State Museum at Majdanek Online Bookstore Privacy Policy

 

General Provisions

The present Privacy Policy defines the rules of personal data gathering, processing, sharing and protection, conducted within the Online Bookstore, hereinafter Bookstore, available at: www.ksiegarnia.majdanek.eu

Personal data of the Bookstore’s Users is processed in accordance with generally applicable law, particularly with the following acts:

  1. The Directive 2016/680 of the European Parliament and of the Council of 27 April 2016EU on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data – “GDPR.”
  2. Personal Data Protection Act of May 10, 2018 (Journal of Laws 2018, item 1000)
  3. Act on Providing Services by Electronic Means of July 18, 2002 (Journal of Laws 2019, item 123, as amended).
  4. Telecommunications Act of July 16, 2004 (Journal of Laws 2018, item 1954, as amended).

Definitions

Personal Data – information on identified or identifiable natural person, based directly or indirectly on identifiers such as name and surname, ID number, location data, username, and one or more indicators of a natural person’s physical, physiologic, genetic, mental, economic, cultural or social identity.

Personal Data Processing – any action, including gathering, saving, managing, ordering, storing, adapting or modifying, downloading, browsing, using, transferring, revealing in any form, combining or merging, restricting, deleting or erasing, done upon Personal Data.

Personal Data Administrator – an entity which, independently or in cooperation with other entities, defines the methods and purposes of Personal Data Processing

User – any natural person visiting the Bookstore’s website and/or using services or features of the Bookstore

Registered User – a User who registered their own User Account

User Account  - a collection of resources and permits pertaining to a specific Registered User within the Bookstore’s database

 

Personal Data Administrator

The Personal Data of the Bookstore’s Users is administered by the State Museum at Majdanek, Droga Męczenników Majdanka 67, 20-325 Lublin, Poland; no. 30/92 in the register of cultural institutions administered by the Ministry of Culture and National Heritage, no. 14 in the National Museum Register, NIP: 9460001052, REGON: 000276096, hereinafter referred to as “Museum”).

Data Protection Officer

The Museum has appointed a Data Protection Officer, who monitors the data processing and ensures its legitimacy. The Data Protection Officer can be contacted electronically at: iod@majdanek.eu and/or by post at the Museum’s address: Państwowe Muzeum na Majdanku, ul. Droga Męczenników Majdanka 67, 20-325 Lublin, Poland.

 

Personal Data Categories and the Measures of their Gathering

Personal Data is submitted directly by the Bookstore’s Users, who enter leave behind their Personal Data upon several stages of interaction with the Bookstore. The Data is gathered:

  1. During User registration in the Bookstore: name, surname, e-mail address, phone number, login, optionally User’s date of birth.
  2. Following the User’s registration in the Bookstore, when the User voluntarily decides to enter additional data: User’s address, company name, additional/business phone number.
  3. During the payment fulfilled by the User for the products purchased in the Bookstore: name and surname (or company name) of the bank account’s owner, bank account number.
  4. While sending a message to the Museum via contact form available at the Bookstore’s website: e-mail address, order number, and/or any personal data voluntarily entered by the User within the message itself.
  5. Data automatically gathered by Cookies upon visiting the Bookstore’s website: ways of User’s interaction with the Bookstore, time and date of visiting the Bookstore’s website, User’s operating system, User’s browser, User’s type of device, IP address, Uniform Resource Locator (URL).

In some cases, Users’ Personal Data can be forwarded by third parties. A situation when Users conduct payments via electronic payment systems (PayPal/Przelewy 24) is such an instance. Upon selecting such methods of payment Users consent to the transfer of their Personal Data from the owner PayPal and/or the owner of Przelewy 24 platform to the Museum. The transfer allows proper registration of payments by the Museum.

The Museum does not collect sensitive personal data such as: medical condition, racial or ethnic background, political views, religious beliefs, world views, trade union membership, genetic information. The Museum gathers and processes only the personal data, which is necessary for the aims of their processing. In all the future features and activities requiring personal data processing, the Museum will evaluate the necessity and range of their collection.

 

Legal bases and purpose of Personal Data processing

The Museum processes the personal data only with the aim of fulfilling the purpose, for which they are collected. Such aims and the legal basis for the respective processing are the following:

 

Personal Data Processing Purpose

Legal Basis

1

Bookstore’s User account related services

The data is processed in order to conclude sales agreements and contracts, within which the person whose data is collected is amongst the parties.

Pursuant to: Article 6.1.b of the GDPR.

2

Bookstore order processing

The data is processed in order to fulfil sales agreements and contracts, within which the person whose data is collected is amongst the parties.

Pursuant to: Article 6.1.b of the GDPR.

3

Refund processing

The data is processed in order to fulfil sales agreements and contracts (in the instances when the buyer executes his rights of warranty), within which the person whose data is collected is amongst the parties, in the instances when the buyer

Pursuant to: Article 6.1.b of the GDPR.

4

Processing withdrawal from sales agreements: cancelling transactions, parcel returns, payment returns, delivery cost returns

The data is processed in order to fulfil the administrator’s legal obligations, as required by taxation regulations (e.g. Consumer Rights Act).

Pursuant to: Article 6.1.c of the GDPR.

5

Issuing accounting documents, allocations, keeping and archiving accounting and tax records

The data is processed in order to fulfil the administrator’s obligations imposed by the accounting and tax regulations.

Pursuant to: Article 6.1.c of the GDPR.

6

Archiving documents containing Personal Data for evidentiary purposes

The data is processed in order to fulfil the administrator’s legal obligations, as required by e.g. The July 14,1983 Act On The National Archive Resource And Archives; Museum’s inner office and archival regulations

Pursuant to: Article 6.1.c of the GDPR.

The data is processed in order to fulfil the administrator’s obligations to secure their interest e.g. in the instance of necessity to use the data as legal evidence .

Pursuant to: Article 6.1.f of the GDPR.

7

The assertion of possible claims or defence against assertion claims, judiciary proceedings, debt collection

The data is processed for the purposes of the legitimate interests pursued by the administrator e.g. the protection and implementation of Museum’s rights

8

Compiling and analysing statistics of interactions with the Bookstore’s website based on the data collected by Cookies.

The data is processed for the purposes of the legitimate interests pursued by the administrator e.g.

-          For the improvement of functionality of the Bookstore’s website and its features

-          For the improvement of safety within the Bookstore

-          For the improvement of services provided to the Bookstore’s Users

Pursuant to: Article 6.1.f of the GDPR.

 

Personal Data sharing

The Personal Data of the Bookstore’s Users is shared with authorised Museum personnel. In justified instances, it can also be shared with third parties including:

1)      The entities authorised to obtain data under the applicable law if requested under the relevant legal basis

2)      Bank Gospodarstwa Krajowego – the financial institution responsible for the Museum’s bank account

3)      Poczta Polska S.A. – Polish Post that is responsible for delivering all the products purchased within the Bookstore

4)      Other entities processing them at the request of the Museum, e.g. subcontractors and service providers responsible for the Bookstore’s website maintenance, hosting service providers

All third party entities entrusted with the Personal Data gathered by the Museum are bound by contracts for entrusting personal data processing.

Personal Data gathered via Bookstore’s website is never sold, nor shared with other entities for marketing purposes.

Transfer of Personal Data to a third country or an international organisation.

Personal Data collected by the Museum will not be transferred to a third country outside the European Economic Area (all EU countries, Norway, Liechtenstein, Iceland) and/or any international organisation.

Data retention span

 Personal Data gathered via Bookstore will be processed only for as long as required by the purpose of their processing.

 

Personal Data Processing Purpose

Data Retention Span

1

Bookstore’s User account service and management

From registration until the moment of account’s deletion.

2

Order processing

Until the order’s fulfilment.

3

Complaint processing

Until the complaint procedure’s resolution.

4

Client’s withdrawal from the sales agreement concluded remotely

Until the procedure’s resolution.

5

Issuing accounting documents, allocations, keeping and archiving accounting and tax records

5 years following the end of the calendar year, during which the tax maturity expires, unless common law demands longer.

6

Archiving documents containing Personal Data for evidentiary purposes

Span required by the common law and/or until the expiration date for submitting any possible assertion claims.

7

The assertion of possible claims or defence against assertion claims, judiciary proceedings, debt collection

Span required for the protection  of the Museum’s rights or until the expiration date for submitting any possible assertion claims, that is determined by the common law.

8

Compiling and analysing statistics of interactions with the Bookstore’s website based on the data collected by Cookies.

Until receiving a valid, justifiable objection.

 

All the Personal Data reaching the end of its retention span is either deleted or anonymised.

 

Vested rights of the persons being the Personal Data subject.

In recognition of the GDPR restrictions and standards we inform that you have the right to:

1)      Access the content of your data as well as to be informed what data is processed, for what purpose, by whom, on what legal basis, when they will be deleted.

2)      Demand rectification of incorrect data and/or supplementation of incomplete data.

3)      Demand deletion of Personal Data in justified cases as defined by Article 17 of the GDPR.

4)      Demand restriction of Personal Data Processing in the instances defined by Article 18 of the GDPR.

5)      Data transfer – the right to receive your Personal Data in a commonly used file format (txt, doc, rtf, xls, odt, pdf, jpeg, xml) and/or to demand sending your Personal Data directly to a different administrator if technically possible.

Every person being the Personal Data subject has the vested right to object data processing in the following instance:

  • Objection due to extraordinary circumstances of a particular person – when their data processing conducted in the Museum’s legally justified interest could jeopardise the person’s privacy.

The Users of majdanek.eu domain have the right to withdraw their consent of Personal Data processing, at any moment, however, that does not affect the legitimacy of the Personal Data processing done before the withdrawal and based on the Users’ thus far consent.

Complaints and requests can be submitted to the appointed Data Protection Officer by e-mail: iod@majdanek.eu and/or by post at the Museum’s address: Państwowe Muzeum na Majdanku, ul. Droga Męczenników Majdanka 67, 20-325 Lublin, Poland. Each complaint or request should contain data which enables the Museum to unequivocally identify each petitioner and to proceed with their case.

Any person being the Personal Data subject, who has reasons to believe that the Personal Data Processing violates their rights, has the right to file a complaint to the Polish Data Protection Commissioner (2 Stawki St.; 00-193 Warsaw).

Voluntariness of Providing Personal Data and Personal Data Processing

Providing your Personal Data is not obligatory, although sometimes necessary to use certain features of the Bookstore. Without providing Personal Data it will be impossible to e.g. sent the Museum a message via contact form, register a User Account, make purchases within the Bookstore. In certain cases, the law requires the provision of your Personal Data to the museum e.g. for accounting and tax purposes.

Automatic Personal Data Processing and Profiling

No Personal Data acquired via the Bookstore is processed in a way resulting in automated decision-making, including profiling. The Museum does not use software that collects Personal Data and makes automatic and independent decisions, which could result in any legal consequences or influence the situation of the persons being subject to Personal Data Processing.

Data Protection

All Personal Data gathered via Bookstore is protected according to the GDPR guidelines. The Museum takes adequate measures, both technological and procedural, in order to secure the Personal Data and prevent it from deliberate or accidental damage and/or erasure, accidental loss, unintentional modification, sharing with unauthorised persons, being transferred and/or stolen by an unauthorised person. These measures include:

1)      SSL certified connections with the Bookstore’s website.

2)      Personal Data storage on secure servers.

3)      Restricted access to the Personal Data, granted only to the authorised Museum personnel, processed only within the range of the stated collection purpose.

4)      Strict inner procedure of Personal Data processing.

5)      No Personal Data sharing with any third party entities unless they are bound by contracts for entrusting personal data processing singed with the Museum.

6)      The Museum demands warranty of the Personal Data safety from all the third party entities entrusted with the data.

Cookies

The Bookstore’s websites use cookie files, which collect and process anonymous User-related data. Cookies are small text files sent by websites to their visiting Users and saved on their hard drives. The collected information can only be received by the website of their origin. Data collected by cookies do not allow anyone to unequivocally identify any person.

The Museum uses cookies to monitor the interactions of Users with the Bookstore’s website, in order to improve its features and functionality, to improve our customer services, as well as to conduct statistics.

Most Internet browsers accept cookies by default. Every user, however, can at any time change the cookie settings within their browser. Deactivating cookies can bear negative impact on the functioning of the Bookstore’s websites and disable some of their features.

The Museum also collects Personal Data concerning the means of User interaction with the Bookstore, with the use of access logs based on the Users’ IP address. Thereby collected Personal Data is not sufficient to determine the Users’ identity, but it allows to improve the functionality and security of the Bookstore, as well as to identify potential security threats and the ways to solve them. Thereby collected Personal Data is also used for statistics concerning the Bookstore, which allows us to adjust our offers to the needs of the market.

Final Provisions

The Museum reserves the right to alter the present Privacy Policy. Modifications may be necessary in the case of e.g. changes within the law, new directives of the Museum’s supervisory bodies, new technologies used to run the Bookstore, new technologies used to process the Personal Data, and/or the purposes of the Personal Data processing. Any alterations will be announced to the Bookstore’s Users.

The storage, processing and transfer of the personal data entrusted to us shall be carried out in accordance with the Act of 29 August 1997 on the protection of personal data (Journal of Laws of 2002, No. 101, item 926, as amended) and Rules of the Online Bookshop of the State Museum at Majdanek.

You have the right to fully access, complement, update and correct your personal data. You also have the right to require to stop processing your personal data or delete them on rules stipulated by the binding legal provisions.

The Privacy Plice have been drawn up in two language versions: Polish and English. In case of any discrepancies between the language versions of the Privacy Police, the Polish version shall prevail