Privacy notice under Regulation of the European Parliament and of the council (EU) no. 2016/679 on the protection of natural persons with regard to the processing of personal data and instruction to data subjects (hereinafter as “GDPR”).
Personal data controller
Company: Podwale Bar and Books sp zoo
Registered office at: Waski Dunaj 20, Warsaw 00-256
In all matters relating to the processing of personal data, you can contact us at the following e-mail address: firstname.lastname@example.org.
Extent of personal data processing
Personal data are processed to the extent to which they were provided to the Controller by the relevant data subject in connection with the entry into a contractual or other legal relationship with the Controller or which the Controller has otherwise collected and processed in compliance with legal regulations or in order to perform the statutory obligations of a controller.
- identification data: firstname and surname,
- contact information: billing and delivery address, e-mail address, and phone
Sources of personal data
- Directly from data subjects (reservations and e-shopping, e-mails, phone, website contact form, social networks, visiting cards etc.)
Categories of the personal data processed
- payment terminal provider,
- financial institutions,
- state and other bodies performing statutory obligations imposed by applicable legalregulations;
Purpose of personal data processing
- Making your order if you buy something from us.
- Making your booking if you make a reservation with us
- Send news from our bar based on your consent.
- Send news from our bar based on our so-called legitimate interest (if you are our customer).
- Performance of legal obligations.
Personal data processing period
In accordance with the time limits specified in the relevant contracts, the Controller’s filing and shredding rules and in applicable legal regulations the data are processed for a period necessary to perform the rights and obligations ensuing from an obligational relationship as well as applicable legal regulations.
Manner of processing and protecting personal data
The Controller has adopted technical and organizational measures to ensure the protection of the personal data, including in particular measures preventing unauthorized or accidental access to, alteration, destruction or loss or unauthorized transfers or unauthorized processing as well as other misuse of the personal data.
The Controller processes data with data subject’s consent with the exception of the cases defined by law where the processing of personal data does not require data subject's consent. In accordance with Article 6(1) GDPR a controller may process the following data without data subject’s consent:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
- processing is necessary for the compliance with a legal obligation to which the controller is subject,
- processing is necessary in order to protect the vital interests of the data subject or of another natural person,
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
Rights of data subjects
1) In accordance with Article 12 GDPR the Controller informs a data subject upon the data subject’s request on the right to access his or her personal data and to the following information:
- purpose of processing,
- category of the personal data concerned,
- recipient or the category of the recipients to whom the personal data were or will be made accessible,
- planned period for which the personal data will be retained,
- all available information on the source of the personal data,
- if not acquired from the data subject, information on whether automated decision- making, including profiling, is used.
2) Each data subject who finds out or considers that the Controller or a processor engages in the processing of his or her personal data which is in conflict with the protection of the data subject’s private and personal life or in conflict with law, in particular if the personal data are inaccurate with regard to the purpose of the processing, the data subject may:
- Ask the Controller for explanation.
- Demand that the Controller rectifies the situation. This may in particular involve the blocking, rectification, supplementation or erasure of the personal data.
- Where the data subject’s application under paragraph 1 is recognized as legitimate, the Controller shall rectify the defective situation without delay.
- If the Controller dismisses the data subject’s application under paragraph 1, the data subject has the right to turn directly to the supervisory office, that is, the Office for Personal Data Protection.
- The procedure under paragraph 1 does not rule out the option that the data subject may submit his or her objection directly to the supervisory office.
- The Controller has the right to demand for the provision of information an adequate payment not exceeding the costs necessary for the provision of the information.