1. OUR OBJECTIVE:
1.1. The existing personal data protection regulations were amended as of 25 May 2018; the currently applicable data protection regulations are set out in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”).
2.2. All actions taken by the Controller are governed by laws generally applicable in Poland, including data protection regulations, in particular the General Data Protection Regulation “GDPR”.
2.3. The Controller ensures transparency of data processing with a focus on ensuring that data are collected only to the extent necessary for the identified purposes and processed only for the necessary period of time.
3. SECURITY MANAGEMENT:
3.1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons, the Controller applies appropriate technical and organisational measures ensuring protection of processed personal data adequate to the threats and to the categories of processed personal data, in particular protects data from unauthorised access, unauthorised removal, unlawful processing, alteration, loss, damage and destruction.
4. PERSONAL DATA CONTROLLER:
4.1. The personal data controller, i.e., the body which alone determines the purposes and means of the processing of personal data, is the Director of the Warsaw Tourist Office (Stołeczne Biuro Turystyki, SBT) established in Warsaw.
4.2. The Controller may be contacted as follows:
a) by mail at Pl. Defilad 1 (X piętro), 00-901 Warszawa;
b) by e-mail at: firstname.lastname@example.org
5. DATA PROTECTION OFFICER:
5.1. The Controller has appointed a Data Protection Controller who can be contacted as follows:
a) by e-mail: email@example.com;
b) by phone: 22 656 64 86.
6. RULES OF PROCESSING OF PERSONAL DATA COLLECTED DURING THE USER’S ACTIVITY ON THE TOURIST PORTAL:
6.1. what data are processed:
a) your device IP address, the URL address of the request, the domain name, the device identifier, the type of your browser, the language of your browser, the number of clicks, the period of time of your visit on the website, the date and time of use of the tourist portal, the type and version of your operating system, the resolution of your screen, data recorded in journal logs and other similar information;
b) collected information may constitute personal data and may be recorded in cookies or other technologies active when you use our portal. In general, our cookies and data in access logs are not used to identify the user knowingly;
6.2. sources of data and the purpose of the processing:
- cookies are small text files saved on the user’s computer or other mobile device when the user is active online;
- cookies are used to collect, among others, your IP address, the type of your operating system, the type of your browser;
- cookies are not a risk to your computer or smartphone, do not affect their functioning, do not alter the configuration of end devices or any software on end devices;
b) access logs:
the Controller collects information regarding the use of the portal by users by performing an analysis of access logs. Such information is collected for the purposes of administering the tourist portal, in particular to identify server issues, analyse security breaches and manage the portal. This source is used to collect the following data:
- the IP address of the computer sending the request;
- the time of the request;
- the first line of the http request;
- the http response status code;
- the number of bites sent by the server;
- the URL address of the website previously visited by the user (referrer link) if the portal has been accessed via a link;
- information regarding the user’s browser;
- information regarding errors in the execution of the http transaction;
- the IP address is collected for statistical purposes, i.e., to collect and analyse demographic statistics of tourist portal users (e.g., the region from which it has been accessed). Based on information so collected, in special cases, aggregate general statistical reports are generated, containing visitor statistics of our portal. Such reports do not contain data which would permit user identification (allow us to identify you).
6.3 tools used:
a) cookies are also used to generate anonymous visitor statistics of our portal users. For this purpose, the Controller uses third-party services. Our portal uses Google Analytics from Google Inc. (“Google”), USA. Information generated by cookies regarding your use of the portal/website (for a full description, visit https://policies.google.com/privacy?hl=en) is transferred to and saved on Google servers in the USA. Data collected for such purposes are used to:
- monitor traffic on our tourist portal;
- collect aggregate anonymous statistics which help us understand the way users use our portal and to improve its structure and content; social media plugins:
6.4. our portal uses social media plugins which redirect users in particular to social networks including Facebook, Twitter, Instagram, YouTube. You can use their functions to share or recommend content published on our portal. However, the use of such functions may have consequences as the social networks may access your data; in particular, social networks are informed that the user visits our tourist portal from a specific IP address or device ID. This can happen whether or not the user subscribes to the social network and whether or not the user is logged in the social network at such time;
6.5. legal basis of the processing:
a) the processing of your personal data is based on our legitimate interests (Article 6(1)(f) of the GDPR): facilitation of the use of electronic services and improvement of functionalities, and establishment, exercise, enforcement or defence of legal claims before courts and other public bodies
6.6. storage period:
a) your personal data will be stored for a period necessary to achieve the purposes defined in 6.2-6.3 and thereafter for a period of time and to the extent required by generally applicable legislation;
6.7. voluntary provision of data;
a) remember that you can manage cookies used by us and/or our third-party providers by changing the settings of your internet browser. The limitation of cookies on a device will render impossible or largely hinder the proper use of our Detailed information regarding cookies settings and deactivation in a browser is available from the browser vendor on its website;
b) you can stop the saving of data collected by means of cookies and data (including the IP address) collected in connection with the use of the website by Google and prevent the processing of such data by Google by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=en#_blank;
c) remember: when you are logged in a social network, the network may automatically add your visit on the portal to your user profile. This also happens when you share (like, recommend, etc.) any content on our website. If you log out of the social network for the duration of your visit on the portal, the social network will be unable to add the visit to your profile.
7. LINKS TO THIRD PARTY WEBSITES:
8. RULES OF THE PROCESSING OF PERSONAL DATA COLLECTED IN CONNECTION WITH A CONTRACT:
8.1. what data are processed:
a) in order to conclude a licence contract concerning the use of images and audiovisual materials published on our portal page https://warsawtour.pl/en/media-library/ with the download option (see the rules), you are not required to provide your personal data such as your full name, e-mail address or address details;
b) however, if you contact us during the performance of the contract, then the Controller will process personal data that you may provide during such contacts or in e-mail or postal communications or by phone (including your full name and e-mail address);
8.2. the purpose of the processing:
a) we will process your data for the purposes of the performance of the concluded licence contract, to handle your requests and questions, and to execute and defend legal claims, including claims of third parties;
8.3. legal basis of the processing:
a) the processing of your personal data is based on:
- a contract concluded between you and us – personal data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR);
- applicable legislation (Article 6(1)(c) of the GDPR) – processing is necessary for compliance with a legal obligation to which the Controller is subject;
- our legitimate interests (Article 6(1)(f) of the GDPR) – processing is necessary for the establishment, exercise, enforcement or defence of legal claims before courts are other public bodies;
8.4. storage period:
a) your personal data will be stored for the term of the licence contract subject to extension for a period of limitation of your or our claims if the processing is necessary for the establishment, exercise or defence of legal claims;
8.5. voluntary provision of data:
a) the provision of your personal data is voluntary but it is necessary for the exercise of the rights and obligations under the concluded licence contract including for communicating with you under the contract, e.g., to reply to your questions.
9. PROCESSING OF PERSONAL DATA OF PERSONS CONTACTING THE WARSAW TOURIST OFFICE BY E-MAIL OR BY PHONE:
9.1 the purpose of the processing:
a) personal data you provide when contacting us are processed to reply to your questions and for the execution and defence of legal claims;
9.2. what data are processed:
a) if you contact us, we will process your personal data including your e-mail address, full name, phone number (if any), position;
9.3. legal basis of the processing:
a) the processing of your personal data is based on our legitimate interests (Article 6(1)(f) of the GDPR) – communicating with users of the tourist portal and defence of legal claims;
9.4. storage period:
a) your personal data will be processed no longer than necessary to reply to your questions and may be further processed until the expiry of legal claims;
9.5. voluntary provision of data:
a) if you contact us, the provision of your personal data is voluntary but it is necessary to reply to your question.
10. DATA RECIPIENTS:
10.1. the group of recipients of your personal data processed by the Controller depends at each time on the scope of services you use. Furthermore, the group of recipients depends on your consent or the legislation and it is specified as a result of your actions during your use of our tourist portal.
a) your data are processed at the request of the Controller by providers of advisory, consulting, audit services, legal assistance, marketing support, hosting or ICT services, software or hardware maintenance services for the Controller as well as software vendors including traffic analysis systems for the portal;
b) in connection with the use of social media plugins, your use of such links allows social networks to download data including data saved in cookies;
c) in connection with the Controller’s use of Google Analytics, your data may be transferred to Google Inc. (“Google”), USA;
d) to the extent necessary, where required by generally applicable legislation and in compliance with such legislation, your data, including without limitation your IP address, are made available to law enforcement bodies, regulatory bodies and other public administration bodies (e.g., the Public Prosecutor’s Office, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection).
11. TRANSFER OF DATA OUTSIDE EEA:
11.1. Your personal data will be transferred outside the European Economic Area to Google Inc., USA. Data will be transferred according to regulations ensuring personal data protection approved by the European Commission.
12. AUTOMATED DECISION-MAKING
12.1. Information collected by the Controller in connection with your activity on our portal may be processed by automated means (including profiling); however, it neither produces legal effects concerning you as a natural person nor similarly significantly affects you.
12.2. The Controller uses no automated decision-making involving your data.
13. RIGHTS OF DATA SUBJECTS:
Information regarding actions taken following a request of the data subject is provided by the Controller within one month. If the time limit needs to be extended, the Controller informs the data subject about the reasons for the delay.
13.1 the right of access to your personal data (Article 15 of the GDPR):
a) you have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to obtain:
- access to your personal data;
- information regarding the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients of such data, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period, the rights available under the GDPR, the right to lodge a complaint with a supervisory authority, the source of the data, automated decision-making, including profiling, and the safeguards in relation to the transfer of the data outside the European Union;
- a copy of the personal data undergoing processing;
13.2 the right of rectification of your personal data (Article 16 of the GDPR):
a) the right includes your right to:
- obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you;
- have incomplete personal data completed, including by means of providing a supplementary statement (taking into account the purposes of the processing);
13.3 the right to erasure of your personal data (Article 17 of the GDPR):
a) you have the right to obtain from the Controller the erasure of personal data concerning you without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR (services offered directly to children);
b) the right to be forgotten is not an absolute right: it is limited to the extent of Article 17(3) of the GDPR;
13.4 the right to restriction of processing of your personal data (Article 18 of the GDPR):
a) the restriction of processing of personal data means the restriction of the processing with the exception of storage. Any processing of such data with the exception of storage is allowed only where any of the following applies:
- you have given your consent;
- for the purposes of establishment, execution or defence of claims;
- for the protection of rights of another natural or legal person;
- for reasons of important public interests of the Union or of a Member State;
b) the Controller has the obligation to restrict the processing where any of the following applies:
- the accuracy of the personal data is contested by the data subject in accordance with Article 16 of the GDPR – in that case, the processing is restricted automatically for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful (there is no basis for the processing under Article 6 or Article 9 of the GDPR) and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the data subject requests the Controller to restrict the processing of data which should be erased according to the restriction of data storage but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to the processing pursuant to Article 21(1) of the GDPR – in that case, the processing is restricted automatically for a period enabling the Controller to verify whether the legitimate grounds of the Controller override those of the data subject, i.e., to verify the legitimacy of the objection;
13.5 the right to data portability (Article 20 of the GDPR):
a) you can exercise the right to data portability if both of the following apply:
- the processing is based on consent (pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR) or a contract (pursuant to point (b) of Article 6(1) of the GDPR); and
- the processing is carried out by automated means.
b) The Controller will provide the personal data concerning you in a machine-readable format;
c) you may request the transmission of such data to another controller provided that such transmission is technically feasible for the Controller and such other controller. Direct transmission from controller to controller is possible provided that secure communication is feasible between their systems and the receiving system has the technical capacity to receive incoming data;
13.6 the right to object (Article 21 of the GDPR):
a) you have the right to object at any time to processing of personal data concerning you:
- if the processing is based on legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR), including profiling, on grounds relating to your particular situation;
- if personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing;
b) in the case of an objection to the processing of personal data based on legitimate interests pursued by the Controller, the Controller shall no longer process the personal data. However, the Controller may perform an assessment of the existence of compelling legitimate interests which are not overridden by the interests or rights and freedoms of the data subject or the existence of any grounds for the establishment, execution or defence of legal claims. In such cases, the Controller may further process the data subject to the objection. If you disagree with the Controller’s assessment, you have the right to lodge a complaint with a supervisory authority;
c) in the case of an objection to the processing of personal data for direct marketing purposes, the Controller shall no longer process the personal data. However, notwithstanding the objection, the data may be further processed for other purposes including without limitation the exercise of legal claims against the data subject;
13.7 the right to withdraw consent (Article 7(3) of the GDPR):
a) you have the right to withdraw your consent at any time;
b) if consent is withdrawn, the personal data may no longer be processed on that basis. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
13.8 the right to lodge a complaint with a supervisory authority, i.e., the President of the Personal Data Protection Office:
a) you have the right to lodge a complaint with a supervisory authority responsible for personal data protection.