Privacy Policy
Słoneczna Rapsodia
Personal Data Administrator
1. The Personal Data Administrator within the meaning of Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data and the repeal of Directive 95/46/EC (RODO) is Apartament Słoneczna Rapsodia, Grzegorz Mrózek, Al. Tysiąclecia 7a, 34-700 Rabka-Zdrój entered in the register of entrepreneurs of the Central Registration and Information on Business Activity kept by the Minister of Development.
2. Contact with Personal Data Administrator: biuro@slonecznarapsodia.pl
3. The Personal Data Administrator pursuant to Article 32(1) of the RODO shall observe the principle of personal data protection and shall use appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data processed in connection with its operations.
4. Provision of personal data is voluntary, but necessary in order to establish cooperation and/or enter into a contract with the Personal Data Administrator.
5. The Personal Data Administrator processes personal data only to the extent necessary for the proper provision of services or to take action at the request of the data subject.
Purpose and basis of personal data processing
The Administrator processes personal data for the following purposes:
a) preparation of a commercial offer in response to a customer’s interest, which is a legitimate interest of the Personal Data Administrator (Article 6(1)(f) RODO);
b) to conclude and execute contracts with customers, on the basis of the agreement concluded (Article 6(1)(b) of the RODO);
c) provision of services electronically through the Web Portal, based on the concluded agreement (Article 6(1)(b) RODO);
d) handling of the complaint process, based on the obligation of the Personal Data Administrator under applicable laws (Article 6(1)(c) of the DPA);
e) accounting related to the issuance and acceptance of billing documents, based on the provisions of tax law, including the Accounting Act of 29/09/1994 and the Value Added Tax Act of 11/03/2004 (Article 6.1.c of the DPA);
f) archiving data for possible establishment, investigation or defense against claims or the need to prove facts, which is a legitimate interest of the Personal Data Administrator (Article 6(1)(f) RODO);
g) contact by phone or email, in particular in response to inquiries made to the Personal Data Administrator, which is a legitimate interest of the data controller (Article 6(1)(f) RODO);
h) sending technical information regarding the operation of the Web Portal and services used by the customer, which is a legitimate interest of the Personal Data Administrator (Article 6(1)(f) of the DPA);
i) marketing of the Personal Data Administrator own products, which is its legitimate interest (Article 6(1)(f) of the DPA) or is based on previously granted consent (Article 6(1)(a) of the DPA).
Recipients of data. Transfer of data to third countries
1. Recipients of personal data processed by the Personal Data Administrator may be entities cooperating with the Personal Data Administrator, when this is necessary for the performance of a contract concluded with the data subject.
2. Recipients of personal data processed by the Personal Data Administrator may also be subcontractors – entities whose services are used by the Personal Data Administrator for data processing, e.g. IT service providers (including hosting services, reservation systems).
3. The data administrator may be obliged to provide access to personal data under applicable laws, in particular to provide access to personal data to authorized state authorities or institutions.
4. Personal data will not be transferred to entities located outside the European Economic Area.
Period of storage of personal data
1. The Data Ddministrator shall keep personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the assertion of claims related to the contract, the performance of obligations under applicable laws, but for no longer than the statute of limitations under the provisions of the Civil Code.
2. The Data Ddministrator shall keep personal data for purposes other than those indicated in paragraph 1 for a period of 3 years, unless consent to data processing has been previously withdrawn, and data processing cannot be continued on any other basis than the consent of the data subject.
Rights of the data subject
1. Every data subject has the right:
a) access – to obtain confirmation from the Personal Data Administrator as to whether his personal data is being processed. If data about a person is processed, he or she is entitled to access it and obtain the following information: the purposes of the processing, the categories of personal data, information about the recipients or categories of recipients to whom the data have been or will be disclosed, the duration of data storage or the criteria for determining it, the data subject’s right to request rectification, erasure or restriction of the processing of personal data, and the right to object to such processing (Article 15 RODO);
b) to obtain a copy of the data – to obtain a copy of the data being processed, with the first copy being free of charge, and for subsequent copies the Personal Data Administrator may charge a reasonable fee based on administrative costs (Article 15(3) of the RODO);
c) to rectify – to request the rectification of personal data pertaining to it that is incorrect or the completion of incomplete data (Article 16 RODO);
d) to erasure – to request the deletion of her personal data if the Personal Data Administrator no longer has a legal basis for processing it or the data are no longer necessary for the purposes of processing (Article 17 of the DPA);
e)to restrict processing – to request restriction of processing of personal data (Article 18 RODO) when:
– the data subject questions the accuracy of the personal data – for a period allowing the Personal Data Administrator to verify the accuracy of the data,
– the processing is unlawful, and the data subject objects to the erasure of the data, requesting restriction of its use,
– the Personal Data Administrator no longer needs the data, but they are needed by the data subject to establish, assert or defend claims,
– the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the Personal Data Administrator override the grounds of the data subject’s objection;
f) to data transfer – to receive in a structured, commonly used, machine-readable format the personal data concerning him or her that he or she has provided to the Adminstrator, and to request that the data be sent to another Personal Data Administrator if the data are processed on the basis of the data subject’s consent or a contract with him or her, and if the data are processed by automated means (Article 20 RODO);
g) to object – to object to the processing of his or her personal data for legitimate purposes of the Personal Data Administrator, on grounds related to his or her particular situation, including profiling. The Personal Data Administrator shall then assess the existence of valid legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or grounds for establishing, asserting or defending claims. If, according to the assessment, the interests of the data subject outweigh the interests of the Personal Data Administrator, the Personal Data Administrator will be obliged to cease processing for those purposes (Article 21 of the DPA).
2. In order to exercise the aforementioned rights, the data subject should contact, using the contact information provided, the Personal Data Administrator and inform him/her of which right and to what extent he/she wishes to exercise it.
3. The data subject has the right to file a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.
Automated decision-making. Profiling
Personal data will not be processed by automated means, including profiling.