Privacy policy
I. Definitions
- Data Protection Officer - an individual with expertise in data protection law and practice who is appointed by the data controller to assist with internal compliance with the provisions of the GDPR.
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- Controller / Personal Data Controller - Centrum Światowida Sp. z o.o. with its registered office at ul. Komitetu Obrony Robotników 45A, 02-146 Warsaw, NIP: 5242726128, KRS: 0000376009.
- Personal data - information about an identified or identifiable natural person; an identifiable natural person is a person who can be directly or indirectly identified by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including an IP address, location data, an internet identifier, and information collected through cookies and other similar technologies.
- Policy - this Privacy Policy.
- Website - the website operated by the Personal Data Controller at www.galeriapolnocna.pl
- User - any natural person visiting the Website or using one or more services or functionalities described in the Policy, as well as a natural person whose personal data is processed by the Personal Data Controller, e.g. visiting the premises of the Personal Data Controller or directing an enquiry to it in the form of an e-mail.
II. Introduction
- The purpose of this Policy is to set out the principles of processing and using Users' personal data. The Policy also contains information on the rights of individuals in relation to the personal data they provide. The legal basis for the Policy is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, as well as the Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000). This Policy constitutes the Personal Data Controller's implementation of its obligations under Articles 12, 13 and 14 of the GDPR.
- The Policy applies to the Website, the application or the service linked to it, as well as to data provided through them, by telephone, electronically or in person at the Controller's premises. Please note that when leaving the Controller's website, the User enters an area where the Policy does not apply. The Controller is not responsible for the privacy policy rules applicable to the websites operated by other entities.
- In connection with the economic activity conducted by the Controller and the User's use of the Website, the Controller collects data to the extent necessary to provide individual services offered, as well as information about the User's activity on the Website. Below are described detailed rules and purposes of personal data processing.
III. Contact with the Controller and Data Protection Officer
For all matters related to the processing of personal data, you can contact the Controller at the aforementioned registered address or via email at dataprotection@gtcgroup.com
The Controller has appointed a Data Protection Officer, who can be contacted via email at dataprotection@gtcgroup.com or by post to the Controller's address provided above with a note "Data Protection Officer".
IV. Purposes and legal bases for processing Personal Data
The controller processes personal data according to its business profile, for the purposes indicated below. If, due to legal requirements, the nature of the service, or the need to settle it, there is a need to process other personal data of individuals whose data is being processed, the Controller may process such data to the extent necessary.
Use of the Website
Personal data of all individuals using the Website (including IP addresses or other identifiers and information collected through cookies or other similar technologies) is processed by the Controller:
- for the purpose of providing electronic services in the scope of providing Users with content available on the Website - in this case, the legal basis for processing is the necessity of processing for the performance of a contract (Art. 6(1)(b) of the GDPR);
- for analytical and statistical purposes - in this case, the legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) of the GDPR), consisting in conducting analyses of Users' activity, as well as their preferences, in order to improve the functionalities and services provided;
- for the purpose of eventual establishment and pursuit of claims or defence against claims - the legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) of the GDPR), consisting in protection of its rights.
User activity on the Website, including their personal data, is registered in system logs (a special computer program used to store a chronological record containing information about events and actions that concern the computer system used to provide services by the Controller). The information collected in the logs is primarily processed for the purposes related to the provision of services. The Controller also processes this information for technical and administrative purposes, to ensure the security of the computer system and manage it, as well as for analytical and statistical purposes - in this regard, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).
Recruitment
If you apply for our job offer, your personal data will be processed for the purpose of conducting the recruitment process for the position offered in our structures and selecting the appropriate person for employment in the position specified in the job offer, including assessing the qualifications, abilities and skills of the candidate for the job. We obtained this information directly from you.
The legal basis for processing your personal data in the scope resulting from Article 22(1) of the Labour Code is the legal obligation imposed on the Controller (Article 6(1)(c) of the GDPR); in case you provide personal data in a broader scope than specified in the labour law, and if we offer you employment on a basis other than an employment contract, and therefore the labour code will not apply, the legal basis for processing is your consent (Article 6(1)(a) of the GDPR).
If you provide us with your application, but we are currently not conducting any recruitment, your personal data will be processed for the purpose of conducting future recruitment processes and selecting the appropriate person for a vacant position, including assessing the qualifications, abilities and skills of the job candidate.
The legal basis for processing your personal data for the purpose of future recruitment is your consent (Art. 6(1)(a) of the GDPR). Sending us application documents is treated as equivalent to giving consent to the processing of data contained therein.
Sending commercial/marketing information
In case you have given your consent to receive marketing/commercial information from the Controller via electronic and/or telephone means, your personal data will be processed for the purpose of delivering the above-mentioned information.
The legal basis for processing personal data is the legitimate interest of the Controller in connection with the consent given – Art. 6(1)(f) of the GDPR, consisting in delivering content requested by the User.
Contact form/email contact/personal contact
The Controller provides the possibility to contact them via the email address provided on the website, by using electronic contact forms or through designated information points.
The legal basis for processing personal data is the legitimate interest of the Controller – Art. 6(1)(f) of the GDPR, consisting in providing message support and answering questions arising from it.
Email and regular mail correspondence
In case of contacting the Controller via e-mail or regular mail correspondence related to services provided to the sender or another agreement concluded with them, personal data contained in this correspondence will be processed solely for the purpose of communication and resolving the matter to which the correspondence relates.
The legal basis for processing is the legitimate interest of the Controller (Art. 6(1)(f) of the GDPR) consisting of conducting correspondence directed to them in connection with their business activity.
Telephone contact
In the case of contacting the Controller by phone, for matters unrelated to the concluded agreement or services provided, the Controller may only request personal data if it is necessary to handle the matter to which the contact relates.
The legal basis in such case is the legitimate interest of the Controller (Art. 6(1)(f) of the GDPR) consisting of the necessity to resolve the reported matter related to their business activity.
Collecting data as part of business contacts
In connection with their business activity, the Controller collects personal data, for example, during business meetings or through exchanging business cards, for the purpose of initiating and maintaining business contacts.
Such personal data is processed for the realization of the legitimate interest of the Controller and their contractor (Art. 6(1)(f) of the GDPR) consisting of creating a network of contacts in connection with their business activity.
Processing of personal data of customers of the Controller or members of contractors' staff
In connection with concluding contracts as part of business activity, the Controller obtains from contractors/customers the data of individuals involved in the performance of such contracts (e.g. data of individuals authorised to contact, executing the contract, representing the customer/contractor, etc.). The scope of data transmitted is in each case limited to the extent necessary for the performance of the contract and usually does not include any other information than the first name and surname, position, and official contact details.
Such personal data is processed by the Controller for the purpose of:
- concluding and performing the contract, based on the necessity of performing the contract, i.e. when processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of the GDPR);
- resulting from the legally justified interests pursued by the Controller, i.e. related to identifying the parties, ensuring contact with the contractor, verifying whether the person contacting the Controller is authorized to act on behalf of the contractor, as well as in connection with any claims, handling notifications, archiving, ongoing contact (Art. 6(1)(f) of the GDPR);
- fulfilling legal obligations, in particular tax, accounting, and civil law (Art. 6(1)(c) of the GDPR).
Processing of personal data of Users by the Controller in relation to fulfilling legal obligations
The Controller processes the personal data of Users in connection with fulfilling legal obligations imposed on them, including but not limited to accounting and bookkeeping documentation, as well as fulfilling the rights of individuals whose data is processed.
Such personal data is processed on the basis of Article 6(1)(c) of the GDPR - processing is necessary for compliance with a legal obligation to which the Controller is subject.
Establishing, pursuing claims and defending against claims
In order to establish, pursue claims and defend against claims, including documenting objections to the processing of personal data, the personal data of Users provided to the Controller will be processed.
The legal basis for processing personal data is Article 6(1)(f) of the GDPR, which allows for processing personal data for the purpose of establishing, pursuing or defending against legal claims, which constitutes a legitimate interest of the Controller.
Social media platforms
Facebook
As part of managing a Facebook account, the Controller processes personal data of individuals who:
- have subscribed to the fanpage by clicking the "Like" or "Follow" icon;
- have posted a comment under any of the posts published on the fanpage.
The Controller processes the following types of personal data:
- Facebook identifier (usually containing the name and surname or a nickname);
- profile picture;
- other pictures (which may also depict an image);
- content of comments.
- Statistical data on people visiting the fanpage is available through the "Facebook Insights" function and is collected using cookies.
The Controller processes the above-mentioned personal data on the basis of the legitimate interest (Article 6(1)(f) of the GDPR) consisting of: running a fanpage under the name Galeria Północna on the Facebook social network, on the terms and conditions specified by Facebook, informing about the Controller's activity, promoting events and the brand, products and services, building and maintaining a community with the Controller and for communication through available functionalities of the Facebook service (comments, messages), conducting statistics (by analysing data on user activity on the fanpage), and eventual determination, investigation or defence against claims.
Personal data is also processed on the basis of separately given consent in the scope and purpose specified in the content of the consent and for the time until the withdrawal of consent (basis from Article 6(1)(a) or Article 9(2)(a) of the GDPR) as well as on the basis of legal requirements in order to fulfil the legal obligations of the Controller resulting from the provisions of law (basis from Article 6(1)(c) of the GDPR).
Additionally, the Controller indicates that together with Facebook Ireland Limited ("Facebook Ireland"), they act as joint controllers in the scope of data processing for statistical purposes. More information on the processing of data for statistical purposes can be found under the following link:
https://www.facebook.com/legal/terms/information_about_page_insights_data
Instagram
As part of managing an Instagram account, the Controller processes personal data of individuals who:
- have subscribed to the account by clicking the "Follow" icon;
- have posted a comment under any of the posts published on the account or reacted to the published photos.
The Controller processes the following types of personal data:
- account identifier (usually containing the name and surname or a nickname);
- profile picture;
- other pictures (which may also depict an image);
- content of comments;
- statistical data regarding account visitors are collected through cookie files.
The Controller processes the above-mentioned personal data on the basis of the legitimate interest (Article 6(1)(f) of the GDPR) consisting of: running an account under the name Galeria Północna on the Instagram social network, on the terms and conditions specified by Instagram, informing about the Controller's activity, promoting events and the brand, products and services, building and maintaining a community with the Controller and for communication through available functionalities of the Instagram service (comments, messages), conducting statistics (by analysing data on user activity on the account), and eventual determination, investigation or defence against claims.
Personal data is also processed on the basis of separately given consent in the scope and purpose specified in the content of the consent and for the time until the withdrawal of consent (basis from Article 6(1)(a) or Article 9(2)(a) of the GDPR) as well as on the basis of legal requirements in order to fulfil the legal obligations of the Controller resulting from the provisions of law (basis from Article 6(1)(c) of the GDPR).
Additionally, the Controller indicates that they, together with Facebook Ireland Limited (the owner of the Instagram application), act as joint controllers in the processing of data for statistical purposes. More information on the processing of data for statistical purposes can be found under the following link:
https://www.facebook.com/legal/terms/information_about_page_insights_data
YouTube
Personal data is processed for the purposes of:
- managing and administering the Controller's channel on YouTube, including responding to posted messages and comments, and supervising content published by users - the legal basis for processing data is the Controller's legitimate interests (Art. 6(1)(f) of the GDPR) in being able to manage and administer the company channel on YouTube;
- fulfilling legal obligations of the Controller arising from legal obligations - the legal basis for processing data is Art. 6(1)(c) of the GDPR;
- pursuing other legitimate interests of the Controller, for which the Controller considers the possibility of pursuing and defending claims, preventing fraud and economic crimes as particularly legitimate interest - the legal basis for processing data is Art. 6(1)(f) of the GDPR.
In addition, the Controller informs that the YouTube portal administrator, as a provider of tools related to the channel, is a joint controller for processing personal data of individuals using the Controller's company channel, who may process their data for their own purposes based on their own legal basis.
More information on data processing by the YouTube portal administrator can be found at the link:
https://www.youtube.com/static?gl=PL&template=terms
TikTok
As part of managing a TikTok account, the Controller processes personal data of individuals who:
- have visited the Controller's profile on TikTok;
- have subscribed to the fanpage by clicking the "Follow" icon;
- have reacted to the posted content or posted their comment under any of the posts on the fanpage;
- sent an inquiry through a private message.
The Controller processes the following types of personal data:
- account identifier (usually containing the name and surname or a nickname);
- pictures (which may also depict an image);
- content of comments;
- statistical data regarding account visitors are collected through cookie files.
The Controller processes the above-mentioned personal data on the basis of a legitimate interest (Art. 6(1)(f) of the GDPR) consisting of: running an account under the name Galeria Północna on terms and conditions specified by the TikTok portal and informing about the Controller's activity, promoting events and the brand, products, and services, building and maintaining a community with the Controller, as well as for communication through available functionalities of the TikTok service (comments, messages), conducting statistics (through analysing data on users' account activity), and potentially establishing, pursuing, or defending claims.
Personal data is also processed on the basis of separately given consent in the scope and purpose specified in the content of the consent and for the time until the withdrawal of consent (basis from Article 6(1)(a) or Article 9(2)(a) of the GDPR) as well as on the basis of legal requirements in order to fulfil the legal obligations of the Controller resulting from the provisions of law (basis from Article 6(1)(c) of the GDPR).
Additionally, the Controller informs that your data is also processed and managed by TikTok Technology Limited, which is an Irish company ("TikTok Ireland"), i.e. the entity that manages and administers the TikTok portal. If you want to learn more about how TikTok processes data, visit https://www.tiktok.com/legal/privacy-policy?lang=pl
Video surveillance
The Controller has implemented video surveillance at Galeria Północna, located at ul. Światowida 17 in Warsaw (hereinafter "Galeria"). Your personal data in the form of images recorded through video surveillance will be processed for the following purposes:
- ensuring the safety of people present in Galeria, including employees and customers, and protecting property, which constitutes a legitimate interest of the Controller;
- establishing, investigating, and defending against claims, which constitutes a legitimate interest of the Controller.
The use of video monitoring is based on Article 6(1)(f) of the GDPR, i.e., the legitimate interest pursued by the Controller.
Places covered by video surveillance are properly marked with pictograms indicating the installed cameras.
V. Recipients of personal data
In connection with the activities requiring the processing of personal data, personal data may be disclosed to external entities.
The recipients of personal data entrusted to the Controller by the data subjects are the following entities, to which personal data are provided to the minimal extent necessary to achieve the purpose(s) for which the data were obtained:
- authorised personnel of the Controller, subcontractors, and entities providing services to the Controller (including IT and technical support services) who need access to the data to perform their duties properly;
- entities processing personal data on behalf of the Controller (e.g., accounting offices, technical service providers, hosting service providers, law firms);
- relevant authorities authorized by applicable law;
- in the case of data processed on Facebook, the recipients of data will be other users of the Facebook platform (due to the fact that information about followers, likes, comments, posts, and other information provided by users is public) and the Facebook administrator;
- in the case of data processed on Instagram, the recipients of data will be other users of the Instagram platform (due to the fact that information about followers, likes, comments, posts, and other information provided by users is public) and the Instagram administrator;
- in the case of data processed on TikTok, the recipients of data will be other users of the TikTok platform (due to the fact that information about followers, likes, comments, posts, and other information provided by users is public) and the TikTok administrator;
- in the case of data processed on YouTube, the recipients of data will be other users of the YouTube channel (due to the fact that information about followers, likes, comments, posts, and other information provided by users is public) and the YouTube administrator.
The Controller declares that they do not sell, disclose or transfer the collected personal data for processing to other individuals or institutions unless it is done with explicit consent or at the request of data subjects or at the request of authorized state bodies for the purposes of proceedings or actions related to security or defence, for specific purposes defined by law related to public interest when it is necessary to fulfil the legitimate purposes of the Controller.
VI. Data processing period
The Controller processes obtained personal data for the period necessary to achieve the purpose(s) for which they were provided. The data processing period is related to the purposes and legal bases of their processing, therefore:
- Data processed based on legal requirements (e.g. tax) will be processed for as long as the law requires data retention;
- If the legal basis for processing is the performance of a contract, then the data will be processed by the Controller for as long as necessary to perform the contract;
- Data processed based on the legitimate interest of the Controller will be processed until the effective objection of the data subject or the termination of this interest. Data processed for the purpose of pursuing or defending against claims will be processed for a period equal to the statute of limitations of such claims;
- personal data processed based on consent will be processed until the withdrawal of consent expressed by the data subject;
- personal data processed as part of the recruitment process will be kept until the end of the process and, in the case of consent to process data for future recruitment, for no longer than 1 year;
- personal data processed on Facebook, Instagram, YouTube, and TikTok will be kept for the period during which the user remains an active user of the Controller's company profile or until an objection to data processing is made; whereas data contained in posts or comments will be processed until their removal;
- recorded footage from video surveillance will be kept for a period of up to 30 days from the date of recording. In the event that the recordings are evidence in proceedings conducted under the law or the Controller receives information that they may be evidence in such proceedings, the storage period for the recordings will be extended until the final conclusion of such proceedings.
The data processing period may be extended if processing is necessary to establish or assert claims or defend against claims, and after that period, only to the extent required by law. After the end of the data processing period, the data will be irreversibly deleted or anonymised.
VII. Data subject rights
The Controller shall implement the rights related to the processing of personal data that are due to the persons whose data is concerned. In particular, each data subject has the right to:
- access their personal data, including obtaining a copy of their personal data;
- rectify (correct) or complete incomplete personal data;
- request the erasure of personal data in cases provided by law ("right to be forgotten");
- request the restriction of processing of personal data;
- object to the processing of personal data;
- if the legal basis for the processing of personal data is the legitimate interest of the Controller, the data subject has the right to object to the processing of personal data at any time, without having to justify their decision, particularly in cases where the legitimate interest consists of carrying out activities related to direct marketing;
- withdraw consent to the processing of personal data. Consent given by data subjects may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
The above rights, as well as the intention to withdraw consent, may be exercised by sending a relevant request electronically to the email address indicated in point III of the Policy or by post to the Controller's registered office address indicated in points I and III of the Policy.
If it is considered that the processing of personal data by the Controller violates the GDPR provisions or is inconsistent with the Policy, Users have the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office in Warsaw, ul. Stawki 2, who can be contacted in the following ways:
- by post: ul. Stawki 2, 00-193 Warsaw
- through the electronic mailbox available on the website https://www.uodo.gov.pl/pl/p/kontakt
- by phone: (22) 531 03 00
VIII. Personal data security
The Controller ensures the security of personal data against unlawful disclosure to unauthorised persons, unauthorised acquisition of data, destruction, loss, damage or alteration, and processing of personal data in a manner inconsistent with the provisions of the GDPR.
To secure entrusted personal data, the Controller implements technical and organizational measures that comply with the requirements of the GDPR, in particular the measures listed in Article 24 and Article 32 of the GDPR, ensuring confidentiality, integrity, and availability of the processing services for the transferred personal data.
IX. Automated decision-making and profiling
Your data may be processed by the Controller in an automated manner, including profiling. However, decisions regarding an individual person associated with this processing will not be automated.
X. Final provisions
Any issues not covered by this Policy shall be governed by EU and national regulations regarding personal data protection.
Last updated: 27.03.2023