PRIVACY POLICY

Privacy Policy of Hotele Warszawskie ‘Syrena’ Sp. z o.o.

Introduction

In connection with the activity conducted by Hotele Warszawskie ‘Syrena’ Sp. z o.o. consisting in provision of hotel and catering services, the priority of the Company is to exercise all diligence in order to guarantee the clients of our services, apart from a pleasant and successful stay in our hotels, also security in the field of protection of their personal data. Due to the content of the new personal data protection provisions, including in particular of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, our objective is to inform you duly on all aspects connected with entrusting us with your personal data. Consequently, we feel obliged to inform you on the manners of collection, acquisition and processing of your personal data in a reliable and clear way.

Basic definitions

‘GDPR’ - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

‘Personal data’ - shall mean information on an identified or identifiable natural person.

‘Personal data processing’ - shall mean every operation or a set of operations performed on personal data or on sets of personal data in an automated or non-automated way, such as gathering, recording, organisation, ordering, storage, adaptation or modification, collection, viewing, use, disclosure through sending, distribution or otherwise, adjustment or combination, limitation, deletion or destruction.

‘Controller’ - Hotele Warszawskie ‘Syrena’ Sp. z o.o. with registered office at Pl. Konstytucji 1, 00-647 Warszawa, entered in the Register of Entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under National Court Register (KRS) number 0000052192, Tax Identification Number (NIP): 526 030 05 75, share capital: PLN 5,000,000.00, e-mail address: sekret@syrena.com.pl, telephone: +48 (22) 33 91 611 (hereinafter referred to as ‘HWS’).


Application this Policy

This Privacy Policy shall be applicable to all cases, in which HWS is the controller of the personal data and processes the personal data. It shall apply both to the cases, in which HWS processes the personal data acquired directly from the data subject and to the cases, in which we have acquired the personal data from other sources. HWS shall realise the information obligation towards you in compliance with art. 13 and 14 of GDPR.

Legal bases and type of the personal data processed by HWS

HWS shall each time indicate the necessary information in the field of the manner and legal bases for personal data processing. Becoming the Controller of your personal data, we particularly care about the fact that all issues connected with the process of personal data processing should be explained to you in a reliable, understandable and legible manner.

At the same time, we would like to indicate the fact that whenever we process the personal data on the basis of a legitimate interest of the data controller, we try to analyse and balance our interest and the potential impact on the data subject (both the positive and the negative one) as well as the rights of the data subject under the personal data protection provisions. We do not process the personal data on the basis of our legitimate interest in case when we conclude that the impact on the data subject would prevail over our interest (in such case, we may process the personal data if e.g. we possess a relevant consent or it is required or allowed by legal provisions).

In the field of processing of your personal data, HWS follows the rule stating that your personal data should be collected only and exclusively in the necessary scope. While developing this Policy, we analysed all processes resulting in acquisition of personal data. The data collected by HWS depending on the given process is:

  • contact data: name, surname, telephone number, e-mail address, residence address;
  • personal data: date of birth;
  • payment card numbers;
  • data relating to your preferences and tastes;
  • your image;
  • IP address;
  • dates of stays at our hotels;
  • your comments and suggestions;
  • data relating to your workplace;
  • data relating to members of your families.

At the same time, HWS reserves that only provision of the data determined within ‘contact data’ shall be necessary for realisation of the hotel and catering services. The other data is being provided voluntarily and only in order to meet the individual requirements of the client. 

 

We become the controller of your personal data in connection with:

  1. conclusion of a hotel service contract with you;
  2. conclusion of a conference, banquet and catering service contract with you;
  3. preparation of an offer for the services determined above for you;
  4. acquisition of your data via our websites.

In order to provide services in compliance with the scope of our activity, HWS always processes your personal data lawfully. The provided personal data shall be processed in compliance with GDPR.

 

Purposes of processing of your personal data

  • Purpose: conclusion and performance of a hotel and catering contract. This scope shall also include preparation of a valuation and booking of services.

Legal basis: art. 6 section 1 letter b of GDPR - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. For the purposes of issuance of an invoice and fulfilment of other obligations under the tax law that HWS is subject to, e.g. storage of accounting documentation for the period of 6 years, the legal basis is art. 6 section 1 letter c of GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject;

The data that is collected and processed is:

  • Name and surname
  • E-mail address
  • Address: country, city, postal code, street, house/flat number
  • Telephone number
  • Document number (ID/passport)
  • Data of the enterprise in case of use of services under a contract concluded with this enterprise (in case when this enterprise is the payer for the services)
  • Payment card number
  • IP address

Data of children, such as name, surname and date/year of birth, shall be collected solely from their parents or legal guardians in order to determine their age and the discounts that they are entitled to as well as in order to protect their vital interests (security ensuring). 

  • Purpose: ensuring of widely understood security to the guests and employees of the hotels owned by HWS through personal data processing, including monitoring.

Legal basis: art. 6 section 1 letter f of GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, as well as art. 6 section 1 letter d of GDPR - processing is necessary in order to protect the vital interests of the data subject or of another natural person.

The data that is collected and processed is:

  • Image of the person recorded/acquired from CCTV;
  • Name and surname;
  • E-mail address;
  • Telephone No.;
  • IP address;
  • Data from the key card system.

 

  • Purpose: addressing of marketing information as well as offers for products and services of HWS to you; examination of your satisfaction with the services rendered by HWS.

Legal basis: art. 6 section 1 letter a of GDPR - the data subject has given consent to the processing of his or her personal data for one or more specific purposes. HWS informs that the consent may be withdrawn at any time. Withdrawal of the consent shall not affect validity of the processing that took place before withdrawal of the consent. Legal basis of processing of your personal data in order to ensure improvement of quality of the services provided for hotel guests - art. 6 section 1 letter f - processing is necessary for the purposes of the legitimate interests pursued by the controller. Such interest is adjustment of the level of the provided services to the expectations of the guests, which is possible through learning of their opinions.

The data that is collected and processed is:

  • Name and surname;
  • E-mail address;
  • Telephone No.;
  • Comments and suggestions of the guests, questionnaires.

In case when you have consented to personal data processing for marketing purposes, HWS shall process the personal data for this purpose.

 

  • Purpose: determination, pursuit of the potential claims by HWS in connection with a loss suffered by HWS, caused by a guest, or defence against claims of a guest against HWS.

Legal basis: art. 6 section 1 letter f of GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller and the data shall be processed for the period corresponding to the prescription period of civil law and/or criminal claims.  

The data that is collected and processed is:

  • Name and surname;
  • Document number (ID/passport);
  • Residence address.

 

  • Purpose: connected with administration of the websites of the hotels owned by HWS, examination and analyses of activity on these websites. 

Legal basis:  art. 6 section 1 letter f of GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller.

The data that is collected and processed is:

  • IP address;
  • Date and time of the server;
  • Information on the browser;
  • Information on the operating system;
  • Date and time of visits on the website;
  • Approximate location;
  • Time spent on the website;
  • Visited sub-sites;
  • Sub-site, where the contact form has been completed.

The data determined above shall be saved automatically in so-called server logs. Lack of saving of this data shall exclude the possibility to administer these websites. The issues relating to the use of cookies have been described in the further part hereof.

 

Cookies

HWS uses the cookies and other tracking technologies on its websites:

www.poloniapalace.com

www.hotelmdm.pl

www.hotelmetropol.com.pl

www.syrena.com.pl

The websites determined above contain the booking form and the possibility to activate the newsletter.

Similarly to any other entities administering its websites, HWS uses so-called cookies.

Purpose: Cookies are small text files saved in the computer of the user or in another mobile device during their use of the web services. These files are inter aliaused for using of various functions provided for on the given website or for confirming that the given user has seen the specific contents from the given website. Among the cookies, it is possible to distinguish the ones that are necessary for operation of the websites of HWS as well as for efficient operation and use of the functions provided for the individual websites and sub-sites. Cookies are mainly:

  • used for efficient operation of the website;
  • used for optimisation of service and use of the website;
  • used for creation of statistics relating to the websites (number of entries, time of stay).  In order to track activity and to create statistics, HWS uses the following tools: Google tools, such as Google Analytics; apart from reporting of the statistics of the use of the website, the pixel Google Analytics tool may be also used - together with some of the cookies described above - for helping to display more accurate contents in Google services (e.g. in Google search engine) and in the entire network to the user;
  • used for making it possible to use the social functions - on the website, there is so-called Facebook pixel, which allows for liking of the HWS fanpage in this service during the use of the website. For this purpose, HWS has to use the cookies provided by Facebook;

 

Legal basis: art. 6 section 1 letter a - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

 

Giving of consent: the use of cookies is set by default by your web browser. The information relating to the use of cookies by HWS is displayed on the websites. We kindly request acceptance of the use of cookies through ticking of a proper message. In case of lack of your consent to the use of cookies upon browsing of the website, please change the settings in the web browser. The settings of the web browser may be changed at any time, but switching off or limitation of the service of cookies may result in pretty great limitations in the use of the website, e.g. longer time of loading of the website, limitations in the use of the functionalities (e.g. the booking form) or limitations in liking of the site on Facebook, etc.

 

Contractual/statutory requirement to provide the personal data

Provision of the personal data is voluntary and is only and exclusively up to you. However, for the purposes of conducting of its statutory activity by HWS, provision of some categories of the data is necessary and lack of this data may result in impossibility to perform the services which HWS undertakes to perform. In case of realisation of the objective relating to conclusion and performance of a contract consisting in provision of hotel services, it shall be necessary for conclusion of such contract to provide the data determined in the sub-point: ‘conclusion and performance of a hotel and catering service contract’, while the necessary data shall be:

  • Name and surname;
  • Residence address;
  • ID/passport number.

A failure to provide this personal data may result in the fact that HWS will refuse to conclude the hotel and catering service contract.

In case of making of a booking, it shall be necessary to provide at least the following personal data: name and surname and - in order to provide the possibility of contact for the purposes of agreeing on all issues connected with service realisation - e-mail address or telephone number. 

On the other hand, the statutory requirement is to provide the personal data being necessary for issuance of an accounting document (VAT invoice), which records sale for tax purposes.

Transfer of personal data outside EEA

In case of making of a booking on the website of the hotel, your data may be transferred to the owner of IStay2.0 booking system -Travelclick, 7 Times Square, New York, NY 10036, USA, which provides data encryption, using SSL protocol for this purpose, and secures the server, on which the data is being stored, by means of firewalls. At the same time, we would like to inform that other scope of protection of the personal data than on the area of EU is in force in the USA. For this reason, before implementation of the principles hereof, Hotele Warszawskie ‘Syrena’ Sp. z o.o. shall take the appropriate measures in order to secure the transfer of your personal data to an external recipient located in a country, in which the level of data protection is different than in the country, in which the personal data is being collected. Data flows to the United States take place to an entity belonging to the Safe Harbor programme. Consequently, we would like to assure you that your data is secure, yet within performance of the obligation resulting from art. 49.1.A) of GDPR, taking into account the obligation to inform you on the potential risk of the data transfer due to lack of a decision ascertaining an adequate level of protection determined in art. 45 section 3 of GDPR or lack of appropriate safeguards determined in art. 46 of GDPR, including binding corporate rules, we inform that while making a booking via the website of the hotel, you give consent to the transfer determined above. In case of lack of acceptance of the fact determined above, please contact a person responsible for data handling at odo@syrena.com.pl.

Making of automated decisions on the basis of the personal data, including profiling

HWS shall not make any automated decisions on the basis of the personal data, including profiling.

The personal data recipients shall be:

Entities supporting performance of the contract concluded between HWS and the guest in operational terms, such as: IT service, industry software providers, accounting software providers, entities supporting proper performance of hotel and catering services provided to the guests, entities performing services connected with protection of security of the guests, entities providing transport services, entities conducting postal and courier activity.

Moreover, the personal data of the guests may be provided to the entities providing advisory and audit services as well as legal, tax and accounting assistance to HWS.

Personal data processing term

The personal data acquired in connection with performance of the hotel and catering service contract shall be stored for the term of the contract and in the scope connected with defence or pursuit of claims - by the time of prescription of the civil law and criminal claims. Nevertheless, due to the applicable tax provisions, the term of processing of the personal data of the guests may not be shorter than the period of prescription of tax claims. The personal data acquired in connection with the monitoring shall be processed for the period of 30 days of its recording and then shall be permanently erased with the reservation that in case of a need to use the record as evidence in the proceedings conducted by the competent prosecution authorities, the record may be provided to these authorities and shall be permanently destroyed only after completion of the proceedings, in which it constitutes the evidence.

The data acquired on the basis of the consent for marketing purposes shall be processed for the validity term of the consent for marketing purposes.

Rights of the data subjects

Natural persons have specific rights relating to their personal data and HWS as the data controller shall be liable for realisation of these rights in compliance with applicable legal provisions. In case of any questions and requests relating to the scope and realisation of the rights as well as for the purposes of contacting us in relation to the issues determined above, please contact us at: odo@syrena.com.pl. We reserve the right to realise the entitlements determined above after positive verification of the identity of the person requesting performance of a given activity.

  • Access to personal data: natural persons shall have the right to access the data stored by us as the data controller. This right may be exercised through sending of an e-mail to the address: odo@syrena.com.pl.
  • Change of the personal data: the personal data processed by HWS may be changed, including updated, through sending of an e-mail to: odo@syrena.com.pl.  
  • Consent withdrawal: in case of processing of the personal data on the basis of a consent, natural persons shall have the right to withdraw this consent at any time. We inform on this right at every moment of collection of the consent and we allow for withdrawal of this consent in the same way as the one, in which it was given. In order to withdraw the consent, please send an e-mail to us to: odo@syrena.com.pl.
  • Right to restrict processing or right to object to personal data processing: natural persons shall have the right to restrict processing or object to processing of their personal data at any time, due to their special situation, unless processing is required by legal provisions. In relation to a request for restriction of data processing we inform that this right shall be vested e.g. in case when the given person ascertains that their data is incorrect. Then, they may request restriction of data processing for the period required for determination of the correctness of this data.
  • Other rights: right to request data erasure and right to data portability - in case of will to realise these rights, please send an e-mail to: odo@syrena.com.pl. The right to data erasure may be exercised when the data of a natural person will no longer be necessary for the purposes, for which it was collected by HWS, or when a natural person withdraws their consent to data processing by HWS. It shall also apply in case when a natural person objects to processing of their data or when their data is processed unlawfully. The data should be also erased for the purposes of fulfilment of an obligation resulting from a legal provision. The right to data portability shall be vested in case when the personal data of a person is processed on the basis of a consent of a natural person or a contract concluded with them as well as when this processing is performed in an automated way.

Please send any questions, objections or doubts relating hereto or to the manner of processing of the personal data by HWS as well as complaints relating to the issues determined above to odo@syrena.com.pl. You also have the right to lodge a complaint to the supervisory authority being the President of the Personal Data Protection Office (previously  Inspector General for Personal Data Protection), address: ul. Stawki 2, 00-193 Warszawa. Access to the data shall also be possible in the premises of Hotele Warszawskie ‘Syrena’ Sp. z o.o. Pl. Konstytucji 1 in Warsaw.

Amendments of this Privacy Policy

HWS shall review this Privacy Policy on a regular basis and shall amend it when it turns out to be necessary due to: new legal provisions, new guidelines of the authorities being responsible for supervision over the personal data protection processes, practices applied in the area of personal data protection (Codes of Good Practice if HWS is bound with such Codes). Amendments hereof shall also be made in case of changes of the technology used for personal data processing as well as in case of changes in the field of the manners, purposes or legal basis of personal data processing.