Information on the Principles of Personal Data Processing (Article 13 of the GDPR) for Guests of Hotel Aviator and Customers of Restaurant Aviator

1. Data Controller and Contact Details

The controller of your personal data is SILESIA RING spółka z o.o. sp.k., with its registered office at ul. Lotnicza 5–7, 47-325 Kamień Śląski (the entity operating Hotel Aviator). Guests’ personal data is processed solely for purposes related to the provision of hotel and restaurant services, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and applicable Polish national legislation.

2. Data Protection Officer

The Controller has appointed a Data Protection Officer (DPO), who can be contacted regarding any matters concerning the processing of personal data and the exercise of your rights.
Contact the Data Protection Officer at: iod@silesiaring.pl.

3. Purposes of Personal Data Processing

Your personal data is processed for the following purposes:

• Hotel reservations and stays – to handle the room booking process and provide hotel services during your stay (e.g. check-in, provision of services during the stay).
  Legal basis: performance of a contract for hotel services (Article 6(1)(b) of the GDPR).
• Restaurant services (including table reservations) – to accept and manage restaurant bookings, fulfill food and beverage orders on-site, provide table service, and issue receipts.
  Legal basis: performance of a contract for catering services (Article 6(1)(b) of the GDPR).
• Catering services (single orders and subscriptions) – to accept and fulfill catering orders, including recurring subscriptions for individuals and businesses. For this purpose, we process delivery addresses and contact details (e.g. phone numbers) to prepare and deliver the ordered meals and to contact you if necessary for logistical reasons.
  Legal basis: performance of a catering services contract (Article 6(1)(b) of the GDPR), i.e. fulfillment of the delivery.
• Compliance with legal obligations of the Controller – to meet the legal requirements arising from applicable laws, particularly tax and accounting regulations (e.g. issuing and storing invoices, sales receipts), as well as potential registration or statistical obligations related to hotel operations.
  Legal basis: compliance with a legal obligation (Article 6(1)(c) of the GDPR).
• Video surveillance of the premises – to ensure the safety of guests, customers, staff, and property at Hotel and Restaurant Aviator through the use of CCTV cameras installed inside the building and throughout the hotel grounds.
  Legal basis: the legitimate interests of the Controller (Article 6(1)(f) of the GDPR), consisting of protecting individuals and property and preventing crimes and incidents.
• Establishment, exercise, or defense of legal claims – potential use of personal data or documentation related to your stay or transactions to pursue claims (e.g. unpaid charges) or to defend against legal claims brought by guests/customers or third parties.
  Legal basis: the legitimate interests of the Controller (Article 6(1)(f) of the GDPR), specifically the protection of its rights and the pursuit or defense of legal claims.
• Processing of special categories of data (sensitive data) provided voluntarily – if you voluntarily provide us with information regarding your health or other sensitive data (e.g. health conditions, disabilities, food allergies, or dietary preferences) in the course of using our services, such data will be processed solely for the purpose of providing appropriate service and tailoring our offerings to your needs (e.g. preparing a special dietary meal, ensuring accessibility for individuals with disabilities, or responding to medical emergencies).
  Legal basis: your explicit consent (Article 9(2)(a) of the GDPR), given by voluntarily providing such information.

4. Legal Bases for Processing

The processing of your data is based on the following legal grounds as provided by Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR):

• Article 6(1)(b) of the GDPR – processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract. This legal basis applies to data processing for the purposes of providing hotel, restaurant, and catering services (reservations, stays, orders).
• Article 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation to which the Controller is subject. This legal basis applies wherever laws require us to process certain data (e.g. tax regulations requiring us to retain financial documentation for a specified period).
• Article 6(1)(f) of the GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Controller. This legal basis applies where we pursue our legitimate interests without infringing upon your rights and freedoms, such as using video surveillance for safety purposes and storing data to pursue or defend against legal claims.
• Article 9(2)(a) of the GDPR – the data subject has given explicit consent to the processing of special categories of personal data. This legal basis applies only when you voluntarily provide sensitive data (e.g. health information), which we process solely with your consent and only to the extent necessary to provide appropriate services.

4. Scope of Personal Data Processing

We process only the personal data necessary to achieve the purposes outlined above. The scope of processed data includes, in particular:

• dentification data: first and last name; for hotel guests, this may also include information from an identity document presented at check-in (e.g., ID card or passport number and series, nationality, date of birth), if required by check-in or security procedures.
• Contact information: email address, phone number, and, in certain cases, mailing address.
• Address data: residential or permanent address (if provided, for example, for registration purposes or for invoice issuance).
• Catering delivery address: the address provided for delivery of catering orders (if you are using the catering service), as well as any additional delivery details (e.g., apartment number, floor, company name).
• Stay and service-related data: information related to hotel reservations and stays (e.g., dates of stay, number of guests, room number), restaurant services (e.g., table reservations, food orders), and catering orders (e.g., order history, dietary preferences, if shared).
• Special categories of data (sensitive data): information regarding health, disability, allergies, or diet—only if you voluntarily provide such information to allow us to tailor our services.
• Image: video footage from CCTV cameras located on the hotel and restaurant premises (this applies to individuals present at the Aviator Hotel or Restaurant and may include facial image, body silhouette, etc.).

5. Recipients of Personal Data

Your personal data may be disclosed or transferred to the following categories of recipients, only to the extent necessary for the specified purposes of processing:

• Authorized employees and associates of the Data Controller: individuals involved in the operation of the hotel, restaurant, and catering services who must access data to perform their duties (e.g., front desk staff, reservations department, restaurant staff, catering delivery drivers). All of them are bound by confidentiality obligations.
• Delivery and courier service providers: if you order catering services, your contact details and delivery address may be shared with our partner delivery companies or couriers to ensure delivery of your ordered meals to the specified address.
• Payment service providers: if you use cashless payment methods (e.g., credit/debit card or online transfer) for our services, data necessary for payment processing may be transferred to banks or payment operators handling the transactions (e.g., payment terminal data, bank account number in the case of refunds).
• Accounting firms and financial advisors: data contained in financial documents (invoices, receipts) may be shared with entities handling our accounting services or with tax advisors, to the extent necessary for fulfilling accounting and tax obligations.
• IT service providers and system maintenance personnel: external companies providing hosting services, maintaining our IT systems (e.g., hotel booking system, restaurant management system, catering order management system), or offering technical support may access personal data when required for system servicing. In such cases, we enter into data processing agreements with these entities to ensure proper protection.
• Law firms and debt collection agencies: in the event of legal disputes, debt recovery, or the need to defend against claims, we may share necessary data with our legal advisors or entities engaged in debt collection, within the limits permitted by law.
• Public authorities and authorized agencies: your data may be disclosed to authorized public authorities (such as tax offices, police, prosecutors, courts) or other entities performing public duties, if such disclosure is required by law (e.g., tax audits, court orders for data disclosure, or obligations related to security or the prevention of significant threats).

We ensure that every recipient to whom your personal data is disclosed is obligated to protect that data and use it solely for specific purposes in accordance with our agreements, instructions, and applicable legal regulations.

6. Legal Basis for Data Processing

We process your personal data in accordance with applicable data protection regulations, in particular the General Data Protection Regulation (GDPR). The legal bases for data processing include:

• Article 6(1)(b) GDPR – performance of a contract: we process your data as necessary to conclude and perform a contract for the provision of services (e.g., hotel accommodation, catering, restaurant services), including making reservations, issuing invoices, processing payments, and handling complaints.
• Article 6(1)(c) GDPR – compliance with a legal obligation: certain data are processed to fulfill our legal obligations, such as those under tax, accounting, or public safety regulations (e.g., storing invoices, registering guests in line with local laws).
• Article 6(1)(f) GDPR – legitimate interests pursued by the controller: we may process your data based on our legitimate interests, such as ensuring the security of people and property (e.g., video surveillance), pursuing or defending legal claims, or improving the quality of services.
• Article 6(1)(a) GDPR – consent: if we ask for and obtain your explicit consent (e.g., for processing sensitive data such as health information or for sending marketing communications), we will process your data on that basis. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Article 9(2)(a) GDPR – explicit consent for processing special categories of data: if you voluntarily provide information related to your health, dietary preferences, or disability for the purpose of adjusting our services, we will process such data only based on your explicit consent.

7. Data Retention Period

Your personal data will be retained only for as long as necessary to fulfill the purposes described above, and thereafter for the period required by law or justified for the protection of the Controller’s rights. Specifically:

• Data related to the performance of contracts (reservations, stays, restaurant and catering services): we retain this data for the duration of the contract/service, and after its termination—for the period of limitation of claims arising from the contract. This is necessary for the purpose of defending against potential claims (ours or yours)—in most cases, the statute of limitations is a maximum of 6 years under the Polish Civil Code (or 3 years in the case of claims for periodic benefits or those related to business operations).
• Data processed in connection with legal obligations: we retain such data for the period required by applicable regulations. For example, accounting documents (invoices, reports) containing your personal data must be stored for 5 years from the end of the fiscal year to which they pertain, in accordance with tax and accounting laws. After the mandatory retention period, such data will be deleted or anonymized.
• CCTV surveillance data: video recordings from surveillance cameras are retained for a limited period, not exceeding 30 days from the date of recording. After this time, the recordings are automatically overwritten or permanently deleted, unless an incident requires the preservation of specific footage (e.g., for investigative or evidentiary purposes)—in such cases, the recording may be retained until the final resolution of the relevant proceedings.
• Special category (sensitive) data processed based on consent: if you have provided us with sensitive data (e.g., health-related, dietary information) in connection with the use of our services, we will store it only for as long as necessary to fulfill the purpose for which it was collected (e.g., until the end of your stay or completion of the relevant service), unless you withdraw your consent earlier. Once the service is completed or consent is withdrawn, the data will be promptly deleted unless its continued retention is required by law.
  After the aforementioned periods, your personal data will be deleted or anonymized in our systems so that it can no longer be linked to a specific individual.

8. Your Rights

In connection with the processing of your personal data, you have the following rights, which you may exercise at any time:

• Right of access – you have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with information such as the purposes of processing, categories of data, recipients, and the planned retention period. Upon request, we will also provide a copy of the data we process.
• Right to rectification – you have the right to request the immediate correction of inaccurate personal data concerning you or the completion of incomplete data (with regard to the purposes of processing). Please inform us of any changes to your data (e.g., name, address, phone number) so we can update our records.
• Right to erasure (“right to be forgotten”) – in the circumstances provided under Article 17 of the GDPR, you have the right to request the deletion of your personal data. You may request deletion, for example, when: the data is no longer necessary for the purposes for which it was collected, you have withdrawn consent for processing sensitive data and there is no other legal basis, you have lodged an effective objection, the data was unlawfully processed, or it must be deleted to comply with a legal obligation. Please note that the right to erasure is not absolute—we may deny a request if data processing is necessary, for example, to comply with a legal obligation or to establish or defend legal claims.
• Right to restriction of processing – this right allows you to request that we temporarily stop processing your data (other than storing it) in certain cases, such as when you contest the accuracy of the data (pending verification), when processing is unlawful but you object to erasure, when we no longer need the data for processing purposes but you need it to establish, assert, or defend legal claims, or when you have lodged an objection—until it is resolved.
• Right to data portability – you have the right to receive the personal data you have provided to us, processed based on your consent or a contract, in a structured, commonly used format (e.g., CSV), if processing is carried out by automated means. You may also instruct us to transmit such data directly to another controller, where technically feasible.
• Right to object – you have the right to object at any time to the processing of your personal data based on our legitimate interests (Article 6(1)(f) GDPR) for reasons related to your particular situation. This applies especially to objections to processing for purposes such as video surveillance or legal claims. If you object, we will stop processing your data for these purposes unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms (e.g., crucial safety considerations), or grounds for establishing, pursuing, or defending legal claims.
• Right to withdraw consent – where we process your personal data based on your consent (this applies only to special categories of data, such as health information provided voluntarily), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal—this means that processing up until the moment of withdrawal was lawful. Once consent is withdrawn, the data processed on that basis will be deleted, unless there is another legal basis for continued processing.
• Right to lodge a complaint with a supervisory authority – if you believe we are processing your data in violation of applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. In Poland, this authority is the President of the Personal Data Protection Office (UODO), address: ul. Stawki 2, 00-193 Warsaw.

To exercise your rights, you may contact us in any convenient way—e.g., by sending a request to the email address: biuro@aviatorsilesiaring.pl or in writing to the Controller’s registered office address. We will respond to requests regarding your rights without undue delay and no later than within one month of receipt (this period may be extended as provided in Article 12(3) of the GDPR if necessary, and we will inform you accordingly). The exercise of certain rights (e.g., erasure, objection, or data portability) may be limited in the cases specified by the GDPR—we will inform you each time of how your request is being handled and any actions taken or reasons for refusal.

Right not to be subject to automated decision-making: We also inform you that your data will not be used to make decisions about you solely through automated processing (without human involvement), including profiling, that would produce legal effects concerning you or similarly significantly affect you. In other words, we do not apply automated decision-making based on profiling to hotel guests or restaurant customers.

9. Voluntary Nature of Data Provision and Consequences of Non-Disclosure

Providing your personal data is voluntary; however, in some cases it may be necessary to enter into or perform a contract, or be required by law:

• Data necessary for service delivery: Providing certain data is a prerequisite for entering into a contract and using our hotel, restaurant, or catering services. For example, to book a room or table, we require at minimum your name and contact details; to fulfill a catering order with delivery, we need your delivery address and contact information. Failure to provide such data will prevent us from accepting your reservation or providing the requested service, as we will be unable to perform the contract (refusal to provide data results in our inability to conclude the contract or deliver the service).
• Statutory obligations: In certain cases, the provision of data may be legally required. For example, if you request a VAT invoice for a stay or restaurant service, we are obligated to collect the legally required data (e.g., company name, address, and tax identification number in the case of business clients). Tax and accounting regulations may also require us to collect and retain specific information. Refusal to provide data required by law may prevent us from providing the service or fulfilling your request (e.g., issuing an invoice).
• Additional (optional) data: Providing any additional data or information not necessary for contract performance or legal compliance (e.g., preferences, arrival time, booking comments, or sensitive data related to health/diet) is entirely voluntary and at your discretion. Not providing such data will not negatively affect the delivery of the core service, but it may mean we cannot accommodate certain individual preferences or needs (e.g., special diets, amenities).
• Video surveillance: Entering an area under video surveillance is, of course, voluntary. We provide clear signage in areas where cameras are in use. If you do not wish to be recorded, please avoid monitored areas. CCTV footage is processed based on our legitimate interest (ensuring safety), and there is no traditional data provision in this case—data is recorded automatically when you are within the camera's range.

In summary, when we collect data directly from you, it is always your choice whether and what information to provide. However, failure to provide data marked as necessary for a specific service may prevent us from delivering that service. In the case of data collected automatically (e.g., surveillance), simply using our services (e.g., entering the hotel/restaurant premises) involves data processing—you have the option to accept the terms of service that include monitoring for safety purposes. We assure you that we do not collect any data beyond what is necessary to achieve the stated purposes, and the provision of sensitive data is always entirely voluntary and requires your explicit consent.

Last update of this privacy notice: April 11, 2025.

This document is subject to periodic review and may be updated as necessary to reflect changes in our data processing practices or applicable regulations. We encourage you to check this notice regularly.