Information Clause – Registration Card
According to Article 13 and Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”), in connection with the receipt of your personal data as a hotel guest, we hereby inform you that:
-
The Controller of your personal data is Polski Holding Hotelowy Sp. z o.o. with its registered office in Warsaw at: ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw, registered in the Register of Entrepreneurs of the National Court Register under KRS number 0000047774, whose registration files are maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, holding NIP number: 5222482605, BDO: 000509129, share capital PLN 1,911,499,700.00 (hereinafter the “Controller”).
-
The contact person for all matters concerning the processing of personal data and the exercise of rights related to the processing of personal data at the Controller is the Data Protection Officer, who may be contacted via email: iod@phh.pl.
-
The processing of your personal data takes place for at least one of the purposes indicated below:
a) pursuant to Article 6(1)(b) GDPR, as necessary for the performance of the hotel services agreement to which you are a party;
b) pursuant to Article 6(1)(a) GDPR and Article 9(2)(a) GDPR, in order to avoid negative health consequences resulting from allergic reactions to meals served and to meet special needs within the hotel service provided, adapted to the degree of disability;
c) pursuant to Article 6(1)(c) GDPR, as necessary to comply with the legal obligations incumbent on the Controller, in particular to ensure compliance with applicable financial-accounting-tax regulations, statistical obligations, the exercise of rights under GDPR and consumer rights;
d) pursuant to Article 6(1)(f) GDPR, in order to pursue the legitimate interests of the Controller (protection of persons and property, establishment, pursuit and defence of possible claims, provision of commercial information and direct marketing, i.e. sending advertising and promotional offers in forms other than those indicated in item f) below);
e) pursuant to Article 6(1)(f) GDPR and Article 9(2)(f) GDPR, in order to establish, pursue or defend claims related to the processing of special (sensitive) data;
f) pursuant to separate consent and Article 10(2) of the Act on the provision of electronic services of 18 July 2002 (Journal of Laws of 2017, item 1219, as amended) or Article 172 of the Act of 16 July 2004 Telecommunications Law (Journal of Laws of 2017, item 1907, as amended) – for the purpose of sending commercial information (sending advertising and promotional offers) electronically or by telephone using terminal equipment.
-
The Controller processes the following categories of personal data: first name, surname, PESEL number or passport number, nationality, correspondence address, telephone number, email address, optionally car registration number, health data (regarding food allergies and disability), image.
-
You have the right to:
a) access your data, including requesting a copy of the data,
b) rectify inaccurate data and request completion of incomplete data,
c) erase data (“right to be forgotten”) if one of the following circumstances applies:
i. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
ii. the data subject objects pursuant to Article 21(1) (in relation to processing based on a task carried out in the public interest or in the exercise of official authority by the Controller, or on the legitimate interest of the Controller or a third party) and there are no overriding legitimate grounds for the processing, or the data subject objects pursuant to Article 21(2) to processing (in relation to processing for direct marketing purposes);
iii. the personal data have been unlawfully processed;
iv. the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the Controller is subject;
d) restrict processing, in the following cases:
i. you contest the accuracy of the personal data – for a period enabling the Controller to verify the accuracy of the data;
ii. the processing is unlawful and you oppose the erasure of the personal data, requesting instead the restriction of their use;
iii. the Controller no longer needs the personal data for processing purposes, but they are needed by you for the establishment, exercise or defence of claims;
iv. you have objected pursuant to Article 21(1) (in relation to processing based on a task carried out in the public interest or in the exercise of official authority by the Controller, or on the legitimate interest of the Controller or a third party) – pending verification of whether the Controller’s legitimate grounds override your grounds for objection;
e) data portability, if:
i. the processing is based on consent or on a contract, and
ii. the processing is carried out by automated means,
f) withdraw consent to the processing of personal data at any time, whereby the withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal,
g) object:
i. in any case where your data are processed for direct marketing purposes;
ii. where your particular situation justifies objection to the processing of personal data, when the basis for processing is the legitimate interest pursued by the Controller, except where there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, in particular the establishment, exercise or defence of claims.
The rights may be exercised, among others, by sending a request to the Data Protection Officer (address given in point 2 above), as well as by written correspondence or in person at the Controller’s registered office.
-
You have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw), if you consider that the processing of personal data violates the GDPR or other personal data protection regulations.
-
Your personal data are or may be transferred to the following categories of recipients:
a) persons authorized by the Controller, employees and collaborators, members of the Controller’s bodies who must have access to personal data in order to perform their duties,
b) service providers, including those supplying the Controller with technical and organizational solutions enabling the management of the Controller’s organization (in particular IT, postal, courier, legal, accounting, audit, security, data storage, tax-accounting, protection of persons and property), on the basis of appropriate data processing agreements,
c) Franchisors.
-
Your personal data will be stored:
a) for the purposes referred to in point 3(a) and (b) above – for the duration of the hotel services agreement concluded with you,
b) for the purpose of establishing, pursuing and defending claims – for the period specified in legal regulations for the limitation of the particular type of claims,
c) for the purpose of fulfilling legal obligations – for the period required by applicable legal provisions or until those obligations are fulfilled, no longer than the time in which the Controller may bear legal consequences of failure to perform the obligation,
d) for the purpose of protecting persons and property – for a period of 30 days after the end of your stay at the hotel, unless CCTV devices have recorded an incident related to a breach of the security of persons and property – in such case, the retention period may be extended by the time necessary to complete the proceedings concerning the incident recorded by CCTV,
e) for the purpose of sending commercial information and conducting direct marketing, i.e. sending advertising and promotional offers – until consent is withdrawn or an objection is raised, but no longer than 3 years from the date the data were provided, calculated at the end of the given calendar year.
-
Providing your personal data is voluntary, but necessary to perform the contract concluded with you, and failure to provide them will make it impossible to perform the contract.
-
Your personal data will not be transferred to international organizations.
-
Data may be transferred to third countries (outside the European Economic Area), including the franchisor or companies within the franchisor’s group based in the United States (or another so-called third country not ensuring an adequate level of protection), in connection with the central hotel booking system, quality control of services provided to you in hotels and facilities, franchising fee audits, evaluation of your satisfaction with hotel services, your participation in the franchisor’s loyalty program. The Controller will transfer the data using mechanisms compliant with applicable law, which include, among others, the EU “Standard Contractual Clauses” and applying possible additional safeguards. The transfer of data as stated in the preceding sentence is necessary for the conclusion and performance of the agreement. More information on the safeguards implemented by the Controller to ensure the processing of personal data in accordance with the relevant provisions, and on the possibilities of obtaining a copy of the data or the place where the data are made available, can be obtained by contacting us in the manner indicated in this notice.
-
If the Controller has not received your personal data directly from you, the data were obtained from your family member, employer or other data controllers, e.g. from the franchisor’s booking system or from entities intermediating in hotel reservations (e.g. hotel booking portals), or through travel agencies.
-
Your personal data are not subject to automated decision-making, including profiling.
In addition, please be informed that data subjects have the right to object to the processing of data for direct marketing purposes at any time, and in the case of processing data in the legitimate interest of the Controller – in the event of a special situation, in accordance with Article 21 GDPR.