1. Data of the Personal Data Administrator

We kindly inform you that the administrator of your personal data inWilla ElżbiecinaisWilla Elżbiecina sp. z o. o. company/tax_number

Contact with the Hotel regarding the protection of personal data is possible at the e-mail address:rezerwacja@willa-elzbiecina.pl

2. Purposes and grounds for the processing of personal data

In order to provide services in accordance with the business profile, the Hotel processes your personal data — for various purposes, but always in accordance with the law. The personal data provided will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), referred to as GDPR for short. We collect personal data from you in the process aimed at concluding a contract (booking a stay and providing services related to your stay in the Hotel) or from our partners from booking portals, if you have given such consent. Below you will find detailed purposes of personal data processing together with legal bases.

A. In order to make a valuation of the service, to book the service and to perform the service, as well as in the case of concluding other agreements related to the business profile, we may process personal data such as:

• Name and Surname;
• Address (street, house/apartment number, postal code and city);
• Phone number;
• Email address;
• Data of the Enterprise together with the TIN (in the case of issuing f-ry VAT per enterprise);
• Registration number of the vehicle belonging to the Customer (when using the hotel car park);
• Basic bank account details to confirm the transfer;
• Identity Document No. /PESEL;
• Nationality information;
• Your payment card number and other card details, as well as credentials and other billing and account data associated with mobile billing;
• Reservation number.

The legal basis for such data processing is Art. 6 para. 1 lit. b GDPR, which allows the processing of personal data if they are necessary for the performance of a contract or to undertake actions aimed at concluding a contract.

Children's data such as name, surname, nationality and date of birth are collected only from their parents or legal guardians in order to determine their age and their discounts, and for statistical purposes (GUS duty and local fee).

B. In order to process a complaint, we process personal data such as:

• Name and Surname;
• Address (street, house/apartment number, postal code and city);
• Phone number;
• Email address;
• Reservation number;
• Alternatively, bank account number — if the money is refunded.

The legal basis for such data processing is Art. 6 para. 1 lit. b GDPR, which allows the processing of personal data if they are necessary for the performance of a contract or to undertake actions aimed at concluding a contract.

In order to personalise the service according to your personal preferences and manage your relationship with you before your stay during and after your stay, we process personal data such as:

• Monitoring the use of services (telephone, bar, pay TV, etc.);
• Management of access to rooms;
• E-mail address;
• Name and Surname;
• Reservation number.

The legal basis for such data processing is Article 6 (1) (b) of the GDPR, which allows the processing of personal data if they are necessary for the performance of a contract or to undertake actions aimed at concluding a contract and is Article 6 (1) (a) of the GDPR, which allows the processing of personal data, on the basis of voluntary consent.

C. In order to issue an invoice and meet other obligations under tax law, such as keeping accounting records for 5 years, we process personal data such as:

• Name and surname;
• Company;
• Residential address or registered office address;
• TIN number;
• Reservation number.

The legal basis for such data processing is Art. 6 para. 1 lit. c GDPR, which allows the processing of personal data if such processing is necessary for the Personal Data Controller to fulfill its obligations under the law;

D. For the purpose of assessing satisfaction with the services offered, auditing, improving and modifying our services, we process personal data such as:

• Email address;
• Reservation number;
• Name and surname;
• Guest comments or suggestions.

The legal basis for such data processing is Art. 6 para. 1 lit. f GDPR, which allows processing personal data if this way the Personal Data Controller pursues its legitimate interest (in this case, the interest of the Hotel is to know the opinions of customers about the services provided in order to adapt them to the needs and expectations of the interested parties);

E. In order to ensure the safety of employees and guests of the Hotel, to prevent fraud, we process such personal data as:

• Data from the key card system;
• The image of a person obtained from video surveillance;
• Name and surname;
• Email address;
• Phone number;
• IP address.

The legal basis for such data processing is Art. 6 para. 1 lit. f GDPR, which allows processing personal data if this way the Personal Data Controller pursues its legitimate interest (in this case, the interest of the Hotel is to ensure security for all persons staying at the Hotel). Data from CCTV is deleted a maximum of 30 days from the date of registration.

F. In order to create registers and records related to the GDPR, including e.g. the register of customers who have objected in accordance with the GDPR, we process personal data such as:

• Name and surname;
• Email address.

The provisions of the GDPR impose on us certain documentation obligations to demonstrate compliance and accountability. If you object, for example, to the processing of your personal data for marketing purposes, we need to know to whom not to use direct marketing.

The legal basis for such data processing is Art. 6 para. 1 lit. c GDPR, which allows the processing of personal data if such processing is necessary for the Personal Data Administrator to fulfil its obligations under the law (provisions contained in the GDPR); and, Article 6 (1) lit. f of the GDPR, which allows the processing of personal data, if this way the Personal Data Controller pursues its legitimate interest (in this case, the interest of the Hotel is to have knowledge on persons who exercise their rights under the GDPR);

G. In order to establish, investigate or defend against claims, we process personal data such as:

• Name and surname (if surname is given) or possibly company;
• Address of residence (if specified);
• PESEL number or TIN (if specified);
• Email address;
• IP address;
• Reservation number.

The legal basis for such data processing is Art. 6 para. 1 lit. f GDPR, which allows the processing of personal data if this way the Personal Data Controller pursues its legitimate interest (in this case, the interest of the Hotel is to have personal data that will allow to establish, assert or defend against claims, including customers and third parties);

H. For analytical purposes, i.e. research and analysis of activity on the website belonging to the Hotel, we process personal data such as:

• Date and time of site visits;
• Type of operating system;
• Approximate location;
• The type of web browser used to browse the site;
• Time spent on the site;
• Visited subpages;
• Subpage where the contact form was filled in.

The legal basis for such data processing is Art. 6 para. 1 lit. f GDPR, which allows processing personal data if this way the Personal Data Controller pursues its legitimate interest (in this case, the interest of the Hotel is to know the activity of customers on the website);

I. In order to use cookies on the website, we process such text information (cookies will be described in a separate section). The legal basis for such processing is Article 6 (1) (a) of the GDPR, which allows the processing of personal data on the basis of voluntary consent (when you first enter the website, a request for consent to the use of cookies appears);

J. In order to administer the website, we process personal data such as:

• IP address;
• Server date and time;
• Information about the web browser;
• About the operating system

— these data are stored automatically in the so-called server logs, each time you use the website belonging to the Hotel. It would not be possible to administer the website without the use of a server and without this automatic recording. The legal basis for such data processing is Art. 6 para. 1 lit. f GDPR, which allows the processing of personal data if this way the Personal Data Controller pursues its legitimate interest (in this case, the interest of the Hotel is to administer the website);

3. Cookies

A. Hotel on its website, like other entities, uses so-called cookies, i.e. short text information, stored on your computer, phone, tablet or other device of the user. They can be read by our system, as well as by systems belonging to other entities whose services we use (e.g. Facebook, Google).

B. Cookies perform many functions on the website, most often useful, which we will try to describe below (if the information is insufficient, please contact us):

• ensuring security — cookies are used to authenticate users and prevent unauthorized use of the customer panel. They are therefore used to protect your personal data from unauthorized access;
• impact on the processes and efficiency of using the website — cookies are used to make the website work smoothly and to make it possible to use the functions available on it, which is possible, among other things, by remembering settings between subsequent visits to the website. Thanks to them, you can navigate efficiently on the website and individual subpages;
• session status — Cookies often store information about how visitors use the website, e.g. which subpages they display most often. They also allow you to identify errors displayed on certain subpages. Cookies used to save the so-called “session state” therefore help to improve services and increase the experience of browsing;
• maintaining the status of the session — if the client logs in to his panel, cookies allow you to maintain the session. This means that after switching to another subpage, you do not need to re-enter the login and password each time, which promotes the comfort of using the website;
• creating statistics — cookies are used to analyze how users use the website (how many open a website, how long they stay on it, which content arouses the most interest, etc.). Thanks to this, you can constantly improve the website and adapt its operation to the preferences of users. In order to track activity and create statistics, we use Google tools such as Google Analytics; in addition to reporting website usage statistics, Google Analytics pixel may also be used, together with some of the cookies described above, to help you display more relevant content on Google services (e.g. Google Search) and across the web;
• use of social functions — on the website we have the so-called Facebook pixel, which allows you to like our fan page on this website while using the website. However, in order for this to be possible, we need to use cookies provided by Facebook.

C. Your web browser permits the use of cookies on your device by default, therefore, upon the first visit, please give your consent to the use of cookies. However, if you do not wish to use cookies when browsing the website, you can change the settings in the web browser — completely block the automatic handling of cookies or request notification of each time cookies are placed on the device. Settings can be changed at any time.

D. Respecting the autonomy of all people using the website, however, we feel obliged to warn that disabling or limiting the use of cookies can cause quite serious difficulties in using the website, e.g. the need to log in to each subpage, longer loading period of the page, restrictions on the use of functionality, restrictions on liking the Facebook page, etc.

4. Right to withdraw consent

A. If the processing of personal data takes place on the basis of consent, you can withdraw this consent at any time.

B. If you would like to withdraw your consent to the processing of personal data, for this purpose it is necessary to follow point 10 (F.) If the processing of your personal data was carried out on the basis of consent, its withdrawal does not make the processing of personal data illegal until that moment. In other words, until the withdrawal of consent, we have the right to process your personal data and its cancellation does not affect the lawfulness of the previous processing.

5. Requirement to provide personal data

A. Providing any personal data is voluntary and depends on your decision. However, in some cases, the provision of certain personal data is necessary to meet your expectations regarding the use of the services.

B. In order to order a service at the Hotel, it is necessary to provide the data indicated in point 2 A of this privacy policy.

C. In order for you to receive an invoice for services, it is necessary to provide all data required by tax law — without this we are unable to properly issue an invoice.

D. In order to be able to contact you by phone in matters related to the provision of the service, it is necessary to provide a telephone number and e-mail address — without this we are not able to make telephone contact or send a confirmation of the reservation.

6. Automated decision making and profiling

We kindly inform you that we do not make automated decision-making, including based on profiling. The content of the query, which is sent via the form, is not subject to evaluation by the IT system. The proposed price of the service is provided on the basis of the price list of our hotel.

7. Recipients of personal data

A. Like most entrepreneurs, in our activities we use the help of other entities, which often involves the need to provide personal data. Accordingly, if necessary, we transfer your personal data to lawyers who cooperate with us, fast payment companies, accounting firm, hosting company, IT service companies, company responsible for sending SMS messages, as well as to an insurance company (if it is necessary to repair the damage).

B. In addition, it may happen that, for example, on the basis of the relevant law or decision of the competent authority, we may also have to transfer your personal data to other authorities or entities.

8. Transfer of personal data to third countries

A. Like most entrepreneurs, we use various popular services and technologies offered by entities such as Facebook, Microsoft, Google. These companies are based outside the European Union and are therefore treated as third countries in the light of the GDPR.

B. The GDPR introduces certain restrictions on the transfer of personal data to third countries, because, as a rule, European legislation does not apply there, the protection of personal data of citizens of the European Union may unfortunately be insufficient. Therefore, each controller of personal data is obliged to establish the legal basis for such transfer.

C. For our part, we assure you that when using the services and technologies, we only transfer personal data to entities in the United States and only to those who have joined the Privacy Shield program, based on the European Commission's Implementing Decision of 12 July 2016. For more information, please refer to the European Commission's website at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_pl. Entities that have joined the Privacy Shield program guarantee that they will comply with the high standards of personal data protection applicable in the European Union, therefore the use of their services and offered technologies in the process of processing personal data is lawful.

D. We will provide you with additional clarification at any time regarding the transfer of personal data, in particular where this issue is of concern to you.

9. Period of personal data processing

A. In accordance with applicable law, we do not process your personal data “indefinitely”, but for the time that is needed to achieve the stated purpose. After this period, your personal data will be irreversibly deleted or destroyed.

B. In a situation where we do not need to perform operations on your personal data other than storing it (e.g. when we store the content of an order for the purpose of defending against claims), we additionally protect it until permanently deleted or destroyed — by pseudonymisation. Pseudonymization consists in such encryption of personal data or a set of personal data that without an additional key it is impossible to read them, and therefore such information becomes completely useless for an unauthorized person.

C. Regarding individual periods of personal data processing, we kindly inform you that we process personal data for the period of:

• the duration of the contract — in relation to personal data processed in order to conclude and perform the contract;
• 3 years or 6 years + 1 year — in relation to personal data processed for the purpose of establishing, pursuing or defending claims (the length of the period depends on whether both parties are entrepreneurs or not);
• 6 months — in relation to personal data that was collected during the valuation of the service and at the same time the contract was not concluded immediately;
• 5 years +1 year — in relation to personal data related to the fulfillment of obligations under tax law;
• until the consent is withdrawn or the purpose of processing is achieved, but not longer than 5 years — in relation to personal data processed on the basis of consent;
• until the effective objection or the purpose of processing is achieved, but not longer than 5 years — in relation to personal data processed on the basis of the legitimate interest of the Personal Data Controller or for marketing purposes;
• until obsolete or loss of usefulness, but not longer than 3 years — in relation to personal data processed mainly for analytical purposes, the use of cookies and administration of the website.

D. Periods in years are counted from the end of the year in which we started processing personal data to improve the process of erasing or destroying personal data. Separately counting the deadline for each contract concluded would involve significant organizational and technical difficulties as well as a significant financial outlay, so setting a single date for the deletion or destruction of personal data allows us to manage this process more efficiently. Of course, if you exercise your right to forget, such situations are considered individually.

E. An additional year related to the processing of personal data collected for the purposes of performance of the contract is dictated by the fact that hypothetically you may submit a claim just before the expiry of the limitation period, the request may be served with a significant delay or you may misstate the limitation period for your claim.

10. Powers of data subjects

A. We kindly inform you that you have the right to:

• access to your personal data;
• rectification of personal data;
• erasure of personal data;
• restriction of the processing of personal data;
• objection to the processing of personal data;
• to be forgotten in cases where other legal provisions permit it;
• Receiving a copy of the data
• transfer of personal data.

B. We respect your rights under the provisions on the protection of personal data and try to facilitate their implementation as much as possible.

C. We point out that these rights are not absolute, and therefore, in certain situations, we may lawfully refuse you to fulfil them. However, if we refuse to take into account the request, then only after careful analysis and only in a situation where the refusal to take into account the request is necessary.

D. Regarding the right to object, we explain that at any time you have the right to object to the processing of personal data on the basis of the legitimate interest of the Personal Data Controller (these are mentioned in point III) in connection with your special situation. However, you must remember that in accordance with the regulations we may refuse to take into account your objection if we demonstrate that:

• there are legitimate grounds for processing that override your interests, rights and freedoms or
• there are grounds for establishing, pursuing or defending claims.

E. In addition, you may object to the processing of your personal data for marketing purposes at any time. In such a situation, upon receipt of an objection, we will cease processing for this purpose.

F. You can exercise your rights in the following ways:

• send an e-mail to the Personal Data Administrator to the following address:rezerwacja@willa-elzbiecina.pl
• or hand over to the receptionist during a visit to our hotel.

11. Right to lodge a complaint

If you believe that your personal data is being processed contrary to applicable law, you may lodge a complaint with the President of the Office for Personal Data Protection.

12. Final Provisions

A. To the extent not regulated by this Privacy Policy, the provisions relating to the protection of personal data shall apply.

B. The Hotel reserves the right to make changes to this Privacy Policy, provided that the version in force at the time of booking the service shall apply to services made prior to the amendment of the Privacy Policy.

C. Changes to the Privacy Policy shall not violate the rights acquired by the Guests.

D. Information about the change of the Privacy Policy will be published on the Hotel's website:[contact-page]14 calendar days prior to the entry into force of these changes.

E. This Privacy Policy is effective from 16.07.2021.