GDP Regulations

Appendix No. 1 to the Resolution No. 20/6/2018 dated May 15th 2018.


Dear Sir or Madam,

The safety and confidentiality of your data is our priority. We assure you that we have made, and always will make, every effort to guarantee the protection of your data by applying adequate technical and organisational measures, including the application of protections in designing new services and solutions.

These Regulations are aimed at informing the customers and interested parties of the purpose, scope and categories of processing of their personal data, the time of processing and the rights of the subjects, in line with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Data Protection Regulation), that became binding on May 25th 2018. 

Data Controller and Data Protection Officer

The Controller of your Data is the “Ustroń” S.A. Health Resort Company in Ustroń, ul. Sanatoryjna 1 (

All additional information may be obtained from the Data Protection Officer at the address or by traditional mail, using the company address provided above.

Data Safety

To guarantee the safety of your data, we have conducted a Data Processing Impact Assessment considering the processing risks and the risk analysis for the applied protections.

We are currently applying high-end and proven preventive measures and mechanisms for the monitoring of the processing methods, the data flow and the access to the information, to guarantee that the processing of data is not only proceeding lawfully but also in line with the best practices of data protection and IT systems.

Currently, your data stored in our resources is not transferred outside the European Economic Area (EU). If such a transfer is made, we shall inform you of this fact immediately, and we shall post such information to our website, including these Regulations.

Categories of collected personal data

We inform you that currently, due to our activity, we process (or we may process) the following data:

  • Personal data of our employees, candidates applying for a job, trainees and apprentices.

The data is processed to meet our legal obligations such as, e.g. the Labor Code serving as a basis for processing data in the legally required period of up to 50 years. The personal data of the candidates for a job are processed in the recruitment period based on the consent expressed in the application documents for the recruitment process.

  • Shareholders’ data

The data is processed to meet the legal obligations in line with the Commercial Companies Code and for keeping a record of shares. The information is processed within a period in line with the period of defence of legal claims and prescription based on civil, criminal and administrative procedure.

  • Patients’ data

The data is processed to provide services related to the treatment processes and the provision of dedicated medical services and procedures based on the Healthcare Institutions Law, the Act on Patients’ Rights and the Patients’ Rights Office or based on the contract concluded with commercial patients (private customers). The data about your health is stored for up to 30 years, depending on the medical services provided. The data may also be processed to enforce and defend claims due to civil, enforcement, administrative and criminal procedures.

The data is processed to provide services related to the purchase of products in our online shop, the delivery and responding to customer requests, including the handling of returns and complaints. Based on the provided services, the data is stored for five years from the date of the purchase in our shop.

  • Personal data of contractors as well as co-operating persons and entities

The data is stored to ensure the highest quality of our services based on a contract and in the range specified in the contract. The personal data of the contractors is processed based on provisions of law (e.g. the Accounting Act) for a period of 5 years.

  • Data of persons interested in cooperating with our company

The data is processed to commence cooperation with new customers, based on a request of persons interested in our offer, only in the period of negotiations and trade talks.

All data about the above have been acquired only based on your consent and to the extent specified by you.

  • Personal data of our hotel guests

The data is processed to ensure the high quality of services related to your stay in our accommodation facilities, including the handling of complaints, and to issue invoices. All data about your visit is acquired only based on your consent and to the extent specified by you. The data is stored in the period of the contract for the provision of accommodation services and based on the legal regulations about the issuing and payment of the VAT invoice. The data may also be processed throughout the limitation period for claims or up to the moment of ending civil and administrative procedures.

  • Personal data of persons registered by the monitoring system

The data is processed for protection of persons and the property of our patients, hotel guests and other persons present at the premises of our facilities for a period in line with the period of enforcement and defence of claims in civil, enforcement, administrative and criminal procedures.

  • Data of participants of contests and promotional campaigns

The data is processed to organise contests and promotional campaigns, for the duration of these contests and campaigns. If you express an additional consent, we will also be able to process your data for marketing purposes (i.a. distribution of commercial information) after these events are completed, until you withdraw such consent.

  • Data of persons who expressed consent for marketing purposes

The data is processed based on adequate consent. We always process the data to send you commercial information (including the newsletter), news, promotions, contests and other exciting events organized by us or our partners, through the media specified in the consent (provision of services by electronic means, electronic mail, by telephone, text messages) until such approval is withdrawn. Based on the acquired consent, profiling may be performed, and the information that will be sent may be customised based on, e.g. the already provided services, sex or birth date.

  • The personal data of the “Your road to health” (Polish: “Twoja droga do zdrowia”) loyalty program

The data is processed to handle the loyalty program addressed to our customers, based on the consent expressed by the participant of the program, until such approval is withdrawn.

  • Other data provided to us to exercise cooperation contracts

Our resources also include other personal data for which our company is not the Data Controller but which we, as sub-contractors, use in the performance of various duties and contracts, such as the contracts for the provision of accommodation services submitted through an online booking system. The data may also pertain to natural persons and legal entities which provide services for our company. The data is processed in the period of the contracts remaining in force and for the defence of claims, claim limitations and due to civil, administrative, criminal and court procedures.

Your data may be transferred to the following categories of recipients:

  1. entities providing us with services necessary for the achievement of the above objectives,
  2. entities providing legal services,
  3. entities providing courier services,
  4. entities providing insurance services,
  5. entities that are entitled based on the provisions of law.

We make efforts for your data stored by us to be current and the range to be limited only to the data necessary for the performance of the services indicated above.

Rights of persons regarding personal data

At each stage of data processing, you shall have the right to:

  • access your data, including obtaining information regarding the scope of the data processed by us as well as acquiring a copy of the data;
  • modify and correct your data, including, if there are no other legal contraindications, limiting the range of processing;
  • have your data completely removed (the so-called “right to be forgotten”), unless there are other legal contraindications to apply that law;
  • not be subject to the automated decision-making process, including profiling-based decisions;
  • object to improper processing of personal data (including the withdrawal of consent);
  • transfer the data to another Data Controller, if the data is processed based on a provided consent or a concluded contract.

To ensure the proper handling of your requests and to guarantee due diligence in the process, we have prepared a form through which you may request exercising the above rights. The form may be obtained at our website in the GDP Regulations tab, as a link to a document. To facilitate the correct filling out of the form and to ensure faster examining of the request, the form is accompanied by instructions on how to fill it out.

Filled out forms should be submitted directly at our seat, through traditional mail sent to our address or by electronic mail sent at We kindly request for the form to bear an electronic signature or for it to be a scanned document bearing a signature. Otherwise, your request may not be examined.

Each submitted motion is examined individually and on the basis of the binding provisions of law. We want to remind you that the possibility of exercising a given right may depend on the legal basis for a given purpose in which your data is processed and, e.g. on whether the processing of information isn’t dependent on the performance of a contract or service.

We assure you that we shall make all efforts for your motions to be examined without an excessive delay. The maximum period for reviewing a motion shall be one month from the moment of receiving a proposal. The term may not be met, however, due to the character of the proposal. Should such a situation occur, you shall be informed of the delay and the causes of the delay. In the case where we will not be able to accept and examine your motion, we also undertake to inform you of the fact.

We now inform you that the motions are examined free of charge. However, we reserve the right to charge for providing information in line with art. 12 and 15, section 3 of GDPR if such motions are not substantiated or excessive. The amount of the charge or any other reasons for which we may not exercise your proposal shall be notified to you immediately.

We would also like to inform you that to ensure a proper level of safety on transferring of data in a situation where we shall not be able to identify you and authorise you to receive data, we reserve the right to change the method of informing. You shall be notified of this fact.

In case of exercising the right to transfer the data, we, as a Data Controller, shall directly transfer your data to the Controller indicated by you in the motion as far as there is the technical possibility of moving the data. We ensure that we shall inform you of such a decision.

Additional information

Complaints about the processing of personal data may be submitted to a personal data protection supervisory body. In the Republic of Poland, such a supervisory authority is the President of the Personal Data Protection Office.

These Regulations shall become binding on May 25th 2018 until revoked and are the implementation of the legal duty resulting from art. 13 – 14 of GDPR. We hereby reserve the right to introduce alterations to the Regulations, always to improve the quality of our services and while respecting your rights and privacy.

Ustroń, May 15th 2018. The Board of the “Ustroń” S.A.

