Family Holidays 2024

1.   Data of the Data Controller 

We kindly inform you that your Data Controller at the Artus Resort, belonging to the Company Przedsiębiorstwo Usług Turystycznych WIKA, having its seat in Karpacz, ul. Wilcza 9, 58-540 Karpacz, Poland, entered into the Central Register of Business Activity and Information, NIP (Tax Identification Number): PL 884-110-97-39, REGON (Business Registry Number): PL 891526918, hereinafter referred to as the Hotel, is Barbara Bronicka Jaskólska.

You can contact the Hotel on the matter of the protection of your personal data by e-mail: ado@artusresort.pl.

2.   Purposes and grounds for processing personal data 

In order to provide services in accordance with its business profile, the Hotel processes your personal data for various purposes, but always in accordance with the law. The provided personal data shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), referred to as GDPR for short. We collect personal data either from you in the process of entering into a contract (booking the stay and providing services in connection with your stay at the Hotel) or from our partners from booking portals, if you have given your consent thereto. Below, you can find detailed purposes of processing your personal data backed up with legal grounds therefor. 

A.   For the purpose of quoting a service, booking a service and proving a service as well as in case of concluding other contracts related to our business profile, we may process the following personal data: 

·     Forename and surname;

·     Address (street, number of house/flat, postal code and city); 

·     Telephone number;

·     E-mail address;

·     Company data together with the Tax Identification Number (if there is a VAT invoice issued to the company); 

·     Registration number of the vehicle owned by the Customer (if they use the hotel car park); 

·     Basic bank account data for confirming the transfer; 

·     Identity document number/Personal Identification Number; 

·     Nationality information;

·     Your payment card number and other data of your card as well as credentials and other billings and accounts linked to mobile billing; 

·     Booking number.

The legal basis for such processing is Article 6 section 1 letter b of the GDPR, which enables personal data processing if it is necessary for the performance of the contract or taking steps to enter into a contract. 

Children’s data such as forename, surname, nationality and date of birth is collected exclusively from their parents or legal guardians in order to define their age and the discounts to which they are entitled as well as for statistical purposes (Statistics Poland GUS and visitor’s tax). 

B.   For the purpose of considering complaints, we process the following data: 

·     Forename and surname;

·     Address (street, number of house/flat, postal code and city); 

·     Telephone number;

·     E-mail address;

·     Booking number;

·     Possibly your bank account number – if a refund is made.

The legal basis for such processing is Article 6 section 1 letter b of the GDPR, which enables personal data processing if it is necessary for the performance of the contract or taking steps to enter into a contract. 

In order to handle the personalisation of your personal preferences and to manage the relationship with you before, during and after your stay, we process the following personal data: 

·     Monitoring the use of services (telephone, bar, pay TV, etc.);

·     Managing the room access;

·     E-mail address;

·     Forename and surname;

·     Booking number.

The legal basis for such processing is Article 6 section 1 letter b of the GDPR, which enables personal data processing if it is necessary for the performance of the contract or taking steps to enter into a contract as well as Article 6 section 1 letter a od the GDPR, which enables personal data processing on the basis of a voluntarily given consent. 

C.   In order to issue an invoice and fulfil other obligations under tax law, such as for instance keeping accounting records for 5 years, we process the following personal data: 

·     Forename and surname;

·     Company;

·     Address of residence or address of the seat; 

·     Tax Identification Number;

·     Booking number.

The legal basis for such processing is Article 6 section 1 letter c of the GDPR, which allows to process personal data if it is necessary for the Data Controller to fulfil their legal obligations; 

D.  In order to survey the Guests’ satisfaction with the offered services as well as make audits and improve or modify our services, we process the following personal data: 

·     E-mail address;

·     Booking number;

·     Forename and surname;

·     Comments or suggestions of the Guests.

The legal basis for such processing is Article 6 section 1 letter f of the GDPR, which allows to process personal data if, by doing so, the Data Controller pursues their legitimate interest (in this case, the legitimate interest of the Hotel consists in learning the opinion of their customers on the provided services so that they can adjust them to the needs and expectations of those concerned); 

E.   In order to ensure the safety of the Hotel’s employees and Guests as well as to prevent fraud, we provide the following personal data: 

·     Data from the room card system; 

·     Image of the person from the video surveillance system;

·     Forename and surname;

·     E-mail address;

·     Telephone number;

·      IP address.

The legal basis for such processing is Article 6 section 1 letter f of the GDPR, which allows to process personal data if, by doing so, the Data Controller pursues their legitimate interest (in this case, the legitimate interest of the Hotel consists in ensuring the safety of all the persons on the Hotel’s premises). The video surveillance data shall be deleted after maximally 30 days of being recorded.

F.    In order to create records and registers related to the GDPR, including, for example,                      a register of customers who have objected under the GDPR, we process the following personal data:  

·     Forename and surname;

·     E-mail address.

The provisions of the GDPR impose certain documentation obligations on us to demonstrate compliance and accountability. If you object to the processing of your personal data for marketing purposes, we need to know to whom not to apply direct marketing.

The legal basis for such processing is Article 6 section 1 letter c of the GDPR, which allows to process personal data if such processing is necessary for the Data Controller to comply with their obligations under the law (the provisions contained in the GDPR) as well as Article 6 section 1 letter f of the GDPR, which allows to process personal data if, by doing so, the Data Controller pursues their legitimate interest (in this case, the legitimate interest of the Hotel consists in having knowledge of the persons who exercise their rights under the GDPR);

G.  For the purpose of establishing, pursuing or defending against claims, we provide the following personal data:

·     Forename and surname (if surname has been provided) or if need be, the company name;

·     Address of Residence (if provided); 

·     Personal Identification Number or Tax Identification Number (if provided); 

·     E-mail address;

·      IP address;

·     Booking number.

The legal basis for such processing is Article 6 section 1 letter f of the GDPR, which allows to process personal data if, by doing so, the Data Controller pursues their legitimate interest (in this case, the legitimate interest of the Hotel consists in having personal data to establish, pursue or defend against claims, including claims of the Customers and third parties); 

H.  For analytical purposes, i.e. researching and analysing the acitivities on the website belonging to the Hotel, we process the following personal data:

·     Date and time of visiting the website; 

·     Type of operating system; 

·     Approximate location;

·     Type of web browser used to view the website; 

·     Time spent on the website;

·     Sub-pages visited;

·     Sub-page where the contact form was completed. 

The legal basis for such processing is Article 6 section 1 letter f of the GDPR, which allows to process personal data if, by doing so, the Data Controller pursues their legitimate interest (in this case, the legitimate interest of the Hotel consists in finding out the customer activity on the website);  

I.     In order to use cookies on the website, we process the following text information (cookies shall be described in a separate section). The legal basis for such processing is Article 6 section 1 letter a of the GDPR, which allows to process personal data based on                     a voluntarily granted consent (when you first access the website, you are asked whether you agree to the use of cookies); 

J.     In order to administrate the website, we process the following personal data: 

·      IP address;

·     Server date and time;

·     Web browser information;

·     Operating system information.

— this data is automatically saved in the so-called server logs, every time the website belonging to the Hotel is used. Administering the website without using the server and without the automatic saving would be impossible. The legal basis for such processing is Article 6 section 1 letter f of the GDPR, which allows to process personal data if, by doing so, the Data Controller pursues their legitimate interest (in this case, the legitimate interest of the Hotel consists in administering the website);

3.    Cookies

A.   The Hotel uses the so-called cookies on its website, as do other entities, thus, short text information saved on your computer, mobile phone, tablet or other device. This data can be read by our system as well as by systems belonging to the entities whose services we use (e.g. Facebook, Google). 

B.   Cookies perform a great many functions on the website, mostly useful, which we shall try to describe below (if this information is insufficient, please contact us); 

·     ensuring safety – cookies are used to authenticate users and prevent unauthorised use of the control panel. Thus, they are used to protect personal data of the users from unauthorised access of third parties; 

·     impact on the processes and efficiency of using the website – cookies are used to make the website work efficiently and to make using functions available thereon possible, amongst other by remembering your settings between visits to the website. In this way, the website and all its subpages can be navigated efficiently; 

·     session status – cookies often store information about how visitors use the website, e.g. which subpages they view most often. They also allow to identify errors displayed on certain subpages. Cookies used to save the so-called session status help to improve services and raise the comfort of viewing websites; 

·     maintaining status session – if the customers logs in to their panel, cookies make it possible to maintain the session. It means that if you move to another subpage, there is no need to re-enter your login and password again, which makes using the website more comfortable;  

·     creating statistics — cookies are used to analyse the manner in which users use the website (how many open the website, how long they stay thereon, which content is of the most interest to them etc.). In this way, the website can be continuously improves and better adapted to the preferences of Users. We use Google tools, such as Google Analytics, to follow the acitivities and create statistics. Apart from reporting website usage statistics, the Google Analytics pixel can also be used, together with some of the cookies described above, to help display more relevant content to the user on Google services (e.g. Google Search) and all throughout the Internet; 

·     use of social features – on our website, we use the so-called Facebook pixel, which allows you to like our fanpage when using the website. However, to make it possible, we need to use cookies delivered by Facebook. 

C.   By default, your web browser allows the use of cookies on your device, which is why we ask you to agree to the use of cookies when you first visit our website. If you do not wish to use cookies when viewing a website, you can always change the settings of your browser by blocking the automatic use of cookies or request a notification each time cookies are placed on your devices. You can change your settings at any time. 

D.   While respecting the autonomy of all the persons using the website, we still feel obliged to warn you that disabling or restricting the use of cookies may result in serious difficulties in using the website, e.g. in the form of having to log in to every subpage, longer loading times, restrictions on the use of functionalities, restrictions on liking our Facebook profile etc. 

4.   Right to withdraw consent

A.      If the processing of your personal data is based on your consent, you may withdraw this consent at any time. 

B.      If you would like to withdraw your consent to the processing of personal data, please follow point 10 subpoint F. If you withdraw your consent, the processing of your personal data based thereon thus far shall not be illegal. In other words, we have the right to process your personal data up until you withdraw your consent and if you do, it does not affect the lawfulness of the processing of your personal data up to this moment. 

5.   Requirement to provide personal data

A.      Providing any data is voluntary and at your discretion. However, in some cases, providing personal data is necessary to meet your expectations in the scope of using our services. 

B.      In order to request a service from the Hotel, you need to provide personal data mentioned in point 2 A of this Privacy Policy. 

C.      If you wish to receive an invoice for your services, you need to provide us with all your data required by the tax law – without this data, we shall not be able to issue your invoice correctly. 

D.     You need to provide us with your telephone number and e-mail address so that we can contact you regarding the service. Without this data, we shall not be able to call you or e-mail you to confirm your booking.  

6.   Automated decision-making and profiling 

We kindly inform you that we do not carry out automated decision-making, neither based on profiling nor otherwise. The content of the enquiry sent via the contact form is not evaluated by the IT system. The suggested price of the service is based on our hotel price list. 

7.   Recipients of personal data 

A.   Like most businesses, we also use the assistance of other entities, which sometimes involves the transfer of personal data. Therefore, if need be, we transfer your personal data to our cooperating lawyers who provide services, to companies which handle fast payments, an accounting company, a hosting company, companies providing IT services, a company responsible for sending SMS as well as an insurance company (should there be a need for a damage repair). 

B.   Furthermore, it may happen that for example based on a relevant provision of law or                    a decision issued by a competent authority, we will have to transfer your personal data also to other entities or authorities.  

8.   Transfer of personal data to third countries 

A.   Like most businesses, we use various popular services and technologies, offered by such entities like: Facebook, Microsoft, and Google. These companies are based outside the European Union, and are therefore treated as third countries under the provisions of the GDPR. 

B.   The GDPR introduces certain restrictions when it comes to the transfer of personal data to third countries, because European Union rules do not, in principle, apply there and thus, the protection of personal data of the European Union citizens may be insufficient. For this reason, every data controller is obliged to define a legal basis for such transfers.  

C.   For our part, we assure you that when you are using services and technologies, we only transfer our personal data to entities in the United States and exclusively those who joined the Privacy Shield programme, based on the European Commission’s implementing decision of 12 July 2016  - you can read more about it on the website of the European Commission at:  https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_pl. The entities that have joined the Privacy Shield programme guarantee that they will comply with the high data protection standards which apply in the European Union, thus, using their services and technologies offered by them in the process of personal data processing is lawful. 

D.  We will provide you with further clarification on the matter of the transfer of your personal data, especially if this matter is of concern to you.  

9.   Period of processing personal data

A.   In accordance with the current legislation, we do not process your personal data "indefinitely", but for a time period necessary to achieve the stated purpose. After this period has expired, your data will be irreversibly deleted or destroyed.  

B.   When we do not need to perform any operations on your personal data other than storing it (e.g. when we store the content of the order for the purpose of defending against claims), we additionally secure the data – until it is permanently deleted or destroyed – with pseudonymisation. Pseudonymisation consists in encrypting personal data or a set of personal data in such a way that it cannot be read without an additional key, and thus, such information is completely useless for an unauthorised person. 

C.   Regarding the specific processing periods for personal data, we kindly inform you that we process your personal data for the following time periods: 

·     the duration of the contract – in relation to the personal data processed for the purpose of concluding and performing a contract; 

·     3 years or 6 years + 1 year — in relation to the personal data processed to establish, pursue claims or to defend them (the length of the period depends on whether both parties are entrepreneurs or not); 

·     6 months — with regard to the personal data which was collected when the service was priced, and at the same time, the contract was not immediately concluded; 

·     5 years +1 year — with regard to the personal data connected with fulfilling the tax law obligations; 

·     until the consent is withdrawn or the purpose of processing is achieved, but for no longer than 5 years – in relation to the personal data processed based on a consent given; 

·     until an effective objection is lodged or the purpose of processing is achieved, but maximally for 5 years – with regard to the personal data processed based on a legitimate interest of the Data Controller or for marketing purposes; 

·     until it is obsolete or is no longer relevant, but for a maximum of 3 years – with regard to the personal data processed mostly for analytical purposes, using cookies and administering the website. 

D.   In order to facilitate the process of deleting or destructing personal data, we count the periods in years beginning from the end of the year in which we started the processing of your personal data. Counting the period separately for every contract concluded would involve major organisational and technical difficulties, as well a significant financial outlay, so establishing a single date for deleting or destroying personal data makes this process much easier to manage for us. Of course, if you exercise your right to be forgotten, your case shall be dealt-with individually. 

E.    The additional year associated with the processing of personal data collected for the purpose of performing the contract is dictated by the fact that, hypothetically, you may make     a claim moments before the expiry of the limitation period, the demand may be delivered with a material delay or you can misstate the limitation period for your claim. 

10. Entitlements of data subjects 

A.   We kindly inform you that you have the right to: 

·     access your personal data;

·     rectify your personal data;

·     erase your personal data;

·     restrict the processing of your personal data;

·     object to the processing of your personal data;

·     be forgotten when other legal provisions allow it; 

·     receive a copy of your personal data;

·     transfer your personal data.

B.   We respect your rights under the data protection law and strive to facilitate exercising them to the greatest extent possible. 

C.   We would like to point out the fact that the aforementioned rights are not absolute, thus, in certain cases, we may lawfully refuse you. However, if we refuse to fulfil the request, we carefully analyse the case first and refuse to accept your claim only if rejecting the consent is necessary. 

D.   Regarding your right to object, we would like to explain the fact that you have at any time the right to object to the processing of your personal data based on a legitimate interest of the Data Controller (they have been listed in point III) in relation to your particular situation. However, you must bear in mind that, in accordance with the regulations, we may refuse to accept your objection if we prove that: 

·     there are legitimate grounds to the processing which override your interests, rights and freedoms or 

·     there are grounds to establish, pursue or defend against claims. 

E.    Furthermore, you can object at any time to the processing of your personal data for marketing purposes. In such case, after receiving your objection, we will no longer process your personal data for this purpose. 

F.   You can exercise your rights in the following ways: 

·     send an e-mail to the Data Controller: ado@artusresort.pl

·     or give your message to the receptionist when you visit our hotel. 

11. Right to lodge a complaint 

If you believe that your personal data is processed against the applicable law, you can lodge               a complaint with the President of the Personal Data Protection Office. 

12. Final provisions

A.   To all matters not settled by this Privacy Policy, the data protection regulations shall apply. 

B.   The Hotel reserves the right to introduce changes to this Privacy Policy with the proviso that the services provided before amending the Privacy Policy shall be subject to the version thereof being in force at the moment of booking the service. 

C.   Changes to the Privacy Policy may not affect the acquired rights of Guests. 

D.  The information about changing the Privacy Policy shall be published on the website of the Hotel: www.artusresort.pl 14 calendar days prior to the effective date of such changes.

E.   This Privacy Policy is effective as of 25 May 2018. 

n