1. Personal Data Controller Information

We hereby inform you that the controller of your personal data at Aqua Resort Międzyzdrojeiscompany/tax_number

Contact with the Hotel regarding personal data protection is possible at the following e-mail address: rezerwacja@aqua-resort.pl

Information clauses on data processing:

1. Information clause for hotel guests,
2. Information clause in connection with monitoring,
3. Information clause in connection with recruitment,
4. Information clause for contractors.

Video Surveillance (CCTV):

1. Sample application for securing surveillance recordings.

2. Purposes and basis of personal data processing

To provide services in line with its business profile, the Hotel processes your personal data for various purposes, but always in accordance with the law. The personal data provided will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), commonly referred to as the GDPR. We collect personal data from you in the process of concluding a contract (making a reservation and providing services related to your stay at the Hotel) or from our partners on booking portals, if you have given us your consent. Below, you will find detailed data processing purposes and the legal basis.

A. In order to price the service, book the service and perform the service, as well as in the case of concluding other contracts related to the business profile, we may process personal data such as:

• Full name;
• Address (street, house/apartment number, postal code and city);
• Phone number;
• Email address;
• Company details including the Tax Identification Number (in the case of issuing a VAT invoice for the company);
• Registration number of the vehicle belonging to the Customer (in the case of using the hotel car park);
• Basic bank account details to confirm the transfer;
• Identity document number/PESEL;
• Nationality information;
• Your payment card number and other card details, as well as authentication details and other billing and account details related to mobile billing;
• Your booking reference number.

The legal basis for such data processing is Article 6(1)(b) of the GDPR, which allows the processing of personal data if they are necessary for the performance of a contract or for taking steps to enter into a contract.

Children's data such as name, surname, nationality and date of birth are collected only from their parents or legal guardians in order to determine their age and the discounts they are entitled to, and for statistical purposes (GUS obligation and local tax).

B. In order to process complaints, we process the following personal data:

• Full name;
• Address (street, house/apartment number, postal code and city);
• Phone number;
• Email address;
• Your booking reference number;
• Alternatively, your bank account number – if money is refunded.

The legal basis for such data processing is Article 6(1)(b) of the GDPR, which allows the processing of personal data if they are necessary for the performance of a contract or for taking steps to enter into a contract.

In order to personalize the service according to the user's personal preferences and to manage customer relationships before, during and after the stay, we process personal data such as:

• Monitoring the use of services (telephone, bar, pay TV, etc.);
• Room access management;
• E-mail address;
• Full name;
• Your booking reference number.

The legal basis for such data processing is Article 6(1)(b) of the GDPR, which allows for the processing of personal data if they are necessary for the performance of a contract or for taking steps to enter into a contract, and Article 6(1)(a) of the GDPR, which allows for the processing of personal data based on voluntary consent.

C. In order to issue an invoice and meet other obligations arising from tax law, such as storing accounting records for 5 years, we process personal data such as:

• Full name;
• Company name;
• Residential address or registered office address;
• Tax Identification Number;
• Booking reference number.

The legal basis for such data processing is Article 6(1)(c) of the GDPR, which allows for the processing of personal data if such processing is necessary for the Personal Data Controller to comply with its legal obligations.

D. In order to assess satisfaction with the services offered, audit, improve and modify our services, we process personal data such as:

• Email address;
• Booking reference number;
• Full name;
• Guest comments or suggestions.

The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows for the processing of personal data if the Personal Data Controller thereby pursues its legitimate interest (in this case, the Hotel's interest is to learn about customer opinions on the services provided in order to adapt them to the needs and expectations of those interested).

E. In order to ensure the safety of Hotel employees and guests and to prevent fraud, we process personal data such as:

• Data from the key card system;
• Image of a person obtained from video surveillance;
• Full name;
• Email address;
• Phone number;
• IP address.

The legal basis for such data processing is Article 6(1)(f) of the GDPR, which permits the processing of personal data if the Personal Data Controller thereby pursues its legitimate interest (in this case, the Hotel's interest is to ensure the safety of all persons staying on the Hotel premises). CCTV data is deleted no later than 30 days from the date of its recording.

F. In order to create registers and records related to the GDPR, including, for example, a register of customers who have filed an objection in accordance with the GDPR, we process personal data such as:

• Full name;
• Email address.

GDPR regulations impose specific documentation obligations on us to demonstrate compliance and accountability. For example, if you object to the processing of your personal data for marketing purposes, we must know who we should not target for direct marketing.

The legal basis for such data processing is Article 6(1)(c) of the GDPR, which allows for the processing of personal data if such processing is necessary for the Personal Data Controller to fulfil its legal obligations (provisions contained in the GDPR); and Article 6(1)(f) of the GDPR, which allows for the processing of personal data if, in doing so, the Personal Data Controller pursues its legitimate interests (in this case, the Hotel's interest is to have knowledge about individuals who exercise their rights under the GDPR).

G. In order to establish, pursue or defend against claims, we process personal data such as:

• Name and surname (if surname is provided) or company name;
• Address of residence (if provided);
• PESEL number or TIN (if specified);
• Email address;
• IP address;
• Booking reference number.

The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows for the processing of personal data if the Personal Data Controller thereby pursues its legitimate interest (in this case, the Hotel's interest is to possess personal data that will enable it to establish, pursue or defend against claims, including those of customers and third parties).

H. For analytical purposes, i.e. researching and analysing activity on the Hotel's website, we process personal data such as:

• Date and time of site visit;
• Type of operating system;
• Approximate location;
• Type of web browser used to view the website;
• Time spent on the website;
• Visited subpages;
• Subpage where the contact form was filled in.

The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows for the processing of personal data if the Personal Data Controller thereby pursues its legitimate interest (in this case, the Hotel's interest is to learn about customer activity on the website).

I. In order to use cookies on the website, we process such text information (cookies will be described in a separate section). The legal basis for this processing is Article 6(1)(a) of the GDPR, which allows for the processing of personal data based on voluntary consent (when you first visit the website, you will be asked to consent to the use of cookies).

J. In order to administer the website, we process personal data such as:

• IP address;
• Server date and time;
• Information about the web browser;
• Information about the operating system

– this data is automatically saved in server logs whenever the Hotel's website is accessed. Administering the website without the server and automatic recording would not be possible. The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows for the processing of personal data if the Personal Data Controller thereby pursues its legitimate interest (in this case, the Hotel’s interest is to administer the website).

3. Cookies

A. The hotel, like other entities, uses cookies on its website. These are short text files stored on the user's computer, phone, tablet, or other device. They can be read by our system, as well as by systems belonging to other entities whose services we use (e.g., Facebook, Google).

B. Cookies perform many functions on the website, most often useful ones, which we will try to describe below (if the information is insufficient, please contact us):

• ensuring security – cookies are used to authenticate users and prevent unauthorized use of the customer panel. Therefore, they protect user personal data from unauthorized access;
• Impact on website usage processes and efficiency – cookies are used to ensure the website operates efficiently and to enable you to use its features, which is possible, among other things, by remembering settings between subsequent visits. Cookies allow you to efficiently navigate the website and its individual subpages;
• Session status – Cookies often store information about how visitors use a website, such as which subpages they view most often. They also enable the identification of errors displayed on certain subpages. Cookies used to store so-called "session status" therefore help improve services and enhance the browsing experience;
• Maintaining session status – when a customer logs in to their panel, cookies enable the session to be maintained. This means that after switching to a different subpage, the user does not have to re-enter their login and password each time, which improves the comfort of using the website;
• Creating statistics – cookies are used to analyze how users use the website (how many open the website, how long they stay on it, which content is most interesting, etc.). This allows us to continually improve the website and tailor its operation to user preferences. To track activity and create statistics, we use Google tools, such as Google Analytics. In addition to reporting website usage statistics, the Google Analytics pixel can also be used, along with some of the cookies described above, to help display more relevant content to users across Google services (e.g., the Google search engine) and the entire web;
• Using social media features – we have a Facebook pixel on our website that allows you to like our Facebook fan page while using the website. However, to make this possible, we need to use cookies provided by Facebook.

C. Your web browser allows cookies to be used on your device by default, so please consent to our use of cookies upon your first visit. However, if you do not wish to use cookies while browsing the website, you can change your browser settings – either completely block the automatic handling of cookies or request notification each time a cookie is placed on your device. You can change your settings at any time.

D. While respecting the autonomy of all people using the website, we feel obliged to warn you that disabling or limiting the use of cookies may cause significant difficulties in using the website, e.g. the need to log in on each subpage, longer page loading times, limitations in the use of functionalities, limitations in liking the page on Facebook, etc.

4. Right to withdraw consent

A. If the processing of personal data is based on consent, you may withdraw this consent at any time.

B. If you would like to withdraw your consent to the processing of your personal data, please follow Section 10, Subsection F. If the processing of your personal data was based on consent, its withdrawal does not render the processing of your personal data up to that point unlawful. In other words, we have the right to process your personal data until you withdraw your consent, and its withdrawal does not affect the lawfulness of the processing carried out to date.

5. Requirement to provide personal data

A. Providing any personal data is voluntary and at your discretion. However, in some cases, providing certain personal data is necessary to meet your expectations regarding the use of the services.

B. To order a service at the Hotel, it is necessary to provide the data indicated in point 2 A of this privacy policy.

C. In order for you to receive an invoice for services, it is necessary to provide all the data required by tax law – without this we will not be able to issue the invoice correctly.

D. In order to contact you by phone regarding matters related to the provision of the service, it is necessary to provide your telephone number and e-mail address - without them we are unable to establish telephone contact or send you a booking confirmation.

6. Automated decision-making and profiling

We hereby inform you that we do not engage in automated decision-making, including profiling. The content of any inquiry submitted via the form is not evaluated by the IT system. The proposed price for the service is based on our hotel's price list.

7. Recipients of personal data

A. Like most businesses, we rely on the assistance of other entities in our operations, which often requires the transfer of personal data. Therefore, if necessary, we share your personal data with lawyers who cooperate with us and provide services, payment processing companies, an accounting firm, a hosting company, IT service providers, a company responsible for sending text messages, and an insurance company (should damages need to be remedied).

B. In addition, it may happen that, for example, on the basis of the relevant legal provisions or the decision of a competent authority, we will also have to transfer your personal data to other authorities or entities.

8. Transfer of personal data to third countries

A. Like most businesses, we use various popular services and technologies offered by entities such as Facebook, Microsoft, and Google. These companies are based outside the European Union and are therefore treated as third countries under the GDPR.

B. The GDPR introduces certain restrictions on the transfer of personal data to third countries. Since European regulations do not generally apply there, the protection of personal data of European Union citizens may unfortunately be insufficient. Therefore, every personal data controller is required to establish a legal basis for such transfer.

C. For our part, we assure you that when using services and technologies, we transfer personal data only to entities from the United States and only to those that have joined the Privacy Shield program, based on the European Commission's implementing decision of July 12, 2016 - more information on this topic can be found on the European Commission's website at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_pl. Entities that have joined the Privacy Shield program guarantee that they will comply with the high standards of personal data protection that apply in the European Union, therefore the use of their services and technologies in the processing of personal data is lawful.

D. We will provide you with additional explanations regarding the transfer of personal data at any time, in particular if this issue raises your concerns.

9. Duration of personal data processing

A. In accordance with applicable law, we do not process your personal data indefinitely, but only for the time necessary to achieve the designated purpose. After this period, your personal data will be irreversibly deleted or destroyed.

B. When we do not need to perform any operations on your personal data other than storing it (e.g., when we store the content of an order for the purpose of defending against claims), we additionally secure it through pseudonymization until it is permanently deleted or destroyed. Pseudonymization involves encrypting personal data, or a set of personal data, so that it cannot be read without an additional key, making such information completely useless to an unauthorized person.

C. Regarding the individual periods of personal data processing, we hereby inform you that we process personal data for the period of:

• duration of the contract – in relation to personal data processed for the purpose of concluding and performing the contract;
• 3 years or 6 years + 1 year – in relation to personal data processed for the purpose of establishing, pursuing or defending claims (the length of the period depends on whether both parties are entrepreneurs or not);
• 6 months – in relation to personal data collected when quoting a service and at the same time the contract was not concluded immediately;
• 5 years + 1 year – in relation to personal data related to the fulfillment of tax law obligations;
• until the consent is withdrawn or the purpose of processing is achieved, but no longer than 5 years – in relation to personal data processed on the basis of consent;
• until an effective objection is raised or the purpose of processing is achieved, but no longer than 5 years - in relation to personal data processed on the basis of the legitimate interest of the Personal Data Controller or for marketing purposes;
• until they become outdated or no longer useful, but no longer than for 3 years – in relation to personal data processed mainly for analytical purposes, the use of cookies and website administration.

D. We count periods in years from the end of the year in which we began processing personal data to streamline the process of deleting or destroying personal data. Separately counting the period for each concluded contract would entail significant organizational and technical difficulties, as well as significant financial outlays. Therefore, establishing a single date for deleting or destroying personal data allows us to manage this process more efficiently. Of course, if you exercise your right to be forgotten, such situations are considered individually.

E. The additional year related to the processing of personal data collected for the purpose of performing the contract is dictated by the fact that you may hypothetically submit a claim just before the expiry of the limitation period, the request may be delivered with a significant delay or you may incorrectly determine the limitation period for your claim.

10. Rights of data subjects

A. We hereby inform you that you have the following rights:

• access to your personal data;
• rectification of personal data;
• deletion of personal data;
• restriction on the processing of personal data;
• objection to the processing of personal data;
• right to be forgotten in cases where other legal provisions allow it;
• receiving a copy of the data
• transfer of personal data.

B. We respect your rights arising from personal data protection regulations and strive to facilitate their implementation to the greatest extent possible.

C. Please note that these rights are not absolute, and therefore, in certain situations, we may lawfully refuse to comply with them. However, if we refuse to comply with your request, we will do so only after a thorough analysis and only if refusing the request is necessary.

D. Regarding the right to object, we clarify that you have the right to object to the processing of your personal data at any time based on the legitimate interest of the Personal Data Controller (listed in section III) due to your specific situation. However, please note that, in accordance with the law, we may refuse to uphold your objection if we demonstrate that:

• there are legitimate grounds for processing that override your interests, rights and freedoms, or
• there are grounds for establishing, pursuing or defending claims.

E. Furthermore, you may object at any time to the processing of your personal data for marketing purposes. In such a situation, upon receipt of your objection, we will cease processing for this purpose.

F. You can exercise your rights in the following way:

• send an e-mail to the Personal Data Controller at: rezerwacja@aqua-resort.pl
• or hand over to the receptionist during a visit to our hotel.

11. Right to lodge a complaint

If you believe that your personal data is being processed contrary to applicable law, you may lodge a complaint with the President of the Office for Personal Data Protection.

12. Final Provisions

A. To the extent not covered by this Privacy Policy, personal data protection regulations apply.

B. The Hotel reserves the right to make changes to this Privacy Policy, provided that the version of the Privacy Policy in force at the time of booking the service shall apply to services provided before the change of the Privacy Policy.

C. Changes to the Privacy Policy shall not violate the rights acquired by Guests.

D. Information about changes to the Privacy Policy will be published on the Hotel’s website: [contact-page] 14 calendar days before these changes come into effect.

E. This Privacy Policy is effective from July 16, 2021.