GDPR

PRIVACY POLICY AND PROTECTION OF PERSONAL DATA
1. This Privacy Policy sets out the rules for processing the personal data obtained through the forms on the website of the Gross-Rosen Museum in Rogoźnica (further referred to as the “Website”).
2. The owner of the Website, and at the same time the Administrator of the data submitted through the forms, is the Gross-Rosen Museum in Rogoźnica. German Nazi Concentration and Death Camp (1940-1945), Rogoźnica, ul. Ofiar Gross-Rosen 26, 58-152 Goczałków.
3. The personal data collected through the Website are processed in accordance with the Regulation of the European Parliament and the EU Council 2016/679 of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/45/EC (general directive on personal data protection), further referred to as “GDPR”.
4. The data Administrator puts great effort into respecting the privacy of all its clients.
§1
Type of processed personal data, goals and legal basis
1. The Administrator of your personal data is the Gross-Rosen Museum in Rogoźnica. German Nazi Concentration and Death Camp (1940-1945), Rogoźnica, ul. Ofiar Gross-Rosen 26, 58-152 Goczałków; muzeum@gross-rosen.eu
2. The Museum has appointed a Data Protection Inspector, e-mail: abi@vp.pl
3. Your personal data will be processed in order for the Administrator to fulfil its duties resulting from legal provisions, pursuant to Article 6(1) c) GDPR in connection with the regulation on museums of 21st November 1996.
4. Through the Website the Administrator collects the personal data of natural persons (further referred to as “Clients”) performing legal actions such as subscribing to the Newsletter, sending inquiries via the Search card of a prisoner, and shopping online in the Store/Bookshop, together with all other actions connected with shopping (including returns, exchanges and complaint letters).
5. Personal data of Clients are collected on the basis of:
a) Article 6(1) a) GDPR - consent to sending information from the Newsletter;
b) Article 6(1) b) GDPR - performance of the purchase-sale contract.
6. While sending an inquiry via the Search card of a prisoner, the Client gives:
a) their first and last name;
b) purpose of their search;
c) mail address (postal code, town/city, street, number of the house/flat, country);
d) e-mail address;
7. While applying for the Newsletter the Client gives:
a) their e-mail address;
8. While ordering online in the Store/ Bookshop the Client gives:
a) their first and last name;
b) mail address (postal code, town/city, street, number of the house/flat, country);
c) phone number;
d) e-mail address;
9. While the Website is being used, additional information may be collected, in particular: the IP address of the Client’s computer or of the internet provider, the domain name, the type of browser and the type of operating system. This is done on the basis of Article 6(1) f) GDPR - the legally justifiable interest of facilitating online services and ensuring the proper functionality of such services.
10. In the case of pursuing and enforcing a claim, the personal data given by a Client will be processed in order to prove that the claim is valid, including the extent of the damage, on the basis of Article 6(1) f) GDPR - the legally justifiable interest of establishing, pursuing and enforcing claims in proceedings before legal or other state authorities.
11. Providing personal data to the Administrator is voluntary and is connected with the purchase-sale contracts concluded and other services.
Failure to provide the required data in the online shopping and inquiry forms will make it impossible to fulfil the Client’s order.

§2
Rights of persons whom the data concern
1. The right to withdraw consent - legal basis: Article 7(3) GDPR.
a) a Client has a right to withdraw any consent they gave to the data Administrator;
b) consent withdrawal is in effect from the moment of the withdrawal;
c) consent withdrawal does not affect the lawfulness of processing carried out before the withdrawal;
d) consent withdrawal does not entail any negative consequences for the Client; however, it may make it impossible to continue using the services or functionality which, according to law, the Administrator may provide only on the basis of consent.
2. The right of access to the data - legal basis: Article 15 GDPR. In particular, a Client has:
a) a right to have access to their personal data;
b) a right to information about the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients of those data, and the planned period for which those data will be stored;
c) a right to have a copy of their personal data;
3. The right to correct the data - legal basis: Article 16 GDPR.
a) a Client has a right to demand immediate correction of their personal data and a right to demand that incomplete personal data be supplemented.
4. The right to remove the data (“a right to erasure”) - legal basis: Article 17 GDPR.
a) a Client has a right to demand removal of all or some of their personal data;
b) a Client has a right to demand removal of their personal data if:
– the personal data are no longer necessary for the purposes they were collected for or they were processed for;
– they withdraw their consent to the processing of their personal data in the range they agreed to;
– they objected to the use of their personal data for marketing purposes;
– personal data are processed against the law.
Despite a demand to remove personal data in connection with making a complaint or withdrawing consent, the Administrator can keep some of the personal data to the extent that their processing is necessary to establish, investigate or defend claims, or to fulfil a legal obligation that requires processing under the law of the EU or of a member country. This concerns in particular personal data such as first and last name and e-mail address, which will be kept for the purpose of examining complaints and claims connected with the use of the Website, and additionally mail address and order number, which will be kept for the purpose of examining complaints and claims connected with concluded sales contracts or the provision of services.
5. The right to restrict data processing - legal basis: Article 18 GDPR.
a) a Client has the right to demand restricting processing of their personal data especially when:
– they question correctness of their personal data;
– data processing is against the law and instead of removing them, the Client demands restriction of their use;
– personal data are no longer necessary for purposes they were collected for but they are necessary for the Client in order to establish, investigate or defend claims;
– they made a complaint against the use of their data.
6. The right to transfer the data - legal basis: Article 20 GDPR.
a) a Client has the right to receive their personal data and then to send them to another personal data administrator of their choice. Moreover, a Client can require their personal data to be sent directly to another administrator, as long as it is technically possible.
7. The right to object to the data processing - legal basis: Article 21 GDPR.
a) a Client has the right to object at any time to the processing of their personal data, including profiling.
8. A Client has the right to submit complaints, inquiries and requests concerning the processing of their personal data and the exercise of their rights.
9. A Client has the right to make a complaint to the President of the Personal Data Protection Office (UODO) concerning a violation of their rights to personal data protection or of other rights granted to them under the GDPR.

§3
Disclosure, entrusting and storing of personal data
1. Clients’ personal data are shared with the providers of services used by the Website, on the basis of agreements (disclosure of data) or on the basis of entrusting the data for processing (data entrusting agreement).
2. The Website uses the services of external companies, such as hosting, bookkeeping services, direct marketing systems, network traffic analysis systems and systems for analysing the efficiency of marketing campaigns.
3. Personal data are shared with courier companies in order to deliver ordered merchandise.
4. Clients’ personal data are stored for the following periods:
a) where the basis for personal data processing is consent - until the consent is canceled, or for a period equal to the expiration period of claims that may be raised by the data Administrator and that may be raised against it. Unless a special regulation states otherwise, the expiration period is 5 years, and for claims for periodic payments and claims connected with business activity it is 3 years;
b) where the basis for data processing is the performance of a contract - for as long as is necessary to perform the contract, and afterwards for a period equal to the expiration period of claims. Unless a special regulation states otherwise, the expiration period is 5 years, and for claims for periodic payments and claims connected with business activity it is 3 years.
5. When requested, the Administrator must disclose personal data to the entitled state agencies, especially to the Prosecutor’s Office, Police, President of the Personal Data Protection Office, President of the Office of Competition and Consumer Protection or President of the Office of Electronic Communications.

§4
IP Address and cookies.
1. The Website uses small files known as cookies. They are saved on the terminal devices of the Website’s visitors if the browser allows it. Cookies usually contain the name of the domain they come from, their “life span” and an individual, random number that identifies them. The information collected by cookies makes it possible to adjust the products offered by the Website to the preferences and needs of the Website’s visitors. Moreover, it enables the preparation of general statistics on visits to the products presented on the Website.
2. The Website uses two types of cookies:
a) session cookies - these expire when the browser session ends or when the computer is shut down. This mechanism does not collect any personal data or any confidential information from Clients’ computers.
b) persistent cookies - these are stored on the disk of the terminal device and remain there until they are deleted or expire. This mechanism does not collect any personal data or any confidential information from Clients’ computers.
3. Cookies are used for the following:
a) analysis and research, and producing anonymous statistics in order to improve customer service;
b) collecting general and anonymous statistical data via the Google Analytics analytical tool (administrator of external cookies: Google Inc. in the USA).
4. Clients of the Website can limit or turn off cookies’ access to their computers, which may hinder the use of the Website.
5. The Website can collect the IP address of a Client’s computer, which is used for diagnosing technical problems with the server and for statistical analysis, as well as for security purposes and the potential identification of unwanted automated programs that ‘browse’ the content of the Website and overload the server.