Privacy policy

Privacy policy for customers of Hotel Oliwski Sp. z o.o.

  1. Details of the Personal Data Administrator We kindly inform you that your personal data is processed by Hotel Oliwski Sp. z o. o. with its registered seat at the address: ul. Piastowska 1, 80-332 Gdańsk, entered into the National Court Register under KRS number 0000248072, with NIP tax identification number 5842575206, hereinafter referred to as “the Administrator”. You can contact the Administrator for details on personal data protection by e-mail, at: daneosobowe@oliwski.pl.
  2. Purpose and grounds for processing personal data The Administrator processes your personal data for various purposes, yet always lawfully, in order to ensure provision of our services to you in line with the scope of our activities. Below you’ll find the detailed purposes of processing personal data and its legal grounds. For the purpose of contacting you electronically we process the following personal data:
    • full name/company name,
    • telephone number,
    • e-mail address,

    The legal grounds for such personal data processing is art. 6 section 1 item a of GDPR, which allows for processing personal data if the data subjects agrees to have its personal data processed for one or more purposes; For the purpose of booking we process the following personal data:

    • full name,
    • e-mail address,
    • telephone number,
    • payment card number,

    The legal grounds for such personal data processing is art. 6 section 1 item b of GDPR, which allows for processing personal data if processing is necessary for performing an agreement, to which the data subject is a party or for undertaking actions requested by the data subject before entering into an agreement; For the purpose of issuing a VAT invoice/receipt for a service we process the following personal data:

    • full name/company name,
    • address of residence/company address,
    • NIP tax identification number,

    The legal grounds for such personal data processing is art. 6 section 1 item c of GDPR, which allows for processing personal data if processing is necessary to comply with the administrator’s legal obligations; For marketing purposes we process the following personal data:

    • full name/company name,
    • telephone number,
    • e-mail address,

    The legal grounds for such personal data processing is art. 6 section 1 item a of GDPR, which allows for processing personal data if the data subject has agreed to having their personal data processed for one or more purposes; For the purpose of keeping records related to GDPR, including a register of customers who have objected pursuant to GDPR we process the following personal data:

    • name,
    • e-mail address,

    because: firstly, the provisions of GDPR oblige us to keep specific records in order to manifest compliance and accountability; secondly, if you do not object against processing your personal data for marketing purposes, we must know who does not wish to receive direct marketing. The legal grounds for such personal data processing include: art. 6 section 1 item c of GDPR, which allows for processing personal data if such processing is necessary for the Personal Data Administrator to comply with its legal obligations; art. 6 section 1 item f of GDPR, which allows for data processing if it enables the Personal Data Administrator to pursue its legitimate interest (in this case, the Company’s interest requires knowledge concerning the individuals who exercise their rights resulting from GDPR); For the purpose of archiving and keeping proof we process the following personal data:

    • full name (if it has been provided),
    • e-mail address,

    — for the purpose of securing the information, which might lead to demonstration of facts of legal significance. The legal grounds for such personal data processing is art. 6 section 1 item f of GDPR, which allows for processing personal data if it enables the Personal Data Administrator to pursue its legitimate interest (in this case, the Company’s interest lies in holding personal data, which allows to prove certain facts related to provision of services – for instance, if a national authority so requires); For analytical purposes, i.e. to examine and monitor activity on the Company’s website we process the following personal data:

    • viewing time and date,
    • operating system type,
    • approximate location,
    • type of web browser used to visit the site,
    • time spent on site,
    • visited subpages,
    • the subpage, on which the contact form has been filled in.

    The legal grounds for such personal data processing is art. 6 section 1 item f of GDPR, which allows for processing personal data, if it enables the Personal Data Administrator to pursue its legitimate interest (in this case the Company’s interest lies in obtaining information on customer activity on its website); We process such information for the purpose of using cookies on our website (cookies shall be described in a separate paragraph). The legal grounds for such personal processing is art. 6 section 1 item a of GDPR, which allows for processing personal data based on a voluntarily given consent (a request for consent to use of cookies is displayed at first visit to the website); For website administration purposes we process the following personal data:

    • IP address,
    • server date and time,
    • web browser data,
    • operating system data

    — this information is collected automatically by the so-called server logs at each visit on the Company’s website. Administration of a website without using a server and without such automatic storage would not be possible. The legal grounds for such personal data processing is art. 6 section 1 item f of GDPR, which allows for processing personal data, if it enables the Personal Data Administrator to pursue its legitimate interest (in this case the Company’s interest lies in website administration);

  3. Cookies
    1. Similarly to other entities, the Administrator uses so-called cookie files (short text information saved on the user’s computer, telephone, tablet or other device) on its website. They might be read by our system and systems owned by other entities, the services of which we use (such as Facebook or Google).
    2. Cookies have many functions that we are going to describe in more detail below (if the information is not sufficient, feel free to contact us):
      • security — cookie files are used to authenticate users and prevent unauthorised access to customer panel. Thus, they are used to protect user personal data from unauthorised access;
      • influence on processes and efficiency of website use — cookies enhance smooth operation of a website and enable use of its functionalities, which is possible due to remembering the settings between visits to the site. They allow the user to navigate the site and individual subpages effectively;
      • session status — cookie files frequently include information on how users use the website, e.g. what subpages they tend to visit most often. They also enable identification of errors displayed on some subpages. Hence, cookie files used for saving the so-called “session status” contribute to the quality of services and improve comfort of browsing;
      • maintaining session status — when a client logs into their panel, cookie files enable maintaining the session. This means that visiting another subpage does not require re-entering login and password, which contributes to comfort of use;
      • Production of statistics — cookie files are used to analyse how users use the website (how many open the website, how long they stay there, what contents spark most interest, etc.). This allows us to continue improving our website and adapting its functioning to users’ preferences. In order to track activity and produce statistics we use Google tools such as Google Analytics; aside from reporting site use statistics pixel Google Analytics, combined with the aforementioned cookies, can also be helpful in adapting the contents of displayed Google services (e.g. in Google browser) and in the entire network to the given user’s preferences;
      • using social media features — our website has a so-called Facebook pixel, which allows you to like our fanpage while visiting the website. However, to make it possible, you need to use cookie files provided by Facebook.
    3. It is important to note that many cookie files are anonymised, which means that without additional information we are not able to identify you based on the cookies.
    4. Your web browser accepts cookies in your device by default, so we shall ask you for consent to use of cookies during your first visit. However, if you do not wish that we use cookies while you browse our page, you can change the settings in your web browser – automatically block support of cookies or demand notification of each use of cookies in your device. You can change the settings any time.
    5. We respect the autonomy of all users of our website, however, we feel obliged to remind you that disabling or limiting the use of cookies might result in rather serious difficulties in using the website – e.g. by logging on to each subpage, longer page loading time, restrictions in use of site functionalities, restrictions in liking the site on Facebook etc.
  4. Right to withdraw consent
    1. If your data is processed based on your consent, you can withdraw the consent any time, at your absolute discretion.
    2. If you wish to withdraw your consent to processing your personal data, all you need to do is:
      • send an e-mail to the Administrator directly, at: daneosobowe@oliwski.pl,
      • at the address: ul. Piastowska 1, 80-332 Gdańsk, – Hotel Oliwski Sp. z o.o., with note: dane osobowe (personal data),
    3. If your personal data has been processed based on your consent, its withdrawal shall not render previous personal data processing illegal. In other words, we have the right to process your personal data by the time you withdraw your consent, withdrawal of which does not affect lawfulness of previous processing.
  5. Requirement to provide personal data
    1. Provision of any personal data is voluntary and depends entirely on your decision. However, in certain cases providing specific personal data is necessary to meet your expectations as to use of the Administrator’s services.
    2. In order to book, you need to provide your full name, telephone number and/or e-mail address – without that we shall not be able to book a service for you.
    3. If you need an invoice for our services, you need to provide all data required by tax laws: your full name or company name, address of residence or company address and NIP tax identification number – we shall not be able to issue a correct invoice without that.
    4. We need to know your full name and telephone number in order to contact you by telephone to discuss completion of the service.
    5. You need to provide your full name and e-mail address so that we can send you information (including marketing information) electronically.
  6. Automated decision making and profiling We kindly inform you that we do not use automated decision making, including decision making based on profiling. The contents of requests sent via the contact form is not assessed by an IT system. The offered price of the service does not in any way result from an assessment made by any IT system.
  7. Recipients of personal data
    1. Similarly to most entrepreneurs, we frequently use support of other entities in our activities, which often requires transferring personal data. For the above reasons we transfer your personal data, whenever it is necessary, to the following entities: lawyers who provide services to us, prompt payment service providers, the hosting company, the IT services provider, the company responsible for sending our newsletter and the insurance company (if repairing damage is necessary).
    2. In addition, it might occur that we are required to provide your personal data to other public or private entities pursuant to applicable laws or a decision of a competent authority. This is why it is very difficult for us to predict who might request that we disclose your personal data. However, we can assure you that we examine each request for sharing personal data very carefully and thoroughly to avoid disclosing the information to an unauthorised person.
  8. Transfer of personal data to third countries
    1. Similarly to most entrepreneurs, we use various popular services and technologies offered by entities such as Facebook, Microsoft, Google and Zendesk. These companies are seated outside of the European Union, therefore, pursuant to GDPR, they shall be deemed as third countries.
    2. GDPR introduces certain restrictions as to transfer of personal data to third countries such countries fail to apply the European data protection laws, therefore protection of personal data of EU citizens might not be sufficient. This is why all personal data administrators are obliged to define the legal basis for such processing.
    3. We guarantee that if we use such services and technology, we transfer personal data only to US entities which participate in Privacy Shield program, pursuant to the implementing decision of the European Commission of July 12th 2016 — for more details you can read the information on European Commission’s website: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_pl. Entities that participate in Privacy Shield program guarantee compliance with high standards of data protection applying in the EU, which is why using their services and technologies in processing of personal data is legal.
    4. We can provide you with additional information on transfer of your personal data, in particular if that issue raises your concern.
    5. You reserve the right to obtain copies of your personal data transferred to a third country at any time.
  9. Period of processing personal data
    1. Pursuant to the applicable laws we do not process your personal data indefinitely, but for the time necessary to achieve a specific objective. After the lapse of such period your personal data shall be irretrievably removed or destroyed.
    2. Whenever we find we do not need to perform any operations on your personal data other than their storage (e.g. when we store the contents of an order to defend ourselves against claims), we provide extra protection of your data by the time of irretrievably removing or destroying them – by way of pseudonymisation. Pseudonymisation consists in encrypting personal data or a set of personal data so that they cannot be read without an additional key, which makes such information completely useless for an unauthorised person.
    3. As regards specific periods of processing personal data, we kindly inform you that we process personal data for:
      • the term of the agreement – for personal data processed for the purpose of concluding and performing an agreement;
      • 3 years or 6 years, or 10 years + 1 year – for personal data processed for the purpose of establishing, assertion or defence against claims (the length of the period depends on whether both parties are entrepreneurs or not);
      • 12 months – for personal data collected pursuant to the data subject’s willingness to use a service, which has not been provided; 5 years – for personal data related to compliance with the tax laws;
      • by the time of withdrawing the consent or attaining the objective of processing, but not longer than for 5 years – for personal data processed pursuant to the data subject’s consent;
      • by the time of an effective objection or attaining the objective of processing, but not longer than 5 years – for personal data processed pursuant to the legitimate interest of the Personal Data Administrator or for marketing purposes;
      • by the time of obsolescence or loss of usefulness, but not longer than for 3 years – for personal data processed mostly for analytical purposes, use of cookies and website administration.
    4. The periods defined in years are calculated form the year, in which data processing started, in order to facilitate the process of removal or destroying of the personal data. Separate calculation of the term for each concluded agreement would entail major organisational and technical difficulties as well as significant expenses, which is why setting one date for removal or destruction of personal data allows us to manage that process more effectively. Of course, if you use your “right to be forgotten”, such situations are handled individually.
    5. The additional year related to processing personal data collected for the purpose of exercising the agreement results from the fact that you might hypothetically submit a claim immediately before the lapse of the limitation period, the claim might be delivered with substantial delay or you might miscalculate the limitation period of your claim.
  10. Rights of data subjects
    1. We kindly inform you that you reserve the right to:
      • access your personal data;
      • correct your personal data;
      • have your personal data removed;
      • restrict processing of your personal data;
      • object against processing of your personal data;
      • transfer your personal data.
    2. We respect all your rights resulting from the personal data protection laws and try to make exercising these rights as easy for you as possible.
    3. We indicate that the listed rights do not have an absolute nature, therefore we might lawfully refuse exercising them in specific cases. However, if we refuse to follow your request, it only happens after a thorough analysis and only when it such refusal is absolutely necessary.
    4. As regards your right to object, we inform you that you always reserve the right to object against processing of your personal data pursuant to the legitimate interest of the Personal Data Administrator (these have been listed in item III) due to specific circumstances. You need to remember, however, that we might lawfully refuse to follow your request if we prove that:
      • there are legitimate grounds for processing, which prevail over your interest, rights and freedoms, or
      • there are grounds for establishing, assertion or defence against claims.
    5. Moreover, you can object against processing of your personal data for marketing purposes at any time. In such situation we shall stop processing your data for that purpose after receiving your objection.
    6. You can exercise your rights by:
      • sending an e-mail to the Administrator directly, at: daneosobowe@oliwski.pl
      • at the address: ul. Piastowska 1, 80-332 Gdańsk, – Hotel Oliwski Sp. z o.o., with note: dane osobowe (personal data),
  11. The right to lodge an appeal If you believe that your personal data are processed unlawfully, you can lodge an appeal to the President of the Personal Data Protection Authority.
  12. Final provisions
    1. Applicable personal data protection laws shall apply to any matters not covered by this Privacy policy.
    2. We shall notify you about any changes introduced to this Privacy policy electronically, by way of placing the Policy on the administrator’s website: www.hoteloliwski.pl
    3. This Privacy policy shall apply from May 25th 2018.