In compliance with the provisions of Article 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), we provide you with key information regarding the processing of your personal data.
1. Personal data controller
The controller of your personal data is “POMORZANIN” Sp. z o.o. based in Gdańsk – Operator of Prawdzic Resort & Wellness, ul. Piastowska 198, 80-341 Gdańsk, entered into the Register of Entrepreneurs kept by the District Court Gdańsk-North in Gdańsk, 7th Commercial Division under number 0000152691, NIP: 8520500813, REGON: 00807933700000, hereinafter referred to as the “Resort”.
2. Purpose of personal data processing.
Your personal data is processed for the purpose of performing the contract concluded by you with the Controller and the Resort, as well as other services provided by the resort at the guest's request (including spa services and/or catering services) (Art. 6(1)(b) GDPR). Regardless of this basis, the processing of data is necessary to fulfill a legal obligation incumbent on the controller – i.e., for tax and accounting purposes (Art. 6(1)(c) GDPR), and it is also necessary for purposes arising from the legitimate interests of the controller (Art. 6(1)(f) GDPR) - in particular:
If the Guest has consented to the processing of personal data for marketing purposes, the Resort processes personal data for this purpose, i.e. to send marketing information and offers about its products and services to the guest (Art. 6(1)(a) GDPR).
Personal data will not be transferred to third countries or international organizations outside the European Economic Area.
3. Recipients of personal data.
Recipients of your data are public administration authorities for the purpose of collecting local fees, providers of ICT services, companies providing support and operation of the Administrator's IT tools and systems (e.g. software maintenance), professional advisors (e.g. law firms), companies providing accounting services to the Administrator, auditors (e.g. independent statutory auditors), insurance companies.
4. Categories of processed personal data.
The Administrator may process the following categories of your personal data for the above purposes:
The Data Controller processes special categories of data, so-called sensitive data (i.e., health data), when:
Processing sensitive data is necessary to protect the vital interests of the data subject, e.g., to protect health or life. If consent to provide sensitive data (i.e., health data) is not given, the Resort will not be able to perform the spa service.
5. Duration of personal data processing.
Your personal data will be processed for the period necessary for proper handling of the contract concluded by you, establishing, asserting or defending claims of the Administrator, archiving data as required by law, unless laws (e.g. accounting or tax regulations) require the administrator to process this data for a longer time. In any case, the longer data processing period applies. For marketing purposes, data will be processed for the duration of the consent. Data from monitoring will be stored for 30 days and then permanently deleted, unless due to a special circumstance (e.g. accident, criminal offense) it is necessary to store monitoring footage for longer than 30 days.
6. Cookies and automated processing of personal data
When using the Administrator's website, cookies are saved on the user's end device. Cookies are small text files saved in the user's browser, which in certain cases may contain personal data such as IP address or data about the user's activity.
The Administrator uses cookies:
The legal basis for processing personal data obtained through cookies is Art. 6(1)(f) GDPR – the Administrator's legitimate interest in operating the website and marketing communication.
The user may at any time change their web browser settings to restrict or completely block the use of cookies. Restricting the use of cookies may, however, affect the proper functioning of the website and availability of some functions.
The Administrator does not store cookies on its own servers, and data from cookies is read only during the user's active session. Data from cookies is not combined with other personal data held by the Administrator and is not transferred outside the European Economic Area.
You have the right to delete cookies saved on your end device.
7. Profiling
The personal data controller informs that when using the website, user profiling occurs within the meaning of Art. 4(4) GDPR. Profiling is based on data obtained from cookies and information provided by the user (e.g., email address in the newsletter subscription form) and aims to present tailored marketing and promotional content. The legal basis for such processing is the user’s consent (Art. 6(1)(a) GDPR) and the legitimate interest of the Administrator (Art. 6(1)(f) GDPR). The user has the right to object to profiling and to withdraw consent at any time.
8. Guest rights
You have the right to access your personal data, request their correction, and also – in cases provided for by GDPR – deletion or restriction of processing, object to their processing, and the right to data portability. You have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that the processing of your personal data violates data protection law (in particular the GDPR). Your data will not be transferred by the Administrator to recipients in third countries or international organizations. You have the right to withdraw any consent you previously gave at any time.
9. Contact with the controller
Contact with the Administrator is possible via:
