With reference to art. 13 (1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), we hereby inform of the principles of processing of your personal data and your associated rights. These principles are to come into effect starting May 25th, 2018.
I. CONTROLLER
The Controller of personal data is Polish Travel Quo Vadis Sp. z o.o. with a registered office in Warsaw, ul. Ptasia 2, 00-138 Warsaw, entered in the Register of entrepreneurs of the National Court Register by the District Court for the capital city of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under the number KRS 0000148731; NIP 526-021-13-86; share capital PLN 252.000 (hereinafter referred to as “the Controller”).
II. THE OBJECTIVE AND LEGAL BASIS OF DATA PROCESSING.
The Controller shall process your personal data for the purpose of;
- Commencement, on your demand, of activities aimed at conclusion of an agreement with the Controller or performance of an agreement with the Controller (art. 6 (1) b GDPR) within the scope of services rendered by the Controller, such as: booking and sale of airline, railway, bus and ferry tickets, booking of accommodation, car rental, travel insurance, sale of trips, organization of MICE (meetings, incentives, conferences, events), complex organization of business trips.
- Moreover, under certain circumstances, it may turn out to be necessary to process your data due to the legitimate interests of the Controller (art. 6(1) f GDPR), in particular, for the following purposes:
- marketing of products and services of the Controller,
- in association with monitoring and improvement of quality of services rendered and products offered by the Controller, including monitoring of phone calls and meetings, analysis of your satisfaction with services rendered,
- in association of sales of receivables of the Controller payable by you and claims of the Controller,
- engaging in disputes, as well as proceedings before public authorities and other proceedings, including making of claims and defense against claims,
- In other cases, your personal data shall be processed solely on the basis of a previous consent, within the scope and for the purpose specified in such content.
III. THE OBLIGATION TO PROVIDE PERSONAL DATA.
- Disclosure of your personal data is voluntary, but necessary for performance of the agreement or undertaking of tasks on demand of the data subject prior to conclusion of the agreement with the Controller, is due to performance of obligations specified by legal provisions in force or is necessary for achievement of the purposes based on legitimate interests of the Controller.
- Non-disclosure of all of your required personal data shall make it impossible to conclude the agreement, preventing the Controller from rendering services on your behalf.
- To the extent, in which data is collected on the basis of your consent, disclosure of your personal data is voluntary.
IV. THE TYPE OF DATA PROCESSED.
- The personal data provided, in particular, your first name, surname, address, e-mail address, phone number, are processed to the extent necessary to commence, shape the content, amend, terminate and properly perform the services rendered by the Controller and to complete the orders placed.
- Under special circumstances, other additional data may be required, such as birth date or age, identity card number or other data necessary for the proper performance and quality of services rendered by the Controller and for completion of orders placed.
V. INFORMATION CONCERNING DATA SUBJECTS
In association with processing of your personal data for the purposes indicated in clause II, personal data may be made available to the following recipients or categories of recipients:
- 1. Entities participating in processes necessary for performance of agreements concluded with you, including:
- hotels or accommodation facilities, in the case of booking of accommodation,
- airlines, IATA (International Air Transport Association) and GDS (global distribution system) booking systems, such as Amadeus and Travelport, in the case of booking of airline tickets,
- railway and ferry operators in the case of booking of railway and ferry tickets,
- insurance companies in the case of purchase of tourist insurance policies,
- transport companies in the case of car rental or transfer booking,
- embassies in the case of visa arrangement services,
- travel guides and tour managers,
- other partners providing tourist services on the basis of the agreement concluded, including booking systems and tourism organizers and agents, cooperating with the Controller,
- entities that support the Controller in their business processes, including entities processing personal data on behalf of the Controller (the so-called processors) and partners of the Controller,
- public authorities and entities performing public tasks or working on the basis of orders of public authorities, to the extent and for the purposes based on legal provisions in force.
VI. THE PERIOD OF PROCESSING OF PERSONAL DATA
- The period of processing of your personal data depends on the purpose of data processing. The period of storage of your personal data is calculated on the basis of the following criteria:
- the legal provisions, which obligate the Controller to process data for a specific time period, v
- the period of rendering of services,
- the period necessary to defend the interests of the Controller,
- in the case of your consent for processing of data for marketing purposes, or after termination or expiry of the agreement, until the time of withdrawal of such consent.
VII. PROFILING AND AUTOMATED DECISION-MAKING
The Controller hereby declares that in their activity, they do not use automated data processing and profiling.
VIII. THE RIGHTS OF THE DATA SUBJECT
The Controller informs that all persons, whose personal data are processed, are entitled to specific rights based on GDPR. Therefore, you are entitled to the following rights:
- The right of access to personal data, including the right to obtain a copy of this data,
- The right to demand rectification of personal data, if such data is inaccurate or incomplete,
- The right to demand erasure of personal data (the so-called “right to be forgotten”) in the case when:
- the data is no longer necessary for the purpose, for which it was collected or otherwise processed,
- the data subject has objected against processing of data,
- the data subject has withdrawn their consent, serving as a basis for processing, and no other legal basis for processing of data exists,
- the data is being processed illegally,
- the data must be erased in order to meet the obligation based on legal provisions;
- The right to demand limitation of processing of personal data, if:
- the data subject has questioned the accuracy of personal data,
- processing of data is illegal, and the data subject has objected against erasure of data, demanding a limitation instead,
- the Controller no longer needs the data for their purposes, but the data subject needs this data for the establishment, exercise or defense of legal claims,
- the data subject has objected against processing of data, until it has been determined whether the legal basis, to which the Controller refers, is superior to the basis for the objection,
- The right to object against processing of personal data, including profiling, when:
- there are reasons associated with your special circumstances and
- processing of data is based on necessity resulting from a legitimate interest of the Controller, referred to in clause II above.
- The right to withdraw the consent for processing of personal data to the extent, in which such consent for processing of personal data has been granted. Withdrawal of the consent shall be of no effect upon legality of processing of data on the basis of the consent prior to its withdrawal.
- The right to submit a complaint to the appropriate supervision authorities in the case of finding that processing of personal data by the Controller violates the provisions of GDPR.
IX. TRANSFER OF PERSONAL DATA TO ENTITIES OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA) OR TO INTERNATIONAL ORGANIZATIONS
The Controller, in justified cases, which are necessary due to the circumstances, may make your personal data available to entities located outside the EEA (USA, Singapore, India, China, Hong Kong and Canada), including: hotels, airlines, car rental companies, booking systems and international organizations, such as IATA (International Air Transport Association), GDS ( global distribution system), OTA ( online travel agent ), as well as other entities located outside the EEA or international organizations, to which such transfer is necessary for the purpose of performance of the Agreement (e.g. execution of your instructions associated with the agreement in the case of organization of a trip outside the EEA). In principle, transfer of data outside the EEA shall take place on the basis of standard contractual clauses, concluded with the recipient, which have been developed by the European Commission and ensure the highest applicable standards of protection of personal data, available on the market. You have the right to receive copies of this data through the agency of the Controller.