Privacy and Cookies Policy
This Privacy and Cookies Policy sets out the rules for processing the personal data of Guests and Users of the Villa Gdynia Website, and the rules for using cookies, in accordance with the GDPR and the Polish Act on the Provision of Electronic Services.
1. Data Controller and definitions
The controller of the personal data of Guests/Users of the Website is: LA RIVA BEATA GAWINEK, VAT ID (NIP) 586-133-53-02, tel. +48 517 449 195. The Data Controller can be contacted: • by post: ul. Mikołaja Kopernika 57, 81-411 Gdynia, Poland, • by e-mail: recepcja@villagdynia.pl. User of the Website – a natural person visiting the page(s) presenting the Offer and enabling the conclusion of an accommodation rental agreement, or using the services or functionalities described in this Privacy and Cookies Policy. Service Provider – Beata Gawinek, La Riva Beata Gawinek, VAT ID (NIP) 586-133-53-02, ul. Mikołaja Kopernika 57, 81-411 Gdynia, Poland. Offer – the accommodation offered by the Service Provider for the purpose of concluding an accommodation rental agreement via the Website. Guest – a natural person with full legal capacity, a legal entity, or an organizational unit referred to in Article 33¹ of the Polish Civil Code, entering into an accommodation rental agreement with the Service Provider. Website – the online presentation of the Service Provider's Offer, enabling the conclusion of an accommodation rental agreement online. Newsletter – information, including commercial information within the meaning of the Polish Act of 18 July 2002 on the Provision of Electronic Services, sent by the Service Provider to the Guest/User electronically; receiving it is voluntary and requires the Guest's/User's consent. Account – a set of data stored on the Website and in the Service Provider's IT system relating to a given Guest/User and the reservations and agreements made by them, which the Guest/User can use to place orders and conclude agreements. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. Purposes, legal bases, and retention periods
In order to perform a distance accommodation rental agreement, the Service Provider processes: • information about the User's device, to ensure the services function correctly: the computer's IP address, information contained in cookies or other similar technologies, session data, web browser data, device data, and data on activity on the website, including on individual subpages; • geolocation information, if the Guest/User has consented to the Service Provider accessing their geolocation – used to provide more tailored product and service offers; • Users' personal data: first name, last name, registered address, correspondence address, e-mail address, phone number, VAT ID, bank account number, or other personal data whose provision is necessary to complete a reservation and which the Controller requires during the booking process. This information does not itself reveal the Guests'/Users' identity, but combined with other information it may constitute personal data, and the Controller therefore affords it the full protection provided for under the GDPR. This data is processed in accordance with Article 6(1)(b) GDPR, for the purpose of performing the service, i.e. the agreement for the provision of electronic services under the Terms & Conditions, and in accordance with Article 6(1)(a) GDPR, in connection with consent to the use of specific cookies or other similar technologies expressed through appropriate web browser settings in accordance with the Polish Telecommunications Law, or in connection with consent to geolocation. The data is processed until the Guest/User stops using the Website. The Controller undertakes to take all measures required under Article 32 GDPR – taking into account the state of the art, the cost of implementation, and the nature, scope, and purposes of processing, as well as the risk of varying likelihood and severity to the rights or freedoms of natural persons – implementing appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
3. The Controller's marketing activities
The Data Controller may publish marketing information about its products or services on the Website. This content is displayed in accordance with Article 6(1)(f) GDPR, i.e. in accordance with the Controller's legitimate interest in publishing content related to the services it provides and promotional content for campaigns in which it is involved. This does not infringe the rights and freedoms of Guests/Users — Guests/Users expect to receive content of a similar nature, and in some cases this is precisely the purpose of their visit to the Website.
4. Recipients of Users' data
The Data Controller discloses Users' personal data only to processors, under data processing agreements concluded with them, for the purpose of providing services to the Controller, e.g. hosting and operation of the Website, IT services, and marketing and PR services.
5. Transfer of personal data to third countries
Personal data is not transferred to third countries.
6. Rights of data subjects
Every data subject has the right: • of access (Article 15 GDPR) – to obtain confirmation from the Controller as to whether their personal data is being processed, and if so, to access it and to information about the purposes of processing, the categories of data, the recipients or categories of recipients, the retention period or the criteria for determining it, and the right to request rectification, erasure, or restriction of processing, and to object to such processing; • to obtain a copy of the data (Article 15(3) GDPR) – the first copy is free of charge; the Controller may charge a reasonable fee, based on administrative costs, for further copies; • to rectification (Article 16 GDPR) – to request the rectification of personal data that is inaccurate, or the completion of incomplete data; • to erasure (Article 17 GDPR) – to request erasure of personal data where the Controller no longer has a legal basis for processing it, or the data is no longer necessary for the purposes of processing; • to restriction of processing (Article 18 GDPR) – where the data subject contests the accuracy of the data, the processing is unlawful, the Controller no longer needs the data, or the data subject has objected to processing — pending resolution of the relevant matter; • to data portability (Article 20 GDPR) – to receive, in a structured, commonly used, machine-readable format, the personal data they provided to the Controller, and to request that it be transmitted to another controller, where processing is based on consent or on a contract and is carried out by automated means; • to object (Article 21 GDPR) – to object to the processing of their data for the Controller's legitimate purposes, including profiling — the Controller will then assess whether there are compelling legitimate grounds for continued processing; • to withdraw consent at any time, without giving a reason — withdrawing consent does not affect the lawfulness of processing carried out before its withdrawal. To exercise the above rights, please contact the Data Controller using the contact details given in the "Data Controller and definitions" section, indicating which right, and to what extent, you wish to exercise.
7. Right to lodge a complaint
Every data subject has the right to lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), based in Warsaw at ul. Stawki 2, 00-193 Warsaw. The President of the UODO can be contacted: • by post: ul. Stawki 2, 00-193 Warsaw, Poland; • via the electronic submission box available at: https://www.uodo.gov.pl/pl/p/kontakt; • by phone: 606-950-000.
8. Data Protection Officer
A data subject may also contact the Controller's Data Protection Officer directly by e-mail or in writing, at the Controller's address given in the "Data Controller and definitions" section.
9. Changes to the Privacy Policy
This Privacy and Cookies Policy may be supplemented or updated in line with the Controller's ongoing needs, in order to provide Guests/Users with current and accurate information.
10. Cookies
The Website gathers information about Guests/Users and their behavior in the following ways: • through information voluntarily entered into forms, for purposes arising from the function of the specific form; • by storing cookie files ("cookies") on end devices; • by collecting web server logs through the Website's hosting provider (necessary for the Website to function correctly). Cookies are IT data, in particular text files, stored on the Guest's/User's end device and intended for use with the Website. Cookies usually contain the name of the website they come from, their storage time on the end device, and a unique number. The Website only uses cookies after the Guest/User has given prior consent. Consent to the Website's use of all cookies is given by clicking the "I agree, take me to the site" button on the cookie notice, or by closing that notice. Consent may cover only selected cookies — in that case, the "Cookie settings" option, available on the cookie notice, should be used. Disabling cookies necessary for authentication, security, or maintaining the Guest's/User's preferences may make it difficult, or in extreme cases impossible, to use the Website. If the Guest/User does not consent to the Website's use of cookies, they may use the "I do not consent" option, also available on the cookie notice, or change their web browser settings (which may cause the Website to function incorrectly). Cookie settings can be managed from within the settings of the browser being used (e.g. Internet Explorer, Chrome, Safari, Firefox, Opera) or the mobile device's operating system (Android, iOS, Windows Phone) — detailed instructions can be found in the help documentation for the relevant browser or system. The legal basis for processing personal data obtained from cookies is the Controller's legitimate interest in ensuring the high quality and security of its services. The Website uses two main types of cookies: "session" cookies and "persistent" cookies. Session cookies are temporary files stored on the end device until logout, leaving the Website, or closing the web browser. Persistent cookies are stored for the period specified in the cookie's parameters, or until deleted by the Guest/User. Cookies are used for the following purposes: • generating statistics that help understand how Guests/Users use the Website's pages, enabling improvements to their structure and content; • maintaining the Guest's/User's session (once logged in), so that they do not have to re-enter their login and password on every subpage; • determining the Guest's/User's profile in order to display product recommendations and tailored content within advertising networks, in particular the Google network. Limiting the use of cookies may affect some of the functionality available on the Website's pages. Cookies placed on the Guest's/User's end device may also be used by advertisers and partners cooperating with the Website, including advertising networks (in particular the Google network), to display advertisements tailored to how the Website is used. For this purpose, they may retain information about the Guest's/User's navigation path or the time spent on a given page. The rules for using cookies in statistics are described in the Google Analytics privacy policy. Information about preferences collected by the Google advertising network can be viewed and edited using the tool available at ads.google.com/preferences. The Website's pages contain plugins that may transmit Guests'/Users' data to controllers such as Facebook or Google. In order to properly perform a distance accommodation rental agreement, the Controller may share Guests'/Users' data with the online payment systems handling deposits on the Website.
11. Newsletter
The Guest/User may consent to receiving commercial information electronically by selecting the relevant option in the registration form, or at a later time, in the relevant section. Where such consent is given, the Guest/User will receive the Website's Newsletter, as well as other commercial information sent by the Service Provider, at the e-mail address they provided. The Guest/User may unsubscribe from the Newsletter at any time — on their own, by unchecking the relevant box on their Account page, by clicking the relevant link contained in every Newsletter, or via Customer Service.
12. Account
The Guest/User may not post on the Website, or provide to the Service Provider, content — including reviews and other data — of an unlawful nature. The Guest/User gains access to an Account after registering. During registration, the Guest/User provides the account type, first name, last name, company name, VAT ID, the details needed to issue a sales document, an e-mail address, and chooses a password. The Guest/User warrants that the data provided in the registration form is accurate. Registration requires reading the Terms & Conditions and confirming, in the registration form, that they have been accepted. At the moment Account access is granted, an agreement for the provision of electronic services relating to the Account is concluded between the Service Provider and the Guest/User for an indefinite period. Registering an Account on one of the Website's pages also registers access to the other pages on which the Website is available. The Guest/User may terminate the agreement for the provision of electronic services at any time, with immediate effect, by notifying the Service Provider by e-mail or in writing at the Data Controller's address. The Service Provider has the right to terminate the agreement for the provision of services relating to the Account if it ceases to provide, or transfers to a third party, the Website service, if the Guest/User violates the law or the Terms & Conditions, or in the event of the Guest's/User's inactivity for a period of 6 months. Termination takes effect subject to a seven-day notice period. The Service Provider may stipulate that re-registering an Account will require its permission.