§1 Administration of personal data
1. The administrator of personal data is Jacek Woźniak, conducting business under the name Brovaria Jacek Woźniak, Zębcowska 43D/20, 63-400 Ostrów Wielkopolski. The business activity is registered in the Central Register and Information on Business Activity under VAT ID no. /NIP/: 6221345404, REGON no.: 250796583.
2. Contact with the person supervising the processing of personal data in the organisation is possible by e-mail at: rezerwacje@brovaria.pl, in writing to the Administrator’s address or by telephone at +48 61 858 68 63.
3. This Policy contains the principles concerning the processing of personal data by the Administrator on the Website, including the grounds, purposes and scope of personal data processing and the rights of data subjects.
4. Personal data shall be processed by the Administrator in accordance with applicable laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) Official text of the GDPR Regulation: https://uodo.gov.pl/pl/file/727.
5. The User’s rights are not absolute and do not apply to all personal data processing activities.
§2 Definitions
1. Administrator – Jacek Woźniak, conducting business under the name Brovaria Jacek Woźniak, Zębcowska 43D/20, 63-400 Ostrów Wielkopolski. The business activity is registered in the Central Register and Information on Business Activity under VAT ID no. /NIP/: 6221345404, REGON no. 250796583.
2. Personal data – information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including the IP of the device, Internet identifier and information collected through cookies and other similar technology.
3. Policy – this Privacy Policy.
4. GDPR / GDPR Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
5. Service – the website operated by the Administrator at brovaria.pl.
6. User – any natural person visiting the Service or using one or more services or functionalities described in the Policy.
§3 Security
1. The Administrator has implemented appropriate technical and organisational measures to ensure the security of personal data processing, and in particular he is responsible for and ensures that the data he collects are:
a. processed in accordance with the law;
b. collected for designated legitimate purposes and not subjected to further processing incompatible with those purposes;
c. substantially correct and adequate in relation to the purposes for which they are processed;
d. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing; and
e. processed in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
§4 Purposes and legal basis for data processing
1. On the basis of Article 6(1)(a) of the GDPR Regulation (consent), personal data will be processed for the purposes of:
a. marketing products and services of the Administrator and the Administrator’s partners,
b. sending Newsletters,
c. moderating content on the Website,
d. saving data in cookies, as well as using cookies for the proper functioning of the Website,
e. presenting opinions about a product or service,
f. participating in a webinar or online training,
g. contacting you by means of distance communication tools, in particular: telephone, e-mail or application.
2. On the basis of Article 6(1)(b) of the GDPR Regulation (performance of the contract), personal data will be processed for the purposes of:
a. Executing contracts of sale or contracts for the provision of a Service or taking action at the request of the data subject before or after the conclusion of the indicated contract, in particular: right of warranty, consideration,
b. Lodging complaints or withdrawing from contracts concluded remotely.
3. On the basis of Article 6(1)(c) of the RODO Regulation (legal obligation incumbent on the Controller), personal data will be processed for the purposes of:
a. Issuing and storing invoices, receipts or fulfilling other obligations under tax and accounting regulations, (archiving obligation regarding accounting documents),
b. Creating records and other documentation prescribed by the provisions of the GDPR.
4. Based on Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Administrator), personal data will be processed for the purposes of:
a. Correct performance of the contract, they will be processed for the duration of the contract and the rights deriving from it, e.g. the right of complaint. The provision of data is voluntary but also necessary,
b. Safeguarding the security of the Website, the management of the Website and its correct operation,
c. Conducting statistics and analysis of traffic on the Website,
d. Direct marketing,
e. Establishing claims raised by or against the Administrator,
f. Contacting the User,
g. Operate the brovaria.pl Service,
h. Operating an account on Facebook, Instagram and interacting with Users of the indicated portals,
i. Data may be transferred to the following recipients or categories of recipients of personal data, i.e. courier companies, postal operators, law firms, accounting companies, IT service providers and service providers.
§5 Profiling
1. The GDPR Regulation imposes an obligation on the Controller to provide information on automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR Regulation, and, at least in these cases, relevant information on the modalities of such decision-making, as well as on the significance and foreseeable consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the privacy policy.
2. The Administrator may use profiling on the Website for marketing purposes using the personal data provided by the User.
3. The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects in relation to the data subject or in a similar manner significantly affects the data subject.
§6 Period of processing of Personal Data
1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, the data shall be processed for the duration of the service provision, until the withdrawal of the consent given or until an effective objection is raised against the data processing in cases where the legal basis of the data processing is the legitimate interest of the Administrator.
2. The processing period may be extended where the processing is necessary for the establishment and assertion of possible claims or the defence against claims, and thereafter only where and to the extent required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymized.
§7 User Rights
1. Any User shall have the following rights with regard to his/her personal data:
a. to access to his/her personal data,
b. to rectify his/her personal data at any time,
c. to have his/her personal data deleted at any time,
d. to receive a copy of his/her data,
e. to restrict the processing of his/her personal data,
f. to object to the processing of his/her personal data,
g. to move or transfer his/her personal data,
h. to withdraw a consent; withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal,
i. to object to the processing of personal data on the basis of the legitimate interest of the Administrator for marketing purposes, direct marketing and for purposes other than marketing,
j. to lodge a complaint with a supervisory authority.
§8 Recipients of personal data
1. The Administrator, for the purpose of proper operation of the Service, shall transfer the User’s personal data to other external entities, in particular: a hosting company, IT companies, catering and hotel software provider, payment card operator.
2. The Administrator reserves the right to disclose personal data in a situation where it is required by law, including the obligation to provide information to competent administrative or law enforcement authorities.
§9 Transfer of personal data outside the EEA
1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data outside the EEA only when necessary, in particular when using an international entity. However, it shall always ensure an adequate level of protection, primarily by:
a. cooperating with processors of Personal Data in countries for which a relevant decision of the European Commission has been issued regarding the determination of an adequate level of protection for Personal Data;
b. applying binding corporate rules approved by international certification standards and the competent supervisory authority;
c. application of standard contractual clauses issued by the European Commission pursuant to Article 46 of the GDPR.
d. personal data may also be transferred outside the EEA, based on the User’s consent. The User shall be informed of this in advance.
§10 Security of Personal Data
1. The Administrator shall conduct a risk analysis on an ongoing basis to ensure that Personal Data is processed by the Administrator in a secure manner. By its actions, it ensures above all that only authorised persons have access to the data and only to the extent that this is necessary in view of the tasks they perform.
2. The Administrator shall take all measures permitted by law to ensure that all operations on Personal Data are recorded and performed only by an authorised entity.
3. The Administrator shall also be obliged to ensure that other entities cooperating with the Administrator guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Administrator.
§11 Changes in the Privacy Policy
1. The Policy shall be reviewed and updated on an ongoing basis.
2. The current version of the Policy has been adopted and is effective as of 2025-02-07.
