APPENDIX NO. 7
TO THE INFORMATION SECURITY POLICY
ZAMEK GIŻYCKO Ltd.
KLAUZULA INFORMACYJNA
GENERAL RULES OF PERSONAL DATA PROCESSING BY THE ADMINISTRATOR OF PERSONAL DATA – ZAMEK GIŻYCKO LTD. BASED IN WARSAW ST BRUNO HOTEL**** BASED IN GIŻYCKO
Hereby, acting on its own behalf, the Administrator – ZAMEK GIŻYCKO Ltd. registered in Warsaw, ST. BRUNO Hotel **** with headquarters in Giżycko, 1 St. Brunon Street, 11-500 Giżycko, Hotel Zamek ** with headquarters in Giżycko, 1 Moniuszko Street, acting pursuant to Art. 13 of the Regulation of the European Parliament and of the European Council (EU) 2016/679 of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation), kindly informs you as follows:
ZAMEK GIŻYCKI Ltd. processes personal data in accordance with applicable law, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the European Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter referred to as “GDPR”.
2) CASTLE GIŻYCKI Ltd. limits the processing of personal data to the minimum necessary to achieve the purpose for which they are obtained.
3) Personal data obtained by ZAMEK GIŻYCKI Ltd. are processed for the following purposes:
a) taking action before concluding a contract;
b) performance of concluded contracts;
c) Performing the Administrator’s legal obligations;
d) legitimate interests of the Administrator, i.e .:
establishing and maintaining contacts with business partners;
submitting offers concerning its services and products;
Detecting and preventing possible fraud;
ensuring the safety of property and people;
establishing, investigating and defending claims;
creating compilations, analyzes and statistics for internal purposes;
providing hotel services;
handling complaints;
handling inquiries and notifications that you send to us (eg via the contact form);
managing the security of your transactions;
providing the best customer service.
4) Personal data may also be processed based on the data subject’s consent for the purpose specified in the declaration of consent. The consent granted may be withdrawn at any time, such withdrawal of consent shall not affect the lawfulness of the use of the data prior to the withdrawal of such consent.
5) The subject of processing may also be personal data obtained by the Administrator from other sources permitted by law, e.g.
a) from banks and other institutions;
b) from public sources, including KRS and CEIDG registers.
6) When using the Administrator’s websites, information identifying the telecommunication network endpoint or the data communications system from which the connection was made (including time stamp, IP address) may be stored.
7) Personal data is stored for the period resulting from the purpose for which they were collected, and then for the period after which the claims resulting from this purpose expire and for the period in which the law requires the storage of data. The administrator may also store personal data for longer only for legitimate reasons, if the law allows such storage.
8) Personal data obtained by the Administrator, taking into account the provisions in force in this regard, may be disclosed to the following recipients:
a) entities operating ICT systems or providing ICT tools;
b) entities providing advisory, consulting, auditing, debt collection, legal, tax, accounting, HR and payroll services;
c) entities engaged in payment activities;
d) entities performing physical protection of the Administrator’s facilities;
e) to postal or courier companies;
f) entities conducting debt collection or purchasing receivables;
g) to other entities, if the disclosure of data is necessary for legal reasons.
9) All persons whose personal data are processed by the Administrator have the following rights under the GDPR:
a) The right to obtain access to personal data and a copy of the data (Article 15 GDPR),
b) The right to request correction or supplementation of personal data (Article 16 GDPR),
c) the right to request the deletion of personal data (Article 17 of the GDPR),
d) the right to request the restriction of the processing of personal data (Article 18 of the GDPR)
e) the right to request the transfer of data (Article 20 of the GDPR),
f) the right to object (Article 21 of the GDPR).
The scope of each of these rights and the situations in which they can be exercised result from applicable law.
You can exercise the above-mentioned rights by submitting an application directly at the registered office of the Company – 51 Hoża Street, 00-581 Warsaw, or at the premises of the ST. BRUNO Hotel **** – 1 St. Brunon Street, 11-500 Giżycko, by sending an application to the following e-mail address: j.madej@hotelstbruno.pl or via the contact form at www.hotelstbruno.pl/kontakt
The administrator is obliged to respond to the request without undue delay, not later than within one month from the date of its receipt, and if he does not intend to comply with such request, provide the reason.
Apart from the rights described above, the data subject shall also have the right to file a complaint with the President of the for Personal Data Protection Office, should they consider that the processing of their personal data violates the provisions of law.
Management Board