Privacy Policy

PRIVACY POLICY UPDATE

On 25 May 2018, the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) came into force. Pursuant to Art. 13 of the General Data Protection Regulation of 27 April 2016 (OJ EU L 119 of 04.05.2016), we hereby inform you as follows:

WHO IS A DATA CONTROLLER?

The controller of your personal data is the owner of Nadmorski Hotel****, i.e. HADEX Spółka Akcyjna with its registered office in Gdynia, ul. Ejsmonda 2, registered by the District Court for North Gdańsk in Gdańsk, 8th Commercial Division of the National Court Register, in the register of companies under the number 0000098882, VAT No (NIP): 586-001-12-53, which is an owner of the Nadmorski Hotel**** in Gdynia and website www.restauracja-strefa.pl (hereinafter referred to as the Company).

HOW TO CONTACT US?

By phone: +48 58 667 77 77;
By e-mail at: hotel@nadmorski.pl;
By mail at: Hotel Nadmorski, 81-409 Gdynia, ul. Ejsmonda 2.

WHAT ARE YOUR RIGHTS CONNECTED WITH PERSONAL DATA PROCESSING?

a) Right to give and withdraw your consent to:
the processing of your contact data, i.e. your e-mail address to be used to send marketing communication in an electronic way; you may give or withdraw your consent in person at the Company’s office, by phone, via the website, by e-mail or by mail.
b) Right to lodge:

an objection to the processing of your data for direct marketing purposes;

a reasonable objection to the processing of your personal data for the Company’s legitimate interest for reasons connected with your special situation;

c) Right to access your data, for example to obtain copies of data that are processed, including an electronic copy;
d) Right to the rectification (correction) of your personal data; if your data being in our possession are inaccurate or incomplete, the Company will correct them at your request;
e) Right to the erasure of your data if your data are no longer necessary for purposes they have been collected for and the Company does not have the basis to process such data, e.g. on the basis of your consent or to fulfil its legal obligation, if an effective objection to your data processing has been lodged or your data must be deleted by law;
f) Right to the portability of data provided you have provided to us in a machine-readable form, e.g. to share the data with another service provider;
g) Right to restriction of the processing of your data in the following circumstances (when you file a request, one of the following circumstances must be indicated):

if you have reservations about the accuracy of your data;
if you believe that we should not process your data, but you do not want us to delete such data;
if we no longer need your personal data, but you need them in connection with your claims;
if you have objected to the processing of your data and we must verify whether we should carry on processing the data.

You can exercise your rights by submitting a relevant instruction in person to the Company’s office, by mail, by e-mail or by phone.

The Company will immediately, however no later than within one month, inform you about actions taken in connection with your request. If necessary, this time limit may be extended by further two months given the complicated nature of your request or the number of requests filed with the Company.

To meet your request, we have the right to verify your identity so that your data are not released to an unauthorised person.

If your request turns out to be illegitimate or excessive, in particular because of its widespread character, the Company may charge you for a reasonable fee per request or may refuse to take any actions in connection with your request.

WHAT SHOULD YOU DO IF YOU BELIEVE THAT YOUR DATA ARE PROCESSED ILLEGALLY?

You may lodge a complaint with the supervisory authority, i.e. the Chairman of the Personal Data Protection Office (such a complaint shall be sent to: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw).

PURPOSE AND BASIS OF PERSONAL DATA PROCESSING

To provide services in accordance with its business profile, the Company processes your personal data for various purposes, however always in accordance with law. Detailed purposes and legal basis of personal data processing are as follows:

1. The data are collected from booking and/or contact forms via the restauracja-strefa.pl website in order to meet your order.

To improve certain functions of our www.restauracja-strefa.pl website, we have introduced a booking form and a contact form where you must give such personal data like your first name, surname, e-mail address, telephone number, invoicing data.

The above data are given voluntarily, but they are necessary to book a room or contact us via the website.

Please, note that you do not need to give such data if you do not want to take advantage of these functions.

The data are processed on the basis of Art. 6.1.a of the GDPR, which allows for personal data processing on the basis of your voluntary consent, and if the booking form is filled out on the basis of Art. 6.1.b, which allows for personal data processing if the data are necessary for the performance of a contract or in order to take steps aimed at entering into a contract.

2. The data are collected to enable you to use services offered by Restaurant Strefa Nadmorska.
To enable you to use the services offered by Restaurant Strefa Nadmorska, we process such personal data like:

your first and last name,
your telephone number,
your e-mail address,
information about your allergy.

In this case, your personal data will be processed to perform a contract and obligations thereunder on the basis of Art. 6.1.b, 6.1.c and 6.1.f and Art. 9.2.a, 9.2.f and 9.2.h of the GDPR.

3. The data collected by us to enter into and perform a contract.
To enter into and perform the contract, we process such personal data like:

your first and last name,
your place of residence,
your telephone number,
your bank account number.

The data are processed on the basis of Art. 6.1.b of the GDPR, which allows for personal data processing if the data are necessary for the performance of a contract or in order to take steps aimed at entering into a contract. If you decide to give other personal data, you are deemed to give your consent to such data processing. Then, the processing is based on Art. 6.1.a of the GDPR, which allows for personal data processing on the basis of your voluntary consent.

4. The data collected to issue invoices and fulfil other obligations under tax law.
To issue invoices and fulfil other obligations under tax law, like for example storing accounting documentation for 5 years, we process such personal data like:

your first and last name,
your business name,
your place of residence or a registered office of your company,
your unique taxpayer reference.

5. The data collected to keep registers and records connected with the GDPR.
To keep registers and records connected with the GDPR, including for example a record of persons that filed their objection in accordance with the GDPR, we process such personal data like:

your first and last name,
your e-mail address.

As, firstly, under the GDPR we have defined documentation obligations to prove compliance and accountability and, secondly, if you object, for example, to the processing of your personal data for marketing purposes, we must know to whom we must not address our direct marketing actions.

The data are processed on the basis of Art. 6.1.c of the GDPR, which allows for personal data processing if the processing is necessary for compliance with legal obligations to which the Data Controller is subject, and Art. 6.1.f of the GDPR, which allows for personal data processing if the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this case, the Company’s interest means obtaining information about persons that exercise their rights stemming from the GDPR).

6. The data collected to identify, pursue or defend claims.
To identify, pursue or defend claims, we process such personal data like:

your first name and surname or business name,
your place of residence or registered office,
your unique taxpayer reference,
your e-mail address,
your booking number.

The data are processed on the basis of Art. 6.1.f of the GDPR, which allows for personal data processing if the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this case, the Company’s interest means holding personal data which enable to identify, pursue and defend claims, including claims of persons taking advantage of the Company’s operations and third parties).

7. The data collected for archiving and evidence purposes.

your first and last name,
your e-mail address.

- to secure the information that may be used to prove facts that are important for legal reasons. The data are processed on the basis of Art. 6.1.f of the GDPR, which allows for personal data processing if the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this case, the Company’s interest means holding personal data which will let the Company prove certain facts connected with its services, e.g. if requested by a state authority).

8. The data collected on the basis of video monitoring.
To ensure the security of persons and property, the Company uses a video monitoring system and controls access to the Hotel and other facilities managed by the Company. Such data are not used for any other purposes. The personal data in the form recordings from the monitoring system and the data in the record of persons entering and exiting the facilities are processed to ensure the security and order within the hotel facilities and to defend or pursue the Company’s claims. The personal data are processed on the basis of the Data Controller’s legitimate interest (Art. 6.1.f of the GDPR).

9. The personal data collected during recruitment.
During recruitment procedures, the Company needs the personal data (e.g. in CVs) solely to the extent set out by law. Therefore, no further information should be given. If job applications contain additional data, such data will not be used or taken into account for recruitment or any other purposes. Your personal data are processed for the following purposes:

to fulfil obligations set out by law in connection with recruitment, including the regulations of the Labour Code, based on Art. 6.1.c of the GDPR in connection with the Labour Code;
to carry out recruitment procedures to the extent of data not required by law, including future recruitment purposes, based on Art. 6.1.a of the GDPR;
to identify, pursue or defend claims based on Art. 6.1.f of the GDPR.

10. The data collected during marketing for commercial and marketing communication purposes.
Your e-mail address kept in our database will be used for marketing purposes if you give such a consent during your registration with the hotel, subscription to our newsletter or during other online or direct promotional actions. You can withdraw your consent to storing your e-mail at any time.

Your personal data will be processed on the basis of our legitimate interest including:

the performance and maintenance of business contacts;
direct marketing of our products and services by e-mail or phone to provide you with valid offers and promotions conducted by our Company;
an internal market analysis and a customer satisfaction analysis;
the provision of data to the Nadmorski Hotel’s service providers.

You give consent to your personal data processing voluntarily. The data are processed on the basis of Art. 6.1.f of the GDPR.

11. The data collected automatically for analytic purposes, i.e. to survey and analyse activity on the Company’s website, we process such personal data like:

the date and time of your visit on your website,
a type of your operating system,
your approximate location,
a type of a browser you use to view our website,
time spent on the website,
sites you visit,
a site where the contact form is filled out.

The data are processed on the basis of Art. 6.1.f of the GDPR, which allows for personal data processing if the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (in this case, the Company’s interest means learning the activity of customers on the Company’s website).

12. To administer our website, we process such personal data like:

your IP address,
the date and time of the server,
information about your browser,
information about your operating system.

The data are recorded automatically in server logs every time the Company’s website is used. It would not be possible to administer the website without the server and automated record.

13. To use cookies.

Certain areas of the Company’s websites: www.nadmorski.pl and www.instytutgenesis.pl may use cookies, which are small text files sent to the user’s computer to identify the user in the way necessary to simplify or stop a given operation. www.nadmorski.pl uses the following types of cookies:

session cookies: they remain in the browser until it is closed or the user logs out from the website where the cookies are installed;
persistent cookies: they remain in the browser until they are deleted by the user of the Company’s website or for a period predefined in the cookies parameters.

WHO HAS ACCESS TO YOUR DATA?

1. The Data Controller protects your personal data on the basis of its internal procedures and recommendations in accordance with applicable legal acts on personal data protection, including in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2. The Data Controller may contract personal data processing to a third party. The Data Controller will use all efforts to enter into contracts solely with entities offering relevant security of personal data processing in accordance with the GDPR.
3.The Data Controller will use all efforts to adequately protect your personal data in accordance with Art. 46 of the GDPR.
4. Entities cooperating with the Data Controller will be, among others, entities providing website hosting, legal services, analytical tools, sales support, book-keeping services, customer service, marketing and promotion actions, as well as the Data Controller’s business partners.
5. We do not sell your personal data to third parties.
6. Your data may be only disclosed to competent public authorities if this is required by applicable legal regulations.
7. The Data Controller will ensure with due diligence that your personal data are processed within the European Union and, if they are transmitted outside the European Union, the Data Controller will take care that the data are not used for purposes other than they have been collected for and that the data are safely stored. We do neither process nor outsource the processing of personal data outside the European Union and, if this is necessary, we will ensure that the data are processed solely by entities providing for the adequate protection in accordance with the EU standards.

HOW DO WE PROTECT AND PROCESS YOUR PERSONAL DATA?

All your personal data are processed in accordance with applicable regulations.
Before processing your personal data, the Company must meet the information obligation set out by the GDPR.
Your personal data are processed for defined and lawful purposes.
Your personal data are processed in accordance with the principles of correctness of content and adequately to the purpose they have been collected for.
Your personal data are processed for no longer than necessary to achieve the processing goals.
Your personal data are not disclosed without your consent, unless to persons or entities authorised by the personal data protection regulations.
Your personal data are processed in the IT system and in a traditional way (in writing/on paper).
The Company verifies and ensures that all of your requests concerning the protection of your personal data are effectively met.
The Company ensures a relevant level of security of your data by the use of procedures corresponding to the risk of default to your rights and freedoms as a result of the processing of your personal data.

HOW WILL WE CONTACT YOU?

After online booking, you will receive an e-mail with confirmation from us. We may also contact you by phone if we have any important information about your booking.
If you have subscribed to or otherwise agreed to receive our newsletter, we will send you messages about offers of the Nadmorski Hotel**** in Gdynia by e-mail.
If you stay at our Hotel or use Instytut Genesis’ services, we will contact you for important reasons by phone or e-mail.

HOW CAN YOU INFORM US ABOUT CHANGES IN YOUR DATA?

You can inform us about changes in your data by phone or e-mail, by mail or via our contact form.

HOW LONG WILL WE STORE YOUR PERSONAL DATA?

1. In accordance with the applicable legal regulations, we process all your personal data for the period that is necessary to achieve our goal. After such a period, your personal data will be irrevocably deleted or destroyed.
2. If we do not need to make on your data operations other than storage, we will also protect the data through pseudonymisation till their permanent deletion or destruction.
3. As regards particular personal data storage periods, we will process your personal data:

during the term of the contract: with regard to all personal data collected by us to enter into and perform the contract;
for 3 years or 6 years + 1 year: with regard to personal data processes to identify, pursue or defend claims (the period is dependent on whether both parties are enterprises or not);
5 years: with regard to personal data connected with the fulfilment of tax obligations;
till the withdrawal of consent or the achievement of the processing goal, however no longer than for 3 years: with regard to personal data processed on the basis of your consent;
till the effective objection or the achievement of the processing goal, however no longer than for 5 years: with regard to personal data processed on the basis of the Data Controller’s legitimate interest or for marketing purposes;
until the data are out of date or useless, however no longer than for 3 years: with regard to personal data processed mainly for analytical, cookies or website administration purposes.

REQUIREMENT OF PERSONAL DATA SUBMISSION

You give your personal data voluntarily and at your own discretion. However, in certain cases, the personal data must be given to enable you to use our services or meet your expectations connected with the use of our services.

AUTOMATED DECISION-MAKING AND PROFILING

The Company identifies incidents of data profiling and has mechanisms ensuring that this process is compliant with law. If the Company identifies any incidents of profiling or automated decision-making, it follows the applicable principles in this area.

COOKIES AND SERVER LOGS

The Data Controller uses cookies, i.e. small text files, stored in the user’s device (e.g. computer, tablet, smartphone). Cookies may be read by the Data Controller’s telecommunications and IT system.
The Data Controller stores cookies in the user’s device and then obtains access to information contained therein for statistical and marketing (remarketing purposes) and to ensure that the Company’s websites operates correctly.
The Data Controllers hereby informs the users that they can set up their browser to disable the storage of cookies in their user device. In this case, the use of the Company’s website by the user may be difficult.
The Data Controller hereby informs you that cookies may be deleted by the user when recorded by the Data Controller by the use of relevant browser functions, special programmes or tools available in the user’s operating system.
Server logs are information about certain user behaviour. This data are only used to administer the website and provide the most effective services. Resources browsed by the user are identified with URL addresses.

In addition, the following data may be recorded:

an inquiry receipt time,
a response sending time,
a user station name: identified with an HTTP protocol,
information about errors during HTTP transactions,
URL addresses of a page previously visited by the user (referrer link) if the user moved to the website via the link,
information about the user’s browser,
Information about the IP address.

Such data are not associated with specific persons browsing the sites and are used solely for server administration purposes.

If you have any questions or doubts, please contact us by e-mail: hotel@nadmorski.pl.