Privacy

PRIVACY POLICY

I. GENERAL PROVISIONS

1. This Privacy Policy concerns the processing and protection of personal data provided by users who are natural persons using products and services offered by Grano Group Spółka Z O.O.
2. The website at www.granohotels.pl is operated by the company Grano Group, headquartered in Pinczyn, ul. Gajowa 31B, 83-251 Pinczyn, registered in the Register of Entrepreneurs of the National Court Register under number KRS 0000629533, having the tax identification number (NIP) 5922266884, REGON number 365002163, with a share capital of PLN 5,000,000.
3. The administrator of users’ personal data is Grano Group, headquartered in Pinczyn, ul. Gajowa 31B, 83-251 Pinczyn, registered in the Register of Entrepreneurs of the National Court Register under number KRS 0000629533, having the tax identification number (NIP) 5922266884, REGON number 365002163, with a share capital of PLN 5,000,000 (hereinafter "Administrator").
4. The Administrator has appointed a Data Protection Officer. The Data Protection Officer can be contacted in all matters related to personal data processing in writing at: Swojska 14, 80-867 Gdańsk or by email: rodo@granohotels.pl
5. The Administrator processes users' personal data in accordance with applicable law, in particular in compliance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter "GDPR") and the Act on Personal Data Protection of 10 May 2018.
6. Personal data processing by the Administrator means an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, ordering, storing, adapting or modifying, retrieving, reviewing, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, deleting or destroying.
7. When processing users’ personal data, the Administrator uses appropriate technical and organizational measures that ensure adequate security against unauthorized or unlawful processing of personal data and against accidental loss, destruction, or damage.

II. PURPOSES OF PERSONAL DATA PROCESSING

1. The Administrator processes users’ personal data for various purposes, always in accordance with applicable law.
2. The Administrator processes users' personal data to the necessary extent for the purposes of:
   a. responding to inquiries submitted by users via the contact form,
   b. taking actions before concluding a contract at the request of the data subject or executing a contract for the provision of services offered by the Administrator, of which the data subject is a party based on Art. 6(1)(b) GDPR,
   c. accepting reservations via the online booking system,
   d. taking actions before concluding a contract at the request of the data subject based on Art. 6(1)(b) GDPR,
   e. fulfillment of products or services provided by the Administrator based on Art. 6(1)(b) GDPR,
   f. fulfilling legal obligations imposed on the Administrator (including tax, archival, complaint handling) based on Art. 6(1)(c) GDPR,
   g. marketing of products and services of the Administrator and products and services of entities belonging to the Grano Hotels Network, including sending commercial information to an email address, if the Client consents by ticking the appropriate box during reservation or inquiry submission via the contact form,
   h. realization of the legitimate interest of the Administrator of personal data in special cases based on Art. 6(1)(f) GDPR, e.g., debt collection or video surveillance monitoring of movement on the premises.

III. TYPES OF PERSONAL DATA PROCESSED

1. According to the principle of data minimization, the Administrator processes only those categories of personal data that are necessary to achieve the purposes referred to in point II section 2 of this Privacy Policy.
2. For actions before the conclusion of a contract, contract conclusion and execution related to the use of products and services offered by the Administrator, the Administrator processes the user's personal data:
   a. first name and last name,
   b. address data (street with building number, apartment, city with postal code, voivodeship, country),
   c. date of birth,
   d. email address,
   e. phone number,
   f. tax identification number (NIP) if the user runs a business,
   g. IP address.
3. When responding to user inquiries sent via the contact form, the Administrator processes the following personal data:
   a. first name and last name,
   b. email address,
   c. phone number,
   d. IP address.
4. For marketing activities of the Administrator's products and services and products and services of entities belonging to the Grano Hotels Network, including sending commercial information, the Administrator processes the following personal data:
   a. first name and last name,
   b. email address,
   c. IP address.
5. Providing personal data by the user is voluntary; however, in the case of concluding a contract regarding the use of products and services offered by the Administrator, failure to provide certain data will prevent the execution of the contract or the provision of specific services by the Administrator.

IV. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

Users’ personal data is processed based on:
1. Art. 6(1)(a) GDPR – when users have given consent to the processing of their personal data for specific purpose(s),
2. Art. 6(1)(b) GDPR – when processing is necessary for the performance of a contract between the Administrator and the user or to take steps at the user's request prior to entering into a contract,
3. Art. 6(1)(c) GDPR – when processing is necessary for compliance with a legal obligation of the Administrator,
4. Art. 6(1)(f) GDPR – when processing is necessary for the legitimate interests pursued by the Administrator or a third party, in particular in cases of claims enforcement or defense, ensuring the security of the Administrator's property and resources (e.g., video monitoring on premises).

V. DATA RETENTION PERIOD

1. Users' personal data are processed by the Administrator for the period necessary to achieve the purposes for which the data are processed or until the processing is required by law.
2. If the legal basis for processing users' personal data is consent, the Administrator processes the data until the consent is withdrawn, and after withdrawal for the period of the statute of limitations of any claims of both users and the Administrator.
3. If the legal basis is contract performance, the Administrator processes the data for the duration of the contract and afterwards for the statute of limitations period for claims.
4. If the legal basis is legitimate interest, the Administrator processes the data until an effective objection is made against such processing.

VI. INFORMATION ABOUT PERSONAL DATA RECIPIENTS OR CATEGORIES OF RECIPIENTS

Users' personal data may be transferred to the Administrator's subcontractors, i.e., entities used by the Administrator in its business, contract performance, and service provision, including providers of IT services, postal and courier services, booking systems, payment services, accounting firms, marketing agencies. These entities process personal data based on a contract with the Administrator and comply with data protection laws. Additional personal data may be provided to authorized entities under applicable law, particularly judiciary authorities.

VII. INFORMATION ABOUT AUTOMATED DECISION-MAKING, INCLUDING PROFILING

The Administrator may use automated decision-making, including profiling, for marketing purposes and offer customization.

VIII. INFORMATION ABOUT INTENT TO TRANSFER PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

The Administrator does not intend to transfer users’ personal data to third countries or international organizations.

IX. INFORMATION ABOUT USERS’ RIGHTS REGARDING THE PROCESSING OF THEIR PERSONAL DATA

Users have the following rights regarding the processing of their personal data by the Administrator:
1. The right to request access to their personal data – users can obtain inspection and access; also details about processing purposes, legal basis, data held, recipients, and planned deletion time.
2. The right to rectification – correction of inaccurate personal data processed by the Administrator.
3. The right to complete incomplete personal data processed.
4. The right to erasure (