GDPR

This Information on the Processing of Personal Data is for informational purposes only and is disclosed to fulfill the informational obligations arising under the provisions of the GDPR by ArtCollector

I.DATA CONTROLLER

1. Art Collector (sole trader) with its registered office in Opole, address: ul. Wielkanocna 2, 45-844 Opole, entered in Central Registration And Information On Business, NIP 7543371520, REGON 529400632, email: contact@epicentrumgallery.com (hereinafter: the Administrator), processes personal data of its clients, contractors, and individuals who have provided their data via forms available on the website or through email, as well as other entities that have consented to the processing of personal data.
2. The Administrator declares that it processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR).

II.PRELIMINARY PROVISIONS

1. The information regarding data processing by the Administrator applies to data obtained in particular:
   • via electronic forms;
   • collected by the Administrator’s representatives as part of activities related to business operations or marketing activities.

2. This information does not apply to the processing of personal data of employees, job candidates, or data entrusted for processing under a data processing agreement.
3. Data are processed for the purpose of performing contracts, as well as when necessary to fulfill the Administrator’s legitimate interests, in particular, for informing via electronic means about promotions of its own services or for other purposes for which the authorized person has given consent, if such consent is required under applicable regulations.

III. SOURCE OF DATA ACQUISITION AND CATEGORIES OF DATA PROVIDED BY OTHER ENTITIES

1. The Administrator may obtain personal data directly from the data subject (e.g., via electronic forms, email) or through other persons (e.g., from an employer, another employee, or another entity with which the data subject cooperates).
2. In the case of direct contact, the data subject has full control over the scope of data shared with the Administrator.
3. If personal data is provided by another entity, the Administrator typically acquires only basic contact details related to professional activities, including: first name, last name, email address, phone number, job title or position, company name, and potentially other data arising from a contract under which the data subject is designated as a contact person.
4. Data entrusted for processing by other data controllers is processed within the scope defined in the data processing agreement, for the purpose and in the manner specified by the controller transferring the personal data.

IV.LEGAL BASIS, PURPOSES, AND PERIOD OF PERSONAL DATA PROCESSING

1. The Administrator processes personal data only when at least one of the following conditions is met:
   1. The data subject has given consent for the processing of their personal data (Article 6(1)(a) GDPR);
   2. Processing is necessary for the performance of a contract to which the data subject is a party or to take steps prior to entering into a contract (Article 6(1)(b) GDPR);
   3. Processing is necessary to comply with a legal obligation to which the Administrator is subject (Article 6(1)(c) GDPR);
   4. Processing is necessary to protect the vital interests of the data subject or another natural person (Article 6(1)(d) GDPR);
   5. Processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) GDPR);
   6. Processing is necessary for the purposes of the legitimate interests pursued by the Administrator or a third party (Article 6(1)(f) GDPR).

2. Personal data is processed by the Administrator exclusively for the purposes specified below:

1. CONTRACT PERFORMANCE – the legal basis for processing is Article 6(1)(b) GDPR.
   •   In the case of a concluded contract, personal data will be processed to perform that contract and ensure its financial settlement.
   •   If personal data is obtained via electronic forms used to arrange a meeting, the data will be processed to organize the meeting, facilitate related communications, and handle any potential financial settlements.
   •   For this purpose, personal data will be processed for the duration of the obligations and the limitation period for claims as defined by applicable legal regulations.

2) CONTACTS RELATED TO BUSINESS OPERATIONS – the legal basis for processing is Article 6(1)(f) GDPR.
• This purpose involves ongoing contacts, particularly regarding business meetings, business correspondence, negotiations, contract performance, presenting offers, marketing activities, and other actions related to professional business operations.
• For this purpose, the data subject may occasionally receive information about the Administrator’s services and other details related to its activities.
• If the data subject is a representative of a supplier or service provider, the Administrator’s representatives may contact the person to request an offer, information, or documents.
• Processing personal data in this case is carried out to achieve the Administrator’s legitimate interest, which includes marketing and selling services, as well as building and strengthening business relationships.
• The data subject has the right to object to such processing of their personal data.
• The Administrator may process contact data provided via electronic forms or shared under a valid contract.
• For this purpose, personal data will be processed until an objection is raised under Article 21 GDPR.

3) RESPONSE TO INQUIRIES – the legal basis for processing is Article 6(1)(a) GDPR.
• When completing a contact form or submitting an inquiry in another form (e.g., via email, phone, or social media), the interested party consents to being contacted to address their request or inquiry.
• Such consent may be withdrawn at any time; however, its withdrawal does not affect the legality of processing conducted before the consent was withdrawn. Withdrawal of consent will also result in the inability to respond to the inquiry.
• Data obtained based on consent will be processed until the consent is withdrawn or the purpose for which the consent was given is fulfilled.

4) PERFORMANCE OF A CONTRACT BETWEEN THE ADMINISTRATOR AND ANOTHER ENTITY – the legal basis for processing is Article 6(1)(f) GDPR.
• If a data subject is designated as a contact person by their employer or another entity, their data may be processed to perform and settle the contract concluded between the Administrator and the employer or other entity. This is to achieve the legitimate interest of the Administrator, which includes protecting its rights, fulfilling contracts, and receiving the due remuneration.
• Processing will include ongoing contacts related to the performance of the contract, the preparation and archiving of documentation resulting from its execution, and the pursuit of claims or defense against claims from the other party.
• The data subject has the right to object to such processing.
• For this purpose, personal data will be processed for the duration of obligations and the limitation period for claims as specified by applicable laws or until an objection is raised under Article 21 GDPR.

5) MEDIA CONTACTS AND PROMOTION OF THE ADMINISTRATOR’S ACTIVITIES AND SERVICES IN THE MEDIA – the legal basis for processing is Article 6(1)(a) GDPR.
• For journalists, editors, reporters, and other individuals engaged in journalistic activities, personal data will be processed to maintain contact between the Administrator’s representatives and the media, and to promote the Administrator’s activities, services, and products in the media. Such actions may include providing information about significant events, activities, products, services, and achievements of the Administrator.
• Initiating contact with the Administrator’s representative will be treated as consent to such communications.
• If consent is given, it is voluntary and may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of data processing conducted prior to its withdrawal.
• For this purpose, personal data will be processed until the contact is discontinued (upon withdrawal of consent).

6) COMPLIANCE WITH LEGAL OBLIGATIONS RELATING TO THE PREPARATION AND STORAGE OF DOCUMENTATION – the legal basis for processing is Article 6(1)(c) GDPR.
• When performing a contract or other obligations on behalf of the data subject, the Administrator will also process personal data included in invoices, accounting books, or other documentation confirming the conclusion and performance of the contract. This documentation is prepared and stored in compliance with applicable legal regulations. This applies both when the data subject is a party to the contract and when the contract involves their employer or an entity with which the individual cooperates.
• The retention period for invoices, accounting books, and documents confirming the conclusion and performance of the contract is determined by applicable legal regulations.

7) CONFIRMATION OF OBLIGATION FULFILLMENT AND PURSUIT OR DEFENSE OF CLAIMS – the legal basis for processing is Article 6(1)(f) GDPR.
• Data provided through an electronic form, shared as part of a contract, or otherwise made available to the Administrator may be processed for archiving information or documents confirming the Administrator’s fulfillment of obligations and for the purpose of pursuing potential claims or defending against claims made against the Administrator.
• This applies to situations where the data subject is a party to the contract, where the party to the contract is their employer or an entity with which the individual cooperates, as well as situations where the Administrator is obligated to provide a service to the individual or fulfill their rights on any basis.
• Processing personal data in this case is carried out to achieve the legitimate interest of the Administrator, which includes protecting its rights, confirming the performance of obligations, and obtaining due remuneration.
• The data subject has the right to object to such processing of their personal data.
• For this purpose, personal data will be processed for the duration of the obligations and the limitation period for claims as defined by applicable legal regulations.

8) VERIFICATION OF CONTRACTORS – the legal basis for processing:
a) Contractor’s data – Article 6(1)(b) GDPR,
b) Data of individuals designated by the contractor for contact purposes – Article 6(1)(f) GDPR.

• Before concluding and during the performance of a contract, data of subcontractors, suppliers, service providers, or partners with whom the Administrator cooperates, as well as data of individuals designated by these entities for contact purposes, will be processed for the purpose of verifying the contractor. This may involve sending a contractor questionnaire for completion or verifying the contractor’s data and financial situation in publicly available registers or through entities specializing in contractor verification.
• Processing data of individuals designated by the contractor for contact purposes will be carried out to achieve the legitimate interest of the Administrator, which includes contract performance and the protection of its rights.
• After achieving this purpose, data will continue to be processed:
  1) to fulfill the legal obligation to prepare and store documentation, and
  2) to confirm the fulfillment of obligations, pursue claims, or defend against claims.
• For this purpose, personal data will be processed for the duration of the contractor verification process.

V.OBLIGATION TO PROVIDE DATA AND CONSEQUENCES OF FAILURE TO PROVIDE DATA

1. For electronic forms – Providing data is voluntary; however, failure to provide data marked as mandatory will result in the inability to submit the form and, consequently, depending on the type of form, the inability to receive a response to the inquiry.
2. For data collected by the Administrator’s representatives during activities related to business operations – Providing data is entirely voluntary, and failure to provide it may result in the inability to establish future contact with the interested party.
3. For individuals who are parties to a contract concluded with the Administrator – Providing data necessary for contract performance and for fulfilling legal obligations is a condition for concluding and performing the contract. If the data is not provided, the purpose of the contract cannot be fulfilled.
4. For informational and marketing purposes – Providing data is voluntary. Refusing to consent to data processing for this purpose will prevent the Administrator from performing certain activities, such as informing about current packages, promotions, or new services.
5. Consent for marketing or informational purposes – Providing data is voluntary, and consent may be withdrawn at any time without affecting the lawfulness of processing carried out based on consent before its withdrawal.
6. For email correspondence – Providing an email address and other data for electronic communication is voluntary. Withdrawal of consent for data processing will result in the inability to continue further electronic correspondence.

VI.RIGHTS OF DATA SUBJECTS

1. In accordance with Articles 15–22 of the GDPR, the data subject has the following rights:
   a. Right to information about data processing – Upon request, the Administrator provides information about the processing of personal data, including purposes, legal basis, scope of data, recipients of the data, and the planned date of deletion.
   b. Right to obtain a copy of the data – The Administrator provides a copy of the processed personal data concerning the requesting individual.
   c. Right to rectification – Upon request, the Administrator corrects any inaccuracies or errors in the processed personal data and updates or completes them if they are incomplete or have changed.
   d. Right to erasure – The data subject may request the deletion of data that are no longer necessary for the purposes for which they were collected. This right applies only in cases specified by GDPR regulations. The Administrator may refuse deletion if exceptions apply, such as when processing is necessary to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.
   e. Right to restrict processing – The Administrator will stop performing operations on the personal data except for storing them or actions explicitly consented to by the data subject, until the reasons for restricting processing cease to exist (e.g., a supervisory authority decision). This right applies in cases listed in the GDPR.
   f. Right to data portability – Where processing is based on consent or a contract, the Administrator provides the data subject with their personal data in a structured, commonly used, and machine-readable format.
   g. Right to object to processing for marketing purposes – The data subject may object at any time to the processing of their personal data for marketing purposes without providing justification.
   h. Right to object to other processing purposes – The data subject may object to the processing of personal data for other purposes at any time. Such objections must include justification and are subject to evaluation by the Administrator. The Administrator may refuse the objection if there are overriding legitimate grounds for processing, such as legal claims, except in cases of direct marketing.
   i. Right to withdraw consent – If data processing is based on consent, the data subject has the right to withdraw their consent at any time. Withdrawal does not affect the lawfulness of processing conducted before consent was withdrawn.
   j. Right to lodge a complaint – If the data subject believes that their data processing violates GDPR or other data protection regulations, they may lodge a complaint with the supervisory authority.
2. A request for the exercise of data subject rights can be submitted via email to: contact@epicentrumgallery.com.
3. A response to the request will be provided within one month of its receipt. If an extension is necessary, the Administrator will inform the applicant of the reasons for the delay.
4. Responses will be sent to the email address from which the request was submitted. For requests submitted via postal mail, a response will be sent by registered mail to the address provided, unless the letter specifies that a response should be sent via email (in such cases, an email address must be included).

VII. DATA RECIPIENTS AND TRANSFER TO THIRD COUNTRIES

1. Generally, the Administrator does not transfer data outside the EU. If data is transferred to a third country where the European Commission has not issued a decision confirming an adequate level of protection, the Administrator applies appropriate safeguards by using standard contractual clauses adopted by the European Commission or a supervisory authority (in accordance with Article 46(2)(c) and (d) of the GDPR).
2. Data may be shared with suppliers, service providers, and partners with whom the Administrator cooperates, to the extent necessary for the provision of services to clients, business contacts, marketing activities, and the operation of business activities.
3. A third party with access to personal data processes it solely based on a data processing agreement and only under the instructions of the Administrator.
4. Inquiries regarding data processing and how to obtain copies of the standard contractual clauses should be directed according to the instructions provided in Section VI, Point 2 (RIGHTS OF DATA SUBJECTS).

VIII. INFORMATION ABOUT AUTOMATED DECISION-MAKING

1. The Administrator may automatically tailor certain content to the needs of clients and individuals who have consented to the processing of their personal data, i.e., perform profiling using the personal data they have provided. Profiling primarily involves the automated assessment of which products the individual may be interested in, in order to adapt marketing content, offers, or information sent by the Administrator to the person’s interests and their economic or professional activities.
2. Profiling carried out by the Administrator does not result in decisions that produce negative legal effects for the data subjects or otherwise significantly affect them.