Privacy

How do we process your personal data? – GDPR Information Clause

The administrator of your personal data - "ADMINISTRATOR" - is Hotel Cesarski SPA Sp. z o.o. ul. Stanisława Wyspiańskiego 34A 72-600 Świnoujście NIP 8551570571

Contact with the Administrator is possible via email: rodo@cesarskieogrody.pl, phone +48 / 91 - 88 88 500 ext. 556 or in writing at the company headquarters address.

The Administrator uses personal data for the following purposes:

  1. Conclusion and performance of the binding contract – for the duration of the contract and settlements after its termination (legal basis: Art. 6(1)(b) GDPR, abbreviated as "performance of the contract");
  2. Fulfillment of legal obligations incumbent on the Administrator (legal basis: Art. 6(1)(c)), e.g.:
    a) issuing and storing invoices and accounting documents,
    b) responding to letters and inquiries within the time and form prescribed by regulations,
  3. Necessary for the realization of the Administrator's legitimate interests (monitoring the premises to ensure security, marketing of our products and/or services, pursuing claims), in accordance with Art. 6(1)(f) GDPR,
  4. Sending marketing communications, commercial information concerning the Administrator, including maintaining customary contact (e.g., holiday cards, product offers, telephone calls, cooperation offers, information about provided services, products, events, etc.) – the legal basis for processing personal data in this case is Art. 6(1)(a) and (f) GDPR, i.e., the consent of the data subject (subject to such consent being given) or the Administrator’s legitimate interest.

Filling in the form involves providing certain personal data by the User. Providing personal data is voluntary; however, failure to provide data marked as necessary will make it impossible to handle the matter sent via the contact form. If data processing is necessary for the execution of a contract to which the data subject is a party, or to take actions at the request of the data subject before concluding a contract, providing the necessary and specific scope of data is required. Consent to receive commercial information via electronic means of communication is voluntary.

Period of processing and storage of personal data:

  • for the duration of fulfilling obligations, e.g., issuing an invoice (legal basis: Art. 6(1)(c) GDPR; abbreviated as "legal obligation");
  • for the period required by law to store data, e.g., tax data (legal basis: Art. 6(1)(c) GDPR) or
  • for the period during which the Administrator may face legal consequences of non-fulfillment of obligations, e.g., receiving a financial penalty from state offices or further contractors of the Administrator (legal basis: Art. 6(1)(f) GDPR; abbreviated as "legitimate interest");
  • for the duration of the contract (legal basis: performance of the contract), and then for the period after which claims arising from the contract expire, and in case of the Administrator pursuing claims or notifying competent authorities – for the duration of such proceedings (legal basis: legitimate interest of the Administrator Art. 6(1)(f) GDPR);
  • Establishing, defending, and pursuing claims, including the sale of the Administrator's receivables from the contract to another entity – for the period after which claims arising from the contract expire (legal basis: legitimate interest of the Administrator Art. 6(1)(f) GDPR);
  • Direct marketing – for the duration of the contract (legal basis: legitimate interest of the Administrator Art. 6(1)(f) GDPR);
  • Creation of summaries, analyses and statistics for the Administrator’s internal needs; this includes, in particular, reporting, marketing research, service development planning – for the duration of the contract, and then no longer than the period after which claims arising from the contract expire (legal basis: legitimate interest of the Administrator Art. 6(1)(f) GDPR);
  • Verification of creditworthiness – for the period necessary to make such an assessment when concluding, extending or expanding the scope of this or another contract and to consider related claims (legal basis: performance of contract Art. 6(1)(b) GDPR); this also applies to data obtained by the Administrator from other sources;

To conclude a contract and prepare an offer, the Administrator requires providing data necessary to conclude the contract (if you do not provide them, the contract will not be concluded, and no offer will be presented). Additionally, the Administrator may request optional data that do not affect contract conclusion (if not received, the Administrator may not be able, e.g., to call the contact number, supervise contract performance, or respond to an offer inquiry). Providing data at contract conclusion is not a statutory requirement.

To whom does the Administrator transfer your data?

Your personal data is transferred to:

  1. Entities processing data on behalf of the Administrator, participating in the performance of Administrator's tasks:
    a) managing the Administrator’s IT systems or providing IT tools to the Administrator,
    b) subcontractors supporting the Administrator,
    c) entities providing advisory, consulting, audit, legal, tax, accounting services acting on the Administrator’s behalf;
  2. Other data controllers processing data on their own behalf:
    a) entities conducting postal or courier activities;
    b) entities conducting payment activities (banks, payment institutions);
    c) entities cooperating with the Administrator in handling accounting, tax, legal matters – to the extent they become data controllers;
Your personal data may be obtained directly from you (during a visit to the branch, via forms on the website, by phone or in writing). They may also be obtained from other entities if you have consented to this.
Will your data be transferred outside the European Economic Area (EEA)?
Currently, the Administrator does not plan to transfer data outside the EEA (covering the European Union, Norway, Liechtenstein, and Iceland).
Automated decision-making
The Administrator does not make automated decisions having significant effects on you.
Your rights
You may submit a request to the Administrator (regarding personal data) to:
  1. Rectify (correct) data;
  2. Delete data that are processed unlawfully or published on the Administrator’s websites;
  3. Restrict processing (suspend operations on data or not delete data – according to the submitted request);
  4. Access data (information about data processed by the Administrator and a copy of the data);
  5. Data portability to another data controller or to you (to the extent specified in Art. 20 GDPR).
You can exercise these rights by sending a request by mail or electronically to the Administrator’s address. To ensure you are entitled to submit the request, the Administrator may ask for additional information allowing the authentication of the requester. The scope of each right and the situations in which they may be exercised result from the law. Which right you may use depends, e.g., on the legal basis of data processing by the Administrator and the purpose of processing.
Right to object
Regardless of the rights mentioned above, you may object at any time to the processing of your data (including profiling) for the purpose of direct marketing. After receiving the objection, the Administrator is obliged to stop processing data for this purpose. In special cases, you may object at any time to the processing of your personal data by the Administrator (including profiling), if the legal basis for data use is the legitimate interest of the Administrator or public interest. In such a case, after considering your objection, the Administrator cannot process the personal data covered by the objection on that basis, unless the Administrator demonstrates that there are:
  1. important legitimate grounds for processing that override your interests, rights, and freedoms or
  2. grounds for establishing, exercising, or defending legal claims.
Consent
If the use of your personal data by the Administrator is not necessary to perform a contract, fulfill a legal obligation, or does not constitute the legitimate interest of the Administrator, the Administrator may ask for your consent to specific uses of your data. You can withdraw your consent at any time (this will not affect the lawfulness of processing before consent withdrawal).
Complaint
You have the right to file a complaint to the President of the Personal Data Protection Office if you believe that the processing of your personal data violates the law.
Cookies
Cookies are small text files placed on your computer’s hard drive to identify your computer on our servers. If your browser is set to accept cookies, we will use cookies to recognize your computer during visits to the website to provide a more personalized and improved service experience and enhance the quality of the site. You can configure your browser to block cookies.
Google Analytics
Monitoring your activity on the website – your personal data will be processed in an automated manner (including profiling), but this will not have any legal effects on you. Profiling refers to processing data (also automated) to predict personal preferences and interests.
The entity uses the Google Analytics service offered by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) to analyze user behavior on our website. Google Analytics uses cookies stored on the user’s computer to analyze their use of the service. Information obtained by the cookie about the user’s way of using the service is usually transmitted to Google servers and stored there. Users can disable all cookies or delete some of them through the appropriate browser settings. Please note that in this case, the user may not fully benefit from all service features. Additionally, the user can prevent Google from collecting data obtained by the cookie and related to their use of the service (including IP address), and from processing such data, by downloading and installing a browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=pl.
Google Analytics also collects IP addresses to ensure secure use of the service and to recognize which countries, regions, and cities users come from (geolocation based on IP).
Data are stored in an encoded format optimized for performance, not in traditional file systems or databases. They are distributed across many physical and logical volumes, ensuring redundancy and convenient access, thereby protecting against external interference. Data of all Google users (consumers, businesses, and even Google’s own data) are distributed in a shared infrastructure consisting of many homogeneous computers located in Google data centers.
Google Analytics additionally ensures secure transmission of its JavaScript libraries and measurement data. Google Analytics uses by default the HTTP Strict Transport Security (HSTS) mechanism, which instructs browsers supporting HTTP over SSL (HTTPS) to use this encrypted protocol for all communication between users, services, and Google Analytics servers.
Our site uses the anonymizeIP function in Google Analytics. This means IP addresses are further processed after shortening to exclude the possibility of linking them to specific individuals. If collected personal data about a user can be linked to a specific person, such linking is immediately excluded, and the personal data is promptly deleted.
We use Google Analytics to analyze website usage and improve it regularly. Thanks to the obtained statistics, we can improve our offer and make it more interesting for users. The legal basis for using Google Analytics is Art. 6(1)(f) GDPR.
You can find Google's privacy policy at this link: https://policies.google.com/privacy?hl=pl. Remember that Google changes this policy from time to time, so always make sure it's the current version.
How we protect data
The Administrator applies appropriate technical and organizational measures ensuring the security of the processed personal data proportional to threats and categories of data protected.
The service is secured with measures aimed at protecting the personal data we process from modification, destruction, unauthorized access and disclosure or acquisition, as well as loss, and processing in violation of regulations specifying principles of personal data processing.
Access to personal data processing is granted only to a limited number of company employees authorized by the data administrator.
Contact
Any questions related to the processing and protection of personal data of System Users and the use of cookies, including questions concerning this "Privacy Policy", should be addressed to the data Administrator.
Users can also contact us to obtain information on whether and to what extent the Administrator processes User data, the purposes and methods of processing the Service User's personal data, as well as to exercise their rights under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Changes in policy
This Policy is effective from the above-specified date. From time to time we may change this Policy, and if we do, we will post all changes on this page. If you continue using our website after changes are made, you agree to the changed Policy.

List of data processing entities

  • We use the following analytical tools: Google
  • We use the following marketing tools: Facebook, Google