PRIVACY POLICY



  1. The Personal Data Administrator Details

We would like to kindly inform you that the administrator of your data is Xanadu Galeria i Dom Aukcyjny Agnieszka Gniotek, whose registered office is at ul. Hożej 51, 00-681 Warsaw, entered in the CEIDG by the Minister of Economy, under NIP number: 118-09-06-167, e-mail: agnieszka@galeriaxanadu.pl, phone: +48 503 012 889, hereinafter referred to as the "Personal Data Administrator".

The Personal Data Administrator maintains and manages the website www.galeriaxanadu.pl.

  1. Data Protection Officer

The Personal Data Administrator has not appointed a Data Protection Officer.

  1. Purposes and principles for the processing of personal data

WEBSITE USERS DATA

To contact you in the matter described by you, we process personal data such as:

  • first name and surname,
  • email address
  • details regarding your queries,

The legal basis for such data processing is Article 6 Paragraph 1 letter f) GDPR, which allows us to pursue our legitimate interest, which in this case is to respond to the message you sent us using the contact details provided on the site.

For archival and evidential purposes, we process personal data such as:

  • first name and surname,
  • email address
  • details regarding your queries,

- to secure information that can be used to demonstrate facts of legal significance. The legal basis for such data processing is Article 6 Paragraph 1 letter f) GDPR, which allows personal data to be processed where the Personal Data Administrator thereby pursues its legitimate interest (in this case, the Personal Data Administrator's interest is to obtain personal data that will prove specific facts related to your contact with the Personal Data Administrator);

For analytical purposes, ie researching and analyzing activity on the website belonging to the Personal Data Administrator, we process personal data such as:

  • date and time of the access,
  • the operating system of the user,
  • approximate location,
  • information concerning the browser type and version used,
  • time spent on the site,
  • websites from which the user accesses our Internet site.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows personal data to be processed where the Personal Data Administrator thereby pursues its legitimate interest (in this case, the Personal Data Administrator's interest is learning about users' activity on the site);

In order to use cookies on our website, we process text information (cookies are described in another point). The legal basis for such data processing is Article 6 Paragraph 1 letter a) GDPR, which allows the processing of personal data based on voluntary consent (the first time you enter the website, we will ask you to consent to the use of cookies). Further information about cookies can be found below.

DATA FOR MARKETING PURPOSES

To send you information about news and promotions, we process personal data such as:

  • email address
  • phone number
  • name,
  • surname,

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows personal data to be processed where the Personal Data Administrator thereby pursues its legitimate interest (in this case the interest of the Personal Data Administrator is to learn about the users' activity on the website) in connection with your consent to receive information about news and interesting events on the website - sending the newsletter.

DETAILS OF PERSONS CONTACTING WITH THE COUNTER-PARTY OR CUSTOMER AUTHORISATION, eg DESIGNATED FOR COOPERATION WITH THE ADMINISTRATOR OF PERSONAL DATA OF EMPLOYEES OR AUTHORISED ATTORNEYS OR PERSONS COMMUNICATING FOR ANY OTHER USE THAN COMMUNICO ABITE

In order to contact you to execute a contract with a client or contractor on behalf of whom you are contacting us in a matter described by you - if you do not contact us on behalf of our contractor or client, the Personal Data Administrator processes such personal data as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • client, contractor, principal's details (ie your workplace) - if you contact us on behalf of our client or contractor,
  • information regarding the matter you are contacting us.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to carry out our legitimate interest, which in this case is: the execution of a contract with the person on behalf of whom you contact us, and Article 6 Paragraph 1 letter b) GDPR - contract execution - if you are contacting us on behalf of our client or contractor, or a response to your message - if you are contacting us regarding another matter.

We have obtained your data directly from you or a person on behalf of and for whom you contact us.

For archival and evidential purposes, we process personal data such as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • client, contractor, principal's details (ie your workplace) - if you contact us on behalf of our client or contractor,
  • information regarding your inquiries.

- to secure information that can be used to demonstrate facts of legal significance. The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows personal data to be processed where the Personal Data Administrator thereby pursues its legitimate interest (in this case, the Personal Data Administrator's interest is to obtain personal data that will prove certain information related to your contact with the Personal Data Administrator, eg compliance with this information obligation);

In order to determine, investigate or defend against claims, the Personal Data Administrator processes such personal data as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • information about your workplace.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to carry out our legitimate interest, which in this case is defending the property duties of the Personal Data Administrator.

In order to keep accounting books and tax documentation, if your data were given in the contract as contact details or appeared in the accounting documents, we process personal data such as:

  • first name, surname,
  • email address
  • current occupation,
  • client, contractor, principal's details (ie your workplace) - if you contact us on behalf of our client or contractor,
  • data resulting from relevant tax regulations.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter c) GDPR, regarding applicable tax law.

BUSINESS DATA COLLECTED FROM BUSINESS CARDS OR AS COMMONLY AVAILABLE DATA

In order to contact you, the Personal Data Administrator processes data such as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • information about your workplace.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to carry out our legitimate interest, which in this case is maintaining and developing business relationships with you or the entity you represent.

To determine, investigate or defend against claims, the Personal Data Administrator processes personal data such as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • information about your workplace.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to carry out our legitimate interest, which in this case is defending the property duties of the Personal Data Administrator.

We obtained your data directly from you, eg from a business card, or publicly available sources, such as a company website, or www.linkedin.com, www.facebook.com, CEIDG, KRS.

POTENTIAL ASSOCIATES DETAILS

To contact you regarding a possible collaboration the Personal Data Administrator processes such personal data as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • information about your workplace.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to pursue our legitimate interest, which in this case is the establishment and development of business relationships with you or the entity you represent.

In order to determine, investigate or defend against claims, the Personal Data Administrator processes such personal data as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • information about your workplace.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to implement our legitimate interest, which in this case is to defend the property obligation of the Personal Data Administrator.


We obtained your data directly from you, eg from a business card, or publicly available sources, such as a company website, or www.linkedin.com, www.facebook.com, CEIDG, KRS.

FANPAGE and CHATBOT Users

In order to contact you in the matter described by you, we process personal data such as:

  • first name and surname,
  • email address
  • details regarding your queries,

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to implement our legitimate interest, which in this case is communication with you.

For archival and evidential purposes, we process personal data such as:

  • first name and surname,
  • email address
  • details regarding your queries,

- to secure information that can be used to demonstrate facts of legal significance. The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows personal data to be processed where the Personal Data Administrator thereby pursues its legitimate interest (in this case, the Personal Data Administrator's interest is to obtain personal data that will prove certain information related to your contact with the Personal Data Administrator, eg compliance with this information obligation);

In order to determine, investigate or defend against claims, the Personal Data Administrator processes such personal data as:

  • first name, surname,
  • e-mail address or phone number,
  • present occupation,
  • information about your workplace.

The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR, which allows us to implement our legitimate interest, which in this case is to defend the property obligation of the Personal Data Administrator.

DATA OF CLIENTS, POTENTIAL CLIENTS AND CONSIGNORS

The Personal Data Administrator processes your data for purposes like:

  • conclusion of a contract between you and the Personal Data Administrator,
  • communication between you and the Personal Data Administrator, as well as parties involved in the implementation of the contract - based on Article 6 Paragraph 1 letter f) GDPR (legitimate interest of the Personal Data Administrator); the legitimate interest is the exchange of information regarding the conclusion of a contract;
  • creating registers and records related to the GDPR, including the entry of persons who objected per the GDPR - based on Article 6 Paragraph 1 letter c) GDPR (obligations arising from legal provisions) and Article 6 Paragraph 1 letter f) GDPR (the legitimate interest of the Administrator of Personal Data); the Service Provider's legitimate interest is, eg, confirmation that the information obligation towards you has been fulfilled;
  • determination, investigation or defense against claims - based on Article 6 Paragraph 1 letter f) GDPR (the legitimate interest of the Personal Data Administrator); the legitimate interest of the Personal Data Administrator is to protect his property interest;
  • archival and evidentiary, for the purpose of securing information that may be used to prove facts - based on Article 6 Paragraph 1 letter f) GDPR (the legitimate interest of the Administrator of Personal Data); the legitimate interest of the Personal Data Administrator is having information required, eg by the state authorities;
  • issuing an invoice and fulfilling other obligations arising from the provisions of the tax law - based on Article 6 Paragraph 1 letter c) GDPR (the necessity to fulfil the legal requirement by the Personal Data Administrator);

III Cookies

  1. The Administrator of Personal Data, like other entities, uses so-called cookies on his website. These are text files containing small amounts of information, which are downloaded to your device, or more technically, to the browser that you use on that device when you visit a site. They can be read by our system, as well as by policies of other entities whose services we use (eg Facebook, Google, LinkedIn).
  2. Cookies perform many functions on the website, the most common of which we will try to describe below (if the information is insufficient, please contact us):
  • ensuring security - cookies are used to protect the user's personal data against unauthorized access;
  • impact on processes and efficiency of using the website - cookies are used to ensure that the website works efficiently and that you can use all the features available, which is possible, among others, by remembering the settings between subsequent visits to the website. Thanks to them, you can efficiently navigate the website and individual subpages;
  • session state - these cookies collect information about how visitors use the sites, for instance, which pages visitors go to most often. They also allow identifying errors displayed on some subpages. Cookies used to save so-called "Session state" help us improve services and increase the comfort of browsing the website;
  • creating statistics - cookies are used to analyze how users use the website (how many people visit the website, how long they stay on it, which content attracts the most interest, etc.). Thanks to this, we can continuously improve our website and adapt its operation to users' preferences. To track activity and create statistics, we use Google's tools such as Google Analytics and HotJar;
  • social media - on our website we use so-called "Facebook pixel" that allows you to like our Facebook fan page while using the website, which redirects you to the Personal Data Administrator's official profile on this social network. However, for this to be possible, we must use cookies provided by the indicated entities.
  3. Your browser automatically allows the usage of cookies on your device, therefore on your first visit, we ask you to consent to the use of cookies. However, if you do not wish to use cookies when browsing the website, you can change the settings in your web browser - completely block the automatic handling of cookies or request notification whenever cookies are placed on your device. Settings can be changed at any time.
  4. We respect the autonomy of all users of the website; however, we feel obliged to warn you that disabling or limiting the use of cookies may SOMETHING IS MISSING HERE.

IV Analysis of users' browsing activity.

  1. Below you will find a list of tools used by the Personal Data Administrator on their website:

Tools: Google Analytics and HotJar
Description: We use statistical data collection tools that help us understand how users use our website and application. The data received in this way do not give us information about any specific person and we do not combine them with other data that you provide to us. This analysis service is primarily used to optimize an Internet site and for a cost-benefit analysis concerning Internet advertising. Google may collect data obtained from cookies from various websites and uses this information to create reports related to website traffic. Among other information collected by Google Analytics are the number of visits on the site; date of first and last visit; duration of the visit; the page which the user came from, user's search engine; clicked link, user's location, etc. Google Analytics applies IP masking, so only a portion of an IP address is collected. Only in exceptional cases is the full IP address transmitted to a Google server located in the USA and shortened there. The anonymised IP address processed by Google Analytics is generally not combined with other Google data. Further information on the operation of Google Analytics can be found here. We use HotJar tools which register user's behavior such as navigation, page scrolling, cursor movement, approximate location, device used, operating system, browser type. Data received in this way are processed in an aggregated and anonymous manner in order to improve the functionality of our website. You can find more information about how HotJar works here.
Can they be disabled? Yes - you can opt out of making your website activity available to Google Analytics by installing the Google Analytics opt-out browser add-on found here. You can block HotJar from measuring your activity using this link.

Tools: Facebook
Description: Due to our legitimate interest in the analysis, optimization and operation of our online service (in accordance with Article 6 Paragraph 1 Letter f) GDPR) we use the Facebook plugin, the so-called "Facebook conversion pixel", to manage ads on Facebook. Using this tool, Facebook obtains information (assigned to your profile on this site) that you have visited our website. Thanks to this, we can order ads on Facebook targeting people who were on our website or its subpages (re-marketing). Then we receive from Facebook only statistical data on the effectiveness of ads (eg how many people saw our ad, how many people clicked the link), without reference to specific users. If you are a Facebook user, we encourage you to read further information on data protection here.
Can they be disabled? Yes


The above-listed tools and cookies used by us, in particular for the purpose of behavioral advertising, may be associated with so-called profiling. This means that we or the marketing agencies employed by us can create a user profile based on collected data (such as e-mail address, type of device, technology used, frequency of visits) and on this basis, make purchase forecasts for the future. This allows us to decide what content (including ads) to display on our and other websites. The legal basis for the processing of personal data is Article 6 Paragraph 1 letter f) GDPR (legitimate interest of the Personal Data Administrator).

V Right to revoke the declaration of consent under data protection laws

  1. If the processing of personal data is based on consent, you can withdraw this consent at any time - at your discretion.
  2. If you would like to withdraw your consent to the processing of personal data, send an email directly to the Personal Data Administrator to the address agnieszka@galeriaxanadu.pl
  3. The lawfulness of the processing which took place prior to the issuing of the revocation of consent is not affected.

VI Requirement to provide personal data

  1. Providing personal data is voluntary and depends on your decision. However, providing certain personal data is necessary to meet your expectations regarding the use of the website or to contact the company.
  2. If you contact us in any matter, providing your data may be necessary, eg to answer your question. If you contact us on behalf of our client or contractor, providing data may be required due to the relationship with the client or contractor of the Personal Data Administrator, and may also be necessary for us to conclude the contract for the person on whose behalf you communicate.
  3. If the requirement to provide your data results from legal regulations - providing data is your responsibility.

VII Automated decision making in individual cases, including profiling

We do not use your data to make automated decisions that could affect your legal situation. Instead, we use tools to analyze the readability of our messages to better adapt the content of further communication to the expectations of readers.

VIII Recipients of personal data

  1. Like most businesses, in our activities we use the help of other entities, which often involves the need to provide personal data. In connection with the above, if necessary, we may transfer your data to a hosting company, lawyers, social media owners, and if you communicate with the Personal Data Administrator on behalf of our client or contractor - to entities involved, the company providing us with the e-mail marketing program, courier companies, accounting company, right agency, art market portals.
  2. Also, it may happen that, eg based on the relevant law or decision of the competent authority, we will also have to transfer your personal data to other entities, whether public or private. Therefore, it is challenging for us to predict who can make a request to provide personal data. However, we assure you that we analyze every case of a request for personal data very carefully to ensure that we do not accidentally give information to an unauthorised person.

IX Personal data transfers
We may transfer personal data to countries outside the EE; this is due to our use of Google Analytics and Facebook. Therefore your data is transferred to the USA based on the European Commission decision of 12 July 2016 (Privacy Shield).

X The period of personal data processing

  1. By applicable law, we do not process your personal data indefinitely, but for the time that is needed to achieve the set goal. The data will be deleted, once it is no longer necessary for the purpose for which it was gathered.
  2. Regarding the specific time of personal data processing, we kindly inform you that we process personal data for a period:
  • until the consent is withdrawn or the purpose of processing is achieved - in the case of personal data processed based on consent;
  • until a valid objection or achievement of the use of processing (including, eg expiration of limitation periods) - concerning personal data processed based on the legitimate interest of the Personal Data Administrator;
  • until they become outdated or lose their usefulness, but no longer than for 2 years - in relation to personal data processed mainly for analytical purposes, the use of cookies and website administration;
  • until the expiry of the limitation period - in relation to data processed under tax law.

XI Rights of the data subject:

  1. Please be advised that you have the right to:
  • access your personal data;
  • rectify (correct, supplement) your data;
  • erase your data or restrict its processing;
  • withdraw consent for personal data processing at any time;
  • data portability;
  • lodge a complaint to a supervisory authority
  2. We respect your rights arising from the provisions on the protection of personal data and strive to facilitate their implementation to the highest possible extent.
  3. We point out that these rights are not absolute, and therefore in certain situations, we may lawfully refuse to fulfil them. However, if we refuse to accept your request, it is only after careful analysis and only if the refusal to accept the request is necessary.
  4. Regarding the right to object, we clarify that you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data based on the legitimate interest of the Personal Data Administrator. However, you must remember that per the law, we may refuse to accept your objection if we prove that:
  • there are legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or
  • for the establishment, exercise or defense of legal claims.

XII Right to lodge a complaint

If you think that your personal data is being processed contrary to applicable law, you can file a complaint with the President of the Office for Personal Data Protection.

XIII Final provisions

  1. To the extent not covered by this Privacy Policy, regulations regarding the protection of personal data shall apply.
  2. You will be notified of any changes to this Privacy Policy by email.
  3. This privacy policy applies from May 25, 2018.