Privacy Policy

Privacy and Personal Data Protection Policy (GDPR)

1. Personal Data Controller

The Controller of your personal data is ZH Management Sp. z o.o., with its registered office in Gdańsk, 80-219, at Aleja Zwycięstwa 13A, Tax Identification Number (NIP): 9571158897, National Business Registry Number (REGON): 525433617, entered in the National Court Register under number 0001038842 (hereinafter referred to as the "Controller").

Contact details regarding personal data protection:

a. Email: kontakt@zlotyhoryzont.pl

b. Correspondence address: Złoty Horyzont Resort & SPA, ul. Górna 19, 58-580 Szklarska Poręba, with the note "Personal Data Protection."

2. Categories of Data Subjects

The Controller processes the personal data of the following categories of data subjects:

1. Guests – individuals making reservations and using the services of the Złoty Horyzont facility.

2. Newsletter subscribers – individuals who have signed up for the newsletter.

3. Contact persons – individuals submitting inquiries via contact forms, email, by phone, or in person.

4. Persons participating in telephone calls – calls may be recorded for security and service quality purposes.

5. Contractors and business partners – individuals conducting business activities and representatives of cooperating companies.

6. Employees and job applicants – within the scope of the recruitment and employment process.

3. Purposes and legal basis for processing

The Controller processes personal data for the following purposes:

1) Conclusion and performance of the contract (Article 6, paragraph 1, letter b of the GDPR) – processing reservations, providing accommodation and additional services.

2) Fulfillment of legal obligations (Article 6, paragraph 1, letter c of the GDPR) – in particular those arising from tax, accounting, and registration regulations.

3) Legitimate interests of the Controller (Article 6, paragraph 1, letter f of the GDPR) – including ensuring facility security (video surveillance), handling complaints, pursuing claims, recording telephone conversations to improve service quality and communication security.

4) Based on consent (Article 6, paragraph 1, letter a of the GDPR) – e.g., newsletter delivery, electronic marketing offers, processing data beyond the necessary scope.

4. Scope of data processed

Depending on the purpose of processing, we may process, among others:

1) Guests: first name and last name, contact details (telephone number, email), address, ID document details (if required by law), data regarding stay and preferences, payment data.

2) Subscribers: email address, first name and last name (if provided), marketing preferences.

3) Contact persons: name and surname, email address, telephone number, content of correspondence.

4) Persons participating in telephone conversations: voice, telephone number, content of conversation.

5) Contractors and partners: name and surname, business details, contact details, position.

6) Job candidates: data included in CVs, cover letters, and application documents (in accordance with the Labor Code and the scope of consent).

5. Recipients of personal data

Data may be transferred to:

1) entities providing IT, accounting, legal, marketing, and maintenance services to the Controller,

2) providers of reservation and payment systems,

3) telecommunications operators and call recording system providers,

4) banks and payment operators,

5) public authorities authorized by law (e.g., tax office, police),

6) other recipients – only to the extent required by law.

6. Data Retention Period

1) Guests: for the duration of the contract, and then for the limitation period for civil law claims (generally 6 years).

2) Subscribers: until the withdrawal of consent to receive the newsletter.

3) Contact persons: for the time necessary to process the inquiry, and then for the limitation period for claims.

4) Persons participating in telephone conversations: recordings are stored for a maximum of 3 months, unless longer storage is necessary to protect the Controller's rights or to pursue claims (e.g., in complaint proceedings).

5) Contractors and partners: for the duration of the cooperation and as required by law (e.g., tax regulations).

6) Video surveillance: recordings are stored for a maximum of 30 days, unless a longer period is required by law or evidence is needed.

7) Job candidates: for the duration of the recruitment process, and in the case of consent to future recruitment, until such consent is withdrawn.

7. Video Surveillance and Recording of Telephone Conversations

1) The Złoty Horyzont facility is under video surveillance to ensure the safety of guests and employees, and the protection of property.

2) Selected telephone lines are recorded to ensure the quality of service, call security, and the ability to resolve complaints. The caller is informed of the recording at the beginning of the call.

8. Rights of Data Subjects

Data subjects have the right to:

1) access their data,

2) rectify their data,

3) erase their data ("right to be forgotten"),

4) restrict processing,

5) transfer their data,

6) object to data processing (e.g., for marketing purposes),

7) withdraw consent at any time (without affecting the legality of previous processing).

9. Complaint to the Supervisory Authority

Data subjects have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.

10. Automated Decision-Making

Personal data are not subject to automated decision-making, including profiling, that would have legal effects on the data subjects.

11. Voluntary provision of data

Providing data is voluntary, but in many cases necessary to conclude and perform a contract, use services, or process an inquiry. Failure to provide data may prevent the provision of services or a response.