Dear Sirs and Madams,

in connection with the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as „GDPR”, we would like to provide you with information on the processing of your personal data and your rights in this respect.


Who is the controller of your data?

The controller of your data is Gdańska Galeria Miejska, ul. Piwna 27/29, 80-831 Gdańsk (hereinafter referred to as „GGM” or „Controller”).


For what purposes and on what basis do we process your data?

We process your data that are collected when we cooperate with you, also when you use our services and in all other circumstances in which we receive your personal data. From the moment the GDPR enters into force, we must inform you for what purpose and on what basis we process personal data. Please read the following information so that you are aware of how your data are processed.


Purposes of processing

  • Performing obligations arising from the contracts we conclude with you.

Legal basis: Article 6(1)(b) GDPR.

  • Sending promotional materials, invitations to events organised by GGM

and information about the GGM offer.

– Keeping statistics and making analyses to improve the quality

of the activities carried out by GGM.

Legal basis: Article 6(1)(a) GDPR.

– Determining, investigating, and defending claims. It should be noted that the Controller is entitled to pursue claims related to the activity carried out and must also be ready to counter any claims brought against it. This entitles the Controller to process personal data also for this purpose.

Data may be stored for statistical, and archival purposes and to ensure accountability (demonstrating compliance by the Controller with the obligations arising from the law).

Legal basis: Article 6(1)(e) GDPR.

– Keeping documentation required by law, including relevant accounting

documents, as well as providing the persons whose data are processed, with appropriate

confirmations of service performance (including invoices and receipts).

Legal basis: Article 6(1) (c) GDPR in connection with Article 74(2) of the Accounting Act of 29 September 1994.


To whom can we transfer the data?

In accordance with the law in force, we can transfer your data to entities processing them at our request, called data recipients. These may include entities participating in the performance of contracts (including subcontractors, entities providing postal and courier services), entities dealing with IT services and providing the Controller with IT tools, managing and entering data into databases, intermediating in the implementation of marketing campaigns, and also providing advisory (e.g. accounting, legal) services. Data may be lawfully transferred on the basis of the law in force, e.g. to courts or law enforcement authorities – however only if they make a request based on an appropriate legal basis. We will not transfer your data outside the European Economic Area (EU countries, Iceland, Norway, Liechtenstein).

What are your rights in relation to your data?

You have the right to access your data, as well as to rectify, erase, transfer, and restrict their processing and to lodge a complaint with the President of the Personal Data Protection Office. If the processing takes place on the basis of your consent, you have the right to withdraw it at any time without affecting the lawfulness of the processing based on consent before its withdrawal, you have the right to object to the processing of your personal data when their processing takes place on the basis of Article 6(1)(e) GDPR, and the objection is justified by the particular situation in which you have found yourself.


How long do we store your personal data?

The Controller processes your personal data for the time needed to perform the contracts to which you are a party. Then the data are stored for the time during which it is possible to pursue claims in connection with the performance of the contract – until the claims are time-barred. Part of the data may be stored longer, as long as there is a legal obligation, e.g. in connection with the need to document a transaction (e.g. data on invoices, bills) or for archival purposes. When you consent to the processing of data for marketing purposes, your data will be processed as long as the Controller has an offer addressed to people whose data are processed. These data will be periodically checked for up-to-date status and in the event that they are found out of date, they will be updated or erased by the Controller. At the same time, in order to comply with the accountability obligation, the data will be stored for the period in which the Controller is obliged to store data or documents containing them to document the fulfilment of legal requirements, also to enable public authorities to verify whether these requirements are fulfilled.


Do we process your personal data automatically (including through profiling)?

Your personal data will not be processed in an automated manner (including in the form of profiling). Voluntary provision of data. Personal data are provided to us by you voluntarily. Please note that we did not oblige you to provide us with any data, and providing such data is not a statutory obligation. However, personal data may be necessary to perform the contracts we conclude with you, and for you to exercise your rights. Failure to provide data may result in, inter alia, the inability to perform the contract. Providing data may not be voluntary, if the provision of data is required by law. Then we may require you to provide other data, necessary e.g. for accounting or tax reasons.


How to contact us in matters related to the processing of personal data?

You can send us your requests in connection with the processing of personal data to our Data Protection Officer at the following address: