Infotext to Customers of CPI Hotels Poland Sp. z o.o. on the Processing of Personal Data
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – the “GDPR”), this document provides key information on your personal data that is processed by CPI Hotels Poland Sp. z o.o., with its registered office at Kościelna 12, 00-218 Warszawa, registered in the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division under number KRS: 0000503549, NIP: 7010418265, REGON: 147162409, share capital: PLN 50,000.00 (“CPI Hotels“ or “we“). CPI Hotels is the controller of your data.
CPI Hotels is represented in the market by the brand Mamaison Hotels & Residences.
- Which data do we process?
A) Customer data
On the basis of your booking information (or information for stays without a booking), we process the following personal data:
- identification and contact details (full name, permanent address, identity card number or other document number and, where applicable, email address and telephone number);
- For natural persons registered as a business: business registration status, registered address, Identification Number, Tax Identification Number, VAT payer information.
- For business trips of persons not registered as a business: information on the organization that arranged or paid the booking, as well as full name, telephone number and email address of the person for whom the reservation is made;
- Information on the purpose of your stay, or note that you are not subject to charges for a spa or leisure stay;
- Loyalty programme membership information;
- Information on your stay, services used and method of payment for services provided (for cashless payments, we process your bank account number or payment card details);
- For foreign nationals: date of birth, nationality, travel document number, visa number and permanent overseas address, in addition to the data above;
- For guests using our hotel car park: license plate number.
B) Image of guests on photographs from organised events
We take a reasonable volume of photographs (event shots) at our organised events and selected photos are subsequently published on our website for the promotional purposes of CPI Hotels. The main purpose is not to obtain pictures of the guests at each event, but rather to capture the general atmosphere at each event. We do not publish close-ups and do not add descriptions of the persons in attendance at each event.
Events are marked with a camera pictogram to advise guests in advance that photographs will be taken and our photographers are visibly distinguishable. In addition, photographs are only taken in the main event areas and visitors can always stay in areas where photographs are not taken. If you have any queries or would like clarification on the taking of photographs, please contact us via the contact details mentioned below.
C) Data obtained during a visit on our website (IP address, log data, statistical data, browser information, as well as other technical information).
D) Data obtained in connection with use of the wireless network (wi-fi) service in our facilities.
- On what basis and for what purpose do we process your personal information?
A) Processing necessary to comply with legal obligations
It is necessary to provide and process all of the above-mentioned personal data, save for email address, telephone number, image and loyalty programme membership information, so that we can comply with our legal obligations, in particular our obligations under the Act on Local Taxes, the Act on the Register of Population, as well as accounting and tax regulations (Art. 6(1)(c) GDPR).
B) Processing necessary for performance of contract
It is necessary to process your identification data (i.e. name, address of residence, ID card or document number), information on your stay and the services provided and the amount and method of payment so that we can perform the contract relating to your stay; this involves arranging orders and bookings, and entering into and performing contracts concerning the accommodation, as well as other services provided during your stay at CPI Hotels, including catering and related services (Art. 6(1)(b) GDPR).
C) Consequences of failing to provide data
Failure to provide the data mentioned above means that we cannot provide you with our accommodation services. We do not require your personal information to provide board and other services (with the exception indicated in point B) above, i.e. if these services are provided during your stay at CPI Hotels) and therefore we do not obtain or process your personal data for this purpose.
D) Processing necessary for our legitimate interests
We process your full name, email address and information on your stay on the basis of our legitimate interest in direct marketing activities, the sole purpose of which is to send you marketing and commercial correspondence in terms of news and sales.
We also process the above personal data to send satisfaction surveys at the end of your stay at our hotels to assess how far you are satisfied with our services and to continually improve the quality of the service we provide you with (Art. 6(1)(f) GDPR).
To assure security of property, security of our guests and security of information, on the basis of our legitimate interest, we also process CCTV footage (Art. 6(1)(f) GDPR).
Our guests do not doubt our services provided at our hotels. If such a case occurred, we would be forced to process data regarding the services that we provide insofar as this is necessary for exercising or defending legal claims in case of a dispute. Similarly, we would also be forced to process all necessary data in the event of failure to pay for our services or any damage caused to us (Art. 6(1)(f) GDPR).
E) Processing on the basis of consent
We process your IP address, as well as the technical information received during your visit to our website on the basis of your consent or on the permission settings on your browser – see separate infotext available at www.cpihotels.com/cookies.
We offer wi-fi services to our customers, who can choose between a paid connection option and a free connection option. When you choose a free connection, you are informed in advance that by accessing the free connection you agree that CPI Hotels will use your e-mail address only for the purposes of sending marketing communications that inform you of news, sales, etc.
You can opt out of receiving any further marketing communications at any time.
F) Processing of your data by automated means
We never perform automated decision making or otherwise process your personal data by any automated means that could produce legal effects for you or substantially affect you in any other way.
- Source of personal data
We obtain all of the above information from you directly as part of contract negotiations and through the provision of accommodation and board services.
Where another person has booked our services on your behalf (for business trips, this is usually an employer), we obtain your basic identification and contact details (including your full name and telephone number or email address) from that person directly.
Where your booking is made through a bookings site, your basic identification and contact details (including your full name and telephone number or email address) are passed to us by that booking site.
- How long do we process your personal data?
We process your personal data for the duration of your stay at our hotel. Once your stay is over, we will only process the following:
- Data that we are under obligation to process by law, for the length of time required by law only (e.g. the accounting and tax documents we issue to you will also contain certain personal data regarding you (full name, type of service provided, document issue date). We retain these documents for the sole purpose of fulfilling the obligations established in the relevant accounting and tax legislation, for the period set out in those regulations only.
- Your full name, email address and information about your stay, for the direct marketing purposes of CPI Hotels (e.g. to send communications on news and sales of our services, etc.) and to send satisfaction surveys. The data we process to send satisfaction surveys is only processed until surveys have been evaluated (a maximum of 1 month after the end of your stay). We will process your information mentioned above for direct marketing purposes until we are notified by you that you object to this processing.
- Data necessary for the purposes of exercising and defending legal claims. We will only process these data until a final decision has been made in the dispute and the obligations arising from the decisions have been fulfilled, or for the time in which a dispute regarding services provided could arise under applicable law.
- CCTV footage. In order to assure security of property, security of our guests and security of information we will process such data for the period of 3 months from the date when a given recording is made, unless video recordings are evidence in a proceeding conducted in accordance with the law or if CPI Hotels has been informed that they may constitute evidence in a proceeding, in which case the recordings storage period is extended until the final completion of the proceeding.
Once this period has expired, we will erase or destroy your personal data both in paper and electronic form.
- To whom do we transfer or disclose your personal data?
A) Transfer to third parties
We do not transfer or disclose your personal data to any third parties save for public authorities in relation to which we have a statutory disclosure obligation (in particular under the Act on Local Taxes, the Act on the Register of Population, as well as accounting and tax regulations).
Your personal data may be disclosed to data processors which provide certain support services (e.g. sending marketing materials, improving communication and offer segmentation, providing online hotel bookings and processing cookies, IT services, accounting services, legal and assistance services, CCTV services). This work is always carried out exclusively for our company based on our own guidelines. In selecting each processor, we take care as to their credibility and quality of service, as well as the security of personal data processed. Processing may only be performed within the framework of written contract between CPI Hotels and a processor that commits the processor to the same degree of personal data protection as is provided by CPI Hotels. At your request, we will inform you of all processors that we currently work with.
C) Transfer abroad
Our processors have their headquarters and process personal data in Poland or in another EU country. We do use processors in the territory of the USA, albeit only for sending and evaluating satisfaction surveys and for some booking systems. These are always renowned companies that belong to international hotel, booking or similar networks that provide services to hotels on a global scale.
In Commission Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, the European Commission, together with the governing bodies of the United States of America, defined the “Privacy Shield” system as a special tool to ensure an adequate level of protection for personal data transferred to recipients in the United States of America. On the basis of this decision, U.S. companies that have committed to comply with the Privacy Shield Principles are adjudged to ensure an adequate level of protection for personal data. The above-mentioned U.S. processors have committed to comply with the Privacy Shield Principles. For more information, visit the programme’s official site at https://www.privacyshield.gov. The Privacy Shield Programme remains valid following the entry into force of the GDPR.
We do not transfer personal data outside of the EU in any other cases.
- How does CPI Hotels guarantee data privacy?
All persons coming into contact with personal data at our end are duty-bound to maintain confidentiality over the personal data processed and over the security measures used for their protection. This obligation will continue even if their legal contract with CPI Hotels or the processor is terminated.
- Your statutory rights
In accordance with the legislation in force as regards personal data protection, you have the following rights:
- the right to access your personal data that we process, including the right to obtain the following information from CPI Hotels:
- confirmation as to whether CPI Hotels processes your personal data;
- access to these personal data;
- information on the purposes of the processing;
- the categories of personal data processed;
- information on the recipients or potential recipients to whom your personal data will be disclosed;
- planned storage period and the criteria for establishing such period;
- the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data and the right to object to such processing;
- the right to file a complaint with the supervisory authority;
- where the personal data are not collected from the data subject (from you), all available information as to their source;
- information on automated decision making, including profiling;
- the appropriate safeguards when transferring personal data outside the EU;
- a copy of personal data, where these do not adversely affect the rights and freedoms of others.
- the right to correct your personal data if it is in any way incorrect, inaccurate or incomplete; CPI Hotels will correct your data within its technical capabilities without undue delay;
- the right to request the erasure of your personal data where provided for by the GDPR – e.g. if you have withdrawn your consent or objected to processing, if the personal data is processed unlawfully or where the personal data are no longer necessary in relation to the purposes for which they were processed. In such an event, you may request the erasure of your personal data. However, this option does not apply if the processing is necessary to fulfil legal obligations and under certain other cases provided for by the GDPR;
- the right to request the restriction of the processing of your personal data where provided for by the GDPR – e.g. where you contest the accuracy of the personal data, object to the processing, etc.;
- the right to the portability of the data you have provided to us, which we process by automated means on the basis of your consent, or to perform a contract with you or to implement pre-contractual measures at your request. In such cases, we will allow you to obtain your personal data in a structured, commonly used and machine-readable format or, if technically feasible, we will transmit them directly to the new controller determined by you;
- the right to object to the processing of your personal data, where such processing is necessary for the purposes of legitimate interests or for the purpose of a task carried out in the public interest or in the exercise of an official authority vested in the controller. If we do not demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, then we shall no longer process your personal data. If you object against processing of your personal data for the purposes of direct marketing, it will not longer be possible to process your data for such purposes.
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except for cases expressly stated in the GDPR;
- where you feel that the processing of your personal data has been breached under the GDPR, you have the right to file a complaint with the supervisory authority, which in Poland is the President of the Office for Personal Data Protection (in Polish: Prezes Urzędu Ochrony Danych Osobowych), which has its registered office at ul. Stawki 2, 00-193 Warszawa.
- Our contact details
If you have any queries or questions as regards the processing of your personal data, please write to us at any time at CPI Hotels Poland Sp. z o.o., Kościelna 12, 00-218 Warszawa, or email our data coordinator at firstname.lastname@example.org. Alternatively, you can fill out our contact form at www.cpihotels.com.