The Personal Data Controller (PDC) is the civil partnership Termy Gorce s.c. Poręba Wielka 875, contact phone: +48 570 008 500, email: administracja@termygorce.pl, website: www.termygorce.pl.

Personal data – all information about an identified or identifiable natural person through one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information collected via cookies and other similar technology.

Policy – this Privacy Policy.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Act – the Act of 10 May 2018 on the Protection of Personal Data (Sejm print 240).

Website – the website operated by the Controller at www.termygorce.pl

User – any natural person visiting the Website or using one or more of the services or functionalities described in the Policy.

In connection with the User's use of the Website, the Controller collects data to the extent necessary to provide the individual services offered, as well as information about the User's activity on the Website. The detailed rules and purposes for processing personal data collected during the User's use of the Website are described below.

For the purpose of providing electronic services in the scope of making available to Users the content collected on the Website, information about services provided by "Termy Gorce", reservations and purchase of entry tickets to the "Termy Gorce" thermal pools, and making contact forms available – the legal basis for processing is the necessity of processing for the performance of a contract (Art. 6(1)(b) GDPR); for the purpose of handling the purchase of entry tickets to the Termy Gorce thermal pools – the legal basis for processing is the necessity of processing for the performance of a contract (Art. 6(1)(b) GDPR); for the purpose of handling complaints – the legal basis for processing is the necessity of processing for the performance of a contract and handling any claims (Art. 6(1)(b) GDPR); for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) GDPR) consisting in analysing User activity and preferences in order to improve the functionalities used and services provided; for the purpose of possible establishment and pursuit of claims or defence against them – the legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) GDPR) consisting in the protection of its rights; for the Controller's marketing purposes – the legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) GDPR) consisting in delivering requested marketing communications, including in the form of newsletters, i.e. e-mail messages containing information about current offers, promotions or competitions.

The User's activity on the Website, including their personal data, is recorded in system logs (a special computer programme used to store a chronological record containing information about events and actions relating to the IT system used to provide services by the Controller). Information collected in logs is processed in connection with the provision of services. The Controller also processes them for technical purposes, in particular data may be temporarily stored and processed in order to ensure the security and correct functioning of IT systems, e.g. in connection with making backup copies, testing changes in IT systems, detecting irregularities or protection against abuse and attacks.

The Controller provides the possibility of contacting it using electronic contact forms available at www.termygorce.pl. Using the form requires providing personal data necessary to contact the User and respond to the enquiry. The User may also provide other data to facilitate contact or handling of the enquiry. Providing data marked as mandatory is required in order to accept and handle the enquiry, and failure to provide it results in the inability to handle it. Providing other data is voluntary.

Personal data are processed: for the purpose of identifying the sender and handling their enquiry submitted via the available form – the legal basis for processing is the necessity of processing for the performance of a service contract (Art. 6(1)(b) GDPR); for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) GDPR) consisting in keeping statistics of enquiries submitted by Users via the Website in order to improve its functionality.

Sending e-mail notifications about interesting offers or content, which in some cases contain commercial information; conducting other types of activities related to direct marketing of services (sending commercial information electronically and telemarketing activities).

For the purpose of carrying out marketing activities, the Controller may in some cases use profiling. This means that through automated data processing, the Controller assesses selected factors concerning natural persons in order to analyse their behaviour or create a forecast for the future.

The Controller processes Users' personal data for marketing purposes in connection with directing contextual advertising and commercial information to Users (i.e. advertising and commercial information that is not tailored to the User's preferences). The processing of personal data takes place in connection with the implementation of the Controller's legitimate interest (Art. 6(1)(f) GDPR).

The Controller does not process Users' personal data, including in particular personal data collected via cookies and other similar technologies, for marketing purposes in order to direct behavioural advertising to Users (i.e. advertising that is tailored to the User's preferences).

The User should bear in mind that consent to the use of cookies may be expressed through the appropriate configuration of the browser, and may also be withdrawn at any time, in particular by clearing the cookie history and disabling cookie support in the browser settings.

If the User has consented to receive marketing information via e-mail or other electronic communication means, the User's personal data will be processed for the purpose of sending such information. The legal basis for data processing is the legitimate interest of "Termy Gorce" consisting in sending marketing information within the scope of the consent given by the User. The User has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the duration of the legitimate interest of the Company, unless the User objects to receiving marketing information.

Consent to carry out marketing activities may be withdrawn at any time.

The Controller processes personal data of Users visiting the Controller's profiles on social media (Facebook, YouTube, Instagram, Pinterest). Such data are processed exclusively in connection with the operation of the profile, including for the purpose of informing Users about the Controller's activity and promoting various events, services and products, as well as for the purpose of communicating with users via the functionalities available on social media.

The legal basis for the processing of personal data by the Controller for the purpose indicated above is its legitimate interest (Art. 6(1)(f) GDPR) consisting in promoting its own brand and building and maintaining a community associated with the brand.

Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information that facilitates the use of the website – e.g. by remembering the User's visits to the Website and the actions taken by the User.

The Controller uses so-called service cookies primarily in order to provide the User with services provided electronically and to improve the quality of such services. In connection with this, the Controller and other entities providing analytical and statistical services on its behalf use cookies, storing information or gaining access to information already stored in the User's telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include:

cookies with data entered by the User (session identifier) for the duration of the session (user input cookies); authentication cookies used for services requiring authentication for the duration of the session (authentication cookies); cookies used to ensure security, e.g. used to detect authentication abuses (user-centric security cookies); session cookies for media players (e.g. flash player cookies) for the duration of the session (multimedia player session cookies); persistent cookies used to personalise the User's interface for the duration of the session or slightly longer (user interface customisation cookies); cookies used to remember the contents of the shopping basket for the duration of the session (shopping cart cookies); cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyse how the User uses the Website, to create statistics and reports on the functioning of the Website). Google does not use the collected data to identify the User or combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.

The Controller also uses cookies for marketing purposes, including in connection with directing behavioural advertising to Users. For this purpose, the Controller stores information or gains access to information already stored in the User's telecommunications end device (computer, phone, tablet, etc.). The use of cookies and the personal data collected through them for marketing purposes, in particular in the scope of promoting the services and goods of third parties, requires the User's consent. This consent may be expressed through the appropriate configuration of the browser, and may also be withdrawn at any time, in particular by clearing the cookie history and disabling cookie support in the browser settings.

The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, data are processed for the duration of service provision, until the consent given is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Controller.

The period of data processing may be extended if processing is necessary for the establishment and pursuit of any claims or defence against them, and after that time only in the case and to the extent required by law. After the processing period, data are irreversibly deleted or anonymised.

Right to information about the processing of personal data – on this basis, the Controller provides the person submitting such a request with information about the processing of personal data, including in particular the purposes and legal bases for processing, the scope of data held, the entities to which personal data are disclosed and the planned date of deletion; Right to obtain a copy of data – on this basis, the Controller provides a copy of the processed data relating to the person submitting the request; Right to rectification – on this basis, the Controller removes any inconsistencies or errors relating to the processed personal data, and supplements or updates them if they are incomplete or have changed; Right to erasure – on this basis, a request may be made for the deletion of data whose processing is no longer necessary for any of the purposes for which they were collected; Right to restriction of processing – on this basis, the Controller ceases to carry out operations on personal data, with the exception of operations consented to by the data subject and their storage, in accordance with the adopted retention rules, or until the reasons for restricting data processing cease to apply (e.g. a decision is issued by the supervisory authority permitting further processing of data); Right to data portability – on this basis, to the extent that data are processed in connection with a concluded contract or given consent, the Controller provides the data supplied by the data subject in a format that allows them to be read by a computer. It is also possible to request that these data be sent to another entity – provided that there are technical capabilities on both the Controller's and that other entity's side; Right to object to processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such an objection; Right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data based on the legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to property protection). An objection in this regard should contain justification and is subject to assessment by the Controller; Right to withdraw consent – if data are processed on the basis of consent, the data subject has the right to withdraw it at any time, which however does not affect the lawfulness of processing carried out prior to the withdrawal of such consent; Right to lodge a complaint – if it is considered that the processing of personal data violates the GDPR or other provisions on personal data protection, the data subject may lodge a complaint with the President of the Personal Data Protection Office.

The request should, as far as possible, precisely indicate what the request concerns, i.e. in particular: what right the person submitting the request wishes to exercise (e.g. right to receive a copy of data, right to erasure, etc.); which processing process the request concerns (e.g. use of a specific service, activity on the website, receipt of a newsletter containing commercial information at a specific email address, etc.); what processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.). If the Controller is unable to determine the content of the request or identify the person submitting the request on the basis of the notification made, it will ask the applicant for additional information. A response to notifications will be provided within one month of receipt. If it is necessary to extend this period, the Controller will inform the applicant of the reasons for such extension. The response will be given to the email address from which the request was sent, and in the case of requests sent by post, by ordinary letter to the address indicated by the applicant, unless the content of the letter indicates a wish to receive feedback to an email address (in which case an email address should be provided).

In connection with the provision of services, personal data will be disclosed to external entities, including in particular providers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, audit and consulting services, couriers, marketing agencies (in the scope of marketing services).

If the User's consent is obtained, their data may also be made available to other entities for their own purposes, including marketing purposes.

The Controller reserves the right to disclose selected information about the User to the relevant authorities or third parties who submit a request for such information, based on the appropriate legal basis and in accordance with applicable law.

The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an appropriate level of protection ensured, primarily by: cooperating with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued; applying standard contractual clauses issued by the European Commission; applying binding corporate rules approved by the competent supervisory authority; in the case of data transfer to the USA – cooperating with entities participating in the Privacy Shield programme, approved by a decision of the European Commission.

The Controller always informs of the intention to transfer personal data outside the EEA at the stage of their collection.

The Controller continuously conducts risk analysis to ensure that personal data are processed by it in a secure manner – ensuring in particular that only authorised persons have access to the data and only to the extent necessary for the tasks performed by them. The Controller ensures that all operations on personal data are recorded and carried out only by authorised employees and associates. The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.

Contact with the Controller is possible via email: administracja@termygorce.pl or the correspondence address Termy Gorce s.c. Poręba Wielka 875. The Controller has not appointed a Data Protection Officer.

The Policy has been in force since 01.03.2021 and is regularly reviewed and updated as necessary.