Privacy policy
Information Obligation
This document ("Guest Privacy Policy") has been prepared by PHH Hotele spółka z ograniczoną odpowiedzialnością (hereinafter referred to as the "Controller", "we", or "PHH Hotele").
The aim of this Privacy Policy is to provide information about the terms, principles, and rules applied to the processing of personal data of guests utilizing services offered by hotels and facilities managed by PHH Hotele sp. z o.o.
1. The Controller
The controller of your personal data is PHH Hotele spółka z ograniczoną odpowiedzialnością, with registered seat in Warsaw (00-906), ul. Żwirki i Wigury 1, registered in the National Court Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, XIV Economic Division of the National Court Register under the number: 0000219989, tax identification number (NIP): 6762278406, NBRN (REGON): 356882180, share capital: PLN 132 155 842.
2. Contact with the data Controller
For matters concerning the processing of your personal data, including the exercise of your rights, we invite you to contact the Data Controller via email at the following address: iod@phh.pl, or at the postal address: Data Protection Officer, Polski Holding Hotelowy sp. z o.o., ul. Komitetu Obrony Robotników 39G, 02-148 Warszawa.
3. Legal basis and purposes of data processing
Your personal data will be processed for at least one of the following purposes:
a) based on Article 6(1)(b) of the GDPR, as necessary for the performance of the contract for hotel services to which you are a party;
b) based on Article 6(1)(a) of the GDPR and Article 9(2)(a) of the GDPR, to avoid negative health effects resulting from an allergic reaction to the served meals and to meet the special needs of the hotel service provided, tailored to the degree of disability;
c) based on Article 6(1)(c) of the GDPR, as necessary to fulfill the legal obligation imposed on the Controller, in particular to ensure compliance with the applicable financial, accounting, tax, statistical regulations, implementation of rights under the GDPR and consumer rights;
d) based on Article 6(1)(f) of the GDPR, for the purpose of the legitimate interests pursued by the Controller (protection of persons and property, determination, investigation and defense of any claims, transmission of commercial information, and direct marketing, i.e., sending commercial and promotional offers in a form other than indicated in point f) below);
e) based on Article 6(1)(f) and Article 9(2)(f) of the GDPR, for the purpose of establishing, pursuing or defending legal claims related to processed special (sensitive) data;
f) based on a separately given consent and Article 10(2) of the Act of 18 July 2002 on the provision of electronic services (consolidated text: Journal of Laws of 2017, item 1219, as amended) or Article 172 of the Act of 16 July 2004 Telecommunications Law (consolidated text: Journal of Laws of 2017, item 1907, as amended) - for the purpose of sending commercial information (sending commercial and promotional offers) by electronic or telephone means using end devices.
4. Processing of particularly sensitive personal data
Some categories of personal data are considered particularly sensitive according to data protection regulations and as such, they are subject to a higher level of protection and security. In accordance with the regulations, the following categories of personal data are considered as particularly sensitive: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) sex life or sexual orientation; (6) physical or mental health or conditions; and (7) genetic and biometric data. The Controller does not collect or process your particularly sensitive data, except in situations where you provide such data yourself, for example, in connection with a request to tailor hotel services to your needs and preferences, and only when permitted by law.
5. Source of personal data
The data is obtained directly from you but may also be obtained from a person making a reservation on your behalf, family members, employer, from the franchisor's reservation system, or through an intermediary handling the hotel or facility reservation, such as hotel reservation portals or travel agencies.
The data we may process includes: name, surname, address including country of residence, email, phone number, dates and locations of service usage, type of services used. In case of payment by credit card: card type, number, expiration date, transaction amount and date, transaction confirmation number, cardholder's name, sometimes cardholder's signature, cardholder's address; in case of payment by bank transfer: transaction amount and date, bank account number, account holder's name, health data (if you have consented to their processing), TIN number, name of the business and its address, image.
6. Recipients and categories of personal data recipients
Your personal data may be disclosed to the following recipients:
a) people authorized by the Controller, employees, and associates, members of the Controller's bodies who require access to personal data to fulfill their duties,
b) service providers, including those providing the Controller with technical and organizational solutions enabling the management of the Controller's organization (especially providers of IT, postal, shipping, legal, accounting, auditing, data security, and storage services, legal and tax accounting service providers, personal and property protection services), based on appropriate data processing agreements; entities supporting the Controller.
c) Franchisors.
7. Transfer of data to third countries
In case of transferring your personal data to the franchisor or a company within the franchisor's group based in the United States (or another so-called third country without providing an adequate level of protection) in connection with the central reservation system for hotel services, managed by the franchisor for quality control of services provided to you in hotels and facilities, monitoring franchise fees, assessing your satisfaction with hotel services, and your participation in the franchisor's loyalty program, the Controller will transfer data using mechanisms compliant with applicable law, including, among others, the 'Standard Contractual Clauses' of the EU, and applying possible additional safeguards. The data transfer according to the previous paragraph is necessary for the conclusion and execution of the contract.
8. Data retention period
The Controller stores your personal data:
a) for the purposes related to the performance of the contract and the provision of services - for the duration of the contract with you for the provision of hotel services,
b) for the purposes of potential establishment, investigation, and defense of claims - for the period specified by the law for the expiration of a given type of claim,
c) for the purposes related to the performance of legal obligations - for the time required by the applicable law or until the performance of these obligations, but not longer than the time during which the Controller may incur legal consequences for failing to perform the obligation,
d) for the purposes of protecting persons and property - for a period of 30 days from the end of the stay in the hotel, unless CCTV devices have recorded an event related to the violation of persons and property safety - then the data storage period may be extended for the time necessary to complete the proceedings related to the event recorded by the CCTV,
e) for the purposes of sending commercial information and direct marketing, i.e., sending advertising and promotional offers - until consent is withdrawn or objection is filed, but not longer than 3 years from the date of providing the data,
with the effect calculated at the end of each calendar year.
9. Your entitlements
a) Access to personal data. At any time, you may exercise the right to access your data.
b) Rectification and completion of data. You have the right to request the Controller to promptly correct any of your personal data that is incorrect and to request the completion of incomplete personal data.
c) Right to erasure of data. You have the right to request the Controller to promptly erase your personal data in each of the following cases:
• when personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• when personal data is processed unlawfully;
• when personal data must be erased to comply with a legal obligation under European Union law or Polish law.
The Controller, however, will not be able to delete your personal data to the extent that its processing is necessary (i) for exercising the right to freedom of expression and information, (ii) for compliance with a legal obligation requiring processing under European Union law or Polish law, (iii) for establishing, pursuing, or defending legal claims.
d) Right to restrict processing of data. You have the right to request the Controller to restrict processing in cases where:
• you challenge the accuracy of personal data – for a period enabling the Controller to verify the accuracy of the data;
• processing is unlawful, and you oppose the erasure of personal data, instead requesting the restriction of their use;
• the Controller no longer needs the personal data for processing purposes, but they are needed by you for establishing, exercising, or defending legal claims.
e) Right to withdraw consent. To the extent that the processing of your data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
f) Right to data portability. You have the right to receive the personal data concerning you, which you provided to the Controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller.
g) Right to lodge a complaint. You have the right to lodge a complaint regarding the processing of personal data by the Controller to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych).
The rights mentioned in points a) to g) above can be exercised by contacting the Controller.
10. Information regarding the obligation to provide data
Providing your personal data is necessary for the conclusion and performance of the contract with PHH Hotele, and incomplete provision of this data may result in not obtaining all the benefits offered by our network of hotels and facilities.
11. Automated decision-making
The Controller does not engage in automated decision-making, including profiling, based on the personal data you provide.