1. Administrator of personal data HBH BIAŁYSTOK spółka z ograniczoną odpowiedzialnością, 15-281 Białystok, ul. Legionowa 28 lok. 202, NIP : 542-323-41-33, which can be contacted at the email address of the email@example.com or the address of the registered office given above – processes personal data of its contractors and hotel guests in accordance with applicable regulations:
2nd Purposes and grounds for the processing of personal data :
a) The administrator processes personal data in order to conclude and perform the contract, including the contract for the provision of hotel services or to take action for the request of the data subject, before its conclusion – on the basis of Art. Article 6 (1) 1 lit.b GDPR,
b) personal data are processed to fulfill legal obligations incumbent on the Administrator, including tax and accounting obligations – on the basis of Art. Article 6 (1) 1 lit.c GDPR,
c) personal data processed in connection with the consent given, to the extent and for the purpose specified in the content of the consent (e.g. directing and sending marketing information and offers about the administrator’s products and services by e-mail and telephone) – on the basis of Art. Article 6 (1) 1 lit. a GDPR,
d) personal data may be processed for purposes resulting from legitimate interests pursued by the Administrator or a third party, e.g. pursuing claims and defending against claims, contact, conducting surveys regarding the satisfaction of hotel guests with the services provided, conducting direct marketing – on the basis of Art. Article 6 (1) 1 lit. f GDPR;
4th The administrator obtains personal data directly from data subjects. The source of some personal data may be the administrator’s contractor, who provides us with ordinary data necessary for the performance of the contract, including contact details, in particular email, telephone – this applies, for example, to persons representing the contractor / his employees appointed to perform the contract concluded between us.
5. The recipients of personal data will be exclusively:
a) entities authorized to obtain personal data on the basis of legal provisions,
b) other entities which, on the basis of relevant contracts, provide services to the Administrator, including IT suppliers, post office, courier companies, law firm, bank, travel agencies;
6th Personal data will be stored for the period necessary to achieve the purposes indicated in point 3, after that time until the claims arising from them are time-barred and for the purposes resulting from the obligation to store financial and tax documentation for the period resulting from the article. 70 § 1 in connection with Art. 86 § 1 of the Tax Ordinance of 29 August 1997, i.e. for a period of 5 years from the end of the calendar year in which the deadline for payment of the tax expired;
Data processed on the basis of consent – will be stored until its revocation.
7. The data subject has the right to request from the Administrator:
a) access to personal data,
b) the right to rectify them,
c) delete or limit processing,
e) the right to data portability,
f) the right to withdraw consent at any time, if the data were processed on the basis of consent, without affecting the lawfulness of the processing that was carried out on the basis of consent before its withdrawal,
8th The data subject has the right to object to the processing, then the Administrator will cease to process it, unless he is able to demonstrate that in relation to these data there are valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject or grounds for establishing, pursuing and defending claims,
9th. The data subject has the right to lodge a complaint with the supervisory authority,
10th Providing personal data to the extent required by law is a statutory requirement, in the remaining scope it is voluntary. The consequence of not providing personal data will be the refusal to conclude a contract,
11th Personal data will not be subject to automated decision-making, including profiling. They will not be transferred outside the European Union.
12. The administrator also processes data of other categories of persons, e.g. its employees, job candidates, etc. Each data subject shall receive information from the controller in accordance with the principles laid down in Article 200. 13 and 14 GDPR.