performing their activities, whereby such entities process the data on the basis of a contract with the Controller and only in accordance with the Controller’s instructions.
2. In the case of services provided by external companies, your personal data may be transferred to recipients established or processing personal data in countries outside the European Economic Area (EEA), only with the safeguards required by the GDPR as described below.

Transfer of data outside the European Economic Area

1. In the event that your personal data are transferred to third countries, i.e. to recipients established outside the European Economic Area in countries which, according to the European Commission, do not ensure adequate data protection (third countries not ensuring an adequate level of protection), the Controller transfers them using mechanisms compliant with applicable law, which include, among others:

   • EU Standard Contractual Clauses,

   • conducting a Transfer Impact Assessment (TIA),

   • applying additional security measures.

   More information about the safeguards implemented by the Controller to ensure that personal data are processed in compliance with the relevant regulations, as well as about the possibilities of obtaining a copy of the data or information on where the data are made available, can be obtained by contacting us in the manner indicated in point 1 above.

What rights do you have regarding your personal data ?

1. • Access to personal data. You may exercise the right of access to your data at any time.

   • Rectification and completion of data. You have the right to request the Controller to immediately rectify your inaccurate personal data and to request the completion of incomplete personal data.

   • Right to erasure. You have the right to request the Controller to immediately erase your personal data in each of the following cases:

     • when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

     • when you object to the processing as referred to in point e) below and there are no overriding legitimate grounds for the processing of such data;

     • when the personal data have been unlawfully processed;

     • when the personal data must be erased in order to comply with a legal obligation under European Union or Polish law.

     The Controller will not, however, be able to erase your personal data to the extent that their processing is necessary (i) for exercising the right to freedom of expression and information, (ii) for compliance with a legal obligation requiring processing under European Union or Polish law, (iii) for the establishment, exercise or defence of claims.

   • Right to restriction of processing. You have the right to request the Controller to restrict processing in the following cases:

     • you contest the accuracy of the personal data – for a period enabling the Controller to verify the accuracy of the data;

     • the processing is unlawful and you oppose the erasure of the personal data, requesting instead the restriction of their use;

     • the Controller no longer needs the personal data for processing purposes, but they are needed by you for the establishment, exercise or defence of claims;

     • you have objected to the processing as referred to in point e) below – pending verification of whether the Controller’s legitimate grounds override your grounds for objection.

   • Right to object. You have the right to object to the processing of your personal data where the Controller processes the data on the basis of a legitimate interest (where your particular situation applies), including for direct marketing purposes. To the extent that the data are processed for direct marketing purposes, you may object at any time. To the extent that the data are processed for purposes other than direct marketing, the Controller may refuse to uphold the objection if it demonstrates the existence of compelling legitimate grounds for the processing which override your interests, rights and freedoms, or grounds for the establishment, exercise or defence of claims.

   • Right to withdraw consent. If your personal data are processed on the basis of your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

   • Right to data portability. To the extent that your data are processed for the purpose of concluding and performing a contract or processed on the basis of consent, and the processing is carried out by automated means, you have the right to receive from the Controller, in a structured, commonly used and machine-readable format, your personal data that you provided during the recruitment process. You also have the right to transmit this personal data to another controller.

   • Right to lodge a complaint. You have the right to lodge a complaint about the processing of your personal data by the Controller with the supervisory authority, which in Poland is the President of the Personal Data Protection Office.

   To exercise the above rights, please contact the Controller or the Data Protection Officer using the contact details indicated above, or contact the supervisory authority directly (with respect to the right to lodge a complaint with that authority).

Profiling and automated decision-making

The data provided will not be subject to automated decision-making; however, they may be subject to profiling for marketing and statistical purposes, which may result in tailoring informational and promotional content to the individual’s profile and previous choices, as well as for purposes and under the rules specified in the regulations of social media platforms.