Privacy policy

 

§1 Introductory provisions

  • This document entitled Privacy Policy (hereinafter: “Policy”) is designed as a map of the requirements, rules and regulations regarding protection of personal data by the Controller, regardless of the form of the processing.
  • This document is a data protection policy within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter: "GDPR").

 

§2 Data Controller

  • Data Controller (hereinafter: "The Controller”) is CHT Sp. z o.o. entered into the National Register of Entrepreneurs maintained by the District Court for Kraków Śródmieście in Kraków, XII Commercial Division of the National Court Register, under KRS number 0001151777 with the share capital of PLN 5,000
  • Contact details of the Controller:

-E-mail: info@viaterris.com

- Mobile: + 48 691 609 719

 

§3 Purposes of the processing

The Controller processes personal data for the purposes of:

  • Concluding and performing contracts as part of business operations, i.e. the sale and offering for sale, trips, guided tours and other tourist events created by external companies in various countries for customers interested in using these services.
  • Ongoing customer service, in particular creating tour reservations.
  • Promoting the Controller’s activities by publishing the images of customers on the Controller’s website and the Controller’s fanpages on social networks.                                 
  • Providing personal data required by the Controller is necessary for the Controller to achieve the purposes described in paragraph 1. The consequence of refusal to provide the data may be the refusal to conclude a contract or establishing a cooperation by the Controller with the data subject.
  • The Controller does not process personal data using automated means or for profiling purposes.
  • The customers and all the website users provides his / her data voluntarily. 
  • The Controller, through the website and other forms of communication, collects and processes the following personal data of customers (users) provided during the registration process on the website: name, surname, address of residence, e-mail address, telephone number.

§4 Personal data recipients

  • The Controller cooperates with the following categories of personal data recipients:

-Touroperators, i.e. entrepreneurs involved in the creation, organization and sale or offering for sale: tours, guided tours and other tourist events.

-Accounting company providing accounting services.

  • The Controller provides Touroperators with only those personal data of customers, that are necessary for the organization of tours and other tourist events, and were collected from customers on the basis of valid consents including provisions allowing sharing personal data with Touroperators.
  • The Touroperator processes personal data of customers only for the purposes for which the data were collected by the Controller.
  • The Touroperator does not process the personal data of customers on behalf of the Controller (i.e. not as a processor), but instead as an independent personal data controller of the personal data provided to him. Touroperator performs information obligations on its own, and processes customer’s personal data in accordance with applicable personal data protection regulations.
  • Detailed information about the recipients of personal data is provided by the Controller to the data subject on their request.
  • The Controller does not transfer personal data to third countries, except for recipients of personal data described in paragraph 4, first point .

 

§5 Data retention periods

  • Personal data is stored by the Controller for a period of 5 years. At the end of the data retention period, the Controller deletes personal data. The Controller allows the possibility of extending or shortening the retention period, if such an obligation results from legal provisions (e.g. in pending court proceedings) or is justified by a legitimate interest of the Controller.

 

§6 Data subject rights

  • The data subject has the right to request access to personal data concerning him or her, to data rectification, deletion or limitation of processing. Data subject may object to the processing and transfer of such data. In order to make use  the above-mentioned rights, the data subject contacts the Controller directly.
  • The data subject has the right to lodge a complaint with the Data Protection Authorities.

 

§7 Controller’s responsibilities

  • The Controller develops and maintains a Record of Processing Activities (hereinafter: the Record). The Record is a form of documenting data processing activities, in which the Controller inventories and monitors the way in which personal data is being processed.
  • The Record entry for each data processing activity, which the Controller has recognized as a separate for the purposes of the Record, shall contain at least: (i) the name of the activity, (ii) the purpose of processing, (iii) description of the categories of persons, (iv) description of the categories of data, (v) planned date of deletion of data categories, (vi) description of the categories of recipients of personal data (including processors), (vii) description of technical and organizational security measures, (vii) information on transfers outside the EU / EEA. The Record template is attached as Annex 1 of the Policy.
  • In the event of employing employees, terminating or changing the terms of employment of employees or persons undertaking activities on the basis of civil law contracts for the Controller, it is the Controller’s responsibility to ensure that these persons are:

-properly prepared to perform their duties,

-authorized in writing to process personal data, in accordance with the content of the Authorization Form, constituting Annex 2 of the Policy,

-obliged to keeping the personal data processed confidential, in accordance with Annex 3 of the Policy.

  • In the event of a personal data breach, the Controller shall assess whether the breach may have caused the risk of violation to the rights or freedoms of natural persons.
  • If the violation might have caused the risk of violation of the rights or freedoms of natural persons, the Controller shall report the personal data breach to the Data Protection Authorities without undue delay - if feasible - no later than within 72 hours after learning about the violation. The reporting template is set out in Annex 4 of the Policy.
  • If the risk of violation of rights and freedoms is high, the Controller shall also notify the data subject of the incident.

 

§8 Final provisions

  • Attachments constitute an integral part of the Policy:

Annex 1 - Record of Processing Activities.

Annex 2 - Authorization Form.

Annex 3 - Confidentiality declaration.

Annex 4 - Reporting a personal data breach.

  • Attachments are available in the office of the Controller.
  • The Controller reserves the right to alter the Policy in the future. The Policy was last updated on October 25, 2019.