Privacy Policy
I
[Content of the Controller privacy policy]
1. The Controller’s privacy policy is information regarding the processing of personal data and other information concerning users of the / website (hereinafter referred to as the “Site”). At the same time, the Controller has included in this privacy policy all information that data subjects should receive in accordance with the GDPR.
2. The privacy policy contains information about the processing of data obtained by the Site. Detailed information on the use of cookies or other similar technologies can also be found in the cookie policy.
3. The privacy policy contains information on the privacy of users of the contact form service.
4. The Privacy Policy contains information regarding the processing of Personal Data and other information regarding users of Facebook and Instagram on the Controller’s fanpage. At the same time, the Controller has included in this Privacy Policy all information that data subjects should receive in accordance with the GDPR.
5. The Privacy Policy contains information regarding the processing of Personal Data contained in electronic correspondence.
II
[Data Controller]
The Controller of the personal data of the users of the Site is Businessman Fun Club Ltd. which is the owner of Hotel BoniFaCio Spa & Sport Resort ****. The Controller can be contacted:
1) at the mailing address: Warsaw (02-202), Drawska Street 22 floor 1 lok 1.23
2) at e-mail address: recepcja@hotelbonifacio.pl
III
[Purposes, legal bases and time of processing personal data]
Personal Data are processed by the Controller for various purposes, to various extents and on various legal bases provided for in the GDPR. Below is information on the processing of Personal Data, grouped according to the purposes for which the data is processed by the Controller.
Operation of the Site
1. In order to provide the service of the Site, Controller processes:
- Information regarding the user's device in order to ensure the correct operation of the services: the IP address of the computer, information contained in cookies or other similar technologies, session data, browser data, device data, data on activity on the Site, including on individual subpages.
2. This information does not contain data on the identity of users, but in combination with other information may constitute personal data, and therefore the controller covers it with the full protection afforded under the GDPR.
3. The data is processed in accordance with Article 6(1)(b) of the GDPR in order to perform the service of the Site, i.e. the contract for the provision of electronic services, and in accordance with Article 6(1)(a) of the GDPR in connection with the consent to the use of certain cookies or other similar technologies expressed by the relevant settings of the Internet browser in accordance with the Telecommunications Law. The data is processed until the user's use of the Site is terminated.
Service usage statistics
1. In order to improve the quality of its services, the Controller processes statistical information regarding the use of the Website, including information about the session, IP number, amount of time spent on individual subpages, use of individual service functionalities, information about the device and web browser. The Controller uses cookies or other similar technologies and statistical tools.
2. This data is processed in accordance with art. 6 sec. 1 letter f) of the GDPR in the legitimate interest of the Controller consisting in facilitating the use of the Website, improving the quality and functionality of the services provided, and the processing of this data does not violate the rights and freedoms of users. Information about users is not used for any additional purposes, and due to the specificity of the website service, adapting the way the content of the website is displayed, facilitating the use of the website and improving the quality of services provided on the website is not only a market standard, but also an expectation of users towards website providers.
3. In addition, the user may withdraw the expressed consent at any time by changing the settings of the web browser regarding the admissibility of using cookies or other similar technologies.
4. This data is processed as part of the Controller’s current activities, but no longer than for 60 days from receiving the information. After this time, the Controller may continue to process general statistical data, which will be devoid of any information regarding individual users.
5. The period of availability of statistical data may, however, be longer than 60 days, but this is beyond the Controller’s decision-making scope. The Controller will not use them any longer, but will have potential access to them until they are deleted by the tool provider.
6. The Controller uses Google Analytics – a tool for analyzing website statistics developed by Google Inc. ("Google"). Google Analytics uses so-called "cookies" – text files saved on the user's computer that enable analysis of the use of the website by users. The information obtained in this way (including the user's IP address) is sent to a Google Inc. server in the USA and stored there. Google may transfer information to third parties, provided this is in accordance with the law or in the event that third parties process such data on Google's behalf. Google ensures that your IP address will not be associated in any way with other Google Inc. data. For detailed information on the terms of use and privacy policy, we encourage you to visit the website: http://www.google.com/analytics/terms/de.html or http://www.google.com/intl/de/analytics/privacyoverview.html. Google Analytics has been extended on this website to include the code "gat._anonymizeIp();" to collect anonymous IP addresses (so-called "IP masking"). You can block cookies on your computer by changing the settings in your browser. In this case, some functions of the website may not function properly. By using this website, you consent to the processing of data about you by Google in the manner described above and for the purposes indicated above. You can prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following address: (http://tools.google.com/dlpage/gaoptout?hl=de).
7. The Site also uses the free conversion tracking function available in Google Ads. Google takes care to protect the data of its customers and users in this regard. Whenever a user clicks on an ad, Google places a cookie on their computer, which expires after 540 days.
Marketing activities
The Controller may post marketing information about its services on the website. The Controller displays this content in accordance with Article 6 paragraph 1 letter f) of the GDPR, in accordance with the legitimate interest of the Controller in publishing content related to the services provided. At the same time, this activity does not violate the rights and freedoms of users, users expect to receive content of similar content, and sometimes even expect it or it is their direct purpose of visiting the Website.
Providing a response, handling the matter
1. The content of correspondence and contact information are processed for the time necessary to handle the user's matter, including sending marketing information about the services selected by the user, and for no longer than 3 months after handling the matter for archiving purposes, in the event of the need to defend against potential claims against the Controller.
2. These data will then be processed for the purpose of implementing the online contact form service provided by means of - art. 6 sec. 1 letter b) of the GDPR.
3. In the scope of sending commercial information by electronic means, the data will be processed on the basis of consent expressed by an express confirmatory action (art. 6 sec. 1 letter a) in connection with art. 4 item 11 of the GDPR), consisting in completing the appropriate field for entering the e-mail address or telephone number.
E-mail correspondence
The legal basis for the processing of data contained in e-mail correspondence is:
• The legitimate interest of the data controller and senders of electronic messages (Article 6, paragraph 1, letter f) of the GDPR) - in relation to incidental correspondence, consisting in enabling electronic contact with the controller;
• Necessity for the performance of a contract concluded with our clients or contractors (Article 6, paragraph 1, letter b) of the GDPR) in the scope of correspondence conducted for the purpose of performing the contract;
• Voluntarily expressed consent - if the correspondence sent contains data of special categories. The expressed consent may be withdrawn at any time, without giving a reason, but without affecting the lawfulness of its processing before its withdrawal;
• Voluntarily expressed consent through a clear affirmative action - if the sender of the message asks for information regarding the Controller’s brand, its services, the answer given to the sender will contain the information requested by the sender, and sending the inquiry will mean consent to the Controller sending commercial information to the sender at the e-mail address provided by the sender to the extent necessary to provide the answer (Article 10 of the Act on the provision of services by electronic means); the expressed consent may be withdrawn at any time, without giving a reason, but commercial information sent after sending the inquiry about it, and before the withdrawal of consent, will be sent in accordance with the law; withdrawal of consent may prevent the full answer to the question asked;
• The legitimate interest of the Controller consisting in pursuing claims or defending against claims, in accordance with generally applicable legal provisions, in particular the Civil Code (Article 6 paragraph 1 letter f) and Article 9 paragraph 2 letter f) of the GDPR)
Managing a fanpage
1. The Controller processes the Personal Data of users in order to enable them to use the fanpage. The Controller has information about:
- liking the fanpage;
- activity on the fanpage;
- content of comments and posts posted by users;
2. This data is processed in accordance with Article 6, paragraph 1, letter b) of the GDPR in order to provide the service.
Contact with users – Messenger
1. In order to enable the Controller to contact the user, the Contoller processes information about people contacting the Contoller via Facebook Messenger, in particular the first name, last name or username on Facebook, the content of correspondence (messages, threads). Messages are not stored by the Controller in places other than Facebook.
2. These data are processed in accordance with art. 6 sec. 1 letter f) of the GDPR, in the legitimate interest of the Controller and users, consisting in the need to ensure contact between users and the Controller, and the processing of these data does not violate the rights and freedoms of users.
3. The content of correspondence and information about the contact are processed for the time necessary to resolve the user's case and for no longer than 3 months after the case has been resolved for archiving purposes in the event of the need to defend against potential claims against the Controller. After this time, they are deleted from the Controller’s fanpage, after which the Controller will no longer be able to access this data.
Provision of services
The legal basis for data processing in connection with the provision of services is:
• Necessity to perform the contract concluded with our clients or contractors (Article 6, paragraph 1, letter b) of the GDPR), including:
a) providing access to the services offered by the Controller,
b) enabling the use of the functionalities available there.
The data will be stored for the duration of the contract, and after its expiry for the period necessary for:
a) after-sales customer service (e.g. handling complaints) - until the limitation period for claims arising from the contract,
b) securing or pursuing claims to which the Controller is entitled - until the limitation period for the Controller’s claims,
c) fulfillment of a legal obligation by the Controller, whereby the data processed for accounting purposes and for tax reasons will be processed by the Contoller for a period of 5 years, counted from the end of the calendar year in which the tax obligation arose,
• Legitimate interest of the Data Controller (Article 6, paragraph 1, letter f) of the GDPR
The Controller has considered that it is in accordance with the legitimate interests of the Controller or a third party to process Personal Data for the purpose of:
a) absolutely necessary to prevent fraud and ensure network and information security,
b) selecting services to meet the needs of the Controller's customers,
c) optimizing products or services based on customer comments and opinions about them,
d) considering complaints,
e) archival (evidence) to secure information in the event of a legal need to prove specific facts (e.g. before a tax authority),
f) possible determination, investigation or defense against claims,
g) customer satisfaction surveys and determining the quality of the Controller's services and service,
h) the possibility of using video surveillance in places where services offered by the Controller under a service agreement are provided, in order to prevent theft, acts of vandalism or other violations of order, security or generally accepted standards of behavior.
The Controller processes personal data only for specific, explicit and legitimate purposes, and your personal data is not further processed in a manner incompatible with these purposes.
• Protection of the vital interests of the data subject or another natural person (Article 6, paragraph 1, letter d) of the GDPR)
a) The Controller has the right to process the Personal Data of customers in order to protect their vital interests or the vital interests of another natural person, i.e. those that are of significant importance to the life of the customer or another natural person.
b) the above catalogue includes primarily humanitarian purposes, in particular natural disasters and man-made disasters, as well as purposes related to the need to save life, health or property protection (e.g. the Controller may contact the customer to return a lost wallet or in connection with an event to your detriment or to the detriment of another natural person, if the customer was a participant or witness to it).
c) However, the Controller will not process special categories of Personal Data (including health data) on this basis, unless the client expressly consents to the processing of the Data for this purpose or is physically or legally incapable of giving such consent, and the processing of personal data is absolutely necessary to protect his or her vital interests or the vital interests of another natural person (Article 9 paragraph 2 letter a) or c) of the GDPR).
• Voluntarily expressed consent (Article 6, paragraph 1, letter a) of the GDPR) – required in particular for:
a) processing of Personal Data of customers by the Controller for the purpose of:
- direct marketing of products or services of the Contoller or entities cooperating with the Contoller (the Contoller’s partners), implemented by: sending commercial information using electronic means of communication (e.g. by sending you a commercial offer to the e-mail address provided by you in the registration form) – the requirement to obtain consent is provided for in Article 10 of the Act of 18 July 2002 on the provision of services by electronic means,
- contacting customers using telecommunications terminal equipment and automatic calling systems (e.g. by presenting you with a commercial offer during a telephone conversation) – the requirement to obtain your consent is provided for in Article 172 of the Act of 16 July 2004 - Telecommunications Law. - processing of customers' Personal Data concerning health by the Contoller - the requirement to obtain your explicit consent to the processing of personal data for this purpose is provided for in Article 9 paragraph 2 letter a) of the GDPR.
IV
[Recipients of personal data]
1. The Contoller may disclose the content of correspondence solely for the purpose of pursuing its claims in the proceedings and discloses the personal data of users and the personal data contained in the contact form and the content of correspondence to entities cooperating with the Contoller on the basis of written agreements entrusting the processing of personal data, in order to perform the tasks and services specified in the agreement for the benefit of the Contoller, in particular in the scope of e-mail handling, hosting, Website handling, IT services, debt collection, legal or advisory services, administrative handling.
V
[Transfer of personal data to third countries]
Personal data will not be processed in third countries.
VI
[Rights of data subjects]
1. Every data subject has the right to:
1) access – to obtain from the controller confirmation of whether their personal data are being processed. If personal data are processed, they are entitled to access them and to obtain the following information: about the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data have been or will be disclosed, the period of data storage or the criteria for determining them, the right to request rectification, deletion or restriction of the processing of personal data of the data subject and to object to such processing (Article 15 of the GDPR)
2) to receive a copy of the data – to obtain a copy of the data subject to processing, with the first copy being free of charge, and for subsequent copies the controller may impose a reasonable fee resulting from administrative costs (Article 16 of the GDPR).
3) to rectify – to request the rectification of personal data concerning her that is incorrect, or to complete incomplete data (Article 17 of the GDPR). 4) to delete data – to request the deletion of her personal data if the controller no longer has a legal basis for their processing or the data are no longer necessary for the purposes of processing (Article 18 of the GDPR).
4) to delete data – request the deletion of their personal data if the Contoller no longer has a legal basis for processing them or the data is no longer necessary for the purposes of processing (Article 18 of the GDPR).
5) to restrict processing – request the restriction of the processing of personal data (Article 18 of the GDPR), when:
6) the data subject questions the accuracy of the personal data – for a period allowing the Contoller to verify the accuracy of this data;
7) the processing is unlawful and the data subject objects to their deletion, requesting the restriction of their use;
8) the Contoller no longer needs this data, but they are needed by the data subject to establish, pursue or defend claims;
9) the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the Contoller override the grounds for the objection of the data subject;
10) to transfer data – to receive personal data concerning them, which they have provided to the controller, in a structured, commonly used machine-readable format, and to request that these data be sent to another controller, if the data are processed on the basis of the consent of the data subject or a contract concluded with them and if the data are processed in an automated manner (Article 20 of the GDPR).
11) to object – to object to the processing of their personal data for the legitimate purposes of the controller, for reasons related to their specific situation, including profiling. In such a case, the controller assesses the existence of important legitimate grounds for processing, overriding the interests, rights and freedoms of the data subjects or grounds for establishing, pursuing or defending claims. If, according to the assessment, the interests of the data subject are more important than the interests of the controller, the controller will be obliged to cease processing the data for these purposes (Article 21 of the GDPR).
12) to withdraw consent at any time and without giving a reason, but the processing of personal data carried out before the withdrawal of consent remains lawful. Withdrawal of consent will result in the controller ceasing to process personal data for the purpose for which the consent was given.
13) to withdraw consent at any time and without giving a reason, but the processing of personal data carried out before the withdrawal of consent remains lawful. Withdrawal of consent will result in the controller ceasing to process personal data for the purpose for which the consent was given.
2. In order to exercise the above-mentioned rights, the data subject should contact the controller using the contact details provided and inform them which right and to what extent they wish to exercise.
VII
[President of the Personal Data Protection Office]
The data subject has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office with its registered office in Warsaw, ul. Stawki 2, who can be contacted in the following manner:
1) by mail: ul. Stawki 2, 00-193 Warsaw;
2) via the electronic mailbox available on the website: https://www.uodo.gov.pl/pl/p/kontakt;
3) by phone: (22) 531 03 00;
VIII
[Method of using "cookies"]
1. The Contoller informs that on its website it uses the mechanism of "cookies" files, which are saved by the Contoller’s server on the hard drive of the end device (e.g. computer, smartphone, tablet) when the customer uses the website.
2. The use of "cookies" files is intended to improve the operation of the Contoller’s website on the end devices of its customers. This mechanism does not destroy the end device and does not cause changes to the configuration of this device or the software installed on it. "Cookies" files are not intended to identify the customer by the Contoller.
3. The Contoller uses "cookies" files for the purpose of:
• remembering information about the end device,
• verifying and developing its offer,
• statistical.
4. The Client may at any time disable the "cookies" mechanism in the web browser of his end device. However, the Contoller informs that disabling "cookies" may cause difficulties or prevent the use of the Contoller’s website
IX
[Changes to the privacy policy]
The privacy policy may be supplemented or updated in accordance with the current needs of the Controller in order to provide current and reliable information to users regarding their personal data and information about them. Users will be informed of any changes to the privacy policy on the Site.
KLUB BFC