In accordance with Article 13 and Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”), in connection with the receipt of your personal data as a hotel guest, we hereby inform you that:
1. The administrator of your personal data is Shellter Operator Sp. z o. o. 59-300 Lubin, ul. Słowiańska 17, registered in the register of entrepreneurs of the National Court Register under the KRS number: 0001149727, REGON: 540672862, for which the registration documentation is kept by the District Court for the capital city of Warsaw in Warsaw, 14th Commercial Division of the KRS, and the Tax Identification Number (NIP): 5222482605, (hereinafter referred to as the “Administrator”).
2. The contact person for all matters concerning the processing of personal data and the exercise of rights related to the processing of personal data by the Administrator is the Data Protection Inspector, who can be contacted via e-mail: iod@hotelshellter.pl
3. Your personal data is processed for at least one of the following purposes:
a) under art. 6 sec. 1 letter b) of the GDPR, as necessary for the performance of a contract for hotel services to which you are a party;
b) under art. 6 sec. 1 letter a) of the GDPR and art. 9 sec. 2 letter a) of the GDPR in order to meet special needs within the framework of the hotel service provided adapted to the degree of disability,
c) under art. 6 sec. 1 letter c) of the GDPR, as necessary to comply with the legal obligation incumbent on the Controller, in particular ensuring compliance of the Controller’s actions with the applicable financial, accounting and tax, statistical provisions, implementation of rights under the GDPR and consumer rights;
d) under art. 6 sec. 1 letter f) of the GDPR, in order to pursue legally justified interests pursued by the Administrator (protection of persons and property, determination, pursuit and defence of possible claims, providing
commercial information and conducting direct marketing, i.e. sending advertising and promotional offers in a form other than the one indicated in letter f) below);
e) on the basis of art. 6 sec. 1 letter f) and art. 9 sec. 2 letter f) of the GDPR, in order to determine, pursue or protect claims related to the processed special (sensitive) data;
f) on the basis of separately granted consent and art. 10 sec. 2 of the Act on the provision of services by electronic means of 18 July 2002 (consolidated text: Journal of Laws of 2017, item 1219, as amended) or art. 172 of the Act of 16 July 2004 – Telecommunications Law (consolidated text: Journal of Laws of 2017, item 1907, as amended) – for the purpose of sending commercial information (sending advertising and promotional offers) by electronic means or by telephone using terminal equipment.
4. The Administrator processes the following categories of personal data: first name, last name, PESEL number or passport number, nationality, correspondence address, telephone number, e-mail address, optionally car registration number, health data (disability data), image.
5. You have the right to:
a) access the content of your data, including requesting a copy of the data,
b) rectify incorrect data and request that incomplete data be supplemented,
c) delete the data (“right to be forgotten”) if one of the following circumstances applies:
i. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
ii. the data subject objects under Article 21 paragraph 1 (in connection with the processing of data on the basis of a task carried out in the public interest or in the exercise of official authority by the Controller or the legitimate interest of the Controller or a third party) and there are no overriding legitimate grounds for processing, or the data subject objects under Article 21 paragraph 2 to the processing (in connection with the processing of data for direct marketing purposes);
iii. the personal data were processed unlawfully;
iv. the personal data must be deleted in order to comply with a legal obligation under Union law or the law of a Member State to which the Controller is subject;
d) restrictions of processing, in the following cases:
i. the data subject contests the accuracy of the personal data – for a period enabling the Administrator to verify the accuracy of such data;
ii. the processing is unlawful and the data subject objects to the deletion of the personal data, requesting instead the restriction of their use;
iii. the Administrator no longer needs the personal data for the purposes of processing, but they are necessary for the data subject to establish, pursue or defend claims;
iv. the data subject has filed an objection under Article 21 paragraph 1 (in connection with the processing of data on the basis of a task carried out in the public interest or in the exercise of official authority by the Administrator or the legitimate interest of the Administrator or a third party) to the processing – until it is determined whether the legitimate grounds on the part of the Administrator override the grounds for the objection of the data subject;
e) data transfer, if:
i. the processing takes place on the basis of consent granted or on the basis of a contract and
ii. the processing is carried out in an automated manner,
f) withdraw consent to the processing of personal data at any time, whereby the withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal,
g) the right to object:
i. in each case when your data are processed for the purposes of direct marketing;
ii. in the event of your special situation in the scope of personal data processing, when the basis for data processing is a legally justified interest pursued by the Administrator, and the right to object cannot be exercised in the event of important legally justified grounds for processing, overriding your interests, rights and freedoms, in particular the determination, pursuit or defense of claims.
The rights can be exercised, among others, by sending a request to the address of the Data Protection Inspector (given in point 2 above), as well as by written correspondence with a note on the envelope IOD or in person at the Administrator’s office (
6. You have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw) if you believe that the processing of your personal data violates the provisions of the GDPR or other legal provisions regarding personal data.
7. Your personal data are or may be transferred to the following categories of recipients:
a) persons authorised by the Administrator, employees and associates, members of the Administrator’s bodies who must have access to personal data in order to perform their duties,
b) service providers, including those providing the Administrator with technical and organisational solutions enabling the management of the Administrator’s organisation (in particular providers of ICT, postal, forwarding, legal, accounting, auditing, data security and storage, tax and accounting, personal and property protection services), on the basis of relevant data processing entrustment agreements;
8. Your personal data will be stored:
a) for the purposes referred to in points 3 a) and b) above – for the period of performance of the agreement concluded with you for the provision of hotel services,
b) for the purposes of any determination, pursuit and defense of claims – for the period specified in the provisions of law for the limitation of a particular type of claim,
c) for the purposes of fulfilling legal obligations – for the time required by applicable provisions of law or until these obligations are fulfilled, no longer than the period in which the Administrator may suffer legal consequences of failure to fulfill the obligation,
d) for the purposes of protecting people and property – for a period of 30 days from the end of the stay at the hotel, unless the video monitoring devices have recorded an event related to a breach of the security of people and property – then the period of data storage may be extended by the time necessary to complete the proceedings concerning the event recorded by the video monitoring,
e) for the purposes of providing commercial information and conducting direct marketing, i.e. sending advertising and promotional offers – until the withdrawal of consent or submission of an objection, but no longer than for a period of 3 years from the date of data provision, with effect from calculated at the end of a given calendar year.
9. Providing your personal data is voluntary, but necessary for the performance of the contract concluded with you, and failure to provide them will make it impossible to perform the contract concluded.
10. Your personal data will not be transferred to third countries.
11. If the Controller did not receive your personal data directly from you, the personal data were obtained from your family member, employer or other personal data controllers, e.g. from entities intermediating in hotel bookings (e.g. hotel booking portals) or through travel agencies.
13. Your personal data are not subject to automated decision-making, including profiling. We also kindly inform you that the persons whose data are processed have the right to object to the processing of their data for direct marketing purposes at any time, and in the event of data processing in the legitimate interest of the Administrator – in the event of a special situation in accordance with Article 21 of the GDPR.
