GDPR
The following summary provides a concise, clear, and transparent overview of the information contained in the Privacy Policy, regarding the Data Controller, the purposes and methods of personal data processing, and your rights in connection with such processing, in the format required to fulfill the information obligation under the GDPR. Details about the processing methods and entities involved are available in the full Privacy Policy.
Who is the Data Controller?
The Data Controller is GTO Global sp. z o.o., with its registered office at 3 Maja 22 / 2C, 40-096 Katowice, Poland, tax identification number (NIP): 6343029638, registration number (KRS): 0001062586, providing electronic services through the Website.
How can the Data Controller be contacted?
You may contact the Data Controller through the following means:
Postal address – GTO Global sp. z o.o., 3 Maja 22 / 2C, 40-096 Katowice, Poland
Email address – contact.pl@gto.global
Phone number – +48 32 600 79 19
Has a Data Protection Officer been appointed?
In accordance with Article 37 of the GDPR, the Data Controller has not appointed a Data Protection Officer. All data processing matters should be directed to the Data Controller.
What are the sources of personal data?
Personal data is collected from:
the individuals to whom the data pertains
social media platforms, with the express and informed consent of those individuals, when using registration via such platforms
What personal data do we process?
The Website processes ordinary personal data voluntarily provided by the data subjects (e.g. name and surname, home address, phone number, email address, passport details). A full list of processed data is available in the Privacy Policy.
What are the purposes of data processing?
Personal data voluntarily provided by Users is processed for the following purposes:
Provision of electronic services:
User account registration and maintenance on the Website and related functionalities
Newsletter services (including the delivery of promotional content with consent)
Communication with Users regarding the Website and data protection
To pursue the legitimate interests of the Data Controller
Specifically, your personal data may be processed:
a) To facilitate the conclusion and fulfillment of: a package travel contract with a tour operator and a travel insurance agreement with the insurer, as well as for after-sale assistance and contact concerning bookings made via our platform, in line with the Controller’s legitimate interest
b) For the promotion of our services and the understanding of your preferences, allowing us to tailor services and content to your needs, based on the Controller’s legitimate interest
c) For accounting purposes and financial settlements related to contracts concluded via our platform
d) To defend our rights and pursue claims related to our business activities, which may require processing personal data based on our legitimate interest
What are the legal bases for processing?
Data is processed in accordance with:
Regulation (EU) 2016/679 (GDPR), in particular:
Art. 6(1)(a) – consent to the processing of personal data for one or more specific purposes
Art. 6(1)(b) – processing necessary for the performance of a contract or to take steps prior to entering into a contract
Art. 6(1)(f) – processing necessary for the purposes of legitimate interests pursued by the controller or a third party
The Personal Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000)
The Telecommunications Law Act of 16 July 2004 (Journal of Laws 2004 No. 171, item 1800)
The Copyright and Related Rights Act of 4 February 1994 (Journal of Laws 1994 No. 24, item 83)
What legitimate interests are pursued by the Data Controller?
Establishing, pursuing, or defending legal claims
Assessing risk related to potential clients
Evaluating planned marketing campaigns
Conducting direct marketing
How long is personal data stored?
As a rule, personal data is stored only for the duration of service provision on the Website. Data is deleted or anonymized within 30 days after the service ends (e.g. account deletion, unsubscription from the newsletter). In exceptional cases, to safeguard the Controller’s legitimate interest, the retention period may be extended up to 3 years following a request for data deletion, if the data subject is suspected of breaching the Website Terms.
Who receives the personal data?
Generally, the Data Controller is the sole recipient. However, data may be processed by other entities providing services to the Controller, such as:
Will personal data be transferred outside the European Union?
Yes. Personal data may be transferred outside the European Union due to the use of service providers based outside the EU or as a result of the User’s own activity (e.g. posting a comment). In such cases, the data is processed based on an agreement between the Controller and the provider, incorporating the European Commission’s standard contractual clauses.
Will personal data be used for automated decision-making?
No. Personal data is not used for automated decision-making (profiling).
What rights do you have concerning your personal data?
Who is the Data Controller?
The Data Controller is GTO Global sp. z o.o., with its registered office at 3 Maja 22 / 2C, 40-096 Katowice, Poland, tax identification number (NIP): 6343029638, registration number (KRS): 0001062586, providing electronic services through the Website.
How can the Data Controller be contacted?
You may contact the Data Controller through the following means:
Postal address – GTO Global sp. z o.o., 3 Maja 22 / 2C, 40-096 Katowice, Poland
Email address – contact.pl@gto.global
Phone number – +48 32 600 79 19
Has a Data Protection Officer been appointed?
In accordance with Article 37 of the GDPR, the Data Controller has not appointed a Data Protection Officer. All data processing matters should be directed to the Data Controller.
What are the sources of personal data?
Personal data is collected from:
the individuals to whom the data pertains
social media platforms, with the express and informed consent of those individuals, when using registration via such platforms
What personal data do we process?
The Website processes ordinary personal data voluntarily provided by the data subjects (e.g. name and surname, home address, phone number, email address, passport details). A full list of processed data is available in the Privacy Policy.
What are the purposes of data processing?
Personal data voluntarily provided by Users is processed for the following purposes:
Provision of electronic services:
User account registration and maintenance on the Website and related functionalities
Newsletter services (including the delivery of promotional content with consent)
Communication with Users regarding the Website and data protection
To pursue the legitimate interests of the Data Controller
Specifically, your personal data may be processed:
a) To facilitate the conclusion and fulfillment of: a package travel contract with a tour operator and a travel insurance agreement with the insurer, as well as for after-sale assistance and contact concerning bookings made via our platform, in line with the Controller’s legitimate interest
b) For the promotion of our services and the understanding of your preferences, allowing us to tailor services and content to your needs, based on the Controller’s legitimate interest
c) For accounting purposes and financial settlements related to contracts concluded via our platform
d) To defend our rights and pursue claims related to our business activities, which may require processing personal data based on our legitimate interest
What are the legal bases for processing?
Data is processed in accordance with:
Regulation (EU) 2016/679 (GDPR), in particular:
Art. 6(1)(a) – consent to the processing of personal data for one or more specific purposes
Art. 6(1)(b) – processing necessary for the performance of a contract or to take steps prior to entering into a contract
Art. 6(1)(f) – processing necessary for the purposes of legitimate interests pursued by the controller or a third party
The Personal Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000)
The Telecommunications Law Act of 16 July 2004 (Journal of Laws 2004 No. 171, item 1800)
The Copyright and Related Rights Act of 4 February 1994 (Journal of Laws 1994 No. 24, item 83)
What legitimate interests are pursued by the Data Controller?
Establishing, pursuing, or defending legal claims
Assessing risk related to potential clients
Evaluating planned marketing campaigns
Conducting direct marketing
How long is personal data stored?
As a rule, personal data is stored only for the duration of service provision on the Website. Data is deleted or anonymized within 30 days after the service ends (e.g. account deletion, unsubscription from the newsletter). In exceptional cases, to safeguard the Controller’s legitimate interest, the retention period may be extended up to 3 years following a request for data deletion, if the data subject is suspected of breaching the Website Terms.
Who receives the personal data?
Generally, the Data Controller is the sole recipient. However, data may be processed by other entities providing services to the Controller, such as:
- Hosting companies
- Newsletter service providers
- Payment processors (for purchases on the Website)
- Accounting service providers
- Tour operators, insurance companies, and financial institutions under agency or brokerage agreements, as needed to perform the relevant contracts
Will personal data be transferred outside the European Union?
Yes. Personal data may be transferred outside the European Union due to the use of service providers based outside the EU or as a result of the User’s own activity (e.g. posting a comment). In such cases, the data is processed based on an agreement between the Controller and the provider, incorporating the European Commission’s standard contractual clauses.
Will personal data be used for automated decision-making?
No. Personal data is not used for automated decision-making (profiling).
What rights do you have concerning your personal data?
- Right of access – you may request access to your personal data
- Right to rectification – you may request correction of inaccurate or incomplete data
- Right to erasure – you may request deletion of your personal data (e.g. by anonymizing your user account or unsubscribing from the newsletter)
- Right to restriction – you may request limited processing in cases listed in Article 18 of the GDPR
- Right to data portability – you may request your data in a structured, commonly used, machine-readable format
- Right to object – you may object to processing in cases listed in Article 21 of the GDPR
- Right to lodge a complaint – you may submit a complaint to a data protection supervisory authority
