PRIVACY AND COOKIES POLICY This privacy and cookies policy (hereinafter referred to as the "Privacy Policy") constitutes a set of rules for the processing of personal data and the collection of cookies on the webpages of Lemon Resort SPA (hereinafter referred to as the "Website"). This Privacy Policy is addressed to all persons who visit www.lemonresort.pl, contact the Personal Data Controller (by phone, e-mail, contact form), are employees, partners or representatives of contractors of the Personal Data Controller (hereinafter referred to as the "Users"). Before using the Website, the User should read the Privacy Policy. The Privacy Policy defines the rules of processing and protection of personal data of persons using the Website. The purpose of the Privacy Policy includes but is not limited to the implementation of the disclosure obligation referred to in Article 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR"). PRIVACY POLICY Personal data controller The controller of the Users' personal data is GND spółka z ograniczoną odpowiedzialnością spółka jawna with its registered office in Krakow (KRS: 0000485688), Plac na Groblach 21, 31-101 Kraków (hereinafter referred to as the "Controller"). The Users may contact the Controller in the following ways: 1) by post at the address: Plac na Groblach 21, 31-101 Kraków 2) by e-mail: recepcja@lemonresort.pl 3) by phone: +48 (18) 440 58 00 Data Protection Officer We have appointed a Data Protection Officer (hereinafter referred to as the "Officer"). The Data Protection Officer is a person whom the User may contact in all matters related to the processing of personal data and the exercise of their rights in connection with the processing of data. The Officer may be contacted in the following ways: 1) by post at the address: Gródek nad Dunajcem 83 2) by e-mail: iod@lemonresort.pl 3) by phone: +48 (18) 440 58 00 Purposes of personal data processing and legal basis of processing The personal data of the Users will be processed for the following purposes and on the basis of the following legal basis: 1) Answering inquiries from the Users and contacting the Users in matters with which they have approached the Controller using, for instance, the "send an enquiry by e-mail," by sending a message to the Controller's e-mail address. The legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), i.e. the necessity to answer the Users' enquiries. 2) Contacting the Users in current matters, including in particular the performance of agreements between the Controller and the User, the User's employer or the entity that the User represents, submitting offers, receiving orders and contracts, answering inquiries. The legal basis for data processing is the Controller's legitimate interest (Article 6(1)(f) of the GDPR), i.e. the necessity of ongoing contact with the Controller's contractors. 3) Performing agreements concluded between the Controller and the User, the User's employer or the entity that the User represents, including accepting and performing orders, placing orders, concluding agreements, performing accounting activities, providing accounting services, and performing debt collection services. The legal basis is the necessity to perform the agreement or to take action before concluding the agreement with the User (Article 6(1)(b) of the GDPR), as well as the Controller's legitimate interest (Article 6(1)(f) of the GDPR), i.e. the necessity to duly perform agreements with contractors. 4) Subscribing and sending a newsletter with information about the Lemon Resort Spa Hotel, Manaw Spa and Lemon Restaurant and services provided by the Controller. The legal basis is the consent for the processing of personal data given by the User (legal basis - Article 6(1)(a) of the GDPR). 5) Performing the Controller's legal obligations, including in particular those arising from the tax law (legal basis - Article 6(1)(c) of the GDPR). 6) Establishing, securing and asserting potential claims on the part of both the Controller and the User. The legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), i.e. the possibility to establish, assert or defend claims. Recipients of data (categories of recipients) The personal data of the Users may be made available to external entities providing services to the Controller, such as legal, auditing and accounting services, as well as IT service providers, including providers e-mail services. The Controller may make personal data available only to entities with which it has concluded a personal data processing agreement. The personal data of the Users will not be transferred to a third country or an international organisation. Personal data storage period We will store the personal data of the Users for the period necessary to fulfil the purposes set out above. If: 1) the User's personal data are processed in connection with the performance of an agreement concluded with the User, their employer or the entity which the User represents, we will store them for the term of the agreement and, to the extent necessary, for 5 years starting from the end of the calendar year in which expired the time limit for payment of tax due in connection with the conclusion and performance of the agreement or longer if required by law; 2) the User contacted the Administrator - their data will be processed for the period necessary for the purposes of contacting the User and for 1 year after the termination of the contact; 3) the User subscribed to the Newsletter - their data will be processed for the period of subscription to the Newsletter - until the consent to its subscription is withdrawn. If the User's personal data will be no longer necessary for the purposes for which they were processed, the Controller will store them in order to establish, assert or defend possible claims on the part of both the Controller and the User only for the period of limitation of claims as defined by law. Consequences of failure to provide personal data Except where required by law, providing personal data is completely voluntary. Failure to do so, however, will make it difficult or impossible for us to fulfil the purposes specified above. Information on automated decision-making The data of the Users will not be processed by automated means, including profiling. The rights related to the processing of personal data The User has the following rights related to the processing of their personal data: 1. the right to access their personal data, the right to request the rectification, erasure or restriction of the processing of personal data, unless these rights are excluded or restricted by law. (2) The right to object to the processing of their personal data due to the User's particular situation - in cases where the User's personal data are processed on the basis of our legitimate interest. 3. with regard to data processed on the basis of consent - the right to withdraw consent to the processing of personal data at any time, where the withdrawal of the consent shall not affect the lawfulness of processing conducted on the basis of the consent before its withdrawal. 4. the right to personal data portability, i.e. the right to receive personal data in a structured, commonly used IT format suitable for machine reading. You may send these data to another controller or request that we send the data to another controller. However, we will only do so if such a transfer is technically feasible. 5. The right to lodge a complaint to the President of the Office for Personal Data Protection. 6. other rights under generally applicable law. To exercise the above rights, please contact us or the Officer COOKIES What are cookies? Cookies are internet data, in particular text files, which are stored in the terminal equipment (computer, mobile phone, tablet) of the User. First of all, they contain the name of the website from which they originate, their unique number, and time of storage in the terminal equipment. Cookies provide the Controller with statistical information about user traffic, user activity and the manner of using the Website. They make it possible to adapt content and services to the Users’ preferences. The term "cookie" refers to cookies and other similar tools described in Directive 2009/136/EC of the European Parliament concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and Article 173 of the Telecommunications Law. What are cookies used for? Considering that we use cookies, we provide the most important information about their use. 1) The mechanism of cookies is not used to obtain any information about the Users, except for information about their behaviour on the Website. 2) The Controller stores cookies on the Users’ computers in order to: a. Adjust the Website to the Users’ needs and optimise the use of the Website; b. Remember the preferences and individual settings of the User, recognise the User's device and appropriately display the website according to their needs (full version, mobile version of the website); c. create Website viewing statistics to better understand how the Users use websites, so as to improve their structure and content; d. maintain the User’s session (after logging in), thanks to which the User does not have to re-enter their login and password on each page of the Website; e. store shopping cart data in the Internet shop, so that they are not lost after re-visiting the Website. What types of cookies do we have? Two main types of cookies are used on the Website: - "session cookies" and "persistent cookies". Session cookies are temporary files that are stored in the User's terminal equipment until logging out, leaving the website or switching off the software (web browser). Persistent cookies are stored in the User's terminal equipment for the time specified in the parameters of cookies or until they are deleted by the User. The following types of cookies are used on the Website: - "necessary" cookies making it possible to use services available on the Website, e.g. authentication cookies used for services requiring authentication on the Website; - "safety" cookies used to ensure safety, e.g. used to detect misuse of authentication on the Website; - "efficiency" cookies making it possible to collect information on how the Website is used; - "functional" cookies making it possible to "remember" settings selected by the User and to customise the User interface, e.g. with regard to the chosen language or region from which the User comes, font size, website look, etc. How to block cookies? In many cases, web browsers allow the storage of cookies in the User's terminal equipment by default. The Users of the Website may at any time make changes in their cookies settings, e.g. by blocking the automatic handling of cookies or each time receiving information about their being installed in the equipment of the Website User. Detailed information on the possibility and methods of using cookies is available in the browser settings or on the following websites: - Internet Explorer browser [link - https://support.microsoft.com/pl-pl/products/windows?os=windows-10] - Mozilla Firefox browser [link - https://support.mozilla.org/pl/kb/ciasteczka] - Chrome browser [link - https://support.google.com/chrome/answer/95647?hl=pl] - Safari browser [link - https://support.apple.com/pl-pl/HT201265] - Opera browser [link - http://help.opera.com/Linux/9.22/pl/cookies.html] Restricting the use of cookies may, however, affect some of the functionalities available on the Website.