top of page

+48 12 619 00  00 | bc@hik.krakow.pl

Holiday Inn Krakow City Centre
PRIVACY POLICY

Privacy Policy

Undertaking to protect the data and privacy of persons

The protection of the personal data and privacy of Our Guests, Trading Partners and website Users is of vital importance to the HOTEL due to the nature of the services we provide.

For the purposes of this Privacy Policy, a Guest or User will mean a former, current and potential Guest or User of a product or service offered by the HOTEL, visiting the website https://hik.krakow.pl.

The Rules

We use personal data in a lawful, fair, appropriate and transparent manner.
We only collect as many personal data as necessary – and always for lawful purposes.
We only store the necessary quantity of data – for no longer than required.
We protect personal data using appropriate security measures.

TABLE OF CONTENTS:

  1. GENERAL PROVISIONS

  2. THE PURPOSE, BASIS AND DURATION OF PROCESSING

  3. THE RECIPIENTS OF THE DATA

  4. THE RIGHTS OF THE DATA SUBJECT

  5. SOCIAL MEDIA

  6. COOKIES AND ANALYTICS

  7. FINAL PROVISIONS

1. GENERAL PROVISIONS

1. 1. This Privacy Policy is for information purposes only, which means that it does not create any obligations for the Service Recipients, Guests, Trading Partners, or Visitors. The Privacy Policy primarily contains rules concerning the processing of personal data by the Controller, including the bases, purposes and scope of personal data processing and the rights of the data subjects.

1.2. The Controller of personal data collected via: https://hik.krakow.pl, Social Media and directly from Guests visiting our Hotel is: GEMO Sp. z o.o. with its registered office in Krakow, Wielopole 4, 31-072 Krakow, hereinafter referred to as the Hotel.

 

Hereinafter referred to as the “Controller” or ”HOTEL”

  • postal address: ul. Wielopole 4, 31-072 Krakow,

  • phone (+48.6190000)

1.3. We have appointed a Data Protection Officer, Dorota Gross, who can be contacted regarding the protection of your data and the handling of related matters by email: dpo[at]hik.krakow.pl, in writing to the address of our registered office as indicated in clause 1.2.

1.4. The use of the Controller's Websites is voluntary. The same applies to the provision of data necessary for the conclusion of Contracts, including contracts for the supply of services within the scope of the Controller's business. The provision of personal data in this case is a contractual requirement and if the data subject wishes to conclude a given contract with the Controller, he/she is obliged to provide the required data. Generally applicable laws impose an obligation on the Controller to process personal data (e.g. to process data for the purpose of maintaining tax or accounting records), and failure to provide such data will prevent the Controller from fulfilling those obligations.

1.5. The Controller takes special care to protect the interests of the persons whose personal data it processes, and in particular is responsible for ensuring, and ensures, that the data it collects are: (1) processed lawfully; (2) collected for specified, legitimate purposes and are not further processed in a way that is incompatible with those purposes; (3) accurate and relevant to the purposes for which they are processed; (4) kept in a form that permits identification of the data subjects and for no longer than is necessary to achieve the purpose of the processing; and (5) processed in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and

accidental loss, destruction or damage, by appropriate technical or organisational means.

1.6. Having regard to the nature, scope, context and purposes of the processing and the risk of interference with the rights or freedoms of natural persons of varying probability and seriousness, the Controller implements appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller applies technical measures to prevent the acquisition and modification by unauthorised persons of personal data transmitted electronically.

2. THE PURPOSE, BASIS AND DURATION OF PROCESSING

2. 1. Activities relating to personal data processing:

  • registration and service of guests,

  • management of systems and services,

  • data verification,

  • pursuance of claims in respect of the Controller’s business activities,

  • preservation of information in case of legal necessity to prove the facts,

  • fulfilment of tax obligations, including the bookkeeping obligation,

  • provision of marketing services,

  • ensuring the highest quality of the provided services, conducting video surveillance.

2.2. In each case, the purpose, basis, duration and scope of processing and the recipients of the personal data processed by the HOTEL result from the actions taken by you in relation to the services or activities listed below.

Purpose of data processing:

GUEST REGISTRATION

Basis of processing and data retention period: 

Art. 6(1)(b) OF THE GDPR - CONTRACT/ACCEPTANCE OF HOTEL RULES AND REGULATIONS on the basis of the Civil Code.
Data are stored for a period of 6 years. 

Activities aiming to identify and register the Guest in order to provide the service.

Maximum scope of data processing: 

HOTEL REGISTRATION CARD:

Forename, surname, residential address, telephone number, email address.

 

Purpose of data processing:

PROVISION OF SERVICES

Basis of processing and data retention period: 

Art. 6(1)(b) OF THE GDPR - CONTRACT on the basis of the Civil Code.
Data are stored for a period of 6 years.

Activities aiming to ensure the performance of the contract or taking of actions prior to the conclusion of the contract.

Maximum scope of data processing:  

CONTRACT/PURCHASE ORDER:

Forename and surname or name of the Trading Partner, address, contact details.

Purpose of data processing:

BILLING FOR SERVICES

Basis of processing and data retention period: 

Art. 6(1)(c) OF THE GDPR -  LEGAL OBLIGATION on the basis of the Accounting Act.

Data are stored for a period of 6 years.

Activities relating to billing for the provided services.

Maximum scope of data processing: 

INVOICES AND BILLS:

Forename and surname, address, company name/registered office, Tax Identification Number (NIP), value and date of service.

Purpose of data processing:

MARKETING

Basis of processing and data retention period: 

Art. 6(1)(f) - LEGITIMATE INTEREST
Data are stored for up to 6 years or as long as the Controller's legitimate interest exists in connection with marketing activities.

Maximum scope of data processing: 

MAIL: IP address, forename and surname, telephone number, email address.

Purpose of data processing:

PURSUANCE OF RIGHTS

Basis of processing and data retention period: 

Art. 6(1)(f) OF THE GDPR - LEGITIMATE INTEREST
Data are stored until the rights or claims relating to the performance of the services expire.

Maximum scope of data processing: 

DOCUMENTATION: Data necessary for the proceedings

Purpose of data processing:

OPINIONS OF THE GUESTS

Basis of processing and data retention period: 

Art. 6(1)(f) OF THE GDPR - LEGITIMATE INTEREST

Data are stored for up to 30 days or until an objection is made to the processing of those data.

The satisfaction survey is conducted on the basis of the consent given, on the hotel registration card, where the Provision of Services by Electronic Means Act of 18 July 2002 serves as the legal basis, in connection with the tasks carried out and the legitimate interests of the Hotel.

Maximum scope of data processing: 

SURVEY: Forename and surname, telephone number, email address

Purpose of data processing:

VIDEO SURVEILLANCE

Basis of processing and data retention period: 

Art. 6(1)(f) OF THE GDPR - LEGITIMATE INTEREST
Video surveillance data are stored for a maximum of 10 days.

The video surveillance covers the hotel premises in order to protect the persons and property therein.

Maximum scope of data processing: 

IMAGE RECORDING: Data from video surveillance on the premises of the HOTEL.

Purpose of data processing:

CORRESPONDENCE

Basis of processing and data retention period:  

Art. 6(1)(f) OF THE GDPR - LEGITIMATE INTEREST

Maximum scope of data processing: 

MAIL, LIST:

Identification data, forename and surname, postal address, email address, IP address, data from correspondence.

  • The data are permanently deleted or anonymised after the end of the aforementioned periods.

2.3 Legislation:

Personal data are processed by the Controller in accordance with the applicable laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as the “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

 

  • The Hotel Services and Services of Tour Managers and Tourist Guides Act of 29 August 1997;

  • The Provision of Services by Electronic Means Act of 18 July 2002;

  • The Accounting Act of 29 September 1994;

  • The Civil Code Act of 23 April 1964;

  • The Goods and Services Tax Act of 11 March 2004;

  • The Telecommunications Law Act of 16 July 2004;

  • The Consumer Rights Act of 30 May 2014;

  • The Personal Data Protection Act of 10 May 2018;

  • Hotel and car park rules and regulations; 

  • Regulation (EU)2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (GDPR).

3. THE RECIPIENTS OF THE DATA

3.1. The recipients of the data include entities acting for the Hotel on the basis of separate contracts:

  • the suppliers of technical/organisational solutions connected with the provision of services/management of the HOTEL (including the providers of ICT, courier/postal, and logistics services),

  • the providers of transport services as well as travel agencies and tour operators;

  • the providers of legal and advisory services;

  • HOWAZIT with its registered office at 42 Ben Yehuda St., Herzeliya, Israel 4680444, is the recipient of data relating to the Guests’ opinions and the satisfaction survey.

3.2. The recipients and separate Controllers of the Guests’ personal data are:

  • with respect to reservations: InterContinental Hotels Group. The PRIVACY STATEMENT is available here: https://www.ihg.com/content/pl/pl/customer-care/privacy_statement

  • with respect to leaving an opinion on the Hotel, Google LLC registered in Mountain View, California, who is a separate data controller, is also a recipient of the data.

  • entities entitled to receive data on the basis of law;

 

3.3. Personal data of the Guests will be transferred outside the European Economic Area.

Pursuant to Article 45 of Regulation 2016/679 on the Protection of Personal Data (GDPR), the European Commission assesses the level of protection of personal data during transfers to a third country taking into account, , the rule of law, respect for human rights in the third country, as well as the presence of an independent supervisory authority and international obligations, in particular in the field of personal data protection. If the European Commission considers that the level of protection is adequate, it may adopt a decision that data transfers to that country may take place without special authorisation.

On the basis of previous decisions, the European Commission has recognised an adequate level of protection for the following countries: Andorra, Argentina, Canada (commercial activities), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the United Kingdom. A decision adoption procedure for South Korea is also underway.

On 10 July 2023, the EC issued another adequacy decision, stating that the level of personal data protection provided by the US legislation is equivalent to that of the EU.

  • InterContinental Hotels Group is an international company that provides services worldwide. Details of data processing are described above in clause 3.

  • The entity that acts as a processor and provides services relating to the guest satisfaction survey, Howazit, is registered in Israel.

  • The entity and separate data controller used to collect opinions, Google LLC, is registered in the USA. Google is on the list of organisations participating in the DPF (Data Privacy Framework).

4. THE RIGHTS OF THE DATA SUBJECTS

 

4.1. The right to request from the Controller access to personal data, their rectification or erasure, or restriction of processing, the right to object to processing, the right to data portability, and the right to withdraw consent at any time.

4.2. The provision of personal data is obligatory on the basis of the law (Guest registration); the refusal to provide data may result in the refusal to provide the service. Otherwise, it is voluntary.

4.3. The right to lodge a complaint to a supervisory authority – the person whose data are processed by the Controller has the right to lodge a complaint to a supervisory authority in the manner and in accordance with the procedure set out in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The President of the Office for Personal Data Protection is the supervisory authority in Poland.

5. SOCIAL MEDIA

5.1. Information concerning the processing of personal data in the context of social media activities. In relation to the use of social media, the Controller hereby informs you that: 1) it processes personal data, in particular when a Visitor comments on or shares the Controller’s post, 2) sends a message to the Controller, 3) posts a review or becomes a follower,

5.2. Personal data will be processed when it is necessary for the purposes arising from the Controller's legitimate interests, which are considered to include: 1) direct marketing; 2) conducting measurements, statistics and analyses (e.g. in order to adapt the content to the preferences and interests of all Users); 3) ensuring security, functionality and stability; 4) detecting abuse occurring during the use of the websites; 5) pursuing and defending against claims, defending against the liability of collective entities for criminal offences.

5.3. The Controller may process personal data for the purpose of carrying out marketing activities in accordance with the legitimate interest until an objection to the processing is made. The data are provided voluntarily each time in the form of an identifier, the content of comments or messages and photos of social media Users.

5.4. Personal data collected by Facebook, Messenger, Instagram (Meta), Tweeter, Linkedin, i.e. post history and activity history, are subject to retention in accordance with the terms and conditions of use of those portals. 

5.5. Data profiling.

Personal data may be subject to profiling with respect to the operation of the website, which will involve the automated analysis or prediction of a person's behaviour on the website. Details are described in the COOKIES AND ANALYTICS section.

6. COOKIES AND ANALYTICS

6.1. Cookies are small pieces of text information in the form of text files that are sent by a server and stored on the website visitor's side (e.g. on the hard drive of a computer or laptop or a smartphone memory card – depending on the device used by the person visiting our sites). Detailed information on Cookies as well as the history of their creation can be found, among other things, here: https://en.wikipedia.org/wiki/HTTP_cookie.

6.2. The Controller may process the data contained in Cookies when visitors use the websites for the following purposes:

  • To store data from the Contact Forms filled in by the visitors;

  • To adapt the content of the website to the individual preferences of the Service Recipient (e.g. as regards colours, font size, site layout) and to optimise the use of the websites;

  • To keep anonymous statistics showing how the websites are used.

6.3. By default, most web browsers available on the market accept the storing of Cookies. You can determine the conditions for the use of Cookies via the settings of your own browser. This means that you can, for instance, partially restrict (e.g. temporarily) or completely disable the storage of Cookies.

6.4. Detailed information on how to change the settings for Cookies and how to delete them yourself in the most popular web browsers is available in the help section of your browser and on the following pages (simply click on the link):

in the Chrome browser, in Firefox

in Internet Explorer

in Opera

in Safari

in Microsoft Edge

6.5. The Controller may use the services of Google Analytics, Universal Analytics, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Those services help the Controller to keep statistics and analyse website traffic. The data collected are processed by the above services in order to generate statistics that help administer the websites and analyse traffic. Those data are aggregated.

6.6. It is possible for a person to easily block the provision of information to Google Analytics about his/her activity on the website of the Online Shop – to that end you can, for example, install a browser add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=pl.

7. FINAL PROVISIONS

 

7.1. The http://hik.krakow.pl sites and the HOLIDAYINNKRAKOWCITYCENTER Fanpage may contain links to other websites. The Controller urges that when you go to other websites, you should read the privacy policy established there. This privacy policy applies only to the Controller's websites and the HOTEL's Fanpage.

7.2. Automated decision-making by the HOTEL, including profiling, is based on the principles of creating preferences of the Guests in order to adapt the services to their needs and to prepare the provided marketing content. The Controller hereby informs you that during profiling it does not make use of the data left in the hotel registration card.

7.3. However, the Guest always has the right not to be subject to such a decision and to request human intervention. To do so, please contact the Hotel.

7.4. Statement by the Controller

 

The HOTEL represents and warrants that the organisational and technical measures it applies to ensure the security of personal data processing comply with the requirements set out in the GDPR, in particular the provisions of Article 32 of the GDPR. 

In order to exercise your rights or obtain information relating to data protection, please send a message to: dpo[at]hik.krakow.pl

Detailed information will be available at the reception desk of the HOTEL

bottom of page