GDPR Information Clause

GDPR Information Clause
to the terms and conditions of online sales of tickets  

In accordance with Art. 13 of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) (OJ.EU.L.2016.119.1), we inform you that:

  1. CONTROLLER – The controller of the personal data in the Module, i.e. the entity that decides for what purpose and how the data will be processed, is the Royal Łazienki Museum in Warsaw, address: ul. Agrykola 1, 00-460 Warsaw.
  2. DATA PROTECTION OFFICER – In matters related to the processing and protection of your personal data, you can contact the Data Protection Officer appointed by the controller via e-mail address: iod@lazienki-krolewskie.pl or in writing to the controller’s registered office address: Royal Łazienki Museum in Warsaw, address: ul. Agrykola 1, 00-460 Warsaw.
  3. SOURCE OF DATA ORIGIN –The controller processes the data of persons who have completed the Order Form contained in the Module. If a ticket has been sent to a person who did not order it via the shopping Module, his/her data has been provided by the person filling in the Order Form. The personal data obtained when filling in the aforementioned Form includes the following data categories: first name, last name, e-mail address. Optional – telephone number and language version of the Module. And for the purpose of obtaining a VAT invoice, also: address and NIP number (tax identification number).
  4. PURPOSES OF PROCESSING – personal data of those ordering tickets to visit exhibitions or participate in Events organized in the Museum through the Module shall be processed in order to:
      1. provide services electronically by concluding agreements with the Ordering Party for the sale of tickets ordered by the Ordering Party using the Module and the performance of these agreements, as well as, after registering an account, for the purpose of placing further orders through the use of the Module for the sale of tickets on the website (Art. 6(1)(b) of the GDPR);
      2. return tickets and handle any complaints (the basis for processing is Article 6(1)(b) of the GDPR);
      3. comply with legal obligations, in particular the fulfilment of financial reporting obligations (the basis for processing is Article 6(1)(c) of the GDPR);
      4. fulfil the legitimate interests of the controller (the basis for processing is Article 6(1)(f) of the GDPR), which means:
        1. carrying out marketing activities in the form of a newsletter – due to specific legislation, activities via e-mail or telephone are carried out on the basis of a separate consent to use the relevant communication channel;
        2. answering questions sent by Ordering Parties via e-mail and telephone;
        3. establishing, investigating or defending claims relating to the operation of the Module and the services provided through it.
  5. PROCESSING TIME – personal data will be processed:
    1. over the duration of the sales contract between the Ordering Party and the Administrator and, after its termination, until the expiry of the limitation periods for claims arising therefrom;
    2. with regard to data processed under the legitimate interests of the controller, until the Ordering Party raises a legitimate objection, subject to the following point;
    3. with regard to marketing activities, until the withdrawal of consent to the sending of such information by e-mail or telephone or until an objection to processing in this respect is lodged, whichever occurs first;
    4. until expiry of the obligation to store data resulting from legal provisions, in particular the obligation to store accounting documents relating to the sales contrac;
  6. DATA RECIPIENTS – personal data may be shared with:
    1. State authorities and other entities authorized to access the data to the extent and for the purpose specified in the provisions of the law;
    2. external entities providing services to the controller in support of its operations in the scope of the services provided, e.g. transport companies, IT service providers, entities auditing its operations, entities responsible for electronic payments (PayPro SA , the owner of the www.przelewy24.pl portal).
  7. RIGHTS OF PERSONS WHOSE DATA IS PROCESSED – in relation to the processing of personal data, in cases provided for by law, the Ordering Party using the service has the following rights:
    1. to access their personal data;
    2. to amend their personal data;
    3. to erase their personal data;
    4. to limit the processing of their personal data;
    5. to transfer their personal data;
    6. to object to the processing of their personal data;
    7. to withdraw their consent to the processing of their personal data where it forms the basis for the processing of their data, which does not, however, affect the lawfulness of the processing carried out on the basis of their consent before its withdrawal;
    8. to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection – more information on this right is available at: https://uodo.gov.pl/pl/p/skargi.
      More information on the rights of data subjects is available in Art. 12–23 of the GDPR, the text of which can be found at: https://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
  8. VOLUNTARINESS TO PROVIDE PERSONAL DATA – Providing personal data by the Ordering Party is voluntary, but failure to provide such data will prevent (concerning data indicated in the Order Form as necessary) or may obstruct (concerning e-mail address, telephone number) the controller’s provision of electronic services and thus the Ordering Party’s purchase of online tickets.
  9. TRANSFER OF DATA TO THIRD COUNTRIES – the personal data of Ordering Parties ordering on-line tickets via the Module will not be transferred to countries outside the European Economic Area.
  10. AUTOMATED PROCESSING, INCLUDING PROFILING – the Administrator will not carry out activities involving automated processing (including profiling) of the Ordering Party’s personal data which could result in legal consequences for the Ordering Parties or otherwise significantly affect them.