Personal Data Protection Policy
Regulations governing the processing of personal data
As of 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (commonly referred to as the “GDPR”), has become applicable. The GDPR applies in the same scope in all Member States of the European Union, including Poland.
The controller of personal data is the Organizer.
In order to provide services in line with its business profile, the Organizer processes personal data for various purposes, always on a lawful basis and in accordance with the law. Personal data are processed for the purpose of:
- performing the services provided by the Organizer (Article 6(1)(b) GDPR, which allows the processing of personal data where it is necessary for the performance of a contract or for taking steps at the request of the data subject prior to entering into a contract)
- verifying the Customer’s identity, i.e. the participant of the trip or the person indicated in the agreement as the “Payer” (legal basis: Article 6(1)(c) GDPR)
- handling complaints (Article 6(1)(b) GDPR, which allows the processing of personal data where it is necessary for the performance of a contract or for taking steps prior to entering into a contract)
- sending e-mail notifications containing commercial information (Article 6(1)(a) GDPR, which allows the processing of personal data where the person has given consent; Article 6(1)(f) GDPR, which allows the processing of personal data where the Controller pursues its legitimate interests)
- financial settlements and accounting reporting, such as keeping accounting documentation for 5 years (Article 6(1)(c) GDPR, which allows the processing of personal data where such processing is necessary for the Controller to comply with legal obligations)
- creating GDPR-related registers and records (Article 6(1)(c) GDPR, which allows the processing where necessary to comply with legal obligations; Article 6(1)(f) GDPR, which allows the processing where the Controller pursues its legitimate interests)
- establishing, pursuing or defending claims (Article 6(1)(f) GDPR, which allows the processing where the Controller pursues its legitimate interests), generally for up to 6 years due to applicable limitation periods for claims (legal basis: Article 118 et seq. of the Civil Code)
The data processed include: first name(s), last name, date of birth, gender, e-mail address, phone number, home address, bank account number (in the case of refunds), PESEL number (participant’s qualification card). If required due to the destination of the trip, data from an identity document (ID card or passport) are also processed, namely: place of birth, citizenship, facial image, series and number of the document, issuing authority, date of issue and expiry date.
The Organizer uses the support of other entities, which often involves the need to transfer personal data. Therefore, where necessary, we provide Customers’ personal data to cooperating entities that perform services for the Organizer (e.g. payment service providers, subcontractors of tourist services, the hosting provider, or the insurance company). In addition, based on legal provisions or a decision of an authority, the Organizer may be obliged to provide personal data to other entities, public or private.
For the purpose of performing the agreement concluded with the Organizer, it may happen that data will be transferred to a third country outside the EEA, where personal data may be protected to a lesser extent than within the EEA. The need to transfer such data may result from the destination of the tourist event.
In accordance with the GDPR, personal data will be stored/processed for the period necessary to achieve the specified purpose. After that period, personal data will be irreversibly deleted or destroyed. The specific data processing periods are as follows:
- for the purpose of concluding and performing an agreement for tourist services — for the duration of the agreement
- for the purpose of establishing, pursuing or defending claims — for 3 years or 6 years
- for the purpose of fulfilling obligations under tax law — for 5 years
- based on the Controller’s legitimate interests or for marketing purposes — until an effective objection is raised or the purpose of processing is achieved
Rights available to the Customer:
- the right to request access to and rectification of their personal data (Articles 15 and 16 of the Regulation),
- the right to data portability (Article 20 of the Regulation),
- the right to erasure of data in the cases specified in the Regulation (Article 17 of the Regulation)
- the right to restriction of processing (Article 18 of the Regulation).
- the right to object to the processing of personal data (Article 21 of the Regulation). If an objection is raised before the performance of the agreement or during its performance, it will result in the inability to perform some or all services under the agreement and may be treated as termination of the agreement.
- the right to withdraw consent, where processing is based on consent (Article 6(1)(a) of the Regulation). In such case, please send us an e-mail to: biuro@wedrowiec.krakow.pl
- the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the provisions of the Regulation