Personal Data Processing Regulations - Guests of Hotel Białowieski

INFORMATION CLAUSE ON THE PROCESSING OF PERSONAL DATA

Based on Article 13 paragraphs 1 and 2 of the Regulation (EU) 2016/678 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as the Regulation, we inform that:

  1. The administrator of your personal data collected from Guests of the *** Białowieski Hotel is Nature Travel Czarny Sp.k. headquartered in Białystok, at ul. Wyszyńskiego 2/1 lok. 204, postal code 15-888, VAT ID 542-10-31-822, REGON 050379510.
  2. The person responsible for fulfilling obligations regarding personal data protection on behalf of the Hotel is the Reception and Floor Service Manager.
  3. The personal data administrator processes your personal data based on law, contract, or consent.
  4. Your personal data will be processed for the purpose(s) of providing hotel, recreational, and other services subject to the company's activity.
  5. In connection with the data processing for the purposes mentioned in point 4, the recipient of your personal data will be the *** Białowieski Hotel.
  6. Your personal data will be stored for the duration of your stay and for periods required by law.
  7. Regarding the processing of your personal data, you have the right to access your data, rectify them, delete them, restrict their processing, transfer them, as well as the right to object, along with other rights resulting from applicable laws.
  8. If the data processing is based on Article 6(1)(a) of the Regulation, i.e., consent to the processing of personal data, you have the right to withdraw this consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  9. In case of information about unlawful processing of personal data within the unit, you have the right to lodge a complaint with the supervisory authority competent for data protection matters.
  10. Providing your personal data is a condition for granting hotel services.
  11. You are obliged to provide this data, and failure to do so will result in loss of service.
  12. Your personal data will not be processed in an automated manner and will not be profiled.

RULES FOR PROCESSING PERSONAL DATA OF GUESTS OF THE *** BIAŁOWIESKI HOTEL

  1. The legal basis of these rules is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L119, p.1).
  2. These Rules apply to all persons employed, with access to and processing personal data of hotel guests, especially employees of reception, marketing, accounting, human resources, floor service, SPA, restaurant, kitchen, and housekeeping. The person responsible for fulfilling obligations regarding personal data protection on behalf of the Hotel is the Reception and Floor Service Manager.
  3. These rules concern exclusively persons who have provided the hotel with at least their first name, last name, and a third type of personal data such as phone number, e-mail address, or other personal data mentioned in these rules. Due to processing group and conference bookings where participants are identified solely by accommodation lists containing only first and last names, it is not possible to properly identify a person only on the basis of these two data, as they can repeat for different guests.

PURPOSES OF COLLECTING AND PROCESSING PERSONAL DATA

  1. Making a hotel reservation is equivalent to the person making the reservation consenting to the processing of personal data provided for the purpose of making the reservation.
  2. To properly manage accepted bookings, at the time of booking, the hotel collects and processes personal data such as: first name, last name, contact phone number, email address. These data are automatically provided via email as booking confirmation to the Hotel Reception and Marketing Department, and in justified cases also to SPA.
  3. The hotel does not collect or process biometric data, such as copies of identity documents containing the photo of the person presenting the document, guest photographs, and similar.
  4. In justified cases, at the time of reservation or later, the hotel collects other data, such as:
    1. Guest age, if it affects the cost of stay (children's discounts);
    2. Information on dietary preferences to prepare appropriate dishes for people on diets, not consuming meat, etc.;
    3. Credit card data when reservation is made through booking portals, where such data is necessary for a successful reservation and the hotel, depending on the type of reservation, may charge the card in advance or at an agreed time for the stay.
  5. At guest check-in, personal data contained in a photo ID document are obtained, including document number and/or address if indicated on the presented document. These data are collected as the parties to the contract and to enable the hotel to pursue any claims arising during the guests' stay. These data are collected from one person among those registering together in one hotel room.
  6. At check-in, the hotel collects information about guests' country of permanent residence to fulfill statistical obligations to the Central Statistical Office (GUS). This information is provided to GUS in the KT-1 report form, which contains only the number of persons by country of permanent residence.
  7. Personal data obtained by the hotel in the form of a payment confirmation copy and summaries containing first name, last name, and address if indicated on the presented document, are forwarded to the Białowieża Municipality Office to fulfill the obligation of maintaining records of persons liable to pay local tax. The Office is a separate controller of these data.
  8. For proper guest service during their stay, personal data in the form of paper printouts of summaries containing guests' names, dietary schemes, and other non-personal data such as room number and stay dates are provided to individual hotel departments: kitchen, restaurant, floor service.
  9. For the safety of persons and property, publicly accessible areas within and around the hotel such as corridors, restaurant, and pool area are subject to 24-hour monitoring. Monitoring data are processed solely for the protection of persons and hotel property.
  10. The hotel may also collect and store personal data such as name, surname, address of residence or company headquarters, VAT number in accounting documents when billing is based on an invoice.
  11. The hotel may use collected email addresses for sending commercial information. Such use may occur only after obtaining consent to receive commercial information. Consents remain valid until revoked.

STORAGE OF PERSONAL DATA

  1. Personal data are stored in two forms:
    1. electronically in the hotel computer system, on hotel servers and/or at the Nature Travel Czarny Sp.k. office, and in the email archive;
    2. in paper form as printed booking confirmations; summaries and documents generated from the hotel computer system.
  2. Personal data are stored in two locations:
    1. directly at the hotel;
    2. at the Nature Travel Czarny Sp.k. office in Białystok, housing the hotel's marketing and accounting departments.
  3. Personal data needed for current activities are at the disposal of individual hotel departments; archival data in electronic form are stored in the hotel computer system, while paper form is stored in the archive at both locations mentioned in point 17).
  4. Personal data listed in points 5) and 7) are stored electronically in the hotel computer system and/or on computer servers for 5 years, and confirmations prints in the archive for one year at the two locations mentioned in point 17).
  5. Personal data listed in points 8) and 9) are stored electronically in the hotel computer system for 5 years.
  6. Data listed in point 10) are stored electronically in the hotel computer system and/or by the collector of local tax appointed by the hotel, in accordance with the Białowieża Municipality Council regulations, until their settlement at the Białowieża Municipality Office, and in paper form in the hotel archive for 1 year after settlement at the Municipality Office.
  7. Summaries referred to in point 11) are not archived but destroyed immediately after use.
  8. Hotel monitoring recordings are stored electronically on hotel computer servers for about 30 days, depending on whether the recording was continuous or intermittent.
  9. Accounting documents are stored for 5 years in paper and electronic form at both locations mentioned in point 17).
  10. Email addresses mentioned in point 14) are added to the mailing list held electronically by the marketing department.
  11. Personal data mentioned in point 15) are not stored or archived by the hotel.
  12. Data stored beyond their storage period are permanently and effectively deleted or destroyed.

SECURITY MEASURES

  1. Access to personal data collected and processed by the hotel is granted only to employed staff according to their competencies. These data are not disclosed to third parties, except as described in points 9) and 10), and except for public authorities such as Police or Border Guard upon their written request.
  2. Personal data are disclosed to third parties exclusively by the person mentioned in point 2) of these rules or a person authorized by them, when justified by the vital interests of the persons the data concern and fulfilling cases indicated in the GDPR.
  3. Personal data needed for current work in paper form are at the disposal of employees according to their competencies in locations inaccessible to third parties.
  4. Archival personal data in paper form are stored in an archive accessible only to authorized persons.
  5. Personal data in electronic form are stored on the hotel computer server and in the hotel computer system. Access to these data is possible only from official computers using a separate, internal network secured by a password. Official computers are also password-protected and are under constant supervision of staff and/or hotel monitoring during work. The server operates in a location inaccessible to unauthorized persons.
  6. Personal data shared via email are stored for 2 years.
  7. Any case of violation of these rules should be reported immediately, no later than within 72 hours, to the person mentioned in point 2) of these rules. This person decides the risk level and the possibility of further forwarding this information to the Personal Data Protection Office and directly to the data subject, as well as on taking remedial actions.
  8. The hotel does not collect or process children's personal data, except for name, surname, and age.

RIGHTS OF DATA SUBJECTS

  1. Data subjects may obtain information at any time on the scope of collection and processing of their data, provided they are properly identified on the basis of at least their first name, last name, and a third type of data such as phone number or hotel stay date.
  2. Data subjects may exercise the right to change their personal data held and stored by the hotel and to be "forgotten" at any time. To do so, they must notify the hotel reception or marketing department, providing at least first name, last name, and a third type of data enabling identity verification.
  3. Data subjects have the right to lodge a complaint about non-compliance with these rules or data protection legislation to the personal data administrator or the President of the Personal Data Protection Office.