Obligation to Inform
This Policy serves to provide information about the terms and conditions, rules and regulations applicable to the processing of personal data of guests making use of the services provided by the hotels managed by Polski Holding Hotelowy sp. z o.o.
Table of Contents
9. Your rights
1. Data Controller
Your Data Controller is Polski Holding Hotelowy sp. z o.o. (PHH) with its registered office at ul. Komitetu Obrony Robotników 39G, 02-148 Warsaw, entered in the National Court Register under KRS number 0000047774.
2. Contact with the Data Controller
Any matters regarding the processing of your personal data, including the exercise of your rights by the Controller, may be voiced by contacting the Data Controller by email: firstname.lastname@example.org, by phone: 22 65 00 872, or by post: Inspektor Ochrony Danych [Data Protection Officer], Polski Holding Hotelowy sp. z o.o. Warsaw ul. Komitetu Obrony Robotników 39G, post code: 02-148.
3. Legal grounds for and purposes of data processing
As regards the use of hotel services, the legal grounds for processing your personal data for the purpose of the execution and performance of a hotel services agreement, including management of bookings, payments, invoicing, getting acquainted with your expectations and adapting our services to your individual needs, handling complaints, as well as for the purpose of compilation of statistical data of commercial nature and conducting customer satisfaction surveys, marketing activities, internal audits, and also for the purpose of ensuring safety throughout the hotel premises and data archiving, are:
a. for the data being the name and surname, address (including country of residence), e-mail address, phone number, date and place and the type of hotel services used – necessity to execute and perform the hotel services agreement (Art. 6(1)(b) GDPR);
b. for credit card payments: card type, number and expiry date, transaction date and amount, transaction confirmation number, card holder name and surname, in some cases card holder signature, card holder address; for service payments made via a wire transfer: transaction date and amount, bank account number, name and surname of the bank account holder – necessity to execute and perform the hotel services agreement (Art. 6(1)(b) GDPR);
c. for your preferences, individual needs regarding hotel services you have provided – your consent to data processing granted by applying for the adjustment of services to your preferences and needs (Art. 6(1)(a) GDPR);
d. for data being the name and surname, room number, dates of stay, payment amounts and forms – a legitimate interest of the Data Controller being the necessity to internally audit services with which you have been provided (Art. 6(1)(f) GDPR);
e. for data required for billing or invoicing purposes – legal obligations imposed on the Data Controller (Art. 6(1)(c) GDPR);
f. for the email address to which we send you our newsletter, offers, or promotions – your consent to personal data processing for marketing purposes (Art. 6(1)(a) GDPR), provided that you have granted the same, and also to the extent permitted under law – a legitimate interest of the Data Controller consisting in marketing activities undertaken for clients (Art. 6(1)(f) GDPR);
g. for your image recorded by CCTV cameras – a legitimate interest of the Data Controller being the necessity to protect the Company’s assets and ensure safety throughout the hotel premises (Art. 6(1)(f) GDPR);
h. for the email address and dates the hotel services were used – a legitimate interest of the Data Controller expressed in carrying out customer satisfaction surveys measuring the level of your satisfaction with the hotel services (Art. 6(1)(f) GDPR).
4. Processing of special categories of personal data
Under data protection laws, certain categories of personal data are deemed special categories of personal data which merit higher protection (sensitive data) and as such are therefore provided with greater protection and safety. Pursuant to the regulations, the following are considered to be special categories of personal data: (1) racial or ethnic origin; (2) political opinion; (3) religion or beliefs; (4) trade union membership; (5) sex life or sexual orientation; (6) physical or mental health status or condition; and (7) genetic and biometric data. The Data Controller does not collect or process your sensitive data except for where you provided us with them yourself, e.g. in relation to your request to adapt hotel services to your needs and preferences, and only where law permits it.
5. Source of personal data
Data are collected directly from you or from a person making a reservation on your behalf, from the franchisor’s booking system or through an intermediary participating in the hotel reservation, e.g. hotel booking websites or travel agents.
6. Personal data recipients and categories of personal data recipients
Your personal data may be transferred to the following recipients:
a) Entities commissioned to render services by the Data Controller;
b) Entities rendering marketing services for the Data Controller;
c) Franchisors of a given hotel chain.
Where such an obligation derives from mandatory laws, the Data Controller may also disclose your personal data to third parties, particularly to authorised authorities.
7. Data transfer to third countries
Where your data are transferred to a franchisor or a company in the franchisor’s group seated in the United States (or any other third country that does not ensure adequate levels of protection) in connection with the central hotel booking system, an audit of the quality of services with which you are provided in hotels conducted by the franchisor, an audit of franchise payments, an assessment of your satisfaction with hotel services, your participation in the franchisor’s loyalty program, the Data Controller shall transfer the data using the mechanisms complying with the applicable law (e.g. Standard EU Clauses).
8. Data retention period
The Data Controller stores your personal data for a period not longer than that necessary to meet the purpose for which the data were collected or (if necessary) to comply with the applicable law (particularly contract performance term, limitation period for claims).
9. Your rights
a) Access to personal data. You may exercise the right to access your data at any time.
b) Rectification and completion. You have the right to request the Controller to forthwith rectify inaccurate personal data or to complete the data that are incomplete.
c) Right to data erasure. You have the right to request the Controller to forthwith erase your personal data in any of the following situations:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation provided for under the EU or Polish laws.
the Data Controller shall not be able to erase your personal data to the extent that processing is necessary for (i) exercising the right of freedom of expression and information; (ii) compliance with a legal obligation which requires processing under the EU or Polish laws, (iii) establishment, exercise or defence of legal claims.
d) Right to restriction of processing. You have the right to obtain from the Controller restriction of processing where:
• you have questioned the accuracy of personal data – for a period enabling the Controller to verify the accuracy of these data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.
e) Right to withdraw consent. To the extent your personal data are processed based on your consent, you have the right to withdraw your consent at any time. A consent withdrawal shall not affect the lawfulness of the processing performed based on the consent before its withdrawal.
f) Right to data portability. You have the right to receive from the Controller your personal data which you have provided as part of the use of hotel services in a structured, commonly used and machine-readable format. You also have the right to send these data to another controller.
g) Right to file a complaint. You have the right to file a complaint regarding data processing by the Data Controller with a supervisory authority, i.e. Inspector General for Personal Data Protection (in Poland).
The rights referred to in items a)–g) above may be exercised by contacting the Data Controller.
10. Information about the existence of the obligation to provide data
The provision of personal data is required from you for the purposes of execution and performance of a contract made with the Data Controller and incomplete provision of data may mean that you will not be able to enjoy all the benefits offered by our chain of hotels.
11. Automated decisions
The Data Controller does not make automated decisions, profiling included, based on the personal data you provided.