Privacy

The privacy policy of www.arche.pl defines the rules under which your data will be processed and the entity responsible for its processing – in accordance with generally applicable laws.

The privacy policy also defines the purposes for which your personal data will be processed, the scope of their processing, and the rights you have in connection with the processing of your personal data by us.

Table of Contents

PREAMBLE
§1 Definitions
§2 Data Controller
§3 Data Protection Officer
§4 Purposes of processing your personal data
§4A Processing of personal data for the purpose of responding to your requests/inquiries that you send to us via contact sources available on the Website, including through our fan pages on social media portals
§4B Processing of personal data for the purpose of concluding and properly performing a hotel service contract or taking actions at your request before its conclusion
§4C Processing of personal data for the purpose of identifying persons representing the party to the conference contract or the contract for organizing events or group stays
§4D Processing of personal data for the purpose of identifying persons representing the party to the contract for organizing special events
§4E Processing of personal data for the purpose of identifying persons representing the party to the contract for the supply of products or services
§4F Processing of personal data for recruitment procedure for the position you apply for via the "Jobs and Careers" tab
§5 Joint controllership of personal data within the framework of directing commercial information about promotions, offers, and events organized by the Joint Controllers, including sending newsletters (direct marketing)
§6 Your rights
§7 Automated decision making
§8 Security of personal data

PREAMBLE

The privacy policy of www.arche.pl defines the rules under which your data will be processed and the entity responsible for its processing – in accordance with generally applicable laws.

The privacy policy also defines the purposes for which your personal data will be processed, the scope of their processing, and the rights you have in connection with the processing of your personal data by us.

§1 Definitions

The terms used in this document mean:

  • Policy – The privacy policy of the website www.arche.pl.
  • Website – www.arche.pl.
  • GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 2016 No. 119, p. 1 with later amendments).
  • Personal data – any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name and surname, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Processing – any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  • Controller – a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  • Joint Controller – at least two controllers jointly determining the purposes and means of processing your personal data.
  • Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Recipient – a natural or legal person, public authority, agency or another body to which personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a specific inquiry in accordance with Union law or the law of the Member State are not considered recipients.

§2 Data Controller

  1. The controller of your personal data is "ARCHE" S.A. headquartered in Konstancin-Jeziorna (postal code: 05-520) at Mirkowska Street 45A, registered in the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under the number: 0000831001, NIP: 8211639335, REGON: 71002127700000, with a share capital of PLN 2,982,300.00 – fully paid.
  2. You can contact the Controller via traditional mail to the Controller’s registered office address indicated above or by email: rodo@arche.pl.

§3 Data Protection Officer

  1. The Controller has appointed a Data Protection Officer with whom you can contact regarding all matters related to the processing of your personal data through the following means:
    • traditional mail to the Controller’s registered office address indicated in §2 point 1 of this policy marked with – Data Protection Officer
    • via email address: rodo@arche.pl.

§4 Purposes of processing your personal data

  1. Your personal data will be processed by us for the following purposes:
  • Providing responses to your requests/inquiries that you send to us via contact sources available on the Website, including through our fan pages on social media portals.
  • Concluding and properly performing the contract or taking actions at your request before its conclusion.
  • Conducting a recruitment procedure for the position you apply for via the "Jobs and Careers" tab.
  • Directing commercial information to you about promotions, offers, and events organized by the Joint Controllers, including sending newsletters to your email address (direct marketing) – if you consent to such actions. This activity will take place within the framework of Joint Data Control – as referred to in §5 of the Policy.

§4A Processing of personal data for responding to your requests/inquiries that you send to us via contact sources available on the Website, including through our fan pages on social media portals

  1. Your personal data will be processed by us to respond to your message/inquiry if you decide to contact us through our communication channels available on the Website (including, among others, the contact form, email or through our fan pages on social media portals such as: Facebook, Instagram, LinkedIn, and YouTube).
  2. The legal basis for processing your personal data by us will be Article 6(1)(f) GDPR i.e. the legitimate interest of the Controller consisting in processing your requests or inquiries that you send to us and providing responses to them.
  3. If you send us an inquiry or request via our social media profile:
    • Facebook and Instagram – the recipients of your personal data will be Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter: Meta Facebook Platforms).

More information about the processing of your personal data by the Facebook and Instagram social media platforms can be found at the following links:

More information about the processing of your personal data by the LinkedIn social media platform can be found at the following link:

More information about the processing of your personal data by the YouTube social media platform can be found at the following link:

4. If your data are transferred within the fan pages on the above-mentioned social media portals to locations in a third country (outside the European Economic Area), this will only take place with appropriate data security measures (standard contractual clauses).

5. Additionally, recipients of your personal data may be entities providing IT and legal services to the Controller.

6. We will store your personal data for the period necessary to conduct correspondence with you, in particular for the period necessary to respond to your messages/inquiries.

7. Providing your personal data is mandatory if you want to contact us and receive a response to your inquiry or request.

§4B Processing of personal data for concluding and properly performing a hotel service contract or taking actions at your request before its conclusion

1. Your personal data will be processed for the following purposes:

  • concluding and properly performing a hotel services contract (hereinafter: Contract) or taking actions at your request before the Contract is concluded,
  • protection of persons and property through the use of video surveillance,
  • performing organizational activities in the framework of event organization, group stays, and special events,
  • fulfillment of legal obligations imposed on the Controller by generally applicable laws,
  • pursuing or defending against possible claims arising in the course of performing the Contract or after its termination.

2. The legal basis for processing your personal data by us will be:

  • for concluding and properly performing the Contract or taking actions at your request before its conclusion – Article 6(1)(b) GDPR,
  • for the protection of persons and property – Article 6(1)(f) GDPR, i.e. the legitimate interest of the data controller consisting in ensuring the safety of persons present on the premises,
  • for the performance of organizational activities related to events, group stays, and special events – Article 6(1)(f) GDPR, i.e. the legitimate interest of the data controller consisting in ensuring the proper organization and proper course of events and occasions,
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – Article 6(1)(c) GDPR in connection with Article 70 of the Act of 29 August 1997 – Tax Ordinance and Article 74 of the Act of 29 September 1994 on Accounting,
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – our legitimate interest in protecting the interests of the Data Controller (i.e. Article 6(1)(f) GDPR).

3. The recipients of your personal data will be entities providing legal, financial, and IT services to the Controller.

4. Your personal data will be stored:

  • for the purpose of concluding and properly performing the Contract or taking actions at your request before its conclusion – for the period necessary to conclude or properly perform it,
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – no longer than 5 years, counted from the end of the calendar year in which the basis for charging a public-law receivable occurred,
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – for the period provided for in generally applicable law, depending on the legal relationship from which the claim arises.

5. Providing your personal data (for the purpose referred to in §4B point 1) is a condition for concluding the contract, as without their provision we will not be able to conclude it with you. Providing personal data by hotel guests and participants of events and occasions is necessary for their proper organization and ensuring the proper course. Providing your personal data is also mandatory due to the need to fulfill legal obligations imposed on us and because we would not be able to pursue our legitimate interests.

§4C Processing of personal data for concluding and properly performing a contract for identifying persons representing the party to the conference contract or event/group stay organization contract

1. Your personal data will be processed for the following purposes:

  • identifying a person authorized to conclude the contract on their own behalf or on behalf of an organization (e.g., a commercial company, foundation, association, administrative unit),
  • identifying a person authorized to contact and cooperate in pre-contractual activities and in the performance of the concluded contract,
  • fulfillment of legal obligations imposed on the Controller by generally applicable laws,
  • pursuit or defense against possible claims arising during the performance of the Contract or after its termination.

2. The legal basis for processing your personal data by us will be:

  • for identification of the person authorized to conclude the contract and identification of the person authorized to contact and cooperate in the performance of the concluded contract – Article 6(1)(f) GDPR, i.e. the legitimate interest of concluding contracts and contacts in the case of a party to the contract being a legal person; for a natural person (e.g., an entrepreneur) concluding the contract on their own behalf, the legal basis for data processing is Article 6(1)(b) GDPR,
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – Article 6(1)(c) GDPR in connection with Article 70 of the Act of 29 August 1997 – Tax Ordinance and Article 74 of the Act of 29 September 1994 on Accounting,
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – our legitimate interest in protecting the interests of the Data Controller (i.e., Article 6(1)(f) GDPR).

3. The recipients of your personal data will be entities providing legal, financial, and IT services to the Controller. Your personal data will be stored similar to the periods referred to in §4B.

4. Providing your personal data (for the purpose referred to in §4C point 1) is a condition for concluding the contract, as without their provision we will not be able to identify the persons authorized to represent and persons authorized to cooperate.

§4D Processing of personal data for identifying persons representing the party to the contract for organizing special events

1. Your personal data will be processed for the following purposes:

  • identifying a person authorized to conclude the contract,
  • fulfillment of legal obligations imposed on the Controller by generally applicable laws,
  • pursuit or defense against possible claims arising during the performance of the Contract or after its termination.

2. The legal basis for processing your personal data by us will be:

  • for identification of the party to the contract and performance of the concluded contract – Article 6(1)(b) GDPR,
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – Article 6(1)(c) GDPR in connection with Article 70 of the Act of 29 August 1997 – Tax Ordinance and Article 74 of the Act of 29 September 1994 on Accounting.
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – our legitimate interest in protecting the interests of the Data Controller (i.e., Article 6(1)(f) GDPR).

3. The recipients of your personal data will be entities providing legal, financial, and IT services to the Controller.

4. Your personal data will be stored:

  • for concluding and properly performing the Contract or taking actions at your request before its conclusion – for the period necessary for its conclusion or proper performance.
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – no longer than 5 years, counted from the end of the calendar year in which the basis for charging a public-law receivable occurred.
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – for the period provided for in generally applicable law, depending on the legal relationship from which the claim arises.

5. Providing your personal data (for the purpose referred to in §4D point 1) is a condition for concluding the contract, as without their provision we will not be able to identify the persons being the party to the contract.

§4E Processing of personal data for identifying persons representing the party to the contract for supply of products or services

1. Your personal data will be processed for the following purposes:

  • identifying a person authorized to conclude the contract on behalf of an organization (e.g., commercial company, foundation, association, administrative unit) or concluding the contract on their own behalf (e.g., natural person running a business).
  • identifying a person authorized to contact and cooperate in pre-contractual activities and during the performance of the concluded contract.
  • fulfillment of legal obligations imposed on the Controller by generally applicable laws.
  • pursuit or defense against possible claims arising during the performance of the Contract or after its termination.

2. The legal basis for processing your personal data by us will be:

  • for identification of the person authorized to conclude the contract and identification of the person authorized to contact and cooperate in pre-contractual activities and the performance of the concluded contract – Article 6(1)(f) GDPR, i.e. the legitimate interest of concluding contracts and contacts in the case of the party to the contract being a legal person; for a natural person (e.g., entrepreneur) concluding the contract on their own behalf, the legal basis for data processing is Article 6(1)(b) GDPR,
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – Article 6(1)(c) GDPR in connection with Article 70 of the Act of 29 August 1997 – Tax Ordinance and Article 74 of the Act of 29 September 1994 on Accounting.
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – our legitimate interest in protecting the interests of the Data Controller (i.e. Article 6(1)(f) GDPR).

3. The recipients of your personal data will be entities providing legal, financial, and IT services to the Controller.

4. Your personal data will be stored:

  • for concluding and properly performing the Contract or taking actions at your request before its conclusion – for the period necessary to conclude or properly perform it.
  • to fulfill legal obligations imposed on the Controller by generally applicable laws – no longer than 5 years, counted from the end of the calendar year in which the basis for charging a public-law receivable occurred.
  • to pursue or defend against possible claims arising during the performance of the Contract or after its termination – for the period provided for in generally applicable law, depending on the legal relationship from which the claim arises.

5. Providing your personal data (for the purpose referred to in §4E point 1) is a condition for concluding the contract, as without their provision we will not be able to identify the persons authorized to represent and persons authorized to cooperate.

§4F Processing of personal data for conducting a recruitment procedure for the position you apply for via the "Jobs and Careers" tab

1. We will process your personal data to conduct the recruitment procedure for the position you applied for via the "Jobs and Careers" tab on the Website. Based on the information you provide, we select the candidate best suited to our expectations and make decisions on the subsequent stages of the recruitment process (arranging a meeting, conducting an interview, etc.).

2. The legal basis for processing your personal data will be:

  • Article 6(1)(a) i.e. your voluntarily given consent to the processing of your personal data for the needs of future recruitment processes organized by the Controller, including informing you about new job offers at the email address you provide – for the next 12 months.
  • Article 6(1)(a) GDPR i.e. your voluntarily given consent to the processing of your personal data if you have included in your application documents or disclosed during an interview personal data beyond what is required for concluding a contract with you or prescribed by law (this consent is given by your explicit actions).
  • Article 9(2)(a) GDPR i.e. your voluntarily given consent to the processing of your special categories of personal data if you have included in your application documents or disclosed during an interview data beyond what is required for concluding a contract or prescribed by law (e.g., data concerning your health condition).
  • Article 6(1)(b) GDPR i.e. the necessity to process your personal data to conclude a contract with you (establish employment) or take actions before its conclusion at your request.
  • Article 6(1)(c) GDPR in connection with Article 22(1) of the Labour Code i.e. the necessity to process your personal data to fulfill a legal obligation imposed on the controller by generally applicable laws (in the event of intending to employ you based on an employment contract).

3. Recipients of your personal data may be entities providing recruitment, IT, and legal services to us.

4. Your personal data will be processed (stored) by us until the recruitment process for the position you applied for ends. If you consent to the processing of your personal data for future recruitment processes, your personal data will be stored until you withdraw your consent – but no longer than 12 months.

5. Providing personal data where the legal basis for processing is your consent (i.e. data processed on the basis of Article 6(1)(a) GDPR and Article 9(2)(a) GDPR) is entirely voluntary. Providing other personal data is a statutory obligation or a condition for concluding a contract – without providing which it will not be possible to conduct the recruitment process involving you.

§5 Joint controllership of personal data within the framework of directing commercial information about promotions, offers, and events organized by the Joint Controllers, including sending newsletters (direct marketing)

The Joint Controllers of your personal data will be the following entities that will process your personal data based on the Joint Controllership Agreement (hereinafter: Joint Controllers):

  • "ARCHE" S.A. headquartered in Konstancin-Jeziorna (postal code: 05-520) at Mirkowska St. 45A.
  • ARCHE ADMINISTRACJA Sp. z o.o. headquartered in Warsaw (postal code: 02-801) at Puławska St. 361.
  • Lena Grochowska Foundation headquartered in Siedlce (postal code: 08-110) at Brzeska St. 134.
  • WG 1 SPV sp. z o.o. headquartered in Warsaw (postal code: 02-826) at Poloneza St. 85B.

We note that the current list of Joint Controllers may change in the future – the current list of Joint Controllers can always be found on the website www.arche.pl.

2. The Joint Controllers are jointly responsible for protecting your personal data.

3. Your contact point regarding your data protection matters is Auraco Sp. z o.o. based in Warsaw (postal code: 00-382) at Solec St. 81B/73A, with whom you can contact by mail at the above address or via email at arche.marketing@auraco.pl.

4. The Joint Controllers will process your personal data to carry out marketing activities towards you by sending personalized commercial information about promotions and current product and service offers of the Joint Controllers as well as events related to the Joint Controllers and their activities to your email address and/or phone number.

5. The legal basis for processing your personal data is your consent to such processing for the mentioned purposes (i.e., Article 6(1)(a) GDPR), which you can withdraw at any time – however, withdrawal will not affect the lawfulness of processing carried out based on consent before its withdrawal.

6. Recipients of your personal data may be intermediaries offering our services or products or supporting our initiatives, as well as entities supporting our marketing activities, i.e., providers of systems used to manage marketing databases and entities providing IT and telecommunication services to us. Under no circumstances will your personal data be transferred by the Joint Controllers outside the European Economic Area.

7. We will store your personal data until you withdraw your consent to their processing or until the purposes of the Joint Controllers for which they were collected cease to apply (e.g., in the case of discontinuing marketing campaigns).

8. Providing your personal data is entirely voluntary, but without them, the Joint Controllers will not be able to send commercial information about promotions and current offers of their products and services to your email address and/or phone number.

9. We will analyze your relationship history with us (e.g., services you have used) and information obtained through interaction analysis with our websites to determine your preferences and interests, which will allow us to send personalized commercial information about products, offers, and events organized by the Joint Controllers.

10. We will not process your personal data for automated decision-making purposes.

§6 Your rights

1. In connection with data processing, you have the right to:

  • Withdraw your consent to the processing of your personal data at any time (in cases where we process your personal data based on your consent).
  • Object to the processing of personal data (in cases specified in Articles 21 and 22 of GDPR).
  • Data portability – if the legal basis for processing your personal data is your consent or the conclusion and proper performance of the Contract.
  • Access your personal data and receive a copy (Article 15 GDPR).
  • Rectify inaccurate or incomplete data (Article 16 GDPR).
  • Delete your personal data (the so-called right to be forgotten, in cases specified in Article 17 GDPR).
  • Restrict processing of your personal data (in cases specified in Article 18 GDPR).

2. If you find that we process your personal data contrary to the generally applicable laws, you have the right to lodge a complaint with the supervisory authority, which in the Republic of Poland is the President of the Office for Personal Data Protection.

§7 Automated decision making

We will not process your personal data for the purpose of automated decision-making.

§8 Security of personal data

1. The website has a valid certificate issued by a trusted certification authority. This means that information such as passwords or credit card details is securely sent to this site and cannot be intercepted.

2. The IT employee grants users of the IT systems the rights to process personal data in the Controller’s IT systems immediately after receiving a declaration from the user on keeping personal data confidential and methods of securing it.

3. Access to the Controller’s IT systems used for personal data processing is possible only after providing a unique identifier and password.

4. Data encryption is applied, especially for data transmitted via public networks.

5. Each person employed/cooperating in personal data processing has been authorized to process data.

6. Agreements on entrusting data processing pursuant to Article 28 GDPR have been concluded with third parties processing data on behalf of the Data Controller.

7. Authorized persons have been trained on safe data processing principles.

8. Responsibility for actions related to data security has been defined.

9. Persons processing personal data have submitted statements on confidentiality of personal data and methods of securing personal data.

10. Periodic verification of data integrity is conducted by restoring data from backups.

11. Emergency power supply of servers and workstations has been implemented via UPS or dedicated power network.