Privacy policy | Zamek Królewski w Warszawie

Privacy policy

INFORMATION CLAUSE

ON

PERSONAL DATA PROCESSING

In connection with the entry into force of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”, published in the Official Journal of the European Union under number L.2016.119.1 of 2016.05.04, we would like to inform you that:

  1. Data Controller:

    The controller of your personal data is Zamek Królewski w Warszawie – Muzeum. Rezydencja Królów i Rzeczypospolitej (The Royal Castle in Warsaw – Museum. The Residence of Kings and the Republic of Poland). With its registered office in Warsaw at Plac Zamkowy 4, 00-277 Warsaw, entered into the Register of Cultural Institution kept by the Minister of Culture and National Heritage under number 19/92, NIP (Taxpayer Identification Number): 526-000-13-12, REGON (National Business Registry Number): 000860582.

  2. Data Protection Officer

    In order to ensure that your personal data is processed correctly and in compliance with the law, the Data Controller appointed the Data Protection Officer who can be contacted in matters related to the protection of your data and exercising your rights at the following e-mail address: iod@zamek-krolewski.pl or in writing at the address of the Data Controller's registered office indicated above.

  3. Purposes and legal grounds of personal data processing:

    Your personal data will be processed by the Data Controller in order to pursue its statutory activities, on the following legal grounds:

    - Article 6 (1) (a) of the GDPR, i.e.: on the basis of consent given by the data subject, including to the extent of services provided electronically and for newsletter subscription,

    - Article 6 (1) (b) of the GDPR, i.e.: in connection with the conclusion and performance of contracts, arrangements, reservation of tickets for access to the Royal Castle in Warsaw – Museum,

    - Article 6 (1) (c) of the GDPR, i.e.: in connection with the performance of legal obligations imposed on the Data Controller, including to the extent of recruitment for vacancies,

    - Article 6 (1) (d) of the GDPR, i.e.: to the extent necessary to protect the vital interests of the data subject or any other natural person and insofar as necessary for the performance of a task carried out in the public interest, including by implementing an application procedure, information activities, implementing tasks related to the rental of library and archival resources, conducting scientific research, and implementing tasks connected with disseminating the knowledge about the history of the Royal Castle in Warsaw – Museum, exhibition activities, conservation activities, and implementing tasks related to the image of the Royal Castle in Warsaw – Museum as well as tasks related to ensuring the safety of visitors and other persons present on the premises of the Royal Castle in Warsaw (including through video surveillance).

    - Article 6 (1) (e) of the GDPR, i.e.: insofar as necessary for the performance of tasks carried out by the Data Controller in the public interest, including by conducting educational activities and performing tasks related to the organisation of official events,

    - Article 6 (1) (f) of the GDPR, i.e.: insofar as necessary for the purposes of legitimate interests pursued by the Data Controller, consisting in particular in the marketing of the Controller's own services and products, processing and security of its claims, for the purposes of creating the statements, analyses and statistics for internal needs of the Controller, which includes reporting, marketing, development planning, creating statistical models, creating statistical models for administrative purposes, as well as to ensure the security of networks and information.

  4. Recipients of personal data:

    The recipients of your personal data may be:

    - institutions and entities cooperating with the Data Controller,

    - contractors, selected by way of a public procurement procedure,

    - suppliers of IT systems and IT services,

    - entities providing accounting, auditing, claims recovery, legal, analytical and marketing services to the Data Controller,

    - postal operators and couriers,

    - carriers,

    - operators of electronic payment systems and banks, to the extent of executing payments,

    - bodies authorised by law to receive your personal data.

  5. Transfer of personal data to a third country:

    Personal data collected by the Data Controller shall not be transferred to a third country, unless the target country ensures an adequate level of personal data protection within its territory and the need to transfer personal data is based on applicable legal bases.

  6. Personal data retention period:

    Your personal data will be retained by the Data Controller only for the period necessary to implement the purpose of its statutory activities, i.e.:

    - where personal data is processed on the basis of Article 6 (1) (a) of the GDPR, i.e. on the basis of consent given by the data subject – until your consent is withdrawn, with the stipulation that after its withdrawal the scope of data processed by the Data Controller will be limited to the necessary minimum required to secure any claims,

    - where personal data is processed on the basis of Article 6 (1) (b) of the GDPR, i.e.: in connection with the conclusion and performance of contracts, arrangements, reservation of tickets for access to the Royal Castle in Warsaw – Museum – until claims arising from the aforementioned titles expire, and after their expiry – for a period necessary to fulfil legal obligations imposed on the Data Controller under tax, accounting or archiving regulations,

    - where personal data is processed on the basis of Article 6 (1) (c) of the GDPR, i.e. in connection with the performance of legal obligations imposed on the Data Controller – for a period necessary to fulfil the aforementioned obligations by the Data Controller (where personal data is processed in connection with the recruitment for vacancies – until the recruitment process is concluded and up to 3 months after its conclusion, and after the expiry of that period – for a period necessary to fulfil the legal obligation imposed on the Data Controller under archiving regulations),

    - where personal data is processed on the basis of Article 6 (1) (d) and (e) of the GDPR, i.e. insofar as necessary to protect the vital interests of the data subject or any other natural person and insofar as necessary for the performance of a task carried out in the public interest – until the intended purpose is implemented and any related claims expire and thereafter for a period necessary to fulfil legal obligations imposed on the Data Controller under tax, accounting or archiving regulations; where investigations related to the safety of visitors are pending – for a period necessary to perform the aforementioned activities, with the stipulation that in the video surveillance system – not longer than for a period of 3 months,

    - where personal data is processed on the basis of Article 6 (1) (e) of the GDPR, i.e. insofar as necessary to perform tasks carried out by the Data Controller in the public interest – until the intended purposes are implemented and any related claims expire and thereafter for a period necessary to fulfil legal obligations imposed on the Data Controller under tax, accounting or archiving regulations,

    - where personal data is processed on the basis of Article 6 (1) (f) of the GDPR, i.e. insofar as necessary for the purposes of the legitimate interest of the Data Controller – until any related claims expire, and where the legitimate interest of the Data Controller is to seek claims – until proceedings, including enforcement proceedings, are concluded with a final decision, and in the situation where the legitimate interest of the Data Controller is to conduct marketing to promote pursued activities – until an objection is lodged and thereafter for a period necessary to fulfil legal obligations imposed on the Data Controller under tax, accounting or archiving regulations.

  7. Your rights:

    You have the right to access your personal data, request its correction, rectification, erasure, restriction of its processing (marketing), right to data portability, and to lodge a complaint with the regulatory authority. Where the Data Controller processes your data on the basis of your consent, you have the right to withdraw that consent at any time without affecting the legality of processing carried out on the basis of that consent prior to its withdrawal.

  8. Requirement to provide personal data:

    The provision of personal data is necessary to implement the purposes referred to in paragraph 3) above.

  9. Automated decision-making:

Your personal data will not be processed in an automated manner, including in the form of profiling.