Privacy Policy
The purpose of this Policy is to present in a concise, transparent, understandable and easily accessible form, in a clear and simple language, the principles that our company follows when processing personal data of website visitors and our clients.
Who we are
The Controller of your personal data is the company Turpol Krzysztof Niewiadomski with its registered office in Pychowicka 18/93, 30-364 Kraków, Poland hereinafter referred to as ” Controller”. Contact regarding the protection of personal data is possible at the following e-mail address: travel@turpol.com
You can contact the Controller in all matters related to the processing of personal data, in particular:
– to exercise your rights regarding personal data,
– if it is noted that the principles set out in this policy are not implemented by the Controller,
– to report a breach of the protection of your personal data processed by the Controller.
You can contact the Controller by sending an email to: travel@turpol.com or by sending a letter to the Controller’s address with the note Personal Data.
Why do we process your personal data and on what legal basis we do it?
As an Controller, we process your personal data in connection with our business. Providing personal data is voluntary and depends on your decision however providing specific personal data is necessary to enable the implementation of the contract and fullfil legal obligations. The processing is carried out in accordance with the law based on Article 6. GDPR. Details you will find in the table below:
The purpose of processing personal data | Legal basis for the processing of personal data (GDPR art. 6, paragraph 1) | The scope of personal data | Period of storage of personal data |
1. enabling visitors to access content on the Website | point f) processing is necessary for purposes resulting from legitimate interests pursued by the Controller or by a third party. | Device and login information, so-called system logs, containing the date, time of visit and the IP number of the device from which the connection was made, as well as data on Website viewing statistics, traffic to and from individual websites. The above activities are aimed at improving the Services and adapting them to the needs of the User. The data can also be used for direct marketing purposes. Data saved in server logs are not associated with specific people using the Website or System and are not used by the Controller to identify the User. | Your personal data will be processed until you object or until you stop using the Website and the Controller's services. |
2. answering questions from website visitors using the contact form and emails - in the case of data required for contact | point f) processing is necessary for purposes resulting from legitimate interests pursued by the Controller or by a third party. | Name, email, mobile phone number. | The data will be stored as long as it is necessary to achieve the purpose of processing, i.e. answer the query, and then for archiving purposes depending on what the query was about. |
3. answering questions from website visitors using the contact form, emails and telephone - in the case of additional data provided voluntarily by you | point a) the data subject has consented to the processing of his personal data for one or more specific purposes. | Name, Surname, Other data provided by you voluntarily. | The data will be stored as long as it is necessary to achieve the purpose of processing, i.e. answer the query, and then for archiving purposes depending on what the query was about. |
4. provision of services by the Controller | point b) the processing is necessary for the performance of a contract to which the data subject is party or to take action at the request of the data subject before the conclusion of the contract. | Contact details: | In order to service any claims related to the service, your data is stored for 6 years from the end of the year in which the service was performed. |
5. provision of services by the Controller - in the case of additional data provided voluntarily by you | point a) the data subject has consented to the processing of their personal data for one or more specific purposes.. | Passport number, expiry date, data concerning health, e.g. for people with disabilities, people with reduced mobility, people requiring special medical care. | In order to service any claims related to the service, your data is stored for 6 years from the end of the year in which the service was performed. |
6. marketing, including sending commercial information to an email address and telephone number | point a) the data subject has consented to the processing of his personal data for one or more specific purposes. | Name, email | Your personal data will be processed until the consent for processing is withdrawn. |
7. fulfillment of legal obligations incumbent on the Controller | point c) processing is necessary to fulfil the legal obligation incumbent on the Controller. | Contact details: | In order to service any claims related to the service, your data is stored for 6 years from the end of the year in which the service was performed. |
In connection with the fact that the basis for the purposes of processing 1. and 2. indicated above, is the GDPR of Art. 6, item 1) letter f), the Controller has carried out an assessment of the legitimacy of data processing and concluded that data processing on this basis is justified for the purposes of processing. This is due to the nature of the connection between the Controller and you as a Website visitor or potential Customer for the services provided by the Controller. Processing based on this basis does not adversely affect your rights and interests.
To whom and why we transfer your personal data?
In conducting our business, we use the help of other entities, in particular:
– guides,
– carriers,
– hotel service providers,
– additional service providers (e.g. parking lots, airport services),
– local or national tourism chambers,
– IT service providers (software, website hosting, telecommunications),
– banks, insurance companies and entities servicing payments,
– accounting company.
In cases where it is necessary, we transfer your personal data to them. Sharing personal data with third parties is limited to data that is necessary for the implementation of our services.
We will never transfer, sell or otherwise disclose your personal data to third parties for marketing purposes.
If we are obliged by law or a court judgment to transfer data to other entities for purposes unrelated to the performance of our services, we will endeavour to ensure that the transfer is carried out in compliance with your rights.
Transfer of personal data to third countries
We use various popular services and technologies offered by entities such as Facebook, Microsoft, Google. These companies are based in the USA and joined the Privacy Shield program, under which they undertake to comply with standards in the field of personal data protection in accordance with the GDPR, therefore it is assumed that your personal data processed by these companies is properly protected.
Profiling and automatic decision making
Your personal data processed by the Controller are not subject to automated decision making in this profiling.
Your rights as the data subject:
– Right of access to data: you have the right to obtain information on whether and how your personal data is processed.
– Right to rectify data: you have the right to rectify your personal data that is incorrect or to complete incomplete.
– Right to delete data: you are to request the Controller to immediately delete your personal data, in accordance with art. 17 GDPR.
– Right to limit processing: you have the right to request the Controller to limit the processing of personal data concerning him, in accordance with art. 17 GDPR.
– Right to object: you have the right to object at any time to the processing of your personal data processed on the basis of the legitimate interest of the Controller (GDPR art. 6, paragraph 1) lit. f)).
– Right to withdraw consent: you have the right to withdraw your consent at any time to process your personal data processed on the basis of consent (GDPR art. 6, paragraph 1) lit. and)). Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent, before withdrawal.
– Right to lodge a complaint: you have the right to lodge a complaint to the supervisory body if you feel that the processing of data by the Controller violated your rights or is not in accordance with the GDPR.
– Your supervisory authority is: https://edpb.europa.eu/about-edpb/board/members_en
How you can exercise your rights
In order to exercise your rights (except for the right to lodge a complaint to the supervisory body), please contact the Personal Data Controller by sending an email to: travel@turpol.com or by sending a letter to the Controller’s address with the note Personal Data.
Final provisions
To the extent not covered by this Privacy Policy, the provisions on the protection of personal data shall apply.
This privacy policy is effective from December 6, 2019.