JEWISH POLAND BOUTIQUE TRAVEL
PRIVACY POLICY
1. KEY DEFINITIONS AND TERMS
1.1 Controller of Personal Data: F.H.U. Fornit 2 Mariusz Czułno (trading as “Jewish Poland Boutique Travel”), with its registered office in Poland at ul. Morelowa 6, 35-232 Rzeszów, NIP (Taxpayer Identification Number): 8131566812. Contact with the Controller is possible via its e-mail address: contact@boutiquetravelhub.com.
1.2 Legal Basis: The Controller operates in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR), effective from 25 May 2018, and the Act of 10 May 2018 on the protection of personal data.
1.3 Guest: any natural person who discusses services offered by the Controller via the Controller’s e-mail address, contact forms, or other agreed means of communication, concludes the Agreement issued by the Controller from the Controller’s e-mail address, and/or participates in services provided by the Controller. Only individuals with full legal capacity may act as Guests. The Agreement pertains to the realization of services chosen by the Guest and provided by the Controller in accordance with the Controller’s General Terms and Conditions.
1.4 Source of Personal Data: Personal data processed by the Controller originates from the Guest. The Controller may also process data of third parties based on access requirements, if the conclusion, performance, amendment, or termination of the Agreement necessitates involvement of such third parties, e.g., the Guest’s legal representative.
1.5 Accuracy of Data: The Guest ensures that the personal data shared with the Controller are accurate, complete, and up-to-date for the intended purposes.
1.6 Recipients of Personal Data: Recipients of the Guest’s personal data include the Controller and may involve other tour operators, travel agencies, and service providers (e.g., accommodation providers, tour guides, transport services) whose services the Operator utilizes to enter into and execute the Agreement. Recipients may also include entities authorized under applicable laws. The Controller ensures that any sharing or entrusting of data to other entities complies with legal requirements.
1.7 Transfer of Personal Data: The Controller reserves the right to transfer the Guest’s personal data to a third country if the Agreement includes services planned or executed in that third country. The Guest acknowledges that countries outside the European Union may not provide an adequate level of personal data protection within the meaning of Article 45 of the GDPR.
1.8 Data Security: The Controller prioritizes the protection of individuals' interests by ensuring that personal data are: a) processed lawfully, b) collected for specified, lawful purposes and not subject to further processing that contradicts these purposes, c) secured through appropriate technical and organizational measures to ensure data security.
1.9 Voluntary Provision of Data: Providing personal data by the Guest or their legal representative is voluntary but necessary for the Tour Operator to plan the Guest's trip, draft, conclude, and execute the Agreement, and amend or terminate the Agreement. Failure to provide personal data will prevent the Tour Operator from taking these actions.
2. SCOPE OF PERSONAL DATA
2.1 The scope of personal data includes, but is not limited to, the Guest’s given name, family name, billing address, telephone number, and e-mail address.
2.2 Personal data may also include, but is not limited to, bank account details if such information is necessary to collect payment for a contractual service.
2.3 Personal data may also include, but is not limited to, the Guest’s date of birth, occupational status, and gender if such information is required to prove the Guest’s entitlement to a booked service or its reduced price.
2.4 Personal data may also include, but is not limited to, the Guest’s mobility and dietary restrictions if such information is required to arrange appropriate transport, accommodation, or dining services.
2.5 In addition, the Tour Operator may request other data as a consequence of the realization of the contractual service. Such optional data may include, but is not limited to, emergency contact details for the Guest’s relatives. The information about data processing contained in this document will remain valid.
3. RIGHTS OF THE GUEST
3.1 According to Articles 15-22 of the GDPR, the Controller guarantees the Guest the rights to: a) access their personal data, b) rectification of the data; c) erasure of the data (‘right to be forgotten’), d) restriction of processing, e) data portability, f) object to processing, g) obtain information.
3.2 These rights can be exercised in the following cases:
(a) Right to rectification - if the data are incorrect or incomplete;
(b) Right to erasure - when the data are no longer necessary for the purposes for which they were originally collected; when the Guest withdraws their consent for data processing; when the Guest objects to data processing; when the data are unlawfully processed; when the data must be deleted due to binding legal provisions;
(c) Right to restriction of processing - when the data are incorrect, for a period allowing verification of their correctness; when the data are unlawfully processed but the Guest does not request erasure; when the data are no longer necessary but might be useful for the Guest's defence or pursuing claims;
(d) Right to data portability - when the data are processed based on the Guest's consent or the Agreement the Guest entered, and the processing is conducted automatically;
(e) Right to object to processing - until the objection is verified as legitimate; when personal data processing is based on a legitimate interest or for statistical purposes, and the objection is justified by the Guest's specific situation; when personal data are processed for direct marketing purposes.
3.3 The Guest has the right to lodge a complaint against data processing with the President of the Personal Data Protection Office [Urząd Ochrony Danych Osobowych], ul. Stawki 2, 00-193 Warszawa, tel. 22 5310300, fax. 22 5310301, kancelaria@uodo.gov.pl, if the Guest considers that the processing of their personal data violates data protection laws.
3.4 The Controller has not appointed a Data Protection Officer within the meaning of chapter IV section 4 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
4. PROCESSING OF PERSONAL DATA
4.1 The Guest’s personal data are processed on the basis of Article 6(1)(a) of the GDPR for the purposes of: a) replying to inquiries or contact requests submitted to the Tour Operator by e-mail, phone, through contact forms, and by other means of communication with the Tour Operator, b) proposing and planning trips.
4.2 The Guest’s personal data are processed on the basis of Article 6(1)(b) of the GDPR for the purposes of: a) concluding, performing, and settling the Agreement or taking steps prior to concluding the Agreement, including sending booking requests and inquiries to publicly available addresses about cost estimates for accommodation services, tour guidance services, transport services, and other services offered for tourists or visitors, b) placing an order for services performed as part of the Agreement.
4.3 The Guest’s personal data are processed on the basis of Article 6(1)(c) of the GDPR for the purposes of fulfilling contractual obligations and any legal obligations incumbent on the Controller.
4.4 The Guest’s personal data are processed on the basis of Article 6(1)(f) of the GDPR, i.e., the Controller’s legitimate interest in determining, asserting, or defending claims until they are time-barred or until the relevant proceedings, if any, are concluded.
5. DURATION OF DATA RETENTION
5.1 The Guest’s personal data may be stored for the following periods: a) during the planning of a trip for the Guest, drafting, concluding, and implementing the Agreement, b) until the expiry of the limitation period for claims that may arise from the performance of the Agreement, c) in compliance with periods arising from taxation, accounting regulations, and other binding legal acts.
5.2 Data obtained on the basis of consent will be retained until the consent is withdrawn. Withdrawal of consent does not affect the lawfulness of data processing that occurred prior to the withdrawal.
5.3 In the case of submitting an objection, data will be retained until the objection is reviewed. However, data will not be processed during this period.
6. CHANGES IN THE PRIVACY POLICY
6.1 The Controller reserves the right to make changes to this Privacy Policy. These changes may result from the development of online technology, and changes in legal regulations regarding personal data protection. The Tour Operator will inform users of all changes in a visible and comprehensible manner.
