Information on the Processing of Personal Data
1. Data Controller
The data controller is PHU DEAL, with its registered office in Kiełczów, postal code 55-093; ul. Północna 1; NIP: 911 133 60 50; REGON 020669450; entered into the register of entrepreneurs of the Central Register and Information on Economic Activity of the Republic of Poland; contact regarding the protection of personal data is possible via e-mail: recepcja@fivestarsbb.com.
2. Purposes and Legal Bases for Processing Personal Data
In order to provide services in line with the profile of activity, the FIVE STARS B&B processes personal data — for various purposes, but always in accordance with the law. The provided personal data will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), abbreviated as GDPR. We obtain personal data from you in the process leading to the conclusion of a contract or from our partners from booking portals, if you have given your consent. Below you will find the specified purposes of processing personal data along with the legal bases.
2.1. In order to provide a service quote, make a reservation, and perform the service, as well as when entering into other agreements related to the business profile, we may process such personal data as:
- First and Last Name;
- Address (street, house/apartment number, postal code, and city);
- Phone number;
- E-mail address;
- Company details along with VAT number (in case of issuing a VAT invoice to a company);
- Basic bank account details for payment confirmation;
- ID/passport number and PESEL (Personal Identification Number);
- Information regarding nationality;
- Your payment card number and other card details, as well as authentication data and other billing-related information, associated with mobile payments;
- Reservation number.
The legal basis for such processing of data is Article 6(1)(b) of the GDPR, which allows the processing of personal data if it is necessary for the performance of a contract or for taking steps prior to entering into a contract. Children’s data such as name, nationality, and date of birth are collected exclusively from their parents or legal guardians in order to determine their age and entitlement to discounts, as well as for statistical purposes (GUS obligation).
2.2. In order to personalize the service according to the user’s personal preferences and manage customer relationships before, during, and after the stay, we process such personal data as:
- Monitoring the use of services (accommodation, breakfast buffet, parking);
- Room access management;
- E-mail address;
- First and Last Name;
- Reservation number.
The legal basis for such processing of data is Article 6(1)(b) of the GDPR, which allows the processing of personal data if it is necessary for the performance of a contract or for taking steps prior to entering into a contract, and Article 6(1)(a) of the GDPR, which allows the processing of personal data based on freely given consent.
2.3. In order to issue invoices and fulfill other obligations arising from tax law, such as storing accounting documentation for 5 years, we process such personal data as:
- First and Last Name;
- Company name;
- Residential address or registered office address;
- VAT number;
- Reservation number.
The legal basis for such processing of data is Article 6(1)(c) of the GDPR, which allows the processing of personal data if such processing is necessary for compliance with a legal obligation by the Data Controller.
2.4. In order to assess satisfaction with the services offered, conduct audits, and improve and modify our services, we process such personal data as:
- E-mail address;
- Reservation number;
- First and Last Name;
- Guest comments or suggestions.
The legal basis for such processing of data is Article 6(1)(f) of the GDPR, which allows the processing of personal data if it is necessary for the legitimate interests pursued by the Data Controller (in this case, the interest of the Establishment is to understand customers’ opinions about the services provided in order to adapt them to the needs and expectations of the interested parties).
2.5. In order to handle complaints, we process such personal data as:
- First and Last Name;
- Address (street, house/apartment number, postal code, and city);
- Phone number;
- E-mail address;
- Reservation number;
- Optionally, bank account number — if a refund is made.
The legal basis for such processing of data is Article 6(1)(b) of the GDPR, which allows the processing of personal data if it is necessary for the performance of a contract or for taking steps prior to entering into a contract.
2.6. In order to ensure the safety of the employees and guests of the Establishment and to prevent fraud, we process such personal data as:
- Data from the key card system;
- Facial image obtained from CCTV monitoring;
- First and Last Name;
- E-mail address;
- Phone number;
- IP address.
The legal basis for such processing of data is Article 6(1)(f) of the GDPR, which allows the processing of personal data if it is necessary for the legitimate interests pursued by the Data Controller (in this case, the interest of the Establishment is to ensure the safety of all individuals on the premises). CCTV monitoring data is deleted no later than 20 days from the date of recording.
2.7. In order to create records and registers related to the GDPR, including, for example, a register of customers who have objected in accordance with the GDPR, we process such personal data as:
- First and Last Name;
- E-mail address.
The GDPR imposes certain documentary obligations on us to demonstrate compliance and accountability. If you submit, for example, an objection to the processing of your personal data for marketing purposes, we need to know who not to target with direct marketing. The legal basis for such processing of data is Article 6(1)(c) of the GDPR, which allows the processing of personal data if such processing is necessary for compliance by the Data Controller with a legal obligation (provisions contained in the GDPR); and Article 6(1)(f) of the GDPR, which allows the processing of personal data if it is necessary for the legitimate interests pursued by the Data Controller (in this case, the interest of the Establishment is to have knowledge about individuals who exercise their rights under the GDPR).
2.8. In order to establish, investigate, or defend against claims, we process such personal data as:
- First and Last Name (if provided) or, alternatively, the company name;
- Residential address (if provided);
- PESEL (Personal Identification Number) or VAT number (if provided);
- E-mail address;
- IP address;
- Reservation number.
The legal basis for such processing of data is Article 6(1)(f) of the GDPR, which allows the processing of personal data if it is necessary for the legitimate interests pursued by the Data Controller (in this case, the interest of the Establishment is to possess personal data that will allow it to establish, investigate, or defend against claims, including those of customers and third parties).
2.9. For analytical purposes, i.e., the study and analysis of activity on the website belonging to the FIVE STARS B&B Establishment, we process such personal data as:
- Date and time of website visits;
- Type of operating system;
- Approximate location;
- Type of internet browser used to browse the website;
- Time spent on the website;
- Visited subpages;
- Subpage where the contact form was filled out.
The legal basis for such processing of data is Article 6(1)(f) of the GDPR, which allows the processing of personal data if it is necessary for the legitimate interests pursued by the Data Controller (in this case, the interest of the Establishment is to understand the activity of customers on the website).
2.10. In order to use cookies on the website, we process textual information as described in point 3.
The legal basis for such processing is Article 6(1)(a) of the GDPR, which allows the processing of personal data based on freely given consent (upon first entry to the website, a request for consent to use cookies appears).
2.11. In order to administer the website, we process such personal data as:
- IP address;
- Date and time of the server;
- Information about the internet browser;
- Information about the operating system.
This data is automatically recorded in server logs each time the website belonging to the FIVE STARS B&B Establishment is used. Administering the website without using a server and without this automatic recording would not be possible. The legal basis for such processing of data is Article 6(1)(f) of the GDPR, which allows the processing of personal data if it is necessary for the legitimate interests pursued by the Data Controller (in this case, the interest of the Establishment is to administer the website).
3. Cookies
3.1. FIVE STARS B&B, like other entities, uses so-called cookies on its website, which are short pieces of text information stored on the user’s computer, phone, tablet, or other device. They can be read by our system, as well as by systems belonging to other entities whose services we use (e.g., Facebook, Google).
3.2. Cookies serve many functions on the website:
- Security provision – cookies are used to authenticate users and prevent unauthorized access to the client panel. They are therefore used to protect the user’s personal data from unauthorized access;
- Influence on the processes and performance of using the website – cookies are used to ensure the smooth operation of the website and to enable the use of available functions, which is possible, among other things, thanks to remembering settings between successive visits to the website. Thanks to them, you can efficiently navigate the website and its subpages;
- Session state – information about how visitors use the website is often stored in cookies, e.g., which subpages they most frequently view. They also allow the identification of errors displayed on some subpages. Cookies used to store the “session state” help improve services and increase browsing comfort;
- Session maintenance – if a client logs into their panel, cookies enable the session to be maintained. This means that after going to another subpage, there is no need to re-enter the login and password each time, which contributes to the convenience of using the website;
- Statistics creation – cookies are used to analyze how users use the website (how many open the website, how long they stay on it, which content generates the most interest, etc.). This allows for constant improvement of the website and adjustment of its operation to user preferences. To track activity and create statistics, we use Google tools such as Google Analytics; in addition to reporting website usage statistics, the Google Analytics pixel can also be used, along with some of the cookies described above, to help show the user more relevant content in Google services (e.g., Google Search) and across the web.
3.3. By default, the web browser allows the use of cookies on your device, so when visiting our website, please consent to the use of cookies. However, if you do not wish to use cookies when browsing the website, you can change the settings in your web browser to completely block automatic handling of cookies or request notification each time cookies are placed on your device. Settings can be changed at any time.
3.4. Respecting the autonomy of all users of the website, we feel obliged to warn that disabling or limiting the use of cookies may cause quite serious difficulties in using the website, e.g., the need to log in on each subpage, longer loading times, limitations in using functionalities, etc.
4. Right to Withdraw Consent
4.1. If the processing of personal data is based on consent, you may withdraw this consent at any time.
4.2. If you decide to withdraw your consent to the processing of personal data, you should follow point 9.6. If the processing of your personal data was based on consent, its withdrawal does not affect the legality of the processing of personal data up to that point. In other words, until the consent is withdrawn, we have the right to process your personal data, and its withdrawal does not affect the lawfulness of the processing carried out before.
5. Requirement to Provide Personal Data
5.1. Providing any personal data is voluntary and depends on your decision. However, in some cases, providing certain personal data is necessary to meet your expectations regarding the use of services.
5.2. To book a service at the Facility, it is necessary to provide the data indicated in point 2.1 of this privacy policy.
5.3. In order to receive an invoice for services, it is necessary to provide all data required by tax law – without this, we are unable to properly issue an invoice.
5.4. In order to be able to contact you by phone regarding the implementation of the service, it is necessary to provide a telephone number and email address – without this, we are unable to establish telephone contact or send a reservation confirmation.
6. Automated Decision Making and Profiling
Please be informed that we do not make automated decisions, including profiling. The content of the inquiry sent via the form is not subject to assessment by the computer system. The proposed service price is provided based on the FIVE STARS B&B price list.
7. Recipients of Personal Data
7.1. Only authorized employees of FIVE STARS B&B and entities cooperating with the Facility under appropriate agreements have direct access to your personal data. This includes companies providing services for the Facility or our Guests, such as IT support companies providing software or IT services, accounting, legal, or auditing services, marketing services, postal and courier services, transportation companies, and taxi services to ensure Guests receive the ordered transportation, as well as insurance companies (in case damage repair is necessary).
7.2. Additionally, it may happen that, for example, based on the relevant legal provision or decision of the competent authority, we will have to disclose your personal data to other authorities or entities.
8. Data Processing Period
8.1. In accordance with applicable law, we do not process your personal data “indefinitely”, but for the time necessary to achieve the specified purpose. After this period, personal data will be irreversibly deleted or destroyed.
8.2. Regarding the specific periods of processing personal data, please be informed that we process personal data for the following periods:
- duration of the contract — concerning personal data processed for the purpose of concluding and performing the contract;
- 3 years or 10 years + 1 year — concerning personal data processed for the purpose of establishing, pursuing, or defending claims (the length of the period depends on whether both parties are entrepreneurs or not);
- up to 6 months — concerning personal data collected for service estimation purposes, provided that no contract is concluded immediately;
- 5 years — concerning personal data related to fulfilling tax obligations;
- until consent is withdrawn or the purpose of processing is achieved, but no longer than 5 years — concerning personal data processed based on consent;
- until effective objection is raised or the purpose of processing is achieved, but no longer than 5 years — concerning personal data processed based on the legitimate interest of the Data Controller or for marketing purposes;
- until becoming outdated or irrelevant, but no longer than 3 years — concerning personal data processed mainly for analytical purposes, cookie usage, and website administration.
8.3. The periods in years are counted from the end of the year in which we started processing personal data to facilitate the process of deleting or destroying personal data. Separate calculation of the term for each concluded contract would involve significant organizational and technical difficulties, as well as substantial financial outlays. Therefore, establishing a single date for deleting or destroying personal data allows us to manage this process more efficiently. Of course, in the event of your exercise of the right to be forgotten, such situations are considered on an individual basis.
8.4. The additional year associated with the processing of personal data collected for the purpose of executing the contract is due to the hypothetical situation where you may submit a claim shortly before the limitation period expires, the demand may be delivered with a significant delay, or you may incorrectly determine the limitation period of your claim.
9. Data Subject Rights
9.1. We kindly inform you that you have the right to:
- access your personal data;
- rectify your personal data;
- erase your personal data;
- restrict the processing of your personal data;
- object to the processing of your personal data;
- be forgotten in cases permitted by other applicable laws;
- obtain a copy of your data;
- data portability.
9.2. We respect your rights arising from data protection regulations and strive to facilitate their implementation to the highest possible extent.
9.3. Please note that the mentioned rights are not absolute, and therefore in some situations, we may legally refuse to fulfill them. However, if we refuse to comply with your request, it is only after careful analysis and only when refusal is necessary.
9.4. Regarding the right to object, we clarify that at any time you have the right to object to the processing of your personal data based on the legitimate interests of the Data Controller in relation to your particular situation. However, it should be noted that according to the regulations, we may refuse to consider the objection if we demonstrate that there are legitimate grounds for processing that override your interests, rights, and freedoms, or there are grounds for establishing, exercising, or defending legal claims.
9.5. Additionally, at any time, you can object to the processing of your personal data for marketing purposes. In such a case, upon receiving the objection, we will cease processing for this purpose.
9.6. You can exercise your rights in the following ways:
- by sending an email to the Data Controller at: recepcja@fivestarsbb.com
- or by sending correspondence to the address of the FIVE STARS B&B: 50-079 Wrocław, ul. Ruska 35
10. Right to Lodge a Complaint
If you believe that your personal data is being processed in violation of applicable law, you may lodge a complaint with the President of the Personal Data Protection Office.
11. Final Provisions
11.1. Matters not regulated by this Privacy Policy are governed by the provisions on personal data protection.
11.2. The Property reserves the right to make changes to this Privacy Policy; however, the version of the Privacy Policy in force at the time of making a service reservation applies to services rendered before the change.
11.3. Changes to the Privacy Policy may not violate the rights acquired by Guests.
11.4. Information about the Privacy Policy is published on the Property’s website: www.fivestarsbb.com, and is available at the Property’s Reception.
11.5. This version of the Privacy Policy is effective as of May 20, 2021.